Scans Algorand smart contracts for 11 common vulnerabilities including rekeying attacks, unchecked transaction fees, missing field validations, and access control issues. Use when auditing Algorand projects (TEAL/PyTeal).
Source: plugins/building-secure-contracts/skills/algorand-vulnerability-scanner/SKILL.md (trailofbits/skills on GitHub)
February 1, 2026
Install:
```shell
npx add-skill https://github.com/trailofbits/skills/blob/main/plugins/building-secure-contracts/skills/algorand-vulnerability-scanner/SKILL.md -a claude-code --skill algorand-vulnerability-scanner
```
Installation path: `.claude/skills/algorand-vulnerability-scanner/`
# Algorand Vulnerability Scanner
## 1. Purpose
Systematically scan Algorand smart contracts (TEAL and PyTeal) for platform-specific security vulnerabilities documented in Trail of Bits' "Not So Smart Contracts" database. This skill encodes 11 critical vulnerability patterns unique to Algorand's transaction model.
## 2. When to Use This Skill
- Auditing Algorand smart contracts (stateful applications or smart signatures)
- Reviewing TEAL assembly or PyTeal code
- Pre-audit security assessment of Algorand projects
- Validating fixes for reported Algorand vulnerabilities
- Training team on Algorand-specific security patterns
## 3. Platform Detection
### File Extensions & Indicators
- **TEAL files**: `.teal`
- **PyTeal files**: `.py` with PyTeal imports
### Language/Framework Markers
```python
# PyTeal indicators
from pyteal import *
from algosdk import *
# Common patterns
Txn, Gtxn, Global, InnerTxnBuilder
OnComplete, ApplicationCall, TxnType
@router.method, @Subroutine
```
### Project Structure
- `approval_program.py` / `clear_program.py`
- `contract.teal` / `signature.teal`
- References to Algorand SDK or Beaker framework
### Tool Support
- **Tealer**: Trail of Bits static analyzer for Algorand (control-flow-based detectors, so it catches fields that are checked on one path but not another)
  - Installation: `pip3 install tealer`
  - Usage: `tealer contract.teal --detect all` (flags vary between Tealer releases; check `tealer --help` for the installed version)
---
## 4. How This Skill Works
When invoked, I will:
1. **Search your codebase** for TEAL/PyTeal files
2. **Analyze each file** for the 11 vulnerability patterns
3. **Report findings** with file references and severity
4. **Provide fixes** for each identified issue
5. **Run Tealer** (if installed) for automated detection
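As an added illustration of step 2, here is a minimal heuristic scanner written for this page; it is not the skill's own logic and not Tealer. It flags a TEAL smart signature that never reads the transaction fields the rekeying, closing-account, closing-asset, unchecked-fee and unchecked-type patterns depend on. Both TEAL programs are constructed samples, the receiver address is a placeholder, and the `REQUIRED_FIELDS` table and message texts are this example's own choices.

```python
"""Heuristic scanner for missing transaction-field checks in TEAL smart
signatures. Added example for this page, not code from the Trail of Bits
skill or from Tealer. It is a text-level heuristic, not a control-flow
analysis: a field read on one path but not on another still passes."""

# Transaction fields a delegated smart signature should constrain before it
# approves. Each message names the Not So Smart Contracts pattern it maps to.
REQUIRED_FIELDS = {
    "TypeEnum": "unchecked transaction type: TypeEnum never compared",
    "RekeyTo": "rekeying: RekeyTo never checked against ZeroAddress",
    "CloseRemainderTo": "closing account: CloseRemainderTo never checked",
    "AssetCloseTo": "closing asset: AssetCloseTo never checked",
    "Fee": "unchecked transaction fee: Fee never bounded",
}


def referenced_fields(teal: str) -> set:
    """Collect transaction fields read through txn / gtxn / gtxns opcodes."""
    fields = set()
    for raw in teal.splitlines():
        line = raw.split("//", 1)[0].strip()  # strip TEAL comments
        if not line:
            continue
        tokens = line.split()
        op = tokens[0]
        if op in ("txn", "gtxns") and len(tokens) >= 2:
            fields.add(tokens[1])  # e.g. "txn RekeyTo"
        elif op == "gtxn" and len(tokens) >= 3:
            fields.add(tokens[2])  # e.g. "gtxn 0 Fee"
    return fields


def scan(teal: str) -> list:
    """Return one finding per required field the program never reads."""
    seen = referenced_fields(teal)
    return [msg for field, msg in REQUIRED_FIELDS.items() if field not in seen]


# Constructed sample: a delegated signature that only pins the payment's
# type, receiver and amount. The receiver address is a placeholder.
VULNERABLE_SIG = """#pragma version 6
txn TypeEnum
int pay
==
txn Receiver
addr 7777777777777777777777777777777777777777777777777774MSJUVU
==
&&
txn Amount
int 1000000
<=
&&
"""

# Same signature with the fields a smart signature must also pin down.
HARDENED_SIG = VULNERABLE_SIG + """txn RekeyTo
global ZeroAddress
==
&&
txn CloseRemainderTo
global ZeroAddress
==
&&
txn AssetCloseTo
global ZeroAddress
==
&&
txn Fee
int 1000
<=
&&
"""

if __name__ == "__main__":
    for name, program in (("vulnerable", VULNERABLE_SIG), ("hardened", HARDENED_SIG)):
        findings = scan(program)
        print(f"{name}: {len(findings)} finding(s)")
        for msg in findings:
            print("  [HIGH]", msg)
```

The vulnerable sample yields four findings (RekeyTo, CloseRemainderTo, AssetCloseTo, Fee) and the hardened one yields none. Treat the result as triage input only: presence of `txn RekeyTo` says nothing about whether the comparison is reached on every approving path, which is the analysis Tealer's detectors do on the program's CFG.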
---
## 5. Example Output
When vulnerabilities are found, you'll get a report like this:
```
=== ALGORAND VULNERABILITY SCAN RESULTS ===
Project: my-algorand-dapp
Files Scanned: 3 (.teal, .py)
Vulnerabilities Found: 2
---
[CRITICAL] Rekeying Attack
File: contracts/approval.py:45
Pattern: Missing RekeyTo validation
Code:
If(Txn.type_enum() == TxnType.Paym