justpeppe/iota-move-security-audit
.agents/skills/iota-move-security-audit/SKILL.md
Activate when the user asks to audit, review for security, or check correctness of a Move package on IOTA. Produces a structured security report with passed checks, warnings, and critical issues.
testing
Updated Apr 17, 2026
$ install --global
skillsauthnpx skillsauth add justpeppe/IOTA-Project iota-move-security-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 8:59 PM2.1s1 file scanned
SKILL.md
- name:
- iota-move-security-audit
- description:
- >
- tags:
- [iota, move, security, audit, smart-contract, review]
- trigger:
- >
- Triggered by:
- audita questo codice", "è sicuro questo modulo?",
Goal
Audit a Move package for security vulnerabilities specific to IOTA's object model, capability system, and type safety. Output a structured, actionable report.
Audit Checklist
1. Object Model Integrity
- [ ] Every struct with
keyhasid: UIDas first field. - [ ]
object::new(ctx)is used for all UID creation (no hardcoded IDs). - [ ] Shared objects use
transfer::share_object, nottransfer::transfer. - [ ] Frozen objects are truly immutable and never passed as
&mut.
2. Capability Security
- [ ] Admin/capability structs are not publicly constructible.
- [ ] Capabilities are created only in
initor behind capability guards. - [ ]
AdminCapis transferred only to the deployer ininit. - [ ] No capability is stored inside a shared object.
3. Access Control
- [ ] Privileged
entryfunctions require a capability parameter. - [ ] Sender checks use
tx_context::sender(ctx)withassert!. - [ ] No function allows unauthorized mutation of shared objects.
4. Error Handling
- [ ] All
assert!use named constants, not bare numbers. - [ ] Every error constant has a unique value and descriptive name.
- [ ] No silent failures — errors abort explicitly.
5. One-Time Witness (OTW)
- [ ] OTW struct name matches module name in ALL_CAPS.
- [ ] OTW struct has no fields and only
dropability. - [ ] OTW is consumed immediately in
init(never stored).
6. Dynamic Fields & Shared Objects
- [ ]
dynamic_field::borrow/borrow_mutuse matching key types. - [ ] Shared registry objects are not accidentally deleted.
- [ ] Dynamic field
removeis only called when the object truly exits.
7. Arithmetic Safety
- [ ] No unchecked subtraction that could underflow.
- [ ] Bounds validated before arithmetic on user-supplied values.
8. Type-State Patterns
- [ ] Lifecycle transitions enforced with phantom types or separate structs, not runtime flags alone.
Output Format
## 🔐 Security Audit Report: `<module_name>`
**Audited by**: iota-move-security-audit skill
**Date**: <today>
### ✅ Passed Checks
- ...
### ⚠️ Warnings (non-critical, but improve)
- ...
### ❌ Critical Issues (must fix before deploy)
- **Issue**: description
**Location**: `function_name` line ~N
**Fix**: concrete code suggestion
### 📋 Recommendations
- ...
Constraints
- Always audit the entire module, not just the flagged function.
- Provide a concrete
Fix:for every critical issue with example code. - Do not mark a check as ✅ unless verified in the actual code.
- After the report, ask: "Vuoi che corregga automaticamente i critical issues?"
Related Skills
justpeppe/web-design-guidelines
development
VerifiedTrustedCommunity
Review UI code for Web Interface Guidelines compliance. Use when asked to "review my UI", "check accessibility", "audit design", "review UX", or "check my site against best practices".
SKILL.mdUpdated Apr 17, 2026
justpeppe/ui-visual-validator
development
VerifiedTrustedCommunity
Rigorous visual validation expert specializing in UI testing, design system compliance, and accessibility verification. Masters screenshot analysis, visual regression testing, and component validation. Use PROACTIVELY to verify UI modifications have achieved their intended goals through comprehensive visual analysis.
SKILL.mdUpdated Apr 17, 2026
justpeppe/ui-ux-pro-max
tools
VerifiedTrustedCommunity
UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 9 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind, shadcn/ui). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient. Integrations: shadcn/ui MCP for component search and examples.
SKILL.mdUpdated Apr 17, 2026
justpeppe/ui-ux-designer
tools
VerifiedTrustedCommunity
Create interface designs, wireframes, and design systems. Masters user research, accessibility standards, and modern design tools. Specializes in design tokens, component libraries, and inclusive design. Use PROACTIVELY for design systems, user flows, or interface optimization.
SKILL.mdUpdated Apr 17, 2026