keep-starknet-strange/account-abstraction
skills/account-abstraction/SKILL.md
Starknet account abstraction correctness and security guidance for validate/execute paths, nonces, signatures, and session policies.
$ install --global
skillsauthnpx skillsauth add keep-starknet-strange/starknet-agentic account-abstractionInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 6, 2026, 10:59 AM8.2s4 files scanned
SKILL.md
- name:
- account-abstraction
- description:
- Starknet account abstraction correctness and security guidance for validate/execute paths, nonces, signatures, and session policies.
- license:
- Apache-2.0
- metadata:
- {"author":"starknet-agentic","version":"0.1.1","org":"keep-starknet-strange","source":"starknet-agentic"}
- keywords:
- [starknet, account-abstraction, signatures, nonces, session-keys, policy]
- allowed-tools:
- [Bash, Read, Write, Glob, Grep, Task]
- user-invocable:
- true
Account Abstraction
When to Use
- Reviewing account contract validation and execution paths.
- Designing session-key policy boundaries.
- Validating nonce and signature semantics.
When NOT to Use
- General contract authoring not involving account semantics.
Quick Start
- Confirm
__validate__enforces lightweight, bounded checks. - Confirm
__execute__enforces policy and selector boundaries. - Verify replay protections (nonce/domain separation) for all signature paths.
- Add regression tests for each fixed session-key or policy finding.
- Run
cairo-auditorfor final AA/security pass before merge.
Core Focus
__validate__constraints and DoS resistance.__execute__policy enforcement correctness.- Replay protection and domain separation.
- Privileged selector and self-call protection.
Workflow
- Main account-abstraction workflow: default workflow
References
- Module index: references index
starknet.js Example
import { Account, CallData, RpcProvider } from "starknet";
const provider = new RpcProvider({ nodeUrl: process.env.STARKNET_RPC! });
const account = new Account(provider, process.env.ACCOUNT_ADDRESS!, process.env.PRIVATE_KEY!);
// Validate preview (debug-only): inspect __validate__ behavior with the current nonce.
const nonce = await account.getNonce();
const call = { contractAddress: process.env.TARGET!, entrypoint: "set_limit", calldata: CallData.compile({ value: 7 }) };
await provider.callContract({
contractAddress: account.address,
entrypoint: "__validate__",
calldata: CallData.compile({ calls: [call], nonce }),
});
// Execute path: real transaction that triggers __execute__ and nonce checks.
const tx = await account.execute([call]);
await provider.waitForTransaction(tx.transaction_hash);
Error Codes and Recovery
| Code | Condition | Recovery |
| --- | --- | --- |
| AA-001 | __validate__ is too expensive or stateful | Remove heavy logic from validation; add a test that caps validation steps. |
| AA-002 | __execute__ allows blocked selectors/self-calls | Enforce selector filters and self-call checks; add authorized/unauthorized regression tests. |
| AA-003 | Nonce or domain mismatch causes replay risk | Normalize nonce source/hash domain; add replay and cross-domain tests. |
| AA-999 | Unexpected runtime panic | Capture calldata + caller context, reproduce in unit tests, then escalate to cairo-auditor. |
Related Skills
keep-starknet-strange/snip-36
data-ai
VerifiedTrustedCommunity
SNIP-36 virtual block proving on Starknet. Trigger on "virtual block", "SNIP-36", "off-chain proof", "anonymous vote", "heavy computation off-chain", "prove a transaction". Covers Cairo virtual contract, proof server, starknet.js integration, and on-chain verification.
79SKILL.mdUpdated May 19, 2026
keep-starknet-strange/starkzap-sdk
development
VerifiedTrustedCommunity
Reference for integrating or maintaining applications built with keep-starknet-strange/starkzap, including StarkSDK setup, onboarding, wallet lifecycle, sponsored transactions, ERC20 flows, staking, and transaction builder usage.
79SKILL.mdUpdated Apr 6, 2026
keep-starknet-strange/starknet-wallet
testing
VerifiedTrustedCommunity
Create and manage Starknet wallets for AI agents. Transfer tokens, check balances, manage session keys, deploy accounts, and interact with smart contracts using native Account Abstraction.
79SKILL.mdUpdated Apr 6, 2026
keep-starknet-strange/starknet-mini-pay
development
VerifiedTrustedCommunity
Simple P2P payments on Starknet. Generate QR codes, payment links, invoices, and transfer ETH/STRK/USDC. Like Lightning, but native.
79SKILL.mdUpdated Apr 6, 2026