plamentsv/config-correctness
agents/skills/injectable/l1/config-correctness/SKILL.md
L1 trigger - audits configuration constants, documented bounds, feature-gated values, and unused protocol limits for semantic drift.
$ install --global
skillsauthnpx skillsauth add plamentsv/plamen config-correctnessInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 14, 2026, 5:35 AM180.7s1 file scanned
SKILL.md
- name:
- config-correctness
- description:
- L1 trigger - audits configuration constants, documented bounds, feature-gated values, and unused protocol limits for semantic drift.
Injectable Skill: Config Correctness
L1 trigger:
L1_PATTERN=trueAND (config/ORsettingsORconstantsORDEFAULT_ORMAX_ORMIN_OR protocol docs/comments detected) Inject Into:depth-edge-case,depth-state-traceLanguage: Go and Rust Finding prefix:[CFG-N]
Purpose
Configuration bugs are often single-line semantic drift: a limit exists but is not used, a default is testnet-only but ships in production, a doc comment says one bound while code enforces another, or a feature flag changes protocol-visible enum values. This skill is a bounded enumeration pass, not a new agent.
1. Configuration Inventory
Build a table of security-relevant constants and runtime config fields:
| Config/Constant | Declared Value | Documented Value / Comment | Runtime Use Sites | Verdict | |-----------------|----------------|-----------------------------|-------------------|---------|
Include:
DEFAULT_*,MAX_*,MIN_*,*_LIMIT,*_TIMEOUT,*_INTERVAL,*_FACTOR;- chain parameters, genesis/testnet/mainnet defaults, peer/network limits, RPC limits, difficulty/EMA/oracle knobs;
- feature-flag or platform-conditional values that affect serialization, consensus, object layout, or API output.
2. Required Checks
For each row:
- Doc/code drift: compare the declared value with nearby comments, docs, config examples, and protocol constants.
- Unused limit: if a max/min/factor exists, find the enforcement site. If no enforcement path exists, flag it.
- Network-mode drift: verify testnet/devnet defaults cannot silently apply to production mode.
- Unit drift: verify seconds vs milliseconds, bytes vs chunks, slots vs blocks, and percentage vs basis-point units.
- Feature/platform drift: verify feature flags or OS-specific types do not change externally visible enum values, byte layout, consensus fields, or API semantics.
- Boundary effect: substitute the configured min/max/equality point into the function that consumes it.
Tag evidence as [CFG-DOC-DRIFT:{file}:{line}], [CFG-UNUSED-LIMIT:{file}:{line}], [CFG-UNIT:{file}:{line}], or [CFG-FEATURE-DRIFT:{file}:{line}].
3. Non-Finding Rules
Do not report harmless style differences. A config finding needs at least one concrete consequence: consensus divergence, DoS, stale security bound, unexpected production exposure, cross-platform incompatibility, or user/API misbehavior.
4. Output
Use normal finding format. If no finding exists, still emit the inventory table with SAFE rows and concrete file:line evidence for the checked constants.
Related Skills
plamentsv/audit-prep
development
VerifiedTrustedCommunity
Prepare Solidity projects for a security audit — test coverage, test quality, NatSpec docs, code hygiene, dependency health, best-practice enforcement, deployment readiness, and project documentation checks. Generates a scored Audit Readiness Report and optionally runs static analysis. Trigger on: "prepare for audit", "audit readiness", "pre-audit check", "audit prep", "NatSpec check", or any request to review a Solidity codebase before a security review.
225SKILL.mdUpdated May 14, 2026
plamentsv/plamen
development
VerifiedTrustedCommunity
Launch the Plamen deterministic Web3 security audit pipeline
225SKILL.mdUpdated May 14, 2026
plamentsv/plamen-wizard
development
VerifiedTrustedCommunity
Run the Plamen smart-contract audit wizard in Codex
225SKILL.mdUpdated May 14, 2026
plamentsv/plamen-l1
testing
VerifiedTrustedCommunity
Launch the Plamen deterministic L1 infrastructure audit pipeline
225SKILL.mdUpdated May 14, 2026