keep-starknet-strange/controller-cli
skills/controller-cli/SKILL.md
Guidance for installing and operating the Cartridge Controller CLI (`controller`) to create human-approved sessions and execute Starknet transactions with JSON output, explicit network selection, scoped policies, paymaster control, and error recovery.
$ install --global
skillsauthnpx skillsauth add keep-starknet-strange/starknet-agentic controller-cliInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 6, 2026, 10:59 AM7.9s4 files scanned
SKILL.md
- name:
- controller-cli
- description:
- Guidance for installing and operating the Cartridge Controller CLI (`controller`) to create human-approved sessions and execute Starknet transactions with JSON output, explicit network selection, scoped policies, paymaster control, and error recovery.
- license:
- Apache-2.0
- author:
- keep-starknet-strange
- version:
- 1.0.0
- org:
- keep-starknet-strange
- compatibility:
- controller-cli >=0.1.x, Python 3.8+
- user-invocable:
- true
Cartridge Controller CLI
Use this skill when you need to run the Cartridge Controller CLI (controller-cli) to create a scoped session (human-approved) and then execute Starknet transactions via that session.
When to Use
- Operating Cartridge Controller sessions with explicit network and least-privilege policies.
- Running
controllerorcontroller_safe.pyfor human-approved Starknet transactions.
When NOT to Use
- General Starknet scripting that does not rely on Cartridge Controller.
- Contract authoring, testing, deployment, or security audit workflows.
Related modules: skills catalog.
Non-Negotiable Rules
- Always pass
--jsonand treat outputs as JSON. - Always be explicit about network. Never rely on defaults:
--chain-id SN_MAIN|SN_SEPOLIA, or--rpc-url <explicit url>.
controller registerrequires human browser authorization. Do not automate/bypass it.- Use least-privilege policies only. Do not add token transfer permissions unless explicitly requested.
- Transaction links: use Voyager only:
- Mainnet:
https://voyager.online/tx/0x... - Sepolia:
https://sepolia.voyager.online/tx/0x...
- Mainnet:
Quick Start
curl -fsSL https://raw.githubusercontent.com/cartridge-gg/controller-cli/main/install.sh | bash
export PATH="$PATH:$HOME/.local/bin"
controller --version
Safer Wrapper (Recommended)
This skill includes a small wrapper that enforces the rules above and normalizes output:
python3 scripts/controller_safe.py status
python3 scripts/controller_safe.py register --preset loot-survivor --chain-id SN_MAIN
python3 scripts/controller_safe.py execute 0xCONTRACT entrypoint 0xCALLDATA --rpc-url https://api.cartridge.gg/x/starknet/sepolia
Behavior:
- Adds
--jsonif missing. - Refuses to run
call|execute|register|transactionwithout--chain-idor--rpc-url. - Parses stdout as JSON.
- If
.status == "error", printserror_code,message,recovery_hintand exits non-zero.
Deterministic Workflow
1) Generate Keypair
controller generate --json
The private key is stored locally (typically ~/.config/controller-cli/).
2) Check Session Status
controller status --json
Common states:
no_session(no keypair)keypair_only(needs registration)active(registered and not expired)
3) Register Session (Human Approval Required)
Requirement: a human must approve in a browser.
Option A (preferred): preset policies:
controller register --preset loot-survivor --chain-id SN_MAIN --json
Option B: least-privilege policy file:
controller register --file policy.json --rpc-url https://api.cartridge.gg/x/starknet/sepolia --json
Authorization output includes short_url and/or authorization_url:
- Display
short_urlif present; otherwise displayauthorization_url. - Ask the user to open it and approve.
- The CLI blocks until approved or timeout (typically ~6 minutes).
4) Execute Transaction
Single call (positional args: contract, entrypoint, calldata):
controller execute 0xCONTRACT transfer 0xRECIPIENT,0xAMOUNT_LOW,0xAMOUNT_HIGH \
--rpc-url https://api.cartridge.gg/x/starknet/sepolia \
--json
Multiple calls from file:
controller execute --file calls.json --rpc-url https://api.cartridge.gg/x/starknet/sepolia --json
Optional confirmation wait:
controller execute --file calls.json --rpc-url https://api.cartridge.gg/x/starknet/sepolia --wait --timeout 300 --json
5) Read-Only Call (No Session Needed)
controller call 0xCONTRACT balance_of 0xADDRESS --chain-id SN_SEPOLIA --json
6) Transaction Status
controller transaction 0xTX_HASH --chain-id SN_SEPOLIA --wait --timeout 300 --json
7) Lookup Usernames / Addresses
controller lookup --usernames alice,bob --json
controller lookup --addresses 0x123...,0x456... --json
Network Selection
Always be explicit about network.
Supported networks:
| Chain ID | RPC URL |
| --- | --- |
| SN_MAIN | https://api.cartridge.gg/x/starknet/mainnet |
| SN_SEPOLIA | https://api.cartridge.gg/x/starknet/sepolia |
Priority order:
--rpc-urlflag- Stored session RPC URL (from registration)
- Config default (lowest)
If network is ambiguous:
- Run
controller status --json - Match the session
chain_id, or ask the user
Paymaster Control
Default behavior uses the paymaster (free execution). If the paymaster is unavailable, the transaction fails (no silent fallback).
To self-pay with user funds:
controller execute ... --no-paymaster --json
Amount Encoding (u256)
Many ERC20-style amounts are u256 split into (low, high) u128 limbs.
For values that fit in u128 (most cases): set high = 0x0.
Example calldata:
0xRECIPIENT,0x64,0x0
Error Handling
Errors are JSON:
{
"status": "error",
"error_code": "ErrorType",
"message": "...",
"recovery_hint": "..."
}
Always branch on error_code and follow recovery_hint.
Common recoveries:
NoSession: runcontroller generate --jsonSessionExpired: re-runcontroller register ... --jsonManualExecutionRequired: policy does not authorize the call; tighten/adjust policy and re-registerCallbackTimeout: user did not approve quickly enough; re-runregisterand retry
Input Validation
Addresses must be 0x-prefixed hex.
python3 scripts/validate_hex_address.py 0xabc...
Related Skills
keep-starknet-strange/snip-36
data-ai
VerifiedTrustedCommunity
SNIP-36 virtual block proving on Starknet. Trigger on "virtual block", "SNIP-36", "off-chain proof", "anonymous vote", "heavy computation off-chain", "prove a transaction". Covers Cairo virtual contract, proof server, starknet.js integration, and on-chain verification.
79SKILL.mdUpdated May 19, 2026
keep-starknet-strange/starkzap-sdk
development
VerifiedTrustedCommunity
Reference for integrating or maintaining applications built with keep-starknet-strange/starkzap, including StarkSDK setup, onboarding, wallet lifecycle, sponsored transactions, ERC20 flows, staking, and transaction builder usage.
79SKILL.mdUpdated Apr 6, 2026
keep-starknet-strange/starknet-wallet
testing
VerifiedTrustedCommunity
Create and manage Starknet wallets for AI agents. Transfer tokens, check balances, manage session keys, deploy accounts, and interact with smart contracts using native Account Abstraction.
79SKILL.mdUpdated Apr 6, 2026
keep-starknet-strange/starknet-mini-pay
development
VerifiedTrustedCommunity
Simple P2P payments on Starknet. Generate QR codes, payment links, invoices, and transfer ETH/STRK/USDC. Like Lightning, but native.
79SKILL.mdUpdated Apr 6, 2026