Integration Contract Auditor Pro — v1.0 Release Notes
Released: 2026-05-04
Last security re-audit: 2026-05-07
Version: 1.0
Category: Developer Tools
Price: $4.99 (one-time)
What is New in v1.0
First public release of Integration Contract Auditor Pro.
Features
- Preflight any OpenClaw skill, plugin, MCP/tool wrapper, or integration repo before publishing, upgrading, or QA handoff
- Contract inventory: automatically discovers OpenAPI schemas, JSON/YAML manifests, package.json, tool contracts, and SKILL.md
- SKILL.md frontmatter validation: checks required
nameanddescriptionfields are present and correctly formatted - Broken reference detection: finds every script path referenced in SKILL.md that does not exist on disk
- Environment variable documentation check: detects
process.envandos.environusage and warns when no.env.exampleorENVIRONMENT.mdis present - Stale contract marker detection: flags TODO, FIXME,
any,unknown,snapshot,stale, anddeprecatedmarkers in contract/schema/manifest files --strictmode: promotes all warnings to release blockers for release candidate preflights- Dual output formats: markdown (human-readable with grouped findings) and JSON (for CI pipelines and downstream tooling)
- Clear PASS / WARN / FAIL status with exact file paths, messages, and suggested fixes for every finding
- Non-destructive read-only scan: never modifies any file
Security Boundary
- User-supplied path only; no access to MEMORY.md, USER.md, SOUL.md, openclaw.json, or fixed sensitive paths
- No subprocess execution, no network calls, no eval/exec, no shell access
- stdlib-only (argparse, json, re, pathlib — no pip installs required)
- All findings reference file evidence, not assumed values
Usage
# Markdown report (default)
python3 scripts/audit_contracts.py /path/to/skill-or-repo
# JSON output for CI pipelines
python3 scripts/audit_contracts.py /path/to/skill-or-repo --format json
# Strict mode — warnings become release blockers
python3 scripts/audit_contracts.py /path/to/skill-or-repo --strict
# Typical pre-publish workflow
python3 scripts/audit_contracts.py /path/to/skill-or-repo --format markdown --strict
Output
- PASS: No blocking findings; optional warnings present or absent
- WARN: One or more warnings; no hard errors (review before publishing)
- FAIL: One or more errors (missing scripts, bad frontmatter, no contract files) — fix before publishing
Exit status: 0 for PASS/WARN, 1 for FAIL.
Security & QA History
- Viper: APPROVED_FOR_RELEASE (5/5 tests passed — 2026-05-04)
- Warlock: SECURITY_CLEARED (2026-05-04) — initial clearance
- Warlock re-audit (2026-05-05): SECURITY_CLEARED — sensitive file exclusion + is_sensitive() guard added; content reads restricted to contract/manifest/SKILL files only; py_compile PASS; functional test PASS
- Warlock re-audit (2026-05-06): SECURITY_CLEARED — confirmed no subprocess/network/eval/exec; process.env/os.environ strings are detector text only (false positive confirmed); SENSITIVE_NAMES frozenset excludes MEMORY.md/USER.md/SOUL.md/.env/credential files; openclaw.json excluded; py_compile PASS; functional test PASS
- Warlock re-audit (2026-05-07): SECURITY_CLEARED — warlock-audit CLEARED (YELLOW pathlib FP only, no blocking issues); sensitive file exclusion + is_sensitive() guard confirmed; content reads restricted to contract/manifest/SKILL files only; py_compile PASS; functional test PASS
Requirements
- Python 3.8+ (stdlib only — no pip installs)
- OpenClaw v2026.3.23 or later
- No API keys required