@elizaos/skills 2.0.0-alpha.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +126 -0
- package/package.json +53 -0
- package/skills/1password/SKILL.md +70 -0
- package/skills/1password/references/cli-examples.md +29 -0
- package/skills/1password/references/get-started.md +17 -0
- package/skills/apple-notes/SKILL.md +77 -0
- package/skills/apple-reminders/SKILL.md +96 -0
- package/skills/bear-notes/SKILL.md +107 -0
- package/skills/bird/SKILL.md +224 -0
- package/skills/blogwatcher/SKILL.md +69 -0
- package/skills/blucli/SKILL.md +47 -0
- package/skills/bluebubbles/SKILL.md +131 -0
- package/skills/camsnap/SKILL.md +45 -0
- package/skills/canvas/SKILL.md +203 -0
- package/skills/clawhub/SKILL.md +77 -0
- package/skills/coding-agent/SKILL.md +284 -0
- package/skills/discord/SKILL.md +578 -0
- package/skills/eightctl/SKILL.md +50 -0
- package/skills/food-order/SKILL.md +48 -0
- package/skills/gemini/SKILL.md +43 -0
- package/skills/gifgrep/SKILL.md +79 -0
- package/skills/github/SKILL.md +77 -0
- package/skills/gog/SKILL.md +116 -0
- package/skills/goplaces/SKILL.md +52 -0
- package/skills/healthcheck/SKILL.md +245 -0
- package/skills/himalaya/SKILL.md +257 -0
- package/skills/himalaya/references/configuration.md +184 -0
- package/skills/himalaya/references/message-composition.md +199 -0
- package/skills/imsg/SKILL.md +74 -0
- package/skills/local-places/SERVER_README.md +101 -0
- package/skills/local-places/SKILL.md +102 -0
- package/skills/local-places/pyproject.toml +21 -0
- package/skills/local-places/src/local_places/__init__.py +2 -0
- package/skills/local-places/src/local_places/google_places.py +314 -0
- package/skills/local-places/src/local_places/main.py +65 -0
- package/skills/local-places/src/local_places/schemas.py +107 -0
- package/skills/mcporter/SKILL.md +61 -0
- package/skills/model-usage/SKILL.md +69 -0
- package/skills/model-usage/references/codexbar-cli.md +33 -0
- package/skills/model-usage/scripts/model_usage.py +310 -0
- package/skills/nano-banana-pro/SKILL.md +58 -0
- package/skills/nano-banana-pro/scripts/generate_image.py +184 -0
- package/skills/nano-pdf/SKILL.md +38 -0
- package/skills/notion/SKILL.md +172 -0
- package/skills/obsidian/SKILL.md +81 -0
- package/skills/openai-image-gen/SKILL.md +89 -0
- package/skills/openai-image-gen/scripts/gen.py +240 -0
- package/skills/openai-whisper/SKILL.md +38 -0
- package/skills/openai-whisper-api/SKILL.md +52 -0
- package/skills/openai-whisper-api/scripts/transcribe.sh +85 -0
- package/skills/openhue/SKILL.md +51 -0
- package/skills/oracle/SKILL.md +125 -0
- package/skills/ordercli/SKILL.md +78 -0
- package/skills/peekaboo/SKILL.md +190 -0
- package/skills/sag/SKILL.md +87 -0
- package/skills/security-ask-questions-if-underspecified/.claude-plugin/plugin.json +10 -0
- package/skills/security-ask-questions-if-underspecified/README.md +24 -0
- package/skills/security-ask-questions-if-underspecified/skills/ask-questions-if-underspecified/SKILL.md +85 -0
- package/skills/security-audit-context-building/.claude-plugin/plugin.json +10 -0
- package/skills/security-audit-context-building/README.md +58 -0
- package/skills/security-audit-context-building/commands/audit-context.md +21 -0
- package/skills/security-audit-context-building/skills/audit-context-building/SKILL.md +297 -0
- package/skills/security-audit-context-building/skills/audit-context-building/resources/COMPLETENESS_CHECKLIST.md +47 -0
- package/skills/security-audit-context-building/skills/audit-context-building/resources/FUNCTION_MICRO_ANALYSIS_EXAMPLE.md +355 -0
- package/skills/security-audit-context-building/skills/audit-context-building/resources/OUTPUT_REQUIREMENTS.md +71 -0
- package/skills/security-building-secure-contracts/.claude-plugin/plugin.json +10 -0
- package/skills/security-building-secure-contracts/README.md +241 -0
- package/skills/security-building-secure-contracts/skills/algorand-vulnerability-scanner/SKILL.md +284 -0
- package/skills/security-building-secure-contracts/skills/algorand-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +405 -0
- package/skills/security-building-secure-contracts/skills/audit-prep-assistant/SKILL.md +409 -0
- package/skills/security-building-secure-contracts/skills/cairo-vulnerability-scanner/SKILL.md +329 -0
- package/skills/security-building-secure-contracts/skills/cairo-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +722 -0
- package/skills/security-building-secure-contracts/skills/code-maturity-assessor/SKILL.md +218 -0
- package/skills/security-building-secure-contracts/skills/code-maturity-assessor/resources/ASSESSMENT_CRITERIA.md +355 -0
- package/skills/security-building-secure-contracts/skills/code-maturity-assessor/resources/EXAMPLE_REPORT.md +248 -0
- package/skills/security-building-secure-contracts/skills/code-maturity-assessor/resources/REPORT_FORMAT.md +33 -0
- package/skills/security-building-secure-contracts/skills/cosmos-vulnerability-scanner/SKILL.md +334 -0
- package/skills/security-building-secure-contracts/skills/cosmos-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +740 -0
- package/skills/security-building-secure-contracts/skills/guidelines-advisor/SKILL.md +252 -0
- package/skills/security-building-secure-contracts/skills/guidelines-advisor/resources/ASSESSMENT_AREAS.md +329 -0
- package/skills/security-building-secure-contracts/skills/guidelines-advisor/resources/DELIVERABLES.md +118 -0
- package/skills/security-building-secure-contracts/skills/guidelines-advisor/resources/EXAMPLE_REPORT.md +298 -0
- package/skills/security-building-secure-contracts/skills/secure-workflow-guide/SKILL.md +161 -0
- package/skills/security-building-secure-contracts/skills/secure-workflow-guide/resources/EXAMPLE_REPORT.md +279 -0
- package/skills/security-building-secure-contracts/skills/secure-workflow-guide/resources/WORKFLOW_STEPS.md +132 -0
- package/skills/security-building-secure-contracts/skills/solana-vulnerability-scanner/SKILL.md +389 -0
- package/skills/security-building-secure-contracts/skills/solana-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +669 -0
- package/skills/security-building-secure-contracts/skills/substrate-vulnerability-scanner/SKILL.md +298 -0
- package/skills/security-building-secure-contracts/skills/substrate-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +791 -0
- package/skills/security-building-secure-contracts/skills/token-integration-analyzer/SKILL.md +362 -0
- package/skills/security-building-secure-contracts/skills/token-integration-analyzer/resources/ASSESSMENT_CATEGORIES.md +571 -0
- package/skills/security-building-secure-contracts/skills/token-integration-analyzer/resources/REPORT_TEMPLATES.md +141 -0
- package/skills/security-building-secure-contracts/skills/ton-vulnerability-scanner/SKILL.md +388 -0
- package/skills/security-building-secure-contracts/skills/ton-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +595 -0
- package/skills/security-burpsuite-project-parser/.claude-plugin/plugin.json +10 -0
- package/skills/security-burpsuite-project-parser/README.md +103 -0
- package/skills/security-burpsuite-project-parser/commands/burp-search.md +18 -0
- package/skills/security-burpsuite-project-parser/skills/SKILL.md +358 -0
- package/skills/security-burpsuite-project-parser/skills/scripts/burp-search.sh +99 -0
- package/skills/security-claude-in-chrome-troubleshooting/.claude-plugin/plugin.json +8 -0
- package/skills/security-claude-in-chrome-troubleshooting/README.md +31 -0
- package/skills/security-claude-in-chrome-troubleshooting/skills/claude-in-chrome-troubleshooting/SKILL.md +251 -0
- package/skills/security-constant-time-analysis/.claude-plugin/plugin.json +9 -0
- package/skills/security-constant-time-analysis/README.md +381 -0
- package/skills/security-constant-time-analysis/commands/ct-check.md +20 -0
- package/skills/security-constant-time-analysis/ct_analyzer/__init__.py +49 -0
- package/skills/security-constant-time-analysis/ct_analyzer/analyzer.py +1284 -0
- package/skills/security-constant-time-analysis/ct_analyzer/script_analyzers.py +3081 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/__init__.py +1 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_analyzer.py +1397 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/bn_excerpt.js +205 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_constant_time.c +181 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.c +74 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.go +78 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.rs +92 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.cs +174 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.java +161 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.kt +181 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.php +140 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.py +252 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.rb +188 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.swift +199 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.ts +154 -0
- package/skills/security-constant-time-analysis/pyproject.toml +52 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/README.md +90 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/SKILL.md +219 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/compiled.md +129 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/javascript.md +136 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/kotlin.md +252 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/php.md +172 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/python.md +179 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/ruby.md +198 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/swift.md +288 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/vm-compiled.md +354 -0
- package/skills/security-constant-time-analysis/uv.lock +8 -0
- package/skills/security-culture-index/.claude-plugin/plugin.json +8 -0
- package/skills/security-culture-index/README.md +79 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/SKILL.md +293 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/anti-patterns.md +255 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/conversation-starters.md +408 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/interview-trait-signals.md +253 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/motivators.md +158 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/patterns-archetypes.md +147 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/primary-traits.md +307 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/secondary-traits.md +228 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/team-composition.md +148 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/check_deps.py +108 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/__init__.py +20 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/constants.py +122 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/extract.py +187 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/models.py +16 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/opencv_extractor.py +520 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/extract_pdf.py +237 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/pyproject.toml +18 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/burnout-report.md +113 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/comparison-report.md +103 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/hiring-profile.md +127 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/individual-report.md +85 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/predicted-profile.md +165 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/team-report.md +109 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/analyze-team.md +188 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/coach-manager.md +267 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/compare-profiles.md +188 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/define-hiring-profile.md +220 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/detect-burnout.md +206 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/extract-from-pdf.md +121 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/interpret-individual.md +183 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/interview-debrief.md +234 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/mediate-conflict.md +306 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/plan-onboarding.md +322 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/predict-from-interview.md +250 -0
- package/skills/security-differential-review/.claude-plugin/plugin.json +10 -0
- package/skills/security-differential-review/README.md +109 -0
- package/skills/security-differential-review/commands/diff-review.md +21 -0
- package/skills/security-differential-review/skills/differential-review/SKILL.md +220 -0
- package/skills/security-differential-review/skills/differential-review/adversarial.md +203 -0
- package/skills/security-differential-review/skills/differential-review/methodology.md +234 -0
- package/skills/security-differential-review/skills/differential-review/patterns.md +300 -0
- package/skills/security-differential-review/skills/differential-review/reporting.md +369 -0
- package/skills/security-dwarf-expert/.claude-plugin/plugin.json +10 -0
- package/skills/security-dwarf-expert/README.md +38 -0
- package/skills/security-dwarf-expert/skills/dwarf-expert/SKILL.md +93 -0
- package/skills/security-dwarf-expert/skills/dwarf-expert/reference/coding.md +31 -0
- package/skills/security-dwarf-expert/skills/dwarf-expert/reference/dwarfdump.md +50 -0
- package/skills/security-dwarf-expert/skills/dwarf-expert/reference/readelf.md +8 -0
- package/skills/security-entry-point-analyzer/.claude-plugin/plugin.json +10 -0
- package/skills/security-entry-point-analyzer/README.md +74 -0
- package/skills/security-entry-point-analyzer/commands/entry-points.md +18 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/SKILL.md +251 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/cosmwasm.md +182 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/move-aptos.md +107 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/move-sui.md +87 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/solana.md +155 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/solidity.md +135 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/ton.md +185 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/vyper.md +141 -0
- package/skills/security-firebase-apk-scanner/.claude-plugin/plugin.json +10 -0
- package/skills/security-firebase-apk-scanner/README.md +85 -0
- package/skills/security-firebase-apk-scanner/commands/scan-apk.md +18 -0
- package/skills/security-firebase-apk-scanner/scanner.sh +1408 -0
- package/skills/security-firebase-apk-scanner/skills/firebase-apk-scanner/SKILL.md +197 -0
- package/skills/security-firebase-apk-scanner/skills/firebase-apk-scanner/references/vulnerabilities.md +803 -0
- package/skills/security-fix-review/.claude-plugin/plugin.json +13 -0
- package/skills/security-fix-review/README.md +118 -0
- package/skills/security-fix-review/commands/fix-review.md +24 -0
- package/skills/security-fix-review/skills/fix-review/SKILL.md +264 -0
- package/skills/security-fix-review/skills/fix-review/references/bug-detection.md +408 -0
- package/skills/security-fix-review/skills/fix-review/references/finding-matching.md +298 -0
- package/skills/security-fix-review/skills/fix-review/references/report-parsing.md +398 -0
- package/skills/security-insecure-defaults/.claude-plugin/plugin.json +10 -0
- package/skills/security-insecure-defaults/README.md +45 -0
- package/skills/security-insecure-defaults/skills/insecure-defaults/SKILL.md +117 -0
- package/skills/security-insecure-defaults/skills/insecure-defaults/references/examples.md +409 -0
- package/skills/security-modern-python/.claude-plugin/plugin.json +10 -0
- package/skills/security-modern-python/README.md +58 -0
- package/skills/security-modern-python/hooks/hooks.json +16 -0
- package/skills/security-modern-python/hooks/intercept-legacy-python.bats +388 -0
- package/skills/security-modern-python/hooks/intercept-legacy-python.sh +109 -0
- package/skills/security-modern-python/hooks/test_helper.bash +75 -0
- package/skills/security-modern-python/skills/modern-python/SKILL.md +333 -0
- package/skills/security-modern-python/skills/modern-python/references/dependabot.md +43 -0
- package/skills/security-modern-python/skills/modern-python/references/migration-checklist.md +141 -0
- package/skills/security-modern-python/skills/modern-python/references/pep723-scripts.md +259 -0
- package/skills/security-modern-python/skills/modern-python/references/prek.md +211 -0
- package/skills/security-modern-python/skills/modern-python/references/pyproject.md +254 -0
- package/skills/security-modern-python/skills/modern-python/references/ruff-config.md +240 -0
- package/skills/security-modern-python/skills/modern-python/references/security-setup.md +255 -0
- package/skills/security-modern-python/skills/modern-python/references/testing.md +284 -0
- package/skills/security-modern-python/skills/modern-python/references/uv-commands.md +200 -0
- package/skills/security-modern-python/skills/modern-python/templates/dependabot.yml +36 -0
- package/skills/security-modern-python/skills/modern-python/templates/pre-commit-config.yaml +66 -0
- package/skills/security-property-based-testing/.claude-plugin/plugin.json +9 -0
- package/skills/security-property-based-testing/README.md +47 -0
- package/skills/security-property-based-testing/skills/property-based-testing/README.md +88 -0
- package/skills/security-property-based-testing/skills/property-based-testing/SKILL.md +109 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/design.md +191 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/generating.md +200 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/libraries.md +130 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/refactoring.md +181 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/reviewing.md +209 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/strategies.md +124 -0
- package/skills/semgrep-rule-creator/.claude-plugin/plugin.json +8 -0
- package/skills/semgrep-rule-creator/README.md +43 -0
- package/skills/semgrep-rule-creator/commands/semgrep-rule.md +26 -0
- package/skills/semgrep-rule-creator/skills/semgrep-rule-creator/SKILL.md +168 -0
- package/skills/semgrep-rule-creator/skills/semgrep-rule-creator/references/quick-reference.md +203 -0
- package/skills/semgrep-rule-creator/skills/semgrep-rule-creator/references/workflow.md +240 -0
- package/skills/semgrep-rule-variant-creator/.claude-plugin/plugin.json +9 -0
- package/skills/semgrep-rule-variant-creator/README.md +86 -0
- package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/SKILL.md +205 -0
- package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/references/applicability-analysis.md +250 -0
- package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/references/language-syntax-guide.md +324 -0
- package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/references/workflow.md +518 -0
- package/skills/session-logs/SKILL.md +115 -0
- package/skills/sharp-edges/.claude-plugin/plugin.json +10 -0
- package/skills/sharp-edges/README.md +48 -0
- package/skills/sharp-edges/skills/sharp-edges/SKILL.md +292 -0
- package/skills/sharp-edges/skills/sharp-edges/references/auth-patterns.md +252 -0
- package/skills/sharp-edges/skills/sharp-edges/references/case-studies.md +274 -0
- package/skills/sharp-edges/skills/sharp-edges/references/config-patterns.md +333 -0
- package/skills/sharp-edges/skills/sharp-edges/references/crypto-apis.md +190 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-c.md +205 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-csharp.md +285 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-go.md +270 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-java.md +263 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-javascript.md +269 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-kotlin.md +265 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-php.md +245 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-python.md +274 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-ruby.md +273 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-rust.md +272 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-swift.md +287 -0
- package/skills/sharp-edges/skills/sharp-edges/references/language-specific.md +588 -0
- package/skills/sherpa-onnx-tts/SKILL.md +103 -0
- package/skills/sherpa-onnx-tts/bin/sherpa-onnx-tts +178 -0
- package/skills/skill-creator/SKILL.md +370 -0
- package/skills/skill-creator/license.txt +202 -0
- package/skills/skill-creator/scripts/init_skill.py +378 -0
- package/skills/skill-creator/scripts/package_skill.py +111 -0
- package/skills/skill-creator/scripts/quick_validate.py +101 -0
- package/skills/slack/SKILL.md +144 -0
- package/skills/songsee/SKILL.md +49 -0
- package/skills/sonoscli/SKILL.md +46 -0
- package/skills/spec-to-code-compliance/.claude-plugin/plugin.json +10 -0
- package/skills/spec-to-code-compliance/README.md +67 -0
- package/skills/spec-to-code-compliance/commands/spec-compliance.md +22 -0
- package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/SKILL.md +349 -0
- package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/resources/COMPLETENESS_CHECKLIST.md +69 -0
- package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md +417 -0
- package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/resources/OUTPUT_REQUIREMENTS.md +105 -0
- package/skills/spotify-player/SKILL.md +64 -0
- package/skills/static-analysis/.claude-plugin/plugin.json +8 -0
- package/skills/static-analysis/README.md +59 -0
- package/skills/static-analysis/skills/codeql/SKILL.md +315 -0
- package/skills/static-analysis/skills/sarif-parsing/SKILL.md +479 -0
- package/skills/static-analysis/skills/sarif-parsing/resources/jq-queries.md +162 -0
- package/skills/static-analysis/skills/sarif-parsing/resources/sarif_helpers.py +331 -0
- package/skills/static-analysis/skills/semgrep/SKILL.md +337 -0
- package/skills/summarize/SKILL.md +87 -0
- package/skills/testing-handbook-skills/.claude-plugin/plugin.json +8 -0
- package/skills/testing-handbook-skills/README.md +241 -0
- package/skills/testing-handbook-skills/scripts/pyproject.toml +8 -0
- package/skills/testing-handbook-skills/scripts/validate-skills.py +657 -0
- package/skills/testing-handbook-skills/skills/address-sanitizer/SKILL.md +341 -0
- package/skills/testing-handbook-skills/skills/aflpp/SKILL.md +640 -0
- package/skills/testing-handbook-skills/skills/atheris/SKILL.md +515 -0
- package/skills/testing-handbook-skills/skills/cargo-fuzz/SKILL.md +454 -0
- package/skills/testing-handbook-skills/skills/codeql/SKILL.md +549 -0
- package/skills/testing-handbook-skills/skills/constant-time-testing/SKILL.md +507 -0
- package/skills/testing-handbook-skills/skills/coverage-analysis/SKILL.md +607 -0
- package/skills/testing-handbook-skills/skills/fuzzing-dictionary/SKILL.md +297 -0
- package/skills/testing-handbook-skills/skills/fuzzing-obstacles/SKILL.md +426 -0
- package/skills/testing-handbook-skills/skills/harness-writing/SKILL.md +614 -0
- package/skills/testing-handbook-skills/skills/libafl/SKILL.md +625 -0
- package/skills/testing-handbook-skills/skills/libfuzzer/SKILL.md +795 -0
- package/skills/testing-handbook-skills/skills/ossfuzz/SKILL.md +426 -0
- package/skills/testing-handbook-skills/skills/ruzzy/SKILL.md +443 -0
- package/skills/testing-handbook-skills/skills/semgrep/SKILL.md +601 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/SKILL.md +372 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/agent-prompt.md +280 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/discovery.md +452 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/domain-skill.md +504 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/fuzzer-skill.md +454 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/technique-skill.md +527 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/tool-skill.md +366 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/testing.md +482 -0
- package/skills/testing-handbook-skills/skills/wycheproof/SKILL.md +533 -0
- package/skills/things-mac/SKILL.md +86 -0
- package/skills/tmux/SKILL.md +135 -0
- package/skills/tmux/scripts/find-sessions.sh +112 -0
- package/skills/tmux/scripts/wait-for-text.sh +83 -0
- package/skills/trello/SKILL.md +95 -0
- package/skills/variant-analysis/.claude-plugin/plugin.json +8 -0
- package/skills/variant-analysis/README.md +41 -0
- package/skills/variant-analysis/commands/variants.md +23 -0
- package/skills/variant-analysis/skills/variant-analysis/METHODOLOGY.md +327 -0
- package/skills/variant-analysis/skills/variant-analysis/SKILL.md +142 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/cpp.ql +119 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/go.ql +69 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/java.ql +71 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/javascript.ql +63 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/python.ql +80 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/cpp.yaml +98 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/go.yaml +63 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/java.yaml +61 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/javascript.yaml +60 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/python.yaml +72 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/variant-report-template.md +75 -0
- package/skills/video-frames/SKILL.md +46 -0
- package/skills/video-frames/scripts/frame.sh +81 -0
- package/skills/voice-call/SKILL.md +45 -0
- package/skills/wacli/SKILL.md +72 -0
- package/skills/weather/SKILL.md +54 -0
- package/skills/yara-authoring/.claude-plugin/plugin.json +9 -0
- package/skills/yara-authoring/README.md +131 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/SKILL.md +645 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/MAL_Mac_ProtonRAT_Jan25.yar +99 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/MAL_NPM_SupplyChain_Jan25.yar +170 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/MAL_Win_Remcos_Jan25.yar +103 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/SUSP_CRX_SuspiciousPermissions.yar +134 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/SUSP_JS_Obfuscation_Jan25.yar +185 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/crx-module.md +214 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/dex-module.md +383 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/performance.md +333 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/strings.md +433 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/style-guide.md +257 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/testing.md +399 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/scripts/atom_analyzer.py +526 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/scripts/pyproject.toml +25 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/scripts/yara_lint.py +631 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/workflows/rule-development.md +493 -0
package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/cosmwasm.md
ADDED
|
@@ -0,0 +1,182 @@
|
|
|
1
|
+
# CosmWasm Entry Point Detection
|
|
2
|
+
|
|
3
|
+
## Entry Point Identification (State-Changing Only)
|
|
4
|
+
|
|
5
|
+
### Include: State-Changing Entry Points
|
|
6
|
+
```rust
|
|
7
|
+
// Instantiate - called once on deployment
|
|
8
|
+
#[cfg_attr(not(feature = "library"), entry_point)]
|
|
9
|
+
pub fn instantiate(
|
|
10
|
+
deps: DepsMut,
|
|
11
|
+
env: Env,
|
|
12
|
+
info: MessageInfo,
|
|
13
|
+
msg: InstantiateMsg,
|
|
14
|
+
) -> Result<Response, ContractError> { }
|
|
15
|
+
|
|
16
|
+
// Execute - main entry point for state changes
|
|
17
|
+
#[cfg_attr(not(feature = "library"), entry_point)]
|
|
18
|
+
pub fn execute(
|
|
19
|
+
deps: DepsMut,
|
|
20
|
+
env: Env,
|
|
21
|
+
info: MessageInfo,
|
|
22
|
+
msg: ExecuteMsg,
|
|
23
|
+
) -> Result<Response, ContractError> { }
|
|
24
|
+
|
|
25
|
+
// Query - read-only entry point
|
|
26
|
+
#[cfg_attr(not(feature = "library"), entry_point)]
|
|
27
|
+
pub fn query(
|
|
28
|
+
deps: Deps,
|
|
29
|
+
env: Env,
|
|
30
|
+
msg: QueryMsg,
|
|
31
|
+
) -> StdResult<Binary> { }
|
|
32
|
+
|
|
33
|
+
// Migrate - called on contract migration
|
|
34
|
+
#[cfg_attr(not(feature = "library"), entry_point)]
|
|
35
|
+
pub fn migrate(
|
|
36
|
+
deps: DepsMut,
|
|
37
|
+
env: Env,
|
|
38
|
+
msg: MigrateMsg,
|
|
39
|
+
) -> Result<Response, ContractError> { }
|
|
40
|
+
|
|
41
|
+
// Reply - handles submessage responses
|
|
42
|
+
#[cfg_attr(not(feature = "library"), entry_point)]
|
|
43
|
+
pub fn reply(
|
|
44
|
+
deps: DepsMut,
|
|
45
|
+
env: Env,
|
|
46
|
+
msg: Reply,
|
|
47
|
+
) -> Result<Response, ContractError> { }
|
|
48
|
+
|
|
49
|
+
// Sudo - privileged operations (governance)
|
|
50
|
+
#[cfg_attr(not(feature = "library"), entry_point)]
|
|
51
|
+
pub fn sudo(
|
|
52
|
+
deps: DepsMut,
|
|
53
|
+
env: Env,
|
|
54
|
+
msg: SudoMsg,
|
|
55
|
+
) -> Result<Response, ContractError> { }
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
### Entry Point Types
|
|
59
|
+
| Entry Point | Include? | Classification | Notes |
|
|
60
|
+
|-------------|----------|----------------|-------|
|
|
61
|
+
| `instantiate` | **Yes** | One-time setup | Sets initial state |
|
|
62
|
+
| `execute` | **Yes** | Main dispatcher | Contains multiple operations |
|
|
63
|
+
| `query` | No | Read-only | EXCLUDE - no state changes |
|
|
64
|
+
| `migrate` | **Yes** | Admin/Governance | Requires migration permission |
|
|
65
|
+
| `reply` | **Yes** | Contract-Only | Submessage callback |
|
|
66
|
+
| `sudo` | **Yes** | Governance | Chain-level privileged |
|
|
67
|
+
|
|
68
|
+
### ExecuteMsg Variants (Primary Focus)
|
|
69
|
+
```rust
|
|
70
|
+
#[cw_serde]
|
|
71
|
+
pub enum ExecuteMsg {
|
|
72
|
+
Transfer { recipient: String, amount: Uint128 }, // Usually public
|
|
73
|
+
UpdateConfig { admin: Option<String> }, // Admin only
|
|
74
|
+
Pause {}, // Guardian
|
|
75
|
+
Withdraw { amount: Uint128 }, // Public or restricted
|
|
76
|
+
}
|
|
77
|
+
```
|
|
78
|
+
|
|
79
|
+
## Access Control Patterns
|
|
80
|
+
|
|
81
|
+
### Cw-Ownable Pattern
|
|
82
|
+
```rust
|
|
83
|
+
use cw_ownable::{assert_owner, initialize_owner};
|
|
84
|
+
|
|
85
|
+
pub fn execute_admin_action(deps: DepsMut, info: MessageInfo) -> Result<...> {
|
|
86
|
+
assert_owner(deps.storage, &info.sender)?;
|
|
87
|
+
// ...
|
|
88
|
+
}
|
|
89
|
+
```
|
|
90
|
+
|
|
91
|
+
### Manual Owner Check
|
|
92
|
+
```rust
|
|
93
|
+
pub fn execute_update_config(deps: DepsMut, info: MessageInfo) -> Result<...> {
|
|
94
|
+
let config = CONFIG.load(deps.storage)?;
|
|
95
|
+
if info.sender != config.owner {
|
|
96
|
+
return Err(ContractError::Unauthorized {});
|
|
97
|
+
}
|
|
98
|
+
// ...
|
|
99
|
+
}
|
|
100
|
+
```
|
|
101
|
+
|
|
102
|
+
### Role-Based Access
|
|
103
|
+
```rust
|
|
104
|
+
// Common patterns
|
|
105
|
+
if info.sender != state.admin { return Err(Unauthorized); }
|
|
106
|
+
if info.sender != state.governance { return Err(Unauthorized); }
|
|
107
|
+
if !state.operators.contains(&info.sender) { return Err(Unauthorized); }
|
|
108
|
+
|
|
109
|
+
// Using cw-controllers
|
|
110
|
+
use cw_controllers::Admin;
|
|
111
|
+
ADMIN.assert_admin(deps.as_ref(), &info.sender)?;
|
|
112
|
+
```
|
|
113
|
+
|
|
114
|
+
### Access Control Classification
|
|
115
|
+
| Pattern | Classification |
|
|
116
|
+
|---------|----------------|
|
|
117
|
+
| `assert_owner(storage, &sender)` | Owner |
|
|
118
|
+
| `ADMIN.assert_admin(deps, &sender)` | Admin |
|
|
119
|
+
| `info.sender != config.owner` | Owner |
|
|
120
|
+
| `info.sender != config.admin` | Admin |
|
|
121
|
+
| `info.sender != config.governance` | Governance |
|
|
122
|
+
| `!operators.contains(&sender)` | Operator |
|
|
123
|
+
| `!guardians.contains(&sender)` | Guardian |
|
|
124
|
+
| No sender check | Public (Unrestricted) |
|
|
125
|
+
|
|
126
|
+
## Contract-Only Detection
|
|
127
|
+
|
|
128
|
+
### Reply Handler
|
|
129
|
+
```rust
|
|
130
|
+
#[entry_point]
|
|
131
|
+
pub fn reply(deps: DepsMut, env: Env, msg: Reply) -> Result<Response, ContractError> {
|
|
132
|
+
match msg.id {
|
|
133
|
+
INSTANTIATE_REPLY_ID => handle_instantiate_reply(deps, msg),
|
|
134
|
+
_ => Err(ContractError::UnknownReplyId { id: msg.id }),
|
|
135
|
+
}
|
|
136
|
+
}
|
|
137
|
+
```
|
|
138
|
+
|
|
139
|
+
### Callback Messages
|
|
140
|
+
```rust
|
|
141
|
+
// Messages expected from other contracts
|
|
142
|
+
ExecuteMsg::Callback { ... } => {
|
|
143
|
+
// Should verify sender is expected contract
|
|
144
|
+
if info.sender != expected_contract {
|
|
145
|
+
return Err(ContractError::Unauthorized {});
|
|
146
|
+
}
|
|
147
|
+
}
|
|
148
|
+
```
|
|
149
|
+
|
|
150
|
+
## Extraction Strategy
|
|
151
|
+
|
|
152
|
+
1. **Find Message Enums**:
|
|
153
|
+
- `ExecuteMsg` - main operations (INCLUDE)
|
|
154
|
+
- `QueryMsg` - read operations (EXCLUDE)
|
|
155
|
+
- `SudoMsg` - governance operations (INCLUDE)
|
|
156
|
+
|
|
157
|
+
2. **For Each ExecuteMsg Variant**:
|
|
158
|
+
- Find handler function (usually `execute_<variant_name>`)
|
|
159
|
+
- Check for access control at start of function
|
|
160
|
+
- Classify by access pattern
|
|
161
|
+
|
|
162
|
+
3. **Map Entry Points**:
|
|
163
|
+
- `execute` dispatcher → enumerate variants (state-changing)
|
|
164
|
+
- `query` → **SKIP** (read-only, no state changes)
|
|
165
|
+
- `sudo` → all variants are governance-level
|
|
166
|
+
- `reply` → contract-only callbacks
|
|
167
|
+
|
|
168
|
+
## CosmWasm-Specific Considerations
|
|
169
|
+
|
|
170
|
+
1. **Message Info**: `info.sender` is the caller address
|
|
171
|
+
2. **Query Has No Sender**: Queries are stateless, no access control
|
|
172
|
+
3. **Sudo Is Privileged**: Only callable by chain governance
|
|
173
|
+
4. **Submessages**: `reply` handles responses from submessages
|
|
174
|
+
5. **IBC**: IBC entry points for cross-chain messages
|
|
175
|
+
|
|
176
|
+
## Common Gotchas
|
|
177
|
+
|
|
178
|
+
1. **Instantiate Race**: First caller sets owner if not careful
|
|
179
|
+
2. **Migration Admin**: Separate from contract admin
|
|
180
|
+
3. **Cw20 Callbacks**: `Cw20ReceiveMsg` is a callback pattern
|
|
181
|
+
4. **IBC Callbacks**: `ibc_packet_receive` etc. are entry points
|
|
182
|
+
5. **Admin vs Owner**: May be different addresses
|
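Review bot: the Access Control Classification table (lines 115-124 of the hunk) has no row for the contract-caller check that the Callback Messages block itself relies on, `if info.sender != expected_contract { return Err(ContractError::Unauthorized {}); }`, so an extractor following the table would either bucket that handler under an Owner/Admin row or miss it; add a row such as `info.sender != <stored contract address>` → Contract-Only and point the "Cw20 Callbacks" gotcha at it, since a `Receive(Cw20ReceiveMsg)` handler that skips this check accepts receive messages from any sender. Two smaller points: step 3 of the Extraction Strategy maps `execute`, `query`, `sudo` and `reply` but not the IBC entry points that the same file later calls entry points (`ibc_packet_receive` etc.), so list them there as chain-invoked; and "Migration Admin: Separate from contract admin" is ambiguous, because the migrate permission belongs to the wasmd-level contract admin set at instantiation, which is distinct from any owner/admin address the contract keeps in its own storage, and that is what the `migrate` row's "Requires migration permission" should spell out.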
package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/move-aptos.md
ADDED
|
@@ -0,0 +1,107 @@
|
|
|
1
|
+
# Move Entry Point Detection (Aptos)
|
|
2
|
+
|
|
3
|
+
## Entry Point Identification (State-Changing Only)
|
|
4
|
+
|
|
5
|
+
In Move, `public` functions can be invoked from transaction scripts (Aptos) and typically modify state. In addition, all `entry` functions are entrypoints. Package-protected (`public package`) and friend (`friend` or `public friend`) functions should be excluded.
|
|
6
|
+
|
|
7
|
+
### Aptos Move
|
|
8
|
+
```move
|
|
9
|
+
// Public entry functions are entry points
|
|
10
|
+
public entry fun transfer(from: &signer, to: address, amount: u64) { }
|
|
11
|
+
|
|
12
|
+
// Public functions callable by other modules
|
|
13
|
+
public fun helper(): u64 { }
|
|
14
|
+
|
|
15
|
+
// Entry-only functions (can't be called by other modules)
|
|
16
|
+
entry fun private_entry(account: &signer) { }
|
|
17
|
+
```
|
|
18
|
+
|
|
19
|
+
### Visibility Rules
|
|
20
|
+
| Visibility | Include? | Notes |
|
|
21
|
+
|------------|----------|-------|
|
|
22
|
+
| `public entry fun` | **Yes** | Transaction entry point (state-changing) |
|
|
23
|
+
| `entry fun` | **Yes** | Transaction-only entry point |
|
|
24
|
+
| `public fun` | No | Module-callable only, not direct entry |
|
|
25
|
+
| `fun` (private) | No | Not externally callable |
|
|
26
|
+
| `public(friend) fun` | No | Friend modules only |
|
|
27
|
+
|
|
28
|
+
## Access Control Patterns
|
|
29
|
+
|
|
30
|
+
### Signer-Based Control (Aptos)
|
|
31
|
+
```move
|
|
32
|
+
// Admin check via signer
|
|
33
|
+
public entry fun admin_action(admin: &signer) {
|
|
34
|
+
assert!(signer::address_of(admin) == @admin_address, E_NOT_ADMIN);
|
|
35
|
+
}
|
|
36
|
+
|
|
37
|
+
// Owner check via resource
|
|
38
|
+
public entry fun owner_action(owner: &signer) acquires Config {
|
|
39
|
+
let config = borrow_global<Config>(@module_addr);
|
|
40
|
+
assert!(signer::address_of(owner) == config.owner, E_NOT_OWNER);
|
|
41
|
+
}
|
|
42
|
+
```
|
|
43
|
+
|
|
44
|
+
### Capability Pattern (Aptos)
|
|
45
|
+
```move
|
|
46
|
+
// Capability resource
|
|
47
|
+
struct AdminCap has key, store {}
|
|
48
|
+
|
|
49
|
+
// Requires capability
|
|
50
|
+
public entry fun admin_action(admin: &signer) acquires AdminCap {
|
|
51
|
+
assert!(exists<AdminCap>(signer::address_of(admin)), E_NO_CAP);
|
|
52
|
+
}
|
|
53
|
+
```
|
|
54
|
+
|
|
55
|
+
### Access Control Classification
|
|
56
|
+
| Pattern | Classification |
|
|
57
|
+
|---------|----------------|
|
|
58
|
+
| `signer::address_of(s) == @admin` | Admin |
|
|
59
|
+
| `signer::address_of(s) == config.owner` | Owner |
|
|
60
|
+
| `exists<AdminCap>(addr)` | Admin (capability) |
|
|
61
|
+
| `exists<GovernanceCap>(addr)` | Governance |
|
|
62
|
+
| `exists<GuardianCap>(addr)` | Guardian |
|
|
63
|
+
| `&signer` with no checks | Review Required |
|
|
64
|
+
|
|
65
|
+
## Contract-Only Detection
|
|
66
|
+
|
|
67
|
+
### Friend Functions
|
|
68
|
+
```move
|
|
69
|
+
// Only callable by friend modules
|
|
70
|
+
public(friend) fun internal_callback() { }
|
|
71
|
+
|
|
72
|
+
// Friend declaration
|
|
73
|
+
friend other_module;
|
|
74
|
+
```
|
|
75
|
+
|
|
76
|
+
### Module-to-Module Patterns
|
|
77
|
+
```move
|
|
78
|
+
// Functions designed for other modules
|
|
79
|
+
public fun on_transfer_hook(amount: u64): bool {
|
|
80
|
+
// Called by token module
|
|
81
|
+
}
|
|
82
|
+
```
|
|
83
|
+
|
|
84
|
+
## Extraction Strategy
|
|
85
|
+
|
|
86
|
+
### Aptos
|
|
87
|
+
1. Parse all `.move` files
|
|
88
|
+
2. Find `module` declarations
|
|
89
|
+
3. Extract functions with `public entry` or `entry` visibility
|
|
90
|
+
4. Check function body for:
|
|
91
|
+
- `signer::address_of` comparisons → Role-based
|
|
92
|
+
- `exists<*Cap>` checks → Capability-based
|
|
93
|
+
- No access checks → Public (Unrestricted)
|
|
94
|
+
|
|
95
|
+
## Move-Specific Considerations
|
|
96
|
+
|
|
97
|
+
1. **Resource Model**: Access control often through resource ownership
|
|
98
|
+
2. **Capabilities**: `Cap` suffix typically indicates capability pattern
|
|
99
|
+
3. **Acquires**: `acquires Resource` shows what global resources are accessed
|
|
100
|
+
4. **Generic Types**: Type parameters may carry capability constraints
|
|
101
|
+
5. **Friend Visibility**: `public(friend)` limits callers to declared friends
|
|
102
|
+
|
|
103
|
+
## Common Gotchas
|
|
104
|
+
|
|
105
|
+
1. **Init Functions**: `init` or `initialize` often create initial capabilities
|
|
106
|
+
2. **Module Upgrades**: Check upgrade capability ownership
|
|
107
|
+
3. **Phantom Types**: Type parameters with `phantom` don't affect runtime
|
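Review bot: the opening paragraph and the Visibility Rules table contradict each other on `public fun`: the paragraph says `public` functions "can be invoked from transaction scripts (Aptos) and typically modify state", while the table marks `public fun` as "No | Module-callable only, not direct entry", and step 3 of the Extraction Strategy follows the table. Pick one rule and state it in both places; the paragraph also reads as a copy of the Sui reference (it uses the Sui-style label "Package-protected (`public package`)" although the rest of this file only uses `public(friend)`), so it should be rewritten for Aptos. Second inconsistency: the classification table says "`&signer` with no checks | Review Required" but step 4 says "No access checks → Public (Unrestricted)"; the two labels mean different things in the downstream report, so align them. Minor: `friend other_module;` needs a fully qualified module name (`friend <addr>::other_module;`), and the `acquires AdminCap` annotation on `admin_action` is not needed for a plain `exists<AdminCap>` check.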
package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/move-sui.md
ADDED
|
@@ -0,0 +1,87 @@
|
|
|
1
|
+
# Move Entry Point Detection (Sui)
|
|
2
|
+
|
|
3
|
+
## Entry Point Identification (State-Changing Only)
|
|
4
|
+
|
|
5
|
+
In Move, `public` functions can be invoked from programmable transaction blocks (Sui) or transaction scripts (Aptos) and typically modify state. In addition, private `entry` functions are entrypoints. Package-protected (`public(package) fun`) and private (`fun`) functions should be excluded.
|
|
6
|
+
|
|
7
|
+
```move
|
|
8
|
+
// Public functions
|
|
9
|
+
public fun compute(obj: &mut Object): u64 { }
|
|
10
|
+
|
|
11
|
+
// Entry functions in Sui
|
|
12
|
+
public entry fun transfer(ctx: &mut TxContext) { }
|
|
13
|
+
```
|
|
14
|
+
|
|
15
|
+
### Visibility Rules
|
|
16
|
+
| Visibility | Include? | Notes |
|
|
17
|
+
|------------|----------|-------|
|
|
18
|
+
| `public entry fun` | **Yes** | Callable from transactions and modules |
|
|
19
|
+
| `public fun` | **Yes** | Callable from transactions and modules |
|
|
20
|
+
| `entry fun` | **Yes** | Callable from transactions, but not other modules |
|
|
21
|
+
| `fun` (private) | No | Not externally callable |
|
|
22
|
+
| `public(package) fun` | No | Only callable by other modules in the same package |
|
|
23
|
+
|
|
24
|
+
## Access Control Patterns
|
|
25
|
+
|
|
26
|
+
```move
|
|
27
|
+
// Object types have the key ability
|
|
28
|
+
public struct MyObject has key { id: ID, ... }
|
|
29
|
+
|
|
30
|
+
// Capability objects typically have names that end with "Cap"
|
|
31
|
+
public struct AdminCap has key { id: ID, ... }
|
|
32
|
+
|
|
33
|
+
// Shared objects are created via `public_share
|
|
34
|
+
public struct Pool has key { id: ID, ... }
|
|
35
|
+
|
|
36
|
+
// Object ownership provides access control
|
|
37
|
+
public fun use_owned_object(obj: &mut MyObject) {
|
|
38
|
+
// Only owner of obj can call this
|
|
39
|
+
}
|
|
40
|
+
|
|
41
|
+
// Shared object - anyone can access
|
|
42
|
+
public fun use_shared(pool: &mut Pool) { }
|
|
43
|
+
|
|
44
|
+
// Shared Pool object gated by capability - only owner of AdminCap can call
|
|
45
|
+
public fun capability_gate(_cap: &AdminCap, pool: &mut Pool) {}
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
### Access Control Classification
|
|
49
|
+
| Pattern | Classification |
|
|
50
|
+
|---------|----------------|
|
|
51
|
+
| Owned object parameter | Owner of object |
|
|
52
|
+
| Shared object | Public (Unrestricted) |
|
|
53
|
+
|
|
54
|
+
## Contract-Only Detection
|
|
55
|
+
|
|
56
|
+
### Package-protected Functions
|
|
57
|
+
```move
|
|
58
|
+
// Only callable by other modules in the same Move package
|
|
59
|
+
public(protected) fun internal_fun() { }
|
|
60
|
+
```
|
|
61
|
+
|
|
62
|
+
## Extraction Strategy
|
|
63
|
+
|
|
64
|
+
1. Parse all `.move` files
|
|
65
|
+
2. Find `module` declarations
|
|
66
|
+
3. Extract `public`, `public entry`, and `entry` functions
|
|
67
|
+
4. Extract object type declarations (`struct`'s that have the `key` ability)
|
|
68
|
+
5. Determine whether each object type is **owned** (passed as parameter to `transfer` or `public_transfer` functions) or **shared** (passed as parameter to `share` or `public_share` functions)
|
|
69
|
+
6. Analyze parameters:
|
|
70
|
+
- Owned object type with "XCap" in name -> X role (e.g., AdminCap = Admin role, GuardianCap = Guardian role)
|
|
71
|
+
- Owned object type without "Cap" in name -> Owner role
|
|
72
|
+
- Shared object type -> Public
|
|
73
|
+
|
|
74
|
+
## Move-Specific Considerations
|
|
75
|
+
|
|
76
|
+
1. **Object Model**: Access control typically through object ownership (rather than runtime assertions)
|
|
77
|
+
2. **Capabilities**: `Cap` suffix typically indicates capability pattern
|
|
78
|
+
4. **Generic Types**: Type parameters may carry capability constraints
|
|
79
|
+
5. **Package Visibility**: `public(pacakge)` limits callers to modules in the same package
|
|
80
|
+
|
|
81
|
+
## Common Gotchas
|
|
82
|
+
|
|
83
|
+
1. **Module Initializers**: `init` functions often create singletone shared objects and initial capabilities
|
|
84
|
+
2. **Object Wrapping**: Wrapped objects transfer ownership
|
|
85
|
+
3. **Shared vs Owned**: Shared objects can be accessed by anyone, owned objects only by a transaction sent by the owner
|
|
86
|
+
4. **Package Upgrades**: Upgrades can introduce new types and functions and change old ones in type-compatible ways
|
|
87
|
+
5. **Phantom Types**: Type parameters with `phantom` don't affect runtime
|
|
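Review bot: the Package-protected Functions example uses `public(protected) fun internal_fun() { }`, which is not a Move visibility; the table row on line 22 of the hunk and the intro paragraph both use `public(package) fun`, so change the example to match (and fix the typo `public(pacakge)` under Move-Specific Considerations). Other defects in the same hunk: a Sui object's first field must be `id: UID`, not `id: ID`, in all three `public struct ... has key { id: ID, ... }` declarations; the comment `// Shared objects are created via `public_share` is cut off mid-name and should at least name the same `share`/`public_share` functions that step 5 of the Extraction Strategy refers to; the Move-Specific Considerations list is numbered 1, 2, 4, 5; and "singletone" should read "singleton". Also the Access Control Classification table only has Owned and Shared rows, while step 6 introduces the `XCap` → X role rule and the code shows a shared `Pool` gated by `&AdminCap`; add rows for capability parameters so the table and the strategy agree.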
@@ -0,0 +1,155 @@
|
|
|
1
|
+
# Solana Entry Point Detection
|
|
2
|
+
|
|
3
|
+
## Entry Point Identification (State-Changing Only)
|
|
4
|
+
|
|
5
|
+
In Solana, most program instructions modify state. **Exclude** view-only patterns:
|
|
6
|
+
- Instructions that only read account data without `mut` references
|
|
7
|
+
- Pure computation functions that don't write to accounts
|
|
8
|
+
|
|
9
|
+
### Native Solana Programs
|
|
10
|
+
```rust
|
|
11
|
+
// Single entrypoint macro
|
|
12
|
+
entrypoint!(process_instruction);
|
|
13
|
+
|
|
14
|
+
pub fn process_instruction(
|
|
15
|
+
program_id: &Pubkey,
|
|
16
|
+
accounts: &[AccountInfo],
|
|
17
|
+
instruction_data: &[u8],
|
|
18
|
+
) -> ProgramResult {
|
|
19
|
+
// Dispatch to handlers based on instruction_data
|
|
20
|
+
}
|
|
21
|
+
```
|
|
22
|
+
|
|
23
|
+
### Anchor Framework
|
|
24
|
+
```rust
|
|
25
|
+
#[program]
|
|
26
|
+
mod my_program {
|
|
27
|
+
use super::*;
|
|
28
|
+
|
|
29
|
+
// Each pub fn is an entry point
|
|
30
|
+
pub fn initialize(ctx: Context<Initialize>) -> Result<()> { }
|
|
31
|
+
pub fn transfer(ctx: Context<Transfer>, amount: u64) -> Result<()> { }
|
|
32
|
+
}
|
|
33
|
+
```
|
|
34
|
+
|
|
35
|
+
### Entry Point Detection Rules
|
|
36
|
+
| Pattern | Include? | Notes |
|
|
37
|
+
|---------|----------|-------|
|
|
38
|
+
| `entrypoint!(fn_name)` | **Yes** | Native program entry |
|
|
39
|
+
| `pub fn` inside `#[program]` mod with `mut` accounts | **Yes** | Anchor state-changing |
|
|
40
|
+
| `pub fn` inside `#[program]` mod (view-only) | No | Exclude if no `mut` accounts |
|
|
41
|
+
| Functions in `processor.rs` matching instruction enum | **Yes** | Native pattern |
|
|
42
|
+
| Internal helper functions | No | Not externally callable |
|
|
43
|
+
|
|
44
|
+
## Access Control Patterns
|
|
45
|
+
|
|
46
|
+
### Anchor Constraints
|
|
47
|
+
```rust
|
|
48
|
+
#[derive(Accounts)]
|
|
49
|
+
pub struct AdminOnly<'info> {
|
|
50
|
+
#[account(mut)]
|
|
51
|
+
pub admin: Signer<'info>,
|
|
52
|
+
|
|
53
|
+
#[account(
|
|
54
|
+
constraint = config.admin == admin.key() @ ErrorCode::Unauthorized
|
|
55
|
+
)]
|
|
56
|
+
pub config: Account<'info, Config>,
|
|
57
|
+
}
|
|
58
|
+
```
|
|
59
|
+
|
|
60
|
+
### Common Access Control Patterns
|
|
61
|
+
| Pattern | Classification |
|
|
62
|
+
|---------|----------------|
|
|
63
|
+
| `constraint = X.admin == signer.key()` | Admin |
|
|
64
|
+
| `constraint = X.owner == signer.key()` | Owner |
|
|
65
|
+
| `constraint = X.authority == signer.key()` | Authority (Admin-level) |
|
|
66
|
+
| `constraint = X.governance == signer.key()` | Governance |
|
|
67
|
+
| `constraint = X.guardian == signer.key()` | Guardian |
|
|
68
|
+
| `has_one = admin` | Admin |
|
|
69
|
+
| `has_one = owner` | Owner |
|
|
70
|
+
| `has_one = authority` | Authority |
|
|
71
|
+
| `Signer` account with no constraints | Review Required |
|
|
72
|
+
|
|
73
|
+
### Native Access Control
|
|
74
|
+
```rust
|
|
75
|
+
// Check signer
|
|
76
|
+
if !accounts[0].is_signer {
|
|
77
|
+
return Err(ProgramError::MissingRequiredSignature);
|
|
78
|
+
}
|
|
79
|
+
|
|
80
|
+
// Check specific authority
|
|
81
|
+
if accounts[0].key != &expected_authority {
|
|
82
|
+
return Err(ProgramError::InvalidAccountData);
|
|
83
|
+
}
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
### Access Control Macros (Anchor)
|
|
87
|
+
```rust
|
|
88
|
+
#[access_control(is_admin(&ctx))]
|
|
89
|
+
pub fn admin_function(ctx: Context<AdminAction>) -> Result<()> { }
|
|
90
|
+
|
|
91
|
+
fn is_admin(ctx: &Context<AdminAction>) -> Result<()> {
|
|
92
|
+
require!(ctx.accounts.admin.key() == ADMIN_PUBKEY, Unauthorized);
|
|
93
|
+
Ok(())
|
|
94
|
+
}
|
|
95
|
+
```
|
|
96
|
+
|
|
97
|
+
## Contract-Only Detection (CPI Patterns)
|
|
98
|
+
|
|
99
|
+
### Cross-Program Invocation Sources
|
|
100
|
+
```rust
|
|
101
|
+
// Functions expected to be called via CPI
|
|
102
|
+
pub fn on_token_transfer(ctx: Context<TokenCallback>, amount: u64) -> Result<()> {
|
|
103
|
+
// Should verify calling program
|
|
104
|
+
require!(
|
|
105
|
+
ctx.accounts.calling_program.key() == expected_program::ID,
|
|
106
|
+
ErrorCode::InvalidCaller
|
|
107
|
+
);
|
|
108
|
+
}
|
|
109
|
+
```
|
|
110
|
+
|
|
111
|
+
### CPI Verification Patterns
|
|
112
|
+
```rust
|
|
113
|
+
// Verify CPI caller
|
|
114
|
+
let calling_program = ctx.accounts.calling_program.key();
|
|
115
|
+
require!(calling_program == &spl_token::ID, InvalidCaller);
|
|
116
|
+
|
|
117
|
+
// Check instruction sysvar for CPI
|
|
118
|
+
let ix = load_current_index_checked(&ctx.accounts.instruction_sysvar)?;
|
|
119
|
+
```
|
|
120
|
+
|
|
121
|
+
## Extraction Strategy
|
|
122
|
+
|
|
123
|
+
1. **Detect Framework**:
|
|
124
|
+
- Check `Cargo.toml` for `anchor-lang` → Anchor
|
|
125
|
+
- Check for `entrypoint!` macro → Native
|
|
126
|
+
|
|
127
|
+
2. **For Anchor**:
|
|
128
|
+
- Find `#[program]` module
|
|
129
|
+
- Extract all `pub fn` within it
|
|
130
|
+
- Parse `#[derive(Accounts)]` structs for constraints
|
|
131
|
+
|
|
132
|
+
3. **For Native**:
|
|
133
|
+
- Find instruction enum (usually in `instruction.rs`)
|
|
134
|
+
- Map variants to handler functions in `processor.rs`
|
|
135
|
+
- Check each handler for signer/authority checks
|
|
136
|
+
|
|
137
|
+
4. **Classify**:
|
|
138
|
+
- No authority constraints → Public (Unrestricted)
|
|
139
|
+
- `has_one`, `constraint` with authority → Role-based
|
|
140
|
+
- CPI-only patterns → Contract-Only
|
|
141
|
+
|
|
142
|
+
## Solana-Specific Considerations
|
|
143
|
+
|
|
144
|
+
1. **Account Validation**: Access control often via account constraints, not function-level
|
|
145
|
+
2. **PDA Authority**: Program Derived Addresses can act as authorities
|
|
146
|
+
3. **Signer vs Authority**: `Signer` alone doesn't mean admin—check what the signer controls
|
|
147
|
+
4. **Instruction Data**: Native programs dispatch based on instruction discriminator
|
|
148
|
+
|
|
149
|
+
## Common Gotchas
|
|
150
|
+
|
|
151
|
+
1. **Initialize Patterns**: `is_initialized` checks—first caller may set authority
|
|
152
|
+
2. **Upgrade Authority**: Programs can be upgraded—check upgrade authority
|
|
153
|
+
3. **Multisig**: Some operations require multiple signers
|
|
154
|
+
4. **CPI Safety**: Functions callable via CPI should verify calling program
|
|
155
|
+
5. **Freeze Authority**: Token accounts may have freeze authority
|
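Review bot: the CPI Verification Patterns block has two defects: `require!(calling_program == &spl_token::ID, InvalidCaller);` compares a `Pubkey` (the result of `.key()`) with `&Pubkey`, so the `&` must go, and `let ix = load_current_index_checked(&ctx.accounts.instruction_sysvar)?;` binds a `u16` instruction index, not an instruction, so either rename it or follow it with `load_instruction_at_checked(index, ...)` to fetch the instruction whose `program_id` is actually being checked. More important for the classification, the "verify calling program" pattern on lines 101-108 of the hunk is only as strong as the constraints on the `calling_program` account: a program cannot read its CPI caller from `ctx`, and an account whose key merely equals `expected_program::ID` can be supplied by any transaction, so the reference should say that this pattern alone does not establish Contract-Only and that step 4's "CPI-only patterns → Contract-Only" needs evidence from the instructions sysvar, or a PDA signer that only the calling program can produce via `invoke_signed`, before that label is applied. Minor: `require!(ctx.accounts.admin.key() == ADMIN_PUBKEY, Unauthorized);` should use the same `ErrorCode::Unauthorized` path as the rest of the file.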
package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/solidity.md
ADDED
|
@@ -0,0 +1,135 @@
|
|
|
1
|
+
# Solidity Entry Point Detection
|
|
2
|
+
|
|
3
|
+
## Entry Point Identification (State-Changing Only)
|
|
4
|
+
|
|
5
|
+
### Include: State-Changing Functions
|
|
6
|
+
```solidity
|
|
7
|
+
function name() external { } // State-changing entry point
|
|
8
|
+
function name() external payable { } // State-changing, receives ETH
|
|
9
|
+
function name() public { } // State-changing entry point
|
|
10
|
+
```
|
|
11
|
+
|
|
12
|
+
### Exclude: Read-Only Functions
|
|
13
|
+
```solidity
|
|
14
|
+
function name() external view { } // EXCLUDE - cannot modify state
|
|
15
|
+
function name() external pure { } // EXCLUDE - no state access
|
|
16
|
+
function name() public view { } // EXCLUDE - cannot modify state
|
|
17
|
+
```
|
|
18
|
+
|
|
19
|
+
### Visibility and Mutability Matrix
|
|
20
|
+
| Visibility | Mutability | Include? | Notes |
|
|
21
|
+
|------------|------------|----------|-------|
|
|
22
|
+
| `external` | (none) | **Yes** | State-changing entry point |
|
|
23
|
+
| `external` | `payable` | **Yes** | State-changing, receives ETH |
|
|
24
|
+
| `external` | `view` | No | Read-only, exclude |
|
|
25
|
+
| `external` | `pure` | No | No state access, exclude |
|
|
26
|
+
| `public` | (none) | **Yes** | State-changing entry point |
|
|
27
|
+
| `public` | `payable` | **Yes** | State-changing, receives ETH |
|
|
28
|
+
| `public` | `view` | No | Read-only, exclude |
|
|
29
|
+
| `public` | `pure` | No | No state access, exclude |
|
|
30
|
+
| `internal` | any | No | Not externally callable |
|
|
31
|
+
| `private` | any | No | Not externally callable |
|
|
32
|
+
|
|
33
|
+
### Special Entry Points
|
|
34
|
+
- `receive() external payable` — Receives plain ETH transfers
|
|
35
|
+
- `fallback() external` — Catches unmatched function calls
|
|
36
|
+
- `constructor()` — One-time initialization (not recurring entry point)
|
|
37
|
+
|
|
38
|
+
## Access Control Patterns
|
|
39
|
+
|
|
40
|
+
### OpenZeppelin Patterns
|
|
41
|
+
```solidity
|
|
42
|
+
// Ownable
|
|
43
|
+
modifier onlyOwner() { require(msg.sender == owner); }
|
|
44
|
+
|
|
45
|
+
// AccessControl
|
|
46
|
+
modifier onlyRole(bytes32 role) { require(hasRole(role, msg.sender)); }
|
|
47
|
+
|
|
48
|
+
// Common role constants
|
|
49
|
+
bytes32 public constant ADMIN_ROLE = keccak256("ADMIN_ROLE");
|
|
50
|
+
bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
|
|
51
|
+
bytes32 public constant PAUSER_ROLE = keccak256("PAUSER_ROLE");
|
|
52
|
+
```
|
|
53
|
+
|
|
54
|
+
### Common Modifier Names → Role Classification
|
|
55
|
+
| Modifier Pattern | Classification |
|
|
56
|
+
|------------------|----------------|
|
|
57
|
+
| `onlyOwner` | Admin/Owner |
|
|
58
|
+
| `onlyAdmin` | Admin |
|
|
59
|
+
| `onlyRole(ADMIN_ROLE)` | Admin |
|
|
60
|
+
| `onlyRole(GOVERNANCE_ROLE)` | Governance |
|
|
61
|
+
| `onlyGovernance` | Governance |
|
|
62
|
+
| `onlyGuardian` | Guardian |
|
|
63
|
+
| `onlyPauser`, `whenNotPaused` | Guardian/Pauser |
|
|
64
|
+
| `onlyMinter` | Minter |
|
|
65
|
+
| `onlyOperator` | Operator |
|
|
66
|
+
| `onlyKeeper` | Keeper |
|
|
67
|
+
| `onlyRelayer` | Relayer |
|
|
68
|
+
| `onlyStrategy`, `onlyStrategist` | Strategist |
|
|
69
|
+
| `onlyVault` | Contract-Only |
|
|
70
|
+
|
|
71
|
+
### Inline Access Control (Flag for Review)
|
|
72
|
+
```solidity
|
|
73
|
+
require(msg.sender == someAddress, "..."); // Check who someAddress is
|
|
74
|
+
require(authorized[msg.sender], "..."); // Dynamic authorization
|
|
75
|
+
require(whitelist[msg.sender], "..."); // Whitelist pattern
|
|
76
|
+
if (msg.sender != admin) revert(); // Inline admin check
|
|
77
|
+
```
|
|
78
|
+
|
|
79
|
+
## Contract-Only Detection
|
|
80
|
+
|
|
81
|
+
### Callback Functions
|
|
82
|
+
```solidity
|
|
83
|
+
// ERC token callbacks
|
|
84
|
+
function onERC721Received(...) external returns (bytes4)
|
|
85
|
+
function onERC1155Received(...) external returns (bytes4)
|
|
86
|
+
function onERC1155BatchReceived(...) external returns (bytes4)
|
|
87
|
+
|
|
88
|
+
// DeFi callbacks
|
|
89
|
+
function uniswapV3SwapCallback(...) external
|
|
90
|
+
function uniswapV3MintCallback(...) external
|
|
91
|
+
function pancakeV3SwapCallback(...) external
|
|
92
|
+
function algebraSwapCallback(...) external
|
|
93
|
+
|
|
94
|
+
// Flash loan callbacks
|
|
95
|
+
function onFlashLoan(...) external returns (bytes32)
|
|
96
|
+
function executeOperation(...) external returns (bool) // Aave
|
|
97
|
+
function receiveFlashLoan(...) external // Balancer
|
|
98
|
+
```
|
|
99
|
+
|
|
100
|
+
### Contract-Caller Checks
|
|
101
|
+
```solidity
|
|
102
|
+
require(msg.sender == address(pool), "..."); // Specific contract
|
|
103
|
+
require(msg.sender != tx.origin, "..."); // Must be contract
|
|
104
|
+
require(tx.origin != msg.sender); // No EOA calls
|
|
105
|
+
```
|
|
106
|
+
|
|
107
|
+
## Extraction Strategy
|
|
108
|
+
|
|
109
|
+
1. Parse all `.sol` files
|
|
110
|
+
2. For each contract/interface/abstract:
|
|
111
|
+
- Extract `external` and `public` functions
|
|
112
|
+
- **Skip** functions with `view` or `pure` modifiers
|
|
113
|
+
- Record function signature: `name(paramTypes)`
|
|
114
|
+
- Record line number
|
|
115
|
+
- Extract all modifiers applied
|
|
116
|
+
3. Classify by modifiers:
|
|
117
|
+
- No access modifiers → Public (Unrestricted)
|
|
118
|
+
- Known role modifier → Appropriate role category
|
|
119
|
+
- Inline `require(msg.sender...)` → Review Required
|
|
120
|
+
- Callback pattern → Contract-Only
|
|
121
|
+
|
|
122
|
+
## Inheritance Considerations
|
|
123
|
+
|
|
124
|
+
- Check parent contracts for modifier definitions
|
|
125
|
+
- A function may inherit access control from overridden function
|
|
126
|
+
- Abstract contracts may define modifiers used by children
|
|
127
|
+
- Interfaces define signatures but not access control
|
|
128
|
+
|
|
129
|
+
## Common Gotchas
|
|
130
|
+
|
|
131
|
+
1. **Initializers**: `initialize()` often has `initializer` modifier but may be unrestricted on first call
|
|
132
|
+
2. **Proxies**: Implementation contracts may have different access patterns than proxies
|
|
133
|
+
3. **Upgrades**: `upgradeTo()`, `upgradeToAndCall()` are high-privilege
|
|
134
|
+
4. **Multicall**: `multicall(bytes[])` allows batching—check what it can call
|
|
135
|
+
5. **Permit**: `permit()` functions enable gasless approvals—check EIP-2612 compliance
|
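Review bot: `whenNotPaused` in the row `| onlyPauser, whenNotPaused | Guardian/Pauser |` is a state gate, not an access check: it reverts while the contract is paused and is normally applied to fully public functions, so mapping it to Guardian/Pauser would mislabel unrestricted entry points; drop it from that row or list it separately as "no access restriction". Other points in the hunk: the modifier sketches `modifier onlyOwner() { require(msg.sender == owner); }` and `onlyRole` lack the `_;` placeholder, without which a Solidity modifier does not compile, so add it even in shorthand; lines 103 and 104 (`msg.sender != tx.origin` and `tx.origin != msg.sender`) are the same check listed twice, and because it only proves the caller is some contract rather than a specific one, it fits "Review Required" better than "Contract-Only"; and the Extraction Strategy extracts named `external`/`public` functions only, so `receive()` and `fallback()` from the Special Entry Points list will be missed unless step 2 names them explicitly.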