CtrlK
BlogDocsLog inGet started
Tessl Logo

web3-testing

Test smart contracts comprehensively using Hardhat and Foundry with unit tests, integration tests, and mainnet forking. Use when testing Solidity contracts, setting up blockchain test suites, or validating DeFi protocols.

82

1.19x
Quality

64%

Does it follow best practices?

Impact

92%

1.19x

Average score across 6 eval scenarios

SecuritybySnyk

Advisory

Suggest reviewing before use

Optimize this skill with Tessl

npx tessl skill review --optimize ./plugins/blockchain-web3/skills/web3-testing/SKILL.md
SKILL.md
Quality
Evals
Security

Security

2 findings — 2 medium severity. This skill can be installed but you should review these findings before use.

Medium

W011: Third-party content exposure detected (indirect prompt injection risk)

What this means

The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.

Why it was flagged

Third-party content exposure detected (high risk: 0.70). The skill explicitly forks and queries mainnet using third‑party RPC endpoints (e.g., vm.createSelectFork("https://eth-mainnet.alchemyapi.io/v2/...") and network.provider.request with jsonRpcUrl/process.env.MAINNET_RPC_URL) and interacts with public on-chain contracts (e.g., Uniswap, DAI), which are untrusted, user-generated third‑party data that the agent reads and uses to drive test logic and actions.

Report incorrect finding
Medium

W009: Direct money access capability detected (payment gateways, crypto, banking)

What this means

The skill is specifically designed for direct financial operations, giving the agent the ability to move money or execute financial transactions — such as payment processing, cryptocurrency operations, banking integrations, or market order execution.

Why it was flagged

Direct money access detected (high risk: 1.00). The skill is explicitly tailored to blockchain/DeFi development and includes concrete crypto execution capabilities: it shows using a PRIVATE_KEY in network accounts, invoking token.transfer and ERC20 interactions, performing Uniswap swaps (mainnet fork), impersonating accounts to move tokens, and using RPC/mainnet forking. These are explicit crypto/blockchain actions (wallet signing, swaps, token transfers) rather than generic tooling, so it grants direct financial execution capability.

Report incorrect finding
Repository
wshobson/agents
Commit

70444e5

Audited
Security analysis
Snyk

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.

Claim skill