Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

apegurus/default-visibility

Name: default-visibility
Author: apegurus

skills/vulnerability-patterns/default-visibility/SKILL.md

npx skillsauth add apegurus/solidity-argus default-visibility

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Default Visibility

Preconditions

Functions or state variables are declared without an explicit visibility specifier
For functions: Solidity <0.5.0 (compiler does not enforce explicit visibility; defaults to public)
For state variables: any Solidity version (defaults to internal, but developer may have intended private)
The function or variable performs sensitive operations or holds sensitive data

Vulnerable Pattern

// Solidity <0.5.0: function defaults to public
contract Wallet {
    address owner;

    // No visibility specified — defaults to public
    // Anyone can call this and take ownership
    function initWallet(address _owner) {
        owner = _owner;
    }

    // Internal helper exposed as public by default
    function _sendFunds(address to, uint256 amount) {
        payable(to).transfer(amount);
    }
}

Detection Heuristics

Check the Solidity version: if <0.5.0, search for functions without public, external, internal, or private keywords
For any version, search for state variables without explicit visibility — they default to internal
For each function without explicit visibility, check if it modifies state or performs sensitive operations — these are exposed as public by default
Look for functions prefixed with _ (convention for internal) that lack the internal keyword
In Solidity >=0.5.0, the compiler requires function visibility — but state variable visibility is still optional

False Positives

Solidity >=0.5.0 contracts: the compiler enforces function visibility, so missing function visibility won't compile
State variable intended to be internal and correctly defaults to internal
The function is genuinely intended to be public

Remediation

Always specify explicit visibility for all functions and state variables
Upgrade to Solidity >=0.5.0 where function visibility is compiler-enforced
Review all functions to ensure visibility matches intended access level

contract Wallet {
    address private owner;

    function initWallet(address _owner) internal {
        owner = _owner;
    }

    function _sendFunds(address to, uint256 amount) private {
        payable(to).transfer(amount);
    }
}

apegurus/default-visibility

skills/vulnerability-patterns/default-visibility/SKILL.md

- Functions or state variables are declared without an explicit visibility specifier

testing

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus default-visibility

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:27 AM275.8s1 file scanned

SKILL.md

name:: default-visibility
description:: Function without explicit visibility specifier — defaults to public in older Solidity versions
pattern_category:: access-control
- regex:: function\s+\w+\s*$[^)]*$\s*\{
severity:: Medium
confidence:: Low
swc:: SWC-100

Default Visibility

Preconditions

Functions or state variables are declared without an explicit visibility specifier
For functions: Solidity <0.5.0 (compiler does not enforce explicit visibility; defaults to public)
For state variables: any Solidity version (defaults to internal, but developer may have intended private)
The function or variable performs sensitive operations or holds sensitive data

Vulnerable Pattern

// Solidity <0.5.0: function defaults to public
contract Wallet {
    address owner;

    // No visibility specified — defaults to public
    // Anyone can call this and take ownership
    function initWallet(address _owner) {
        owner = _owner;
    }

    // Internal helper exposed as public by default
    function _sendFunds(address to, uint256 amount) {
        payable(to).transfer(amount);
    }
}

Detection Heuristics

Check the Solidity version: if <0.5.0, search for functions without public, external, internal, or private keywords
For any version, search for state variables without explicit visibility — they default to internal
For each function without explicit visibility, check if it modifies state or performs sensitive operations — these are exposed as public by default
Look for functions prefixed with _ (convention for internal) that lack the internal keyword
In Solidity >=0.5.0, the compiler requires function visibility — but state variable visibility is still optional

False Positives

Solidity >=0.5.0 contracts: the compiler enforces function visibility, so missing function visibility won't compile
State variable intended to be internal and correctly defaults to internal
The function is genuinely intended to be public

Remediation

Always specify explicit visibility for all functions and state variables
Upgrade to Solidity >=0.5.0 where function visibility is compiler-enforced
Review all functions to ensure visibility matches intended access level

contract Wallet {
    address private owner;

    function initWallet(address _owner) internal {
        owner = _owner;
    }

    function _sendFunds(address to, uint256 amount) private {
        payable(to).transfer(amount);
    }
}

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/vulnerability-patterns/default-visibility ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT