Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

apegurus/unsafe-low-level-call

Name: unsafe-low-level-call
Author: apegurus

skills/vulnerability-patterns/unsafe-low-level-call/SKILL.md

npx skillsauth add apegurus/solidity-argus unsafe-low-level-call

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Unsafe Low-Level Call

Preconditions

Contract uses .call(), .delegatecall(), .staticcall(), or .send() for external interactions
The return value is not checked, OR
The target address may not have deployed code (user-provided, destroyed, or never deployed)

Vulnerable Pattern

function payout(address to, uint256 amount) external {
    // Unchecked return value — silent failure
    to.call{value: amount}("");
    totalPaid += amount; // Updated even if call failed
}

function interact(address target, bytes calldata data) external {
    // Call to non-existent contract "succeeds" silently
    // EVM treats call to codeless address as successful
    (bool success,) = target.call(data);
    require(success); // Passes even if target has no code!
    _markComplete();
}

Detection Heuristics

Search for .call(, .send(, .delegatecall(, .staticcall( in the codebase
For each, check if the returned bool is captured AND checked (e.g., require(success))
If the return value is not captured or not checked, flag it — execution continues after failure
For calls to user-supplied addresses, check if target.code.length > 0 is verified before the call — the EVM silently succeeds on calls to addresses with no code
Note: address.code.length check can be bypassed during constructor execution (code size is 0)
Check if state changes after the call assume it succeeded

False Positives

Return value is properly checked with require(success)
High-level Solidity calls are used (e.g., IERC20(token).transfer(...)) which include automatic extcodesize checks and revert on failure
The call is intentionally fire-and-forget with no state depending on success (rare, must be documented)

Remediation

Always check return values: require(success, "call failed")
Verify target has code before low-level calls: require(target.code.length > 0)
Prefer high-level Solidity calls for known interfaces — they include automatic code existence checks
For critical integrations, combine both checks

function payout(address to, uint256 amount) external {
    require(to.code.length > 0 || to == tx.origin, "no code at target");
    (bool success,) = to.call{value: amount}("");
    require(success, "transfer failed");
    totalPaid += amount;
}

apegurus/unsafe-low-level-call

skills/vulnerability-patterns/unsafe-low-level-call/SKILL.md

- Contract uses `.call()`, `.delegatecall()`, `.staticcall()`, or `.send()` for external interactions

tools

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus unsafe-low-level-call

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:34 AM291.9s1 file scanned

SKILL.md

name:: unsafe-low-level-call
description:: delegatecall usage with elevated storage-context risk
pattern_category:: logic-error
- regex:: \.delegatecall\(
severity:: High
confidence:: Medium
swc:: SWC-104

Unsafe Low-Level Call

Preconditions

Contract uses .call(), .delegatecall(), .staticcall(), or .send() for external interactions
The return value is not checked, OR
The target address may not have deployed code (user-provided, destroyed, or never deployed)

Vulnerable Pattern

function payout(address to, uint256 amount) external {
    // Unchecked return value — silent failure
    to.call{value: amount}("");
    totalPaid += amount; // Updated even if call failed
}

function interact(address target, bytes calldata data) external {
    // Call to non-existent contract "succeeds" silently
    // EVM treats call to codeless address as successful
    (bool success,) = target.call(data);
    require(success); // Passes even if target has no code!
    _markComplete();
}

Detection Heuristics

Search for .call(, .send(, .delegatecall(, .staticcall( in the codebase
For each, check if the returned bool is captured AND checked (e.g., require(success))
If the return value is not captured or not checked, flag it — execution continues after failure
For calls to user-supplied addresses, check if target.code.length > 0 is verified before the call — the EVM silently succeeds on calls to addresses with no code
Note: address.code.length check can be bypassed during constructor execution (code size is 0)
Check if state changes after the call assume it succeeded

False Positives

Return value is properly checked with require(success)
High-level Solidity calls are used (e.g., IERC20(token).transfer(...)) which include automatic extcodesize checks and revert on failure
The call is intentionally fire-and-forget with no state depending on success (rare, must be documented)

Remediation

Always check return values: require(success, "call failed")
Verify target has code before low-level calls: require(target.code.length > 0)
Prefer high-level Solidity calls for known interfaces — they include automatic code existence checks
For critical integrations, combine both checks

function payout(address to, uint256 amount) external {
    require(to.code.length > 0 || to == tx.origin, "no code at target");
    (bool success,) = to.call{value: amount}("");
    require(success, "transfer failed");
    totalPaid += amount;
}

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/vulnerability-patterns/unsafe-low-level-call ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT