program-security-basics
Baseline security checklist for Solana programs: authority checks, input validation, upgrade keys, unsafe patterns, and attack surfaces. Use for design reviews and pre-deploy audits.
Best use case
program-security-basics is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Baseline security checklist for Solana programs: authority checks, input validation, upgrade keys, unsafe patterns, and attack surfaces. Use for design reviews and pre-deploy audits.
Teams using program-security-basics should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/program-security-basics/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How program-security-basics Compares
| Feature / Agent | program-security-basics | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Baseline security checklist for Solana programs: authority checks, input validation, upgrade keys, unsafe patterns, and attack surfaces. Use for design reviews and pre-deploy audits.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Program Security Basics Role framing: You are a Solana security reviewer. Your goal is to catch common vulnerabilities before deployment. ## Initial Assessment - Program upgradeability status and key custody? - What assets/value does the program control? Token mints/vaults? - External dependencies via CPI? - Any privileged instructions or admin controls? ## Core Principles - Least privilege: minimize writable/signers; separate admin from user paths. - Validate everything: owners, mints, amounts, timestamps, duplicates, arithmetic overflow. - Never trust client-provided bumps/addresses; derive internally. - Use checked math; handle u64 overflows. - Logs should not leak secrets but should aid audits. ## Workflow 1) Authority model - Identify admin roles; ensure multisig/hardware; document revocation/transfer plan. 2) Account validation - Seeds, owners, signers, mints; uniqueness checks for duplicate accounts. 3) State integrity - Check invariants after mutation; avoid arbitrary realloc; zero-on-close if sensitive. 4) CPI safety - Restrict CPI targets; verify program IDs; pass minimal writable/signers; guard reentrancy via state flags when applicable. 5) Math and bounds - Use checked_add/sub/mul; cap inputs; validate decimals and price bounds. 6) Upgrades - If upgradeable, gate sensitive changes; log version; provide migration plan. 7) Testing - Fuzz/edge tests: overflow, duplicate accounts, replay attempts, CPI abuse. ## Templates / Playbooks - Security checklist table: item | status | evidence (test/log/line). - Admin actions pattern: require multisig + event emission. - Reentrancy guard: set status flag before CPI, clear after (when stateful operations allow). ## Common Failure Modes + Debugging - Missing ownership checks -> theft via arbitrary token accounts. - Insufficient signer checks on admin instructions. - Integer overflow on reward calculations; fix with checked math. - Upgrade authority leaked or lost; document custody and rotate. - CPI to untrusted program; whitelist IDs. ## Quality Bar / Validation - Completed checklist with evidence; admin keys documented. - Tests cover negative cases and boundary conditions. - Upgrades controlled and communicated; version logged. ## Output Format Provide security review notes: threat model, checklist results, findings with severity, and recommended fixes/tests. ## Examples - Simple: Config update ix missing signer check; add has_one authority and test. - Complex: Vault program allowing arbitrary CPI; add whitelist, reduce writable accounts, add reentrancy flag; document upgrade authority and multisig custody.
Related Skills
security-auditor
Activates when user needs security review, vulnerability scanning, or secure coding guidance. Triggers on "security review", "find vulnerabilities", "is this secure", "check for injection", "security audit", "OWASP", "secure this code", or security-related questions.
security-audit
Comprehensive security auditing workflow covering web application testing, API security, penetration testing, vulnerability scanning, and security hardening.
security-audit-scanner
Automated security scanning for Vigil Guard v2.0.0. Use for OWASP Top 10 checks, TruffleHog secret detection, npm/pip vulnerability scanning, 3-branch service security, heuristics-service audit, and CI/CD security pipelines.
security-audit-example
Example security audit skill demonstrating how to audit code for security vulnerabilities. Use when the user asks to perform security reviews, check for vulnerabilities, or audit code security.
security-audit-agent
Performs comprehensive security audits of codebases, identifying vulnerabilities and security best practices
security-assessment
Execute threat modeling, vulnerability scanning, and security control validation. Use when relevant to the task.
security
Security Engineer and application security expert. Performs threat modeling, security architecture review, penetration testing, vulnerability assessment, and security compliance. Handles OWASP Top 10, authentication security, authorization, encryption, secrets management, HTTPS/TLS, CORS, CSRF, XSS, SQL injection prevention, secure coding practices, security audits, and compliance (GDPR, HIPAA, PCI-DSS, SOC 2). Activates for security, security review, threat model, vulnerability, penetration testing, pen test, OWASP, authentication security, authorization, encryption, secrets, HTTPS, TLS, SSL, CORS, CSRF, XSS, SQL injection, secure coding, security audit, compliance, GDPR, HIPAA, PCI-DSS, SOC 2, security architecture, secrets management, rate limiting, brute force protection, session security, token security, JWT security, is this secure, security check, review security, find vulnerabilities, security scan, security test, hack proof, prevent hacking, protect from attacks, DDoS protection, bot protection, WAF, web application firewall, input validation, sanitize input, escape output, parameterized queries, prepared statements, password hashing, bcrypt, argon2, salt, pepper, secure password, password policy, MFA, 2FA, two factor, multi factor, OAuth security, OIDC, OpenID Connect, SAML, SSO security, API key security, Bearer token, refresh token rotation, token expiration, session hijacking, session fixation, clickjacking, open redirect, SSRF, XXE, insecure deserialization, broken access control, security misconfiguration, sensitive data exposure, insufficient logging, dependency vulnerability, npm audit, snyk, dependabot, CVE, security patch, zero day, security incident, data breach, data leak, privacy, data protection, encryption at rest, encryption in transit, key management, KMS, HSM, certificate management, cert rotation, security headers, CSP, Content Security Policy, X-Frame-Options, X-XSS-Protection, HSTS, Strict-Transport-Security.
security-analysis
Security audit patterns including OWASP Top 10, secret scanning, and language-specific vulnerabilities.
reviewing-security
Executes security design and implementation reviews with threat modeling, OWASP-based checks, and risk-ranked remediation guidance. Activates when reviewing security, threat modeling, checking for vulnerabilities, auditing auth flows, performing OWASP reviews, or assessing security posture. Does not handle code quality or test coverage (code-reviewer), writing production code (backend-developer or frontend-developer), or infrastructure deployment (devops).
redis-security
Master Redis security - authentication, ACL, TLS encryption, network hardening, and production security best practices
QE Security Compliance
Security auditing, vulnerability scanning, and compliance validation for OWASP, SOC2, GDPR, and other standards.
php-security-audit
Analyze a PHP web application or codebase for security vulnerabilities and OWASP compliance. Use when the user asks to audit, check, review, or analyze the security, vulnerabilities, OWASP compliance, or hardening of a PHP, Laravel, Kirby, Livewire, or Blade application. Also use when the user mentions "securite", "security", "OWASP", "injection SQL", "XSS", "CSRF", "faille", "vulnerabilite", "pentest", "hardening", "authentication", or "authorization". Specialized for PHP, Laravel, Kirby CMS, Livewire, Blade, Vite, Tailwind CSS, and SQL databases.