cairo-auditor

Systematic Cairo/Starknet security audit workflow with deterministic preflight, parallel vector specialists, adversarial reasoning, and strict false-positive gating.

9 stars

Best use case

cairo-auditor is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using cairo-auditor should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/cairo-auditor/SKILL.md --create-dirs "https://raw.githubusercontent.com/cartridge-gg/nums/main/.agents/skills/cairo-auditor/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/cairo-auditor/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How cairo-auditor Compares

Feature / Agent            cairo-auditor    Standard Approach
Platform Support           Not specified    Limited / Varies
Context Awareness          High             Baseline
Installation Complexity    Unknown          N/A

SKILL.md Source

# Cairo Auditor

## When to Use

- Security review for Cairo/Starknet contracts before merge.
- Release-gate audits for account/session/upgrade critical paths.
- Triage of suspicious findings from CI, reviewers, or external reports.

## When NOT to Use

- Feature implementation tasks.
- Deployment-only ops.
- SDK/tutorial requests.

## Rationalizations to Reject

- "Tests passed, so it is secure."
- "This is normal in EVM, so Cairo is the same."
- "It needs admin privileges, so it is not a vulnerability."
- "We can ignore replay or nonce edges for now."

## Modes

- `default`: full in-scope scan with four specialist vector passes.
- `deep`: default + adversarial exploit-path pass.
- `targeted`: explicit file set, same validation gate, faster iteration.

## Quick Start

1. Open [workflows/default.md](workflows/default.md) for standard audits, or [workflows/deep.md](workflows/deep.md) for adversarial mode.
2. Load [agents/vector-scan.md](agents/vector-scan.md), [references/judging.md](references/judging.md), and [references/README.md](references/README.md).
3. Select attack-vector partitions from `references/attack-vectors/attack-vectors-1.md` through `references/attack-vectors/attack-vectors-4.md`.
4. Run the deterministic preflight on the target repo:

   ```bash
   python scripts/quality/audit_local_repo.py \
     --repo-root /path/to/repo \
     --scan-id local-audit
   ```

5. Format output using [references/report-formatting.md](references/report-formatting.md), then validate against `references/vulnerability-db/README.md`.

## Orchestration (4 Turns)

### Turn 1: Discover

1. Determine mode (`default`, `deep`, `targeted`).
2. Discover in-scope `.cairo` files; exclude tests/mocks/examples/vendor/generated paths.
3. Run deterministic preflight checks to identify likely classes (upgrade/auth/session/external-call).

### Turn 2: Prepare

1. Load specialist instructions and references:
   - [agents/vector-scan.md](agents/vector-scan.md)
   - [references/judging.md](references/judging.md)
   - [references/report-formatting.md](references/report-formatting.md)
2. Build four specialist bundles. Each bundle includes:
   - full in-scope Cairo code,
   - one vector partition:
     - `references/attack-vectors/attack-vectors-1.md`
     - `references/attack-vectors/attack-vectors-2.md`
     - `references/attack-vectors/attack-vectors-3.md`
     - `references/attack-vectors/attack-vectors-4.md`
3. Record line counts per bundle for parallel chunk-reading instructions.

### Turn 3: Spawn

1. Spawn 4 parallel vector specialists (one per bundle) following `agents/vector-scan.md`.
2. In `deep` mode, spawn [agents/adversarial.md](agents/adversarial.md) in parallel.
3. Each specialist must:
   - triage vectors (`Skip/Borderline/Survive`),
   - apply FP gate from [references/judging.md](references/judging.md),
   - output only findings formatted by [references/report-formatting.md](references/report-formatting.md).

### Turn 4: Report

1. Merge outputs.
2. Deduplicate by root cause (keep higher-confidence variant).
3. Run composability pass when multiple findings interact.
4. If Scarb/Sierra is available, run Sierra confirmation for CEI (checks-effects-interactions) and upgrade classes.
5. Sort by priority and confidence.
6. Emit actionable findings + required regression tests.

## Reporting Contract

Each finding must include:

- `class_id`
- `severity`
- `confidence`
- `entry_point`
- `attack_path`
- `guard_analysis`
- `affected_files`
- `recommended_fix`
- `required_tests`

## Evidence Priority

1. `references/vulnerability-db/`
2. `references/attack-vectors/`
3. `../datasets/normalized/findings/`
4. `../datasets/distilled/vuln-cards/`
5. `../evals/cases/`

## Output Rule

- Report only findings that pass FP gate.
- Findings with confidence `<75` may be listed as low-confidence notes without a fix block.
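The Turn 4 report step, the Reporting Contract and the Output Rule together define a small but exact pipeline: every specialist finding must carry the nine contract fields, only findings that passed the FP gate are reported, duplicates sharing a root cause collapse to the higher-confidence variant, results are sorted by priority and confidence, and anything under confidence 75 is demoted to a low-confidence note with no fix block. The following is an added example of that pipeline, not the cairo-auditor skill's own code. It assumes specialists emit findings as dicts with an extra `fp_gate_passed` boolean set during judging (assumed field name), that a root cause is identified by the pair `(class_id, entry_point)` (assumed dedupe key), and a severity ordering of critical > high > medium > low > info (assumed; the skill does not fix one). All class ids, entry points and file paths in the sample data are constructed placeholders.

```python
"""Turn 4 report assembly: merge, validate, gate, dedupe, sort, demote.

Added example (not cairo-auditor's own code). Assumptions: findings are
dicts carrying the Reporting Contract fields plus an `fp_gate_passed`
bool (assumed name); root cause == (class_id, entry_point) (assumed).
"""

# The nine fields the Reporting Contract requires on every finding.
REQUIRED_FIELDS = ("class_id", "severity", "confidence", "entry_point",
                   "attack_path", "guard_analysis", "affected_files",
                   "recommended_fix", "required_tests")

# Assumed severity ordering for the priority sort (higher = more urgent).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Output Rule: confidence <75 may only be listed as a note without a fix block.
LOW_CONFIDENCE_THRESHOLD = 75


def validate_contract(finding):
    """Return the Reporting Contract fields missing from `finding` (empty if complete)."""
    return [f for f in REQUIRED_FIELDS if f not in finding]


def dedupe_by_root_cause(findings):
    """Collapse findings with the same root cause, keeping the higher-confidence variant."""
    best = {}
    for f in findings:
        key = (f["class_id"], f["entry_point"])  # assumed root-cause key
        if key not in best or f["confidence"] > best[key]["confidence"]:
            best[key] = f
    return list(best.values())


def assemble_report(specialist_outputs):
    """Merge specialist outputs into (findings, low_confidence_notes, rejected).

    `rejected` records why a finding was dropped so the orchestrator can
    audit the gate itself, which a bare filtered list would hide.
    """
    merged = [f for out in specialist_outputs for f in out]
    rejected, complete = [], []
    for f in merged:
        missing = validate_contract(f)
        if missing:
            rejected.append((f.get("class_id", "?"), f"missing fields: {missing}"))
        elif not f.get("fp_gate_passed", False):
            rejected.append((f["class_id"], "failed FP gate"))
        else:
            complete.append(f)
    deduped = dedupe_by_root_cause(complete)
    # Sort by priority (severity rank) first, then by confidence, both descending.
    deduped.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], -1), f["confidence"]),
                 reverse=True)
    findings, notes = [], []
    for f in deduped:
        if f["confidence"] < LOW_CONFIDENCE_THRESHOLD:
            notes.append({k: v for k, v in f.items() if k != "recommended_fix"})
        else:
            findings.append(f)
    return findings, notes, rejected


def _make(class_id, severity, confidence, entry_point, gate=True):
    """Build a constructed, contract-complete sample finding (placeholder values)."""
    return {
        "class_id": class_id, "severity": severity, "confidence": confidence,
        "entry_point": entry_point,
        "attack_path": "constructed sample path",
        "guard_analysis": "constructed sample guard analysis",
        "affected_files": ["src/placeholder.cairo"],
        "recommended_fix": "constructed sample fix",
        "required_tests": ["test_placeholder"],
        "fp_gate_passed": gate,
    }


# Constructed sample outputs from four specialists; every id is a placeholder.
SAMPLE_OUTPUTS = [
    [_make("UPGRADE-PLACEHOLDER", "critical", 90, "upgrade"),
     _make("AUTH-PLACEHOLDER", "high", 60, "execute")],
    [_make("UPGRADE-PLACEHOLDER", "critical", 80, "upgrade"),   # same root cause, lower confidence
     _make("SESSION-PLACEHOLDER", "medium", 85, "validate_session")],
    [_make("CALL-PLACEHOLDER", "high", 95, "transfer", gate=False)],  # did not pass FP gate
    [{"class_id": "INCOMPLETE-PLACEHOLDER", "severity": "low"}],      # violates the contract
]

if __name__ == "__main__":
    findings, notes, rejected = assemble_report(SAMPLE_OUTPUTS)
    for f in findings:
        print("FINDING", f["class_id"], f["severity"], f["confidence"])
    for n in notes:
        print("NOTE   ", n["class_id"], n["confidence"], "fix block omitted")
    for r in rejected:
        print("REJECT ", *r)
```

Running it reports the confidence-90 upgrade finding and the session finding, demotes the confidence-60 auth finding to a note with its `recommended_fix` stripped, and lists the gate failure and the contract violation under rejections; the rejection log is the piece worth keeping in a real run, since it lets a reviewer check that the FP gate dropped what it should and nothing more.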

Related Skills

cairo-optimization (9 stars, from cartridge-gg/nums)

Improves Cairo performance after correctness is established, including hotspot profiling, arithmetic/loop optimization, and bounded-int hardening.

cairo-contract-authoring (9 stars, from cartridge-gg/nums)

Guides Cairo smart-contract authoring on Starknet with language fundamentals, safe structure choices, component composition, and implementation workflow references.

add-release-note (9 stars, from cartridge-gg/nums)

Add a new release note entry. Keeps the client data file and the docs MDX page in sync, and bumps the version so the in-game modal re-appears for all players.

account-abstraction (9 stars, from cartridge-gg/nums)

Starknet account abstraction correctness and security guidance for validate/execute paths, nonces, signatures, and session policies.

ui-ux-pro-max (9 stars, from cartridge-gg/nums)

UI/UX design intelligence for web and mobile. Includes 50+ styles, 161 color palettes, 57 font pairings, 161 product types, 99 UX guidelines, and 25 chart types across 10 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind, shadcn/ui, and HTML/CSS). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, and check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, and mobile app. Elements: button, modal, navbar, sidebar, card, table, form, and chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, and flat design. Topics: color systems, accessibility, animation, layout, typography, font pairing, spacing, interaction states, shadow, and gradient. Integrations: shadcn/ui MCP for component search and examples.

ui-architecture (9 stars, from cartridge-gg/nums)

UI component patterns for the Nums game client — Radix primitives, elements, containers, theming, Storybook conventions. Use when creating or modifying UI components, adding storybook stories, or working with the design system.

ui-architecture-icon (9 stars, from cartridge-gg/nums)

Add SVG icons to the Nums game client — convert SVG, create component, export, update storybook. Use when adding, modifying, or removing icon components.

shadcn (9 stars, from cartridge-gg/nums)

Manages shadcn components and projects — adding, searching, fixing, debugging, styling, and composing UI. Provides project context, component docs, and usage examples. Applies when working with shadcn/ui, component registries, presets, --preset codes, or any project with a components.json file. Also triggers for "shadcn init", "create an app with --preset", or "switch to --preset".

render-daily-replay (9 stars, from cartridge-gg/nums)

Auto-render a Remotion video replay of a Nums game on Mainnet. Resolves the target `gameId` from Torii (best reward of the day OR best score of the day, OR a specific gameId the user provides), silently auto-fetches the current NUMS price from Ekubo, then runs `pnpm remotion:render:game` with the right props. Use when the user asks to render today's top game, the daily winner, the biggest reward, the highest score, or any specific gameId, without having to assemble the render command by hand.

remotion-best-practices (9 stars, from cartridge-gg/nums)

Best practices for Remotion - Video creation in React

nums-remotion-replay (9 stars, from cartridge-gg/nums)

Project-specific skill for the Nums Remotion package that generates game replay videos by reusing the existing client React components. Covers the cross-package webpack setup, client-component overrides, Torii data fetching, font loading, render flow quirks, and hosting. Use when working on `remotion/` or the `SlidingNumber` component, adding new compositions, debugging font/animation issues, or setting up hosting for the Remotion Studio. Pairs with the generic `remotion-best-practices` skill.

dojo (9 stars, from cartridge-gg/nums)

Dojo Engine framework patterns — World, Systems, Models, Events, Components, Store, permissions, testing with spawn_test_world, and deployment with sozo.