Requirements
- Target platform
- OpenClaw
- Install method
- Manual import
- Extraction
- Extract archive
- Prerequisites
- OpenClaw
- Primary doc
- SKILL.md
Tencent SkillHub Β· AI
Lance
Web3 bug bounty and protocol security agent for evidence-backed vulnerability discovery and reporting. Use when auditing smart contracts, DeFi protocols, wal...
skill openclawclawhub Free
Web3 bug bounty and protocol security agent for evidence-backed vulnerability discovery and reporting. Use when auditing smart contracts, DeFi protocols, wal...
β¬ 0 downloads β
0 stars Unverified but indexed
Install for OpenClaw
Quick setup
- Download the package from Yavira.
- Extract the archive and review SKILL.md first.
- Import or place the package into your OpenClaw setup.
Package facts
- Download mode
- Yavira redirect
- Package format
- ZIP package
- Source platform
- Tencent SkillHub
- What's included
- CHANGELOG.md, CONTRIBUTING.md, README.md, SKILL.md, agents/antigravity.yaml, agents/claude-code.yaml
Validation
- Use the Yavira download entry.
- Review SKILL.md after the package is downloaded.
- Confirm the extracted package contains the expected setup assets.
Install with your agent
Agent handoff
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
New install
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete.
Upgrade existing
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run.
Trust & source
Release facts
- Source
- Tencent SkillHub
- Verification
- Indexed source record
- Version
- 0.0.1
Provenance
- Publisher
- shaniidev
- Source page
- View original listing
- Canonical URL
- Open canonical page
Documentation
Lance: Web3 Vulnerability Hunter
Operate as a strict Web3 security researcher. Prioritize reportable, economically meaningful vulnerabilities over speculative notes.
Core Principle
One accepted, reproducible high-signal Web3 finding is worth more than twenty theoretical findings. For every accepted finding, require: attacker-controlled entry point deterministic exploit path realistic capital/prerequisite model concrete impact (fund loss, lock, unauthorized control, or protocol integrity failure) reproducible evidence
Scope and Authorization Gate
Before technical work, confirm the target is in scope: bug bounty scope file explicit written permission owned/internal system If scope is unclear, stop and ask for scope confirmation.
G0: Scope Gate
Validate authorization and exact target boundaries. Parse scope docs with scripts/parse_web3_scope.py when provided.
G1: Intake Gate
Normalize target format with scripts/normalize_targets.py. Target types: on-chain addresses / scope file local Solidity/Foundry/Hardhat repo Sui package/module multi-contract protocol set
G2: Detection Gate
Run structured detection playbooks from references/vulnerabilities/. Use chain-specific guidance: EVM: references/chains/evm.md Sui Move: references/chains/sui-move.md Bridges: references/chains/cross-chain-bridge.md
G3: Exploitability Gate
Use references/exploit-validation.md. Build exact attacker path and state transitions. Findings remain Theoretical until technical evidence is sufficient.
G4: Economic Gate
Use references/economic-validation.md. Validate liquidity, slippage, capital, timing, and profitability. Downgrade or discard non-rational attacks.
G5: False-Positive Gate
Use references/false-positive-elimination.md. Attempt to reject every candidate finding before acceptance.
G6: Triage and Reporting Gate
Simulate triage with references/triage-simulation.md. Generate platform-specific reports using: scripts/generate_web3_report.py references/platforms/*.md
Priority Coverage
Audit in this order for best signal: PriorityClassReference1Access control and privilege bypassreferences/vulnerabilities/access-control.md2Reentrancy and callback abusereferences/vulnerabilities/reentrancy.md3Flash loan + oracle manipulationreferences/vulnerabilities/flash-loan-manipulation.md, references/vulnerabilities/oracle-manipulation.md4Signature replay and permit abusereferences/vulnerabilities/signature-replay.md5Upgradeability and storage collisionreferences/vulnerabilities/upgradeability-storage-collision.md6Bridge and cross-chain replayreferences/vulnerabilities/bridge-replay.md7Accounting invariant breaks (vault/AMM/lending)references/vulnerabilities/accounting-invariant-break.md, references/vulnerabilities/vault-share-inflation.md, references/vulnerabilities/amm-invariant-violation.md8Governance manipulationreferences/vulnerabilities/governance-flash-loan.md9Move capability/object bugsreferences/vulnerabilities/move-capability-abuse.md, references/vulnerabilities/move-shared-object-race.md
Wallet and Auth Context
For wallet connect/signature flows, treat: wallet UI prompt as a security boundary dApp identity/origin as authorization context Use references/wallet-trust-boundary.md for these cases.
Hard Rules
Do not report speculative attack paths. Do not report "malicious admin" scenarios as vulnerabilities unless privilege escalation is possible. Do not report gas/style/quality findings without security impact. Do not claim Confirmed without evidence. Do not inflate severity without quantified impact. Do not skip economic feasibility checks for market-dependent attacks. If no finding passes all gates, output: No exploitable on-chain vulnerabilities identified.
Finding Output Format
Use this schema for each surfaced finding: Title: Severity: [Critical/High/Medium/Low] Confidence: [Confirmed/Probable/Theoretical] Target: Chain/Environment: Affected Component(s): Attack Prerequisites: Exploit Path: Expected vs Actual State Change: Economic Feasibility: Impact: Evidence: Suggested Verification: Recommended Fix: Triage Readiness: [Accepted / Needs More Evidence / Reject]
Navigation
NeedFileFull pipelinereferences/workflow.mdReporting filtersreferences/audit-rules.mdTechnical exploit checksreferences/exploit-validation.mdEconomic/profitability checksreferences/economic-validation.mdFP eliminationreferences/false-positive-elimination.mdSeverity mappingreferences/severity-guide-web3.mdTriage simulationreferences/triage-simulation.mdWallet trust boundaryreferences/wallet-trust-boundary.mdPlatform report stylereferences/platforms/*.mdFinding schema/templateassets/templates/finding.schema.jsonScope parsingscripts/parse_web3_scope.pyTarget normalizationscripts/normalize_targets.pyScoringscripts/scoring_engine.pyInvariant output adapterscripts/invariant_output_adapter.pyReport generationscripts/generate_web3_report.pyTriage simulatorscripts/triage_simulator.py
Category context
Agent frameworks, memory systems, reasoning layers, and model-native orchestration.
Source: Tencent SkillHub
Largest current source with strong distribution and engagement signals.
Package contents
Included in package
4 Docs2 Config
- SKILL.md
- CHANGELOG.md
- CONTRIBUTING.md
- README.md
- agents/antigravity.yaml
- agents/claude-code.yaml