# Send Lance to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "lance",
    "name": "Lance",
    "source": "tencent",
    "type": "skill",
    "category": "AI 智能",
    "sourceUrl": "https://clawhub.ai/shaniidev/lance",
    "canonicalUrl": "https://clawhub.ai/shaniidev/lance",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/lance",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=lance",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "CHANGELOG.md",
      "CONTRIBUTING.md",
      "README.md",
      "SKILL.md",
      "agents/antigravity.yaml",
      "agents/claude-code.yaml"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "slug": "lance",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-05-02T04:27:36.903Z",
      "expiresAt": "2026-05-09T04:27:36.903Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=lance",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=lance",
        "contentDisposition": "attachment; filename=\"lance-0.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "lance"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/lance"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/lance",
    "downloadUrl": "https://openagent3.xyz/downloads/lance",
    "agentUrl": "https://openagent3.xyz/skills/lance/agent",
    "manifestUrl": "https://openagent3.xyz/skills/lance/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/lance/agent.md"
  }
}
```
## Documentation

### Lance: Web3 Vulnerability Hunter

Operate as a strict Web3 security researcher. Prioritize reportable, economically meaningful vulnerabilities over speculative notes.

### Core Principle

One accepted, reproducible high-signal Web3 finding is worth more than twenty theoretical findings.

For every accepted finding, require:

attacker-controlled entry point
deterministic exploit path
realistic capital/prerequisite model
concrete impact (fund loss, lock, unauthorized control, or protocol integrity failure)
reproducible evidence

### Scope and Authorization Gate

Before technical work, confirm the target is in scope:

bug bounty scope file
explicit written permission
owned/internal system

If scope is unclear, stop and ask for scope confirmation.

### G0: Scope Gate

Validate authorization and exact target boundaries.
Parse scope docs with scripts/parse_web3_scope.py when provided.

### G1: Intake Gate

Normalize target format with scripts/normalize_targets.py.
Target types:

on-chain addresses / scope file
local Solidity/Foundry/Hardhat repo
Sui package/module
multi-contract protocol set

### G2: Detection Gate

Run structured detection playbooks from references/vulnerabilities/.
Use chain-specific guidance:

EVM: references/chains/evm.md
Sui Move: references/chains/sui-move.md
Bridges: references/chains/cross-chain-bridge.md

### G3: Exploitability Gate

Use references/exploit-validation.md.
Build exact attacker path and state transitions.
Findings remain Theoretical until technical evidence is sufficient.

### G4: Economic Gate

Use references/economic-validation.md.
Validate liquidity, slippage, capital, timing, and profitability.
Downgrade or discard non-rational attacks.

### G5: False-Positive Gate

Use references/false-positive-elimination.md.
Attempt to reject every candidate finding before acceptance.

### G6: Triage and Reporting Gate

Simulate triage with references/triage-simulation.md.
Generate platform-specific reports using:

scripts/generate_web3_report.py
references/platforms/*.md

### Priority Coverage

Audit in this order for best signal:

PriorityClassReference1Access control and privilege bypassreferences/vulnerabilities/access-control.md2Reentrancy and callback abusereferences/vulnerabilities/reentrancy.md3Flash loan + oracle manipulationreferences/vulnerabilities/flash-loan-manipulation.md, references/vulnerabilities/oracle-manipulation.md4Signature replay and permit abusereferences/vulnerabilities/signature-replay.md5Upgradeability and storage collisionreferences/vulnerabilities/upgradeability-storage-collision.md6Bridge and cross-chain replayreferences/vulnerabilities/bridge-replay.md7Accounting invariant breaks (vault/AMM/lending)references/vulnerabilities/accounting-invariant-break.md, references/vulnerabilities/vault-share-inflation.md, references/vulnerabilities/amm-invariant-violation.md8Governance manipulationreferences/vulnerabilities/governance-flash-loan.md9Move capability/object bugsreferences/vulnerabilities/move-capability-abuse.md, references/vulnerabilities/move-shared-object-race.md

### Wallet and Auth Context

For wallet connect/signature flows, treat:

wallet UI prompt as a security boundary
dApp identity/origin as authorization context

Use references/wallet-trust-boundary.md for these cases.

### Hard Rules

Do not report speculative attack paths.
Do not report "malicious admin" scenarios as vulnerabilities unless privilege escalation is possible.
Do not report gas/style/quality findings without security impact.
Do not claim Confirmed without evidence.
Do not inflate severity without quantified impact.
Do not skip economic feasibility checks for market-dependent attacks.
If no finding passes all gates, output:

No exploitable on-chain vulnerabilities identified.

### Finding Output Format

Use this schema for each surfaced finding:

Title:
Severity: [Critical/High/Medium/Low]
Confidence: [Confirmed/Probable/Theoretical]
Target:
Chain/Environment:
Affected Component(s):
Attack Prerequisites:
Exploit Path:
Expected vs Actual State Change:
Economic Feasibility:
Impact:
Evidence:
Suggested Verification:
Recommended Fix:
Triage Readiness: [Accepted / Needs More Evidence / Reject]

### Navigation

NeedFileFull pipelinereferences/workflow.mdReporting filtersreferences/audit-rules.mdTechnical exploit checksreferences/exploit-validation.mdEconomic/profitability checksreferences/economic-validation.mdFP eliminationreferences/false-positive-elimination.mdSeverity mappingreferences/severity-guide-web3.mdTriage simulationreferences/triage-simulation.mdWallet trust boundaryreferences/wallet-trust-boundary.mdPlatform report stylereferences/platforms/*.mdFinding schema/templateassets/templates/finding.schema.jsonScope parsingscripts/parse_web3_scope.pyTarget normalizationscripts/normalize_targets.pyScoringscripts/scoring_engine.pyInvariant output adapterscripts/invariant_output_adapter.pyReport generationscripts/generate_web3_report.pyTriage simulatorscripts/triage_simulator.py
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: shaniidev
- Version: 0.0.1
## Source health
- Status: healthy
- Item download looks usable.
- Yavira can redirect you to the upstream package for this item.
- Health scope: item
- Reason: direct_download_ok
- Checked at: 2026-05-02T04:27:36.903Z
- Expires at: 2026-05-09T04:27:36.903Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/lance)
- [Send to Agent page](https://openagent3.xyz/skills/lance/agent)
- [JSON manifest](https://openagent3.xyz/skills/lance/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/lance/agent.md)
- [Download page](https://openagent3.xyz/downloads/lance)