Cairo/StarkNet Vulnerability Scanner
Skill ActiveScans Cairo/StarkNet smart contracts for 6 critical vulnerabilities including felt252 arithmetic overflow, L1-L2 messaging issues, address conversion problems, and signature replay. Use when auditing StarkNet projects.
To automatically identify and report critical security vulnerabilities in Cairo smart contracts on StarkNet, aiding developers and auditors in securing their projects.
Features
- Scans for 6 critical Cairo/StarkNet vulnerabilities
- Analyzes L1-L2 messaging and contract addresses
- Detects arithmetic overflows and signature replay issues
- Provides detailed findings with locations and recommendations
- Supports Cairo 1.0+ contracts
Use Cases
- Auditing StarkNet smart contracts before deployment
- Reviewing L1-L2 bridge implementations for security flaws
- Validating cross-layer message handling logic
- Assessing signature verification mechanisms in StarkNet contracts
Non-Goals
- Performing dynamic analysis or fuzzing
- Auditing general Solidity or EVM-based smart contracts
- Replacing comprehensive manual security audits
- Providing a full-fledged IDE or development environment
Workflow
- Identify Cairo/StarkNet contracts
- Analyze for 6 critical vulnerability patterns
- Report findings with location and severity
- Provide recommended fixes
- Check L1-L2 interactions
Practices
- Security Auditing
- Smart Contract Development
- Static Analysis
Prerequisites
- Cairo 1.0+ project structure
- Python 3.8+ environment (for Caracal installation)
- pip package manager
Trust
- warning:Issues Attention13 issues opened and 4 closed in the last 90 days indicate a low closure rate, suggesting slower maintainer response.
Installation
First, add the marketplace
/plugin marketplace add trailofbits/skills/plugin install building-secure-contracts@trailofbitsQuality Score
Trust Signals
Similar Extensions
Soul Guardian
100Drift detection + baseline integrity guard for agent workspace files with automatic alerting support
Audit Dependency Versions
100Audit project dependencies for version staleness, security vulnerabilities, and compatibility issues. Covers lock file analysis, upgrade path planning, and breaking change assessment. Use before a release to ensure dependencies are current and secure, during periodic maintenance reviews, after receiving a security advisory, when upgrading to a new language version, before submitting to CRAN or npm, or when inheriting a project to assess its dependency health.
Codex Diff Develop
100Revisa el diff de la rama actual frente a develop en proyectos Drupal 11 siguiendo la metodología Codex (lógica de negocio, edge cases de hooks/queries, seguridad, performance, completitud). Genera un informe .md en la carpeta del IDE detectado (.antigravity/, .cursor/, .vscode/ o docs/) con hallazgos por severidad y soluciones accionables. Usar cuando el usuario pida "Revisión diff develop", "revisión diff develop", "diff develop", "revisar diff", "codex diff" o expresiones similares con intención de auditar cambios contra develop. Triggers: diff develop, codex diff, revisión diff, lint diff develop, auditar diff.
Investigate Capa Root Cause
100Investigate root causes and manage CAPAs (Corrective and Preventive Actions) for compliance deviations. Covers investigation method selection (5-Why, fishbone, fault tree), structured root cause analysis, corrective vs preventive action design, effectiveness verification, and trend analysis. Use when an audit finding requires a CAPA, when a deviation or incident occurs in a validated system, when a regulatory observation needs a formal response, when a data integrity anomaly requires investigation, or when recurring issues suggest a systemic root cause.
Toprank Weekly Review
100Run a weekly SEO review for one registered website, write audit artifacts, and choose the next best safe action.
Janitor Tokens
100Show how many context window tokens each skill consumes. Use when the user asks about token cost, context budget, skill size, or wants to know which skills waste the most context space.