
Open and free agent-based smart contract auditing system based on multiple open source community maintained pipelines

OpenAudit


OpenAudit is a Claude Code/OpenAI Codex metaskill that runs smart contract source code through multiple agent-based auditing skill pipelines in parallel. By combining 100+ skills across 10+ community audit skill repositories, OpenAudit provides comprehensive and free smart contract security analysis using different methodologies, vulnerability databases, and static analysis tools.

The skill has been refined to such a level that any software developer can do a basic smart contract audit. You can point the skill to any deployed smart contract on any chain you have an RPC endpoint for and get a basic audit report of its security qualities. No subscriptions or sign-ups needed, 100% open source.



Read the announcement post.

How it works

  1. We set up software tools for smart contract auditing and poking the chain
  2. Point this skill to a smart contract address
  3. It analyses deployment information (proxy patterns, privileged addresses, multisig setups)
  4. Runs several audit skill pipelines against the project
  5. Every audit pipeline produces its own report, stored in the out folder
  6. Finds existing audit reports for the same contract and cross-references them
  7. A summary report with deduplication and cross-references is written at the end

The skills support Solidity, Vyper, Anchor (Rust) and CosmWasm (Rust) smart contracts.
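Step 3 above (deployment analysis) is the part a practitioner most often wants to see spelled out. The following is an added example, not OpenAudit's own code: it classifies a deployed address as an EIP-1167 clone, a transparent (EIP-1967 implementation + admin slot), UUPS or beacon proxy, or a plain contract, and flags whether the privileged admin is an EOA or a contract (multisig/timelock). Chain access is injected as two callables so the demo runs offline on constructed state; the `live_readers` helper, which assumes web3.py is installed, shows how to wire it to a real node. The slot constants are those defined in EIP-1967; the addresses in `demo()` are made up.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# EIP-1967 slots: keccak256("eip1967.proxy.<name>") - 1, as published in the EIP.
IMPLEMENTATION_SLOT = 0x360894A13BA1A3210667C828492DB98DCA3E2076CC3735A920A3CA505D382BBC
ADMIN_SLOT = 0xB53127684A568B3173AE13B9F8A6016E243E63B6E8EE1178D6A717850B5D6103
BEACON_SLOT = 0xA3F0AD74E5423AEBFD80D3EF4346578335A9A72AEAEE59FF6CB3582B35133D50

# EIP-1167 minimal proxy runtime bytecode: 10-byte prefix, 20-byte target, 15-byte suffix.
EIP1167_PREFIX = bytes.fromhex("363d3d373d3d3d363d73")
EIP1167_SUFFIX = bytes.fromhex("5af43d82803e903d91602b57fd5bf3")

StorageReader = Callable[[str, int], bytes]  # (address, slot) -> 32-byte storage word
CodeReader = Callable[[str], bytes]          # address -> runtime bytecode (b"" for an EOA)


@dataclass
class Deployment:
    address: str
    kind: str                              # "none", "eip1167", "beacon", "transparent", "uups", "plain"
    implementation: Optional[str] = None
    admin: Optional[str] = None
    notes: list = field(default_factory=list)


def word_to_address(word: bytes) -> Optional[str]:
    """Low 20 bytes of a storage word as a 0x-hex address; None when the slot is empty."""
    addr = word[-20:]
    return None if len(word) != 32 or addr == bytes(20) else "0x" + addr.hex()


def describe_admin(address: str, code_at: CodeReader) -> str:
    """A privileged address with code is usually a multisig or timelock; without code it is one EOA key."""
    return "a contract (multisig/timelock, verify its signers)" if code_at(address) else "an EOA (single key risk)"


def analyse_deployment(address: str, storage_at: StorageReader, code_at: CodeReader) -> Deployment:
    address = address.lower()
    code = code_at(address)
    if not code:
        return Deployment(address, "none", notes=["no code at this address"])
    if len(code) == 45 and code.startswith(EIP1167_PREFIX) and code.endswith(EIP1167_SUFFIX):
        target = "0x" + code[10:30].hex()
        return Deployment(address, "eip1167", implementation=target,
                          notes=["immutable clone; audit the target contract"])
    implementation = word_to_address(storage_at(address, IMPLEMENTATION_SLOT))
    admin = word_to_address(storage_at(address, ADMIN_SLOT))
    beacon = word_to_address(storage_at(address, BEACON_SLOT))
    if beacon:
        return Deployment(address, "beacon",
                          notes=[f"implementation resolved via beacon {beacon}; check who owns the beacon"])
    if implementation and admin:
        return Deployment(address, "transparent", implementation, admin,
                          notes=[f"admin {admin} is {describe_admin(admin, code_at)} and can upgrade the implementation"])
    if implementation:
        return Deployment(address, "uups", implementation,
                          notes=["UUPS: upgrade authorisation lives in the implementation (review _authorizeUpgrade)"])
    return Deployment(address, "plain")


def live_readers(rpc_url: str):
    """Wire the analysis to a real node with web3.py (imported lazily so the offline demo needs no web3)."""
    from web3 import Web3
    w3 = Web3(Web3.HTTPProvider(rpc_url))
    storage_at = lambda addr, slot: bytes(w3.eth.get_storage_at(Web3.to_checksum_address(addr), slot))
    code_at = lambda addr: bytes(w3.eth.get_code(Web3.to_checksum_address(addr)))
    return storage_at, code_at


def demo() -> dict:
    """Constructed chain state (addresses are not real): transparent proxy, UUPS proxy, clone, plain contract."""
    proxy, impl, admin, uups, clone, plain = ("0x" + d * 20 for d in ("11", "22", "33", "44", "55", "66"))
    pad = lambda a: bytes(12) + bytes.fromhex(a[2:])        # address right-aligned in a 32-byte word
    storage = {(proxy, IMPLEMENTATION_SLOT): pad(impl), (proxy, ADMIN_SLOT): pad(admin),
               (uups, IMPLEMENTATION_SLOT): pad(impl)}
    code = {a: b"\x60\x80" for a in (proxy, impl, admin, uups, plain)}   # any non-empty bytecode will do
    code[clone] = EIP1167_PREFIX + bytes.fromhex(impl[2:]) + EIP1167_SUFFIX
    storage_at = lambda a, s: storage.get((a, s), bytes(32))
    code_at = lambda a: code.get(a, b"")
    return {name: analyse_deployment(addr, storage_at, code_at)
            for name, addr in (("proxy", proxy), ("uups", uups), ("clone", clone), ("plain", plain))}


if __name__ == "__main__":
    for name, d in demo().items():
        print(name, d.kind, d.implementation, d.admin, d.notes)
```

The order of checks matters: a clone is recognised from bytecode alone, a beacon proxy before a transparent one (both may carry an implementation slot), and an implementation slot without an admin slot is treated as UUPS, where the upgrade path must be reviewed in the implementation rather than in the proxy.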

The skill is in skills/openaudit/SKILL.md.

Supported agent pipelines

These are the open source, community maintained skill repositories which we run against the smart contract being audited:

| Repo | Stars | Skills | Lines | Languages | Contributors | Twitter |
|---|---|---|---|---|---|---|
| trailofbits/skills | 3,274 | 58 | 73,636 | Solidity, Cairo, Cosmos, Algorand, Substrate, Solana (Move), Go, Rust, Python, C/C++ | dguido, Ninja3047, GrosQuildu, ahpaleus, dariushoule, DarkaMaul, hbrodin, bsamuels453, mosajjal, frabert, sblackshear, vanhauser-thc + 7 more | @trailofbits |
| pashov/skills | 156 | 1 | 1,461 | Solidity | pashov, Daneided | @pashov |
| Cyfrin/solskill | 96 | 1 | 350 | Solidity | PatrickAlphaC | @PatrickAlphaC |
| kadenzipfel/scv-scan | 77 | 1 | 2,784 | Solidity | kadenzipfel | @0xkaden |
| forefy/.context | 70 | 3 | 15,371 | Solidity, Anchor (Solana), Vyper | forefy | @forefy |
| quillai-network/qs_skills | 62 | 10 | 8,528 | Solidity | ChitranshVashney, michaeldim | @QuillAudits_AI |
| Archethect/sc-auditor | 47 | 1 + 4 MCP tools | 1,285 | Solidity | Archethect | @archethect |
| hackenproof-public/skills | 7 | 1 | 300 | Solidity, general web/mobile | dorsky | @d0rsky |
| auditmos/skills | 0 | 14 | 12,981 | Solidity | tkowalczyk | @tomkowalczyk |
| Frankcastleauditor/safe-solana-builder | 47 | 1 | 1,607 | Rust (Solana Anchor + Native) | Frankcastleauditor, Arrowana | @0xcastle_chain |
| The-Membrane/membrane-core | 10 | 1 | 3,267 | CosmWasm (Rust) | triccs | |

Prerequisites

The skills require access to tooling such as the Solidity compiler, the Python-based Slither and the Rust-based Foundry. We also use the web3-ethereum-defi and Web3.py packages to read chain data over RPCs.

Clone

Clone the repository recursively to get the skills (they are git submodules); packaged installation, e.g. via PyPI, is currently unsupported:

git clone --recursive --depth 1 https://github.com/tradingstrategy-ai/openaudit.git

macOS (Homebrew)

Install and check dependencies:

# Python 3.11+
# Node 22+
brew install python uv codeql node rustup aderyn semgrep

# Rust toolchain (optional — needed for Aderyn static analyser)
rustup-init

# Foundry (forge — downloads verified contract source code)
curl -L https://foundry.paradigm.xyz | bash
foundryup

# Install Slither using Python uv packaging tool
uv sync

# Install a Solidity compiler Slither can use
SOLIDITY_VERSION=0.8.34 && uv run solc-select install $SOLIDITY_VERSION && uv run solc-select use $SOLIDITY_VERSION

Get a report that everything is correctly installed:

scripts/check-prerequisites.sh

Then create env.sh from the example and edit it to include the necessary blockchain RPC endpoints, Etherscan API keys and such:

cp env.sh.example env.sh

You need to add RPC endpoints for the chains where the contracts are deployed, and then any other API keys, like Etherscan, that may be needed to read the verified smart contract source code:

export JSON_RPC_ETHEREUM=
export ETHERSCAN_API_KEY=

The skill pipelines won't work without RPC endpoints for the chains we are going to read, as we are auditing deployed contracts and their variable values. For reading the source code, we prefer open Sourcify over proprietary paid Etherscan, but because of the history of proprietary tooling, fetching verified source code may still require an Etherscan API key. Use Chainlist to get free RPC node APIs if needed. env.sh holds these keys, so keep it out of version control, and prefer https:// endpoints so that provider keys embedded in RPC URLs are not sent in plaintext.

Linux

Tested on Arch Linux. Adapt the package manager commands for your distribution (e.g. apt on Debian/Ubuntu, dnf on Fedora).

Arch Linux

# Python 3.11+, Node 22+, and base dependencies
sudo pacman -S --needed python nodejs npm git base-devel

# uv (Python package manager)
curl -LsSf https://astral.sh/uv/install.sh | sh
source ~/.local/bin/env  # or restart your shell

# Rust toolchain (optional — needed for Aderyn static analyser)
sudo pacman -S --needed rustup
rustup default stable

# Foundry (forge — downloads verified contract source code)
curl -L https://foundry.paradigm.xyz | bash
foundryup

# Aderyn (optional — Solidity static analyser by Cyfrin)
cargo install aderyn

# Install Python packages (Slither, semgrep, web3, etc.)
uv sync

# Install a Solidity compiler Slither can use
SOLIDITY_VERSION=0.8.34 && uv run solc-select install $SOLIDITY_VERSION && uv run solc-select use $SOLIDITY_VERSION

Debian / Ubuntu

# Python 3.11+, Node 22+, and base dependencies
# (distribution nodejs packages are often older than 22; check `node --version` and use NodeSource or nvm if needed)
sudo apt update && sudo apt install -y python3 python3-venv nodejs npm git build-essential curl

# uv (Python package manager)
curl -LsSf https://astral.sh/uv/install.sh | sh
source ~/.local/bin/env

# Rust toolchain (optional — needed for Aderyn static analyser)
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source ~/.cargo/env

# Foundry (forge — downloads verified contract source code)
curl -L https://foundry.paradigm.xyz | bash
foundryup

# Aderyn (optional)
cargo install aderyn

# Install Python packages
uv sync

# Install a Solidity compiler Slither can use
SOLIDITY_VERSION=0.8.34 && uv run solc-select install $SOLIDITY_VERSION && uv run solc-select use $SOLIDITY_VERSION

Windows

Unsupported.

Usage

Open this repository in Claude Code/Codex/Visual Studio Code.

Use the skill by pointing it to a smart contract on a blockchain explorer:

/openaudit https://etherscan.io/address/0x657d9ABA1DBb59e53f9F3eCAA878447dCfC96dCb

Your AI agent will start working on this.

When it is finished, the summary and the per-pipeline reports are written to the out folder.

Understanding the audit pipelines

OpenAudit runs two categories of pipelines against the source code:

Static analysis tools (Slither, Aderyn, Semgrep) — external binaries that scan the source code
and produce machine-readable output. These catch common vulnerability patterns, unsafe coding
practices, and compiler-level issues automatically.

AI-driven methodology skills (pashov, kadenzipfel, forefy, quillai, auditmos, trailofbits,
archethect, cyfrin) — structured markdown prompts that the AI agent reads and follows step by
step. Each skill contains vulnerability databases, attack vector references, or protocol-specific
checklists. The AI agent analyzes the source code against these patterns using its own reasoning.
No external tools are needed for these — they leverage the AI's ability to understand code semantics.

Running all pipelines provides defense-in-depth: static tools catch syntactic patterns that AI may
overlook, while AI-driven skills catch business logic bugs, economic exploits, and cross-contract
issues that static analysis cannot reason about.

For the full list of 10 pipelines with exact invocation instructions, see
skills/openaudit/audit-pipeline-reference.md.
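Running ten pipelines over one contract produces the same bug many times under different names and severities, so the value of the final summary depends on the deduplication and cross-reference step (step 7 in How it works). The block below is an added example, not OpenAudit's own code, of how that merge can be done: findings are normalised to a (category, contract, function) key, the highest reported severity wins, and every pipeline that reported the issue is recorded so corroborated findings sort first. The `Finding` shape, the alias table and the sample findings are constructed for the example; real Slither, Aderyn or Semgrep output would be mapped into `Finding` first.

```python
import re
from dataclasses import dataclass, field

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    pipeline: str      # which pipeline reported it, e.g. "slither", "trailofbits"
    category: str      # the tool's own label for the issue class
    contract: str
    function: str
    severity: str
    title: str


@dataclass
class Merged:
    category: str
    contract: str
    function: str
    severity: str
    reported_by: list = field(default_factory=list)
    titles: list = field(default_factory=list)


# Different pipelines label the same issue class differently; map them onto one key.
# Constructed alias table; extend it as new pipelines are added.
CATEGORY_ALIASES = {
    r"re-?entran": "reentrancy",
    r"access[- ]control|missing.*only ?owner|unprotected": "access-control",
    r"tx\.?origin": "tx-origin",
    r"unchecked.*(call|return)": "unchecked-call",
}


def normalise_category(raw: str) -> str:
    text = raw.lower()
    for pattern, key in CATEGORY_ALIASES.items():
        if re.search(pattern, text):
            return key
    return re.sub(r"[^a-z0-9]+", "-", text).strip("-")   # unknown label: slugify, still deduplicates exact repeats


def dedup_key(f: Finding) -> tuple:
    return (normalise_category(f.category), f.contract.lower(), f.function.lower())


def merge_findings(findings: list) -> list:
    """Group by (category, contract, function); keep the highest severity and every reporter."""
    groups: dict = {}
    for f in findings:
        key = dedup_key(f)
        m = groups.get(key)
        if m is None:
            m = groups[key] = Merged(key[0], f.contract, f.function, f.severity.lower())
        if SEVERITY_RANK.get(f.severity.lower(), -1) > SEVERITY_RANK.get(m.severity, -1):
            m.severity = f.severity.lower()
        if f.pipeline not in m.reported_by:
            m.reported_by.append(f.pipeline)
        if f.title not in m.titles:
            m.titles.append(f.title)
    # Corroborated findings first (more reporters), then by severity, then by name for a stable order.
    return sorted(groups.values(),
                  key=lambda m: (-len(m.reported_by), -SEVERITY_RANK.get(m.severity, -1), m.category))


def demo() -> list:
    """Constructed findings from five pipelines over one imaginary Vault contract."""
    sample = [
        Finding("slither", "reentrancy-eth", "Vault", "withdraw", "high", "Reentrancy in Vault.withdraw"),
        Finding("aderyn", "Re-entrancy", "Vault", "withdraw", "medium", "State change after external call"),
        Finding("trailofbits", "Reentrancy", "vault", "Withdraw", "critical", "withdraw can be re-entered to drain funds"),
        Finding("semgrep", "tx.origin used for auth", "Vault", "setOwner", "medium", "tx.origin authentication"),
        Finding("pashov", "Missing onlyOwner modifier", "Vault", "setFee", "high", "setFee lacks access control"),
    ]
    return merge_findings(sample)


if __name__ == "__main__":
    for m in demo():
        print(f"[{m.severity}] {m.category} {m.contract}.{m.function} reported by {', '.join(m.reported_by)}")
```

Keying on contract and function rather than on the tool's title is what makes the cross-reference work: three pipelines describing the same withdraw reentrancy with three different titles collapse into one finding with three reporters, while the two single-reporter findings survive separately.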

Examples

See the YieldNest OpenAudit report example and its deployment findings for weaknesses in controls.

Configuration

The skill has been taught to read multiple blockchains using Python and Web3.py.
See here how the blockchain RPCs are configured, e.g. JSON_RPC_ARBITRUM for Arbitrum RPCs.

Use env.sh to source the RPC API keys and such that the skills need.

You can use get-block-number skill to test RPCs:

/get-block-number arbitrum

Should give you:

Chain: Arbitrum
Latest block number: 439,218,227
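The block-number check is the smallest end-to-end test of the RPC configuration, so it is worth seeing what it has to get right. The following is an added example, not OpenAudit's own get-block-number skill: it resolves the JSON_RPC_<CHAIN> variable for a chain name, rejects a missing or non-http(s) endpoint with a clear error, flags plain-http endpoints (a provider key in the URL would travel unencrypted), sends eth_blockNumber over raw JSON-RPC with the standard library, and surfaces a JSON-RPC error instead of silently reading it as block 0. Only `latest_block` touches the network; the parsing and resolution logic runs offline, and the URL in the notes is a placeholder.

```python
import json
import os
import urllib.request
from typing import Mapping, Optional
from urllib.parse import urlparse


def rpc_env_name(chain: str) -> str:
    """'arbitrum' -> 'JSON_RPC_ARBITRUM'; dashes and spaces become underscores."""
    return "JSON_RPC_" + chain.strip().replace("-", "_").replace(" ", "_").upper()


def rpc_url_for(chain: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Look the endpoint up in env (defaults to os.environ) and fail loudly when it is missing or malformed."""
    env = os.environ if env is None else env
    name = rpc_env_name(chain)
    url = env.get(name, "").strip()
    if not url:
        raise KeyError(f"{name} is not set; export it in env.sh (Chainlist lists public endpoints)")
    if urlparse(url).scheme not in ("https", "http"):
        raise ValueError(f"{name} must be an http(s) URL, got {url!r}")
    return url


def plaintext_endpoint(url: str) -> bool:
    """True for http:// endpoints: provider keys embedded in the URL then travel unencrypted."""
    return urlparse(url).scheme == "http"


def parse_block_number(response: dict) -> int:
    """Decode an eth_blockNumber reply; a JSON-RPC error object is raised rather than read as block 0."""
    if "error" in response:
        raise RuntimeError(f"RPC error: {response['error']}")
    result = response.get("result")
    if not isinstance(result, str) or not result.startswith("0x"):
        raise ValueError(f"unexpected eth_blockNumber result {result!r}")
    return int(result, 16)


def latest_block(chain: str, env: Optional[Mapping[str, str]] = None, timeout: float = 10.0) -> int:
    """Network call: POST eth_blockNumber to the configured endpoint."""
    url = rpc_url_for(chain, env)
    payload = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_blockNumber", "params": []}).encode()
    request = urllib.request.Request(url, data=payload, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return parse_block_number(json.load(resp))


def format_report(chain: str, block: int) -> str:
    """Same two-line shape as the /get-block-number output shown above."""
    return f"Chain: {chain.capitalize()}\nLatest block number: {block:,}"


if __name__ == "__main__":
    import sys
    chain = sys.argv[1] if len(sys.argv) > 1 else "ethereum"
    url = rpc_url_for(chain)
    if plaintext_endpoint(url):
        print(f"warning: {rpc_env_name(chain)} uses plain http", file=sys.stderr)
    print(format_report(chain, latest_block(chain)))
```

Run it as `python rpc_check.py arbitrum` after sourcing env.sh (the file name is an assumption); the output has the same shape as the /get-block-number result shown above.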


License

MIT.

Created by Trading Strategy.
