guml is a defensive / research tool: it finds smart contracts that may be exploitable and tries to prove it with a local proof-of-concept, so the finding can be responsibly disclosed. Please use it accordingly.
- Only test contracts you are authorized to test — your own, or those covered by a bug-bounty / audit program that permits this kind of research.
- The intended destination for any finding is responsible disclosure (a bug bounty, the project's security contact, or a coordinated disclosure) — never on-chain fund-draining.
- Proofs-of-concept run only against a local
anvilfork of real chain state and are never broadcast to a live network. The pipeline refuses to use private keys or send transactions to mainnet/testnets. Do not modify it to do so.
You are responsible for complying with the laws and program rules that apply to you.
- The dashboard is an unauthenticated control plane. Anyone who can reach its port
can start/stop workers, change the model, and read everything. Bind it to
127.0.0.1or a private overlay network (Tailscale/WireGuard) or reach it via an SSH tunnel. Never expose it to the public internet. - Secrets (RPC URLs with keys, Etherscan key, model-provider keys, Telegram token)
live in
.env, which is gitignored. Don't commit real keys; rotate any that leak. - The audit agent executes tools (
forge,cast, shell) inside each per-contract workspace to build and test its PoC. Run guml as a non-root user, ideally on an isolated host/VM, since the agent runs largely autonomously. - Runtime data —
guml.db,audits/,confirmed/,run/,out/— is gitignored and may contain target details; treat it as sensitive and keep it out of any public repo.
If you find a security issue in this codebase, please report it privately to the maintainer (see the repository's contact / security advisory settings) rather than opening a public issue.