aeondave/slither
offensive-tools/vuln-scanners/slither/SKILL.md
slither: smart contract static analyzer for Solidity and Vyper with detectors, printers, and custom analysis APIs. Use when auditing Foundry, Hardhat, Brownie, or standalone contracts for reentrancy, unsafe delegatecall, tx.origin misuse, upgradeability mistakes, weak randomness, and other EVM security issues.
$ install --global
skillsauthnpx skillsauth add aeondave/malskill slitherInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 20, 2026, 3:47 AM209.8s1 file scanned
SKILL.md
- name:
- slither
- description:
- slither: smart contract static analyzer for Solidity and Vyper with detectors, printers, and custom analysis APIs. Use when auditing Foundry, Hardhat, Brownie, or standalone contracts for reentrancy, unsafe delegatecall, tx.origin misuse, upgradeability mistakes, weak randomness, and other EVM security issues.
- license:
- AGPL-3.0
- compatibility:
- Linux, macOS, WSL; Python 3.10+; solc or framework compilation required
- author:
- AeonDave
- version:
- 1.0
Slither
Fast static analysis for Solidity and Vyper codebases.
When to use Slither
Use Slither when you need to:
- run a fast first-pass audit on a smart contract repo
- catch common vulnerability classes with low friction
- generate structural views like call graphs and human summaries
- script custom contract analysis in Python
Installation
# Recommended
uv tool install slither-analyzer
# Or pip
python3 -m pip install slither-analyzer
Upstream recommends solc-select or a supported build framework when multiple compiler versions are in play.
Quick Start
# Preferred for real projects with imports
slither .
# Single self-contained file
slither contracts/Token.sol
# Markdown checklist report
slither . --checklist
Core Workflow
1. Make compilation work first
If the project uses Hardhat, Foundry, Brownie, or another framework, ensure its normal compile command succeeds before blaming Slither.
Run Slither from the project root, not from an isolated contract file, when imports and dependencies exist.
2. Run default detectors
slither .
This gives broad coverage for issues like:
- reentrancy variants
- arbitrary-send patterns
- unchecked low-level calls
- weak PRNG
tx.originmisuse- dangerous upgradeability patterns
- uninitialized state or storage mistakes
3. Generate review-oriented outputs
slither . --checklist
slither . --print human-summary
slither . --print call-graph,cfg,function-summary
Use printers for comprehension, not just bug hunting.
High-Value Uses
CI or pre-commit gate
slither . --checklist
Quick architecture review
slither . --print human-summary,inheritance-graph,entry-points
Custom analysis
Use Slither's Python API when a one-off audit question is too specific for stock detectors.
Practical Notes
- Slither is the fastest high-value first pass in many Solidity audits.
- It integrates best with the project's real build system.
- Use it early to reduce manual review surface before heavier symbolic or dynamic tooling.
- Pair with
mythrilfor symbolic execution depth on suspicious paths.
Caveats
- Static findings still require human triage.
- Compilation failures usually mean the project layout or dependencies are wrong, not necessarily a Slither bug.
- Single-file runs are convenient but weaker for real projects with imports.
Resources
No bundled scripts/, references/, or assets/.
Use the upstream detector and printer documentation for the full detector list and tuning options.
Related Skills
aeondave/offensive-linux-role
data-ai
VerifiedTrustedCommunity
Scoped routing: Linux operator; hosts, sessions, users, services, packages, logs, containers, SSH, network paths, privilege evidence.
4SKILL.mdUpdated Jun 5, 2026
aeondave/ics-technique
development
VerifiedTrustedCommunity
Offensive methodology for ICS/OT/SCADA environments in authorized industrial penetration testing and red team operations. Use when assessing PLCs, RTUs, HMIs, engineering workstations, historians, or field devices running Modbus, DNP3, EtherNet/IP, S7comm/S7+, Profinet, IEC 60870-5-104, BACnet, or OPC-UA. Covers passive OT network enumeration, protocol-level device interrogation, PLC coil/register read-write attacks, HMI session exploitation, historian and engineering workstation compromise, and safe escalation rules for critical infrastructure scope. Does not cover: general IT network exploitation (network-technique), physical hardware interfaces UART/JTAG/SPI (hardware-technique), wireless sensor network attacks (wireless-technique), RF/SDR signal analysis (hardware-ctf or wireless-technique), or CTF-framed ICS lab tasks (ics-ctf).
4SKILL.mdUpdated Jun 2, 2026
aeondave/game-technique
tools
VerifiedTrustedCommunity
Offensive methodology for authorized game security assessments, game client security research, and game-adjacent penetration testing in real-world engagements. Use when assessing game clients for cheating vulnerabilities, testing anti-cheat effectiveness, auditing game server protocols for score manipulation or economic fraud, reverse engineering game DRM or license validation, analyzing game save file protection, or assessing game mod/plugin security. Covers: process memory scanning and manipulation (Cheat Engine methodology), game binary reversing for license and DRM bypass, game network protocol analysis and packet replay, anti-cheat mechanism analysis, save file format reversing and tampering, speed hack and value injection techniques. Does NOT cover: CTF game challenges (game-ctf), game engine source code auditing (web-exploit-technique or vuln-search-technique for the backend), or general binary exploitation (pwn-ctf or reversing-technique).
4SKILL.mdUpdated Jun 2, 2026
aeondave/hardware-technique
development
VerifiedTrustedCommunity
Auth assessment: hardware/embedded methodology; UART/JTAG/SWD/SPI/I2C, firmware extraction, boot/debug paths, embedded OS evidence.
4SKILL.mdUpdated Jun 2, 2026