Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

apegurus/incorrect-constructor

Name: incorrect-constructor
Author: apegurus

skills/vulnerability-patterns/incorrect-constructor/SKILL.md

npx skillsauth add apegurus/solidity-argus incorrect-constructor

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Incorrect Constructor Name

Preconditions

Solidity version <0.4.22 where constructors are named functions matching the contract name
The function name does not exactly match the contract name (typo, case mismatch, or contract renamed without updating the constructor)

Vulnerable Pattern

// Solidity <0.4.22: constructor is a named function
contract Owned {
    address public owner;

    // Typo: "owned" != "Owned" (case mismatch)
    // This becomes a regular public function anyone can call
    function owned() public {
        owner = msg.sender;
    }
}

// Contract renamed but constructor not updated
contract Treasury {
    address public owner;

    // Was "Wallet" before rename — now a regular public function
    function Wallet() public {
        owner = msg.sender;
    }
}

Detection Heuristics

Check the Solidity version: if >=0.4.22 and the constructor keyword is used, this vulnerability does not apply
For <0.4.22 contracts: find the function that sets initial state (owner, parameters) and verify its name exactly matches the contract name (case-sensitive)
Search for public/external functions that set owner or perform one-time initialization — these may be misnamed constructors
Check if the contract was renamed at any point (git history, comments) but the constructor function was not updated
Flag any named function that appears to perform initialization logic (sets owner, initializes critical state) but doesn't match the contract name

False Positives

Solidity >=0.4.22 using the constructor keyword (enforced by compiler)
The function is intentionally a public initializer (e.g., in proxy patterns) with proper access control

Remediation

Upgrade to Solidity >=0.4.22 and use the constructor keyword
For legacy contracts, verify the constructor function name exactly matches the contract name

// Modern Solidity: compiler-enforced constructor
contract Owned {
    address public owner;

    constructor() {
        owner = msg.sender;
    }
}

apegurus/incorrect-constructor

skills/vulnerability-patterns/incorrect-constructor/SKILL.md

- Solidity version <0.4.22 where constructors are named functions matching the contract name

tools

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus incorrect-constructor

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:27 AM119.3s1 file scanned

SKILL.md

name:: incorrect-constructor
description:: Constructor syntax signal for legacy constructor-name migration review
pattern_category:: logic-error
- regex:: constructor\s*\(
severity:: Informational
confidence:: Low
swc:: SWC-118

Incorrect Constructor Name

Preconditions

Solidity version <0.4.22 where constructors are named functions matching the contract name
The function name does not exactly match the contract name (typo, case mismatch, or contract renamed without updating the constructor)

Vulnerable Pattern

// Solidity <0.4.22: constructor is a named function
contract Owned {
    address public owner;

    // Typo: "owned" != "Owned" (case mismatch)
    // This becomes a regular public function anyone can call
    function owned() public {
        owner = msg.sender;
    }
}

// Contract renamed but constructor not updated
contract Treasury {
    address public owner;

    // Was "Wallet" before rename — now a regular public function
    function Wallet() public {
        owner = msg.sender;
    }
}

Detection Heuristics

Check the Solidity version: if >=0.4.22 and the constructor keyword is used, this vulnerability does not apply
For <0.4.22 contracts: find the function that sets initial state (owner, parameters) and verify its name exactly matches the contract name (case-sensitive)
Search for public/external functions that set owner or perform one-time initialization — these may be misnamed constructors
Check if the contract was renamed at any point (git history, comments) but the constructor function was not updated
Flag any named function that appears to perform initialization logic (sets owner, initializes critical state) but doesn't match the contract name

False Positives

Solidity >=0.4.22 using the constructor keyword (enforced by compiler)
The function is intentionally a public initializer (e.g., in proxy patterns) with proper access control

Remediation

Upgrade to Solidity >=0.4.22 and use the constructor keyword
For legacy contracts, verify the constructor function name exactly matches the contract name

// Modern Solidity: compiler-enforced constructor
contract Owned {
    address public owner;

    constructor() {
        owner = msg.sender;
    }
}

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/vulnerability-patterns/incorrect-constructor ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT