npm package discovery and stats viewer.


© 2026 – Pkg Stats / Ryan Hefner

krait

v0.1.0

Published

Solidity security audit CLI powered by Claude. 90% precision across 40 blind Code4rena contests.

Readme

Krait — Solidity Security Audit Skills for Claude Code

Silent. Precise. Lethal.

Claude Code skills for Solidity smart contract security auditing. Type /krait in any Solidity project → structured audit with concrete exploit traces, zero API cost. Built by Zealynx Security.

| | |
|---|---|
| Technology | Solidity |
| Platform | Claude Code (skills + commands) |
| Cost | Zero — uses your Claude subscription |
| Precision | 90% across 40 blind Code4rena contests |
| Install | Copy to ~/.claude/ and /krait works everywhere |

The methodology lives in .claude/skills/ and .claude/commands/ as structured prompts that Claude Code executes. No external API calls, no separate tool — just Claude, guided by 40 contests worth of battle-tested detection heuristics.


What Makes Krait Different

Most AI audit tools do: scan code → report findings. One pass, no verification, no benchmarks.

Benchmarked Against 40 Real Contests

No other AI audit tool publishes precision/recall against real competitions. Krait has been blind-tested against 40 Code4rena contests:

v6.4 (latest):  90% precision · 0.2 FPs/contest · 4/5 contests at 100% precision

| Version | Contests | Precision | FPs/Contest |
|---------|----------|-----------|-------------|
| v1 | 1–3 | 12% | 1.3 |
| v5 | 31–35 | 70% | 0.6 |
| v6.4 | 36–40 | 90% | 0.2 |

Latest (v6.4) contest-by-contest:

| Contest | Type | Official H+M | TPs | FPs | Precision |
|---------|------|-------------|-----|-----|-----------|
| LoopFi | Lending/Looping | 45 | 2 | 0 | 100% |
| DittoETH | Stablecoin/OrderBook | 16 | 1 | 1 | 50% |
| Phi | Social/NFT | 15 | 1 | 0 | 100% |
| Vultisig | ILO/Token | 6 | 2 | 0 | 100% |
| Predy | DeFi Derivatives | 12 | 1 | 0 | 100% |

Every result is verifiable in shadow-audits/.

Verification Phase (Kill Gates)

Eight automatic gates try to disprove every finding before it reaches you. They've never killed a true positive across 40 contests:

  • A: Generic best practice ("use SafeERC20")
  • B: Theoretical/unrealistic
  • C: Intentional design
  • D: Speculative (no WHO/WHAT/HOW MUCH)
  • E: Admin trust
  • F: Dust (<$100)
  • G: Out of context
  • H: Known issue

Result: FPs dropped from 4.2/contest → 0.2/contest (95% reduction).

Self-Improving

After each blind test: score → root-cause every miss → update methodology → re-test. This loop produced 50+ heuristics, 30 modules, and 7 protocol-specific primers from real missed findings.

Four-Phase Pipeline

| Phase | What It Does |
|-------|-------------|
| Recon | Architecture map, deterministic file risk scoring, protocol primer selection |
| Detection | Three passes × 4 parallel lenses on highest-risk files |
| State Analysis | Coupled state pairs, mutation matrix — catches sync bugs scanning misses |
| Verification | Kill gates + concrete exploit trace required for every H/M |

Dual-Engine Architecture

Two complementary engines sharing the same knowledge base:

  • CLI Agent (this repo): 4-phase adversarial pipeline for security researchers who want automated vulnerability analysis with concrete exploit traces.
  • Web Platform (krait.zealynx.io): Protocol-specific security assessment — 39 DeFi verticals, 845+ checks, smart filtering, auto-generated architectural observations, branded exportable reports.

Real Bugs Found (Blind)

  • AuraVault claim double-spend (LoopFi H-401) — fees not deducted, draining vault
  • UniV3 fee drain via shared position (Vultisig H-43) — first claimer steals all fees
  • ILO launch DoS (Vultisig H-41) — slot0 manipulation blocks all launches
  • Public internals → permanent fund lock (Phi H-51) — state corruption locks ETH
  • Both HIGHs (Munchables) — lockOnBehalf griefing + early unlock, 100% precision
  • Assembly encoding bug (DittoETH M-221) — `add` used where `and` was intended, corrupting data
  • ERC4626 inflation (Basin), reentrancy (reNFT), EIP-712 mismatch (reNFT), oracle precision (Dopex), TVL error (Renzo)

Detection Coverage

Strong on: Reentrancy/CEI, access control gaps, oracle issues, EIP/ERC compliance, first-depositor inflation, accounting errors, assembly bugs, pause bypasses

Improving: Complex math (CDP liquidation, options pricing), cross-chain edge cases, game mechanic exploits, protocol-specific integrations (Curve, UniV3 tick math), economic design flaws


Installation

Claude Code Skills (Recommended — Zero Cost)

Install Krait's skills and commands into your global Claude Code directory:

```bash
git clone https://github.com/ZealynxSecurity/krait.git
mkdir -p ~/.claude/commands ~/.claude/skills
cp -r krait/.claude/commands/* ~/.claude/commands/
cp -r krait/.claude/skills/* ~/.claude/skills/
```

Then open Claude Code in any Solidity project and run:

```text
/krait                  # Full 4-phase audit
/krait-quick            # Fast mode (skips state analysis)
```

Individual phases: /krait-recon · /krait-detect · /krait-state · /krait-critic · /krait-report

To update to the latest methodology:

```bash
cd krait && git pull
cp -r .claude/commands/* ~/.claude/commands/
cp -r .claude/skills/* ~/.claude/skills/
```

Works with Claude Code CLI, VS Code extension, and Cursor. Once installed, /krait is available in every project — no per-project setup needed.

CLI (API-Powered — Development)

For automated batch processing via the Anthropic API:

```bash
git clone https://github.com/ZealynxSecurity/krait.git
cd krait && npm install && npm run build
export ANTHROPIC_API_KEY=your-key-here
node dist/cli.js audit /path/to/project          # Full audit
node dist/cli.js audit /path/to/project --quick  # Fast mode
node dist/cli.js audit /path/to/project --dry-run # Preview without API calls
node dist/cli.js patterns                         # List loaded patterns
```

The CLI is not yet published to npm. For now, clone and build locally.


Project Status

| Component | Status |
|-----------|--------|
| Claude Code skills (4-phase audit) | Production |
| Kill gates + shadow benchmarking (40 contests) | Production |
| Detection primers (7 protocol types) | Production |
| Web assessment platform (39 verticals) | Live |
| CLI tool | Development |
| Multi-domain (Rust, TypeScript, AI) | Planned |


Author

Carlos Vendrell Felici — Founder, Zealynx Security · Twitter/X · GitHub

License

MIT © Zealynx Security