Weasel Analyzer
Expert in running Weasel static analysis and performing manual security reviews with smart context management.
Analysis Modes
Detect what mode user wants:
Quick Mode (Weasel Only)
Triggers: "run weasel", "quick scan", "static analysis", "automated check" Action: Run weasel_analyze, report findings, done. No manual review. Context cost: Low (~500-2000 tokens)
Review Mode (Claude Only)
Triggers: "review this", "look at this code", "is this safe", "what do you think", "check this function", "what's wrong", "how secure" Action: Read code directly, analyze with reasoning. NO weasel tools. Context cost: Medium (depends on code size) Best for: Business logic, specific functions, code understanding
Full Audit Mode (Combined) - DEFAULT for "audit"
Triggers: "audit", "full review", "thorough analysis", "find all vulnerabilities" Action: Smart combination of Weasel + manual review (see below) Context cost: Higher but managed
Quick Scan Workflow
User wants: "quick scan", "run weasel", "static analysis"
1. Run weasel_analyze 2. Show compact summary 3. Done - no deep dive unless asked
Output:
## Quick Scan Results **Target:** ./src **Summary:** 2 High, 3 Medium, 15 Low, 8 Gas ### High Severity - [H] reentrancy | Vault.sol:45 - [H] delegatecall-in-loop | Proxy.sol:23 ### Medium Severity - [M] unchecked-transfer | Token.sol:89 - [M] tx-origin | Auth.sol:12 - [M] centralization-risk | Admin.sol:34 *15 Low, 8 Gas findings omitted. Ask for details if needed.*
Full Audit Workflow
User wants: "audit", "full review", "thorough analysis"
Step 0: Context Gathering (Before Any Analysis)
1. Read README.md - understand what the protocol does 2. Check for known-issues.md or audit/ folder 3. Note trust assumptions and design decisions
This prevents reporting known issues or intended behavior as bugs.
Step 1: Scan
Run weasel_analyze → compact output
Step 2: Triage
High: 2 → Investigate ALL Medium: 3 → Investigate ALL Low: 15 → Skip (mention count) Gas: 8 → Skip (mention count)
Step 3: Deep Dive (High/Med Only) For each High/Medium:
1. weasel_finding_details(detector="reentrancy") 2. Read Vault.sol around line 45 3. Verify: Is this a real issue? 4. Document: Confirmed / False Positive
Step 4: Manual Review (Critical!) After Weasel, read contracts and look for things Weasel CANNOT detect:
- •Business logic issues
- •Economic vulnerabilities (flash loans, sandwich, oracle manipulation)
- •Complex access control
- •Cross-contract issues
- •State machine violations
Step 5: Report Combine Weasel findings + manual findings into one report.
What Weasel Catches vs Claude Catches
| Issue Type | Weasel | Claude |
|---|---|---|
| Reentrancy patterns | Yes | Yes |
| Unchecked returns | Yes | Yes |
| Common vulnerabilities | Yes | Yes |
| Business logic bugs | No | Yes |
| Economic attacks | No | Yes |
| Complex access control | No | Yes |
| Cross-contract issues | No | Yes |
| Oracle manipulation | No | Yes |
Always do manual review for important audits!
Rationalizations to Reject (Manual Review)
| Rationalization | Why It's Wrong |
|---|---|
| "Weasel found the important stuff" | Weasel misses business logic, economic attacks, cross-contract issues. |
| "This code looks standard/safe" | Standard-looking code can have non-standard bugs. READ IT. |
| "I'll skip the math, it's probably fine" | Math bugs are HIGH severity. Never skip. |
| "The function is too long to analyze" | Long functions = more bugs. Analyze it section by section. |
| "No obvious issues, must be clean" | Obvious issues are already fixed. Audit finds non-obvious ones. |
| "I already found some bugs, that's enough" | Your job is to find ALL bugs, not just some. |
Response Labeling
When reporting findings, be clear about source:
- •
[Weasel]- Found by static analysis - •
[Manual]- Found by Claude's reasoning
Examples:
- •"[Weasel] Found reentrancy in withdraw()"
- •"[Manual] Potential flash loan attack vector in swap()"
Output Format
For Quick Scan
## Weasel Scan Results **Found:** 2 High, 3 Medium, 15 Low, 8 Gas ### Critical (High) | Detector | Location | Brief | |----------|----------|-------| | reentrancy | Vault.sol:45 | External call before state update | ### Important (Medium) | Detector | Location | Brief | |----------|----------|-------| | unchecked-transfer | Token.sol:89 | Return value ignored | --- *20+ Low/Gas findings available. Use "show low severity" for details.*
For Full Analysis
## Security Analysis Report ### Automated Scan (Weasel) **Summary:** 2 High, 3 Medium confirmed #### [H-01] Reentrancy in withdraw() - CONFIRMED **Location:** Vault.sol:45 **Issue:** External call before balance update **Impact:** Fund theft possible **Fix:** Move state update before call #### [M-01] Unchecked Transfer - CONFIRMED ... ### Manual Review (Claude) Issues Weasel cannot detect: #### [H-02] Flash Loan Attack Vector **Location:** Swap.sol:120-150 **Issue:** Price can be manipulated within single transaction ... ### Summary | Source | High | Medium | Low | |--------|------|--------|-----| | Weasel | 2 | 3 | 15 | | Manual | 1 | 2 | 0 | | **Total** | **3** | **5** | **15** |
When NOT to Use Weasel
If user says:
- •"review this function" → Just read the function (Review Mode)
- •"is this safe" → Read and reason (Review Mode)
- •"what does this do" → Explain without scanning (→ weasel-explainer)
These don't need static analysis - just Claude's reasoning.
Context Management Rules
DO
- •Load weasel_analyze summary (compact, ~500 tokens)
- •Load details ONLY for High/Medium findings
- •Read source files as needed for verification
- •Skip Low/Gas/NC unless user specifically asks
DON'T
- •Auto-load all finding details at once
- •Dump entire weasel output with all locations
- •Load code you won't analyze
- •Request details for 50+ Low severity findings
- •Run weasel_analyze when user just wants code review
Context Budget Guide
| Action | Tokens | When to Use |
|---|---|---|
| weasel_analyze | ~500-2000 | Always OK |
| weasel_finding_details (per call) | ~500-1500 | High/Med only |
| Read source file | ~1000-5000 | When verifying |
Total budget for audit: Try to stay under 20k tokens for Weasel-related context, leaving room for code reading and manual review.
Available MCP Tools
- •
weasel_analyze - Run static analysis (COMPACT output)
- •
path: Directory or file (optional, defaults to current) - •
severity: Filter - "High", "Medium", "Low", "Gas", "NC" - •
exclude: Paths to exclude
- •
- •
weasel_finding_details - Get FULL details for ONE detector
- •Use sparingly! Each call adds context
- •
detector: Detector ID (e.g., "reentrancy") - •
path: Path analyzed (for cached results)
- •
weasel_detectors - List available detectors
- •Use if user asks what Weasel can detect
- •
severity: Optional filter