Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

plamentsv/external-precondition-audit

Name: external-precondition-audit
Author: plamentsv

agents/skills/aptos/external-precondition-audit/SKILL.md

npx skillsauth add plamentsv/plamen external-precondition-audit

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

EXTERNAL_PRECONDITION_AUDIT Skill

Trigger Pattern: Any external module interaction detected in attack_surface.md Inject Into: Breadth agents (merged via M5 hierarchy) Constraint: Interface-level inference only -- no production fetch required

For every external module the protocol interacts with:

1. Interface-Level Requirement Inference

From the use imports and function calls to external modules, infer what the external module requires:

| External Function Called | Module::Function | Parameters Passed | Likely Preconditions (from signature + abort codes) | Our Protocol Validates? | |--------------------------|-----------------|-------------------|-----------------------------------------------------|------------------------|

Inference method: Read the function signature, type parameters, ability constraints, and abort conditions. Example: coin::withdraw<CoinType>(account: &signer, amount: u64) -> infer that account must have sufficient balance, CoinType must be initialized, amount must be > 0. Check abort codes in framework source if available.

Aptos-specific patterns:

&signer parameters: does external module require the signer to own a specific resource?
Generic type parameters <T>: does external module require T to be registered/initialized?
Object<T> parameters: does external module validate object ownership or type?
Abort conditions: enumerate all assert! / abort in external function that could revert our call

2. Return Value Consumption

| External Call | Return Type | How Protocol Uses Return | Failure Mode if Return Unexpected | |--------------|-------------|-------------------------|----------------------------------|

For each return value:

What happens if it returns 0? What happens if it returns MAX_U64?
What happens if the external call aborts?
For Option<T> returns: does our protocol handle none correctly?
For FungibleAsset returns: is metadata validated after receiving?
For Object<T> returns: is the object type verified before use?
For each external data structure received (Vec, array, Map, list): (a) What ordering/uniqueness does the consuming code assume? (b) Does the external contract's spec guarantee that ordering? (c) What happens if the assumption is violated (unsorted, duplicates, gaps)?

3. State Dependency Mapping

| Protocol State | Depends on External State | External Module Upgradeable? | State Can Change Without Our Knowledge? | |---------------|--------------------------|-----------------------------|-----------------------------------------|

For each dependency:

Upgrade risk: Aptos modules are upgradeable by default (compatible policy). Can the external module add new abort conditions to a function we call? Can it change return value semantics within compatible upgrade bounds?
Immutability check: Is the external module published as immutable? If so, behavior is frozen.
State mutation timing: Can external module state change between our module's read and use within the same transaction? (e.g., another instruction in a multi-instruction transaction modifies external state)
Framework dependency: If depending on aptos_framework modules, are there governance-controlled parameters that could change? (e.g., transaction_fee, staking_config)

Instantiation Parameters

{CONTRACTS}           -- List of modules to analyze
{EXTERNAL_MODULES}    -- External modules identified during recon
{FRAMEWORK_DEPS}      -- aptos_framework / aptos_std / aptos_token dependencies

Output Schema

For each finding:

## Finding [EP-N]: Title

**Verdict**: CONFIRMED / PARTIAL / REFUTED / CONTESTED
**Step Execution**: S1,S2,S3 | X(reasons) | ?(uncertain)
**Rules Applied**: [R1:Y, R4:Y, R8:Y]
**Severity**: Critical/High/Medium/Low/Info
**Location**: module::function (source_file.move:LineN)

**External Dependency**: {module::function}
**Failure Mode**: {what breaks}

**Description**: What's wrong
**Impact**: What can happen (abort DoS, wrong state, fund loss)
**Evidence**: Code showing dependency and missing validation

Step Execution Checklist

| Section | Required | Completed? | |---------|----------|------------| | 1. Interface-Level Requirement Inference | YES | Y/N/? | | 2. Return Value Consumption | YES | Y/N/? | | 3. State Dependency Mapping | YES | Y/N/? |

plamentsv/external-precondition-audit

agents/skills/aptos/external-precondition-audit/SKILL.md

Trigger Pattern Any external module interaction detected in attack_surface.md - Inject Into Breadth agents (merged via M5 hierarchy)

225 stars

testing

Updated May 14, 2026

$ install --global

skillsauth

npx skillsauth add plamentsv/plamen external-precondition-audit

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 14, 2026, 5:27 AM162.5s1 file scanned

SKILL.md

name:: external-precondition-audit
description:: Trigger Pattern Any external module interaction detected in attack_surface.md - Inject Into Breadth agents (merged via M5 hierarchy)

EXTERNAL_PRECONDITION_AUDIT Skill

Trigger Pattern: Any external module interaction detected in attack_surface.md Inject Into: Breadth agents (merged via M5 hierarchy) Constraint: Interface-level inference only -- no production fetch required

For every external module the protocol interacts with:

1. Interface-Level Requirement Inference

From the use imports and function calls to external modules, infer what the external module requires:

Aptos-specific patterns:

&signer parameters: does external module require the signer to own a specific resource?
Generic type parameters <T>: does external module require T to be registered/initialized?
Object<T> parameters: does external module validate object ownership or type?
Abort conditions: enumerate all assert! / abort in external function that could revert our call

2. Return Value Consumption

| External Call | Return Type | How Protocol Uses Return | Failure Mode if Return Unexpected | |--------------|-------------|-------------------------|----------------------------------|

For each return value:

What happens if it returns 0? What happens if it returns MAX_U64?
What happens if the external call aborts?
For Option<T> returns: does our protocol handle none correctly?
For FungibleAsset returns: is metadata validated after receiving?
For Object<T> returns: is the object type verified before use?
For each external data structure received (Vec, array, Map, list): (a) What ordering/uniqueness does the consuming code assume? (b) Does the external contract's spec guarantee that ordering? (c) What happens if the assumption is violated (unsorted, duplicates, gaps)?

3. State Dependency Mapping

For each dependency:

Upgrade risk: Aptos modules are upgradeable by default (compatible policy). Can the external module add new abort conditions to a function we call? Can it change return value semantics within compatible upgrade bounds?
Immutability check: Is the external module published as immutable? If so, behavior is frozen.
State mutation timing: Can external module state change between our module's read and use within the same transaction? (e.g., another instruction in a multi-instruction transaction modifies external state)
Framework dependency: If depending on aptos_framework modules, are there governance-controlled parameters that could change? (e.g., transaction_fee, staking_config)

Instantiation Parameters

{CONTRACTS}           -- List of modules to analyze
{EXTERNAL_MODULES}    -- External modules identified during recon
{FRAMEWORK_DEPS}      -- aptos_framework / aptos_std / aptos_token dependencies

Output Schema

For each finding:

## Finding [EP-N]: Title

**Verdict**: CONFIRMED / PARTIAL / REFUTED / CONTESTED
**Step Execution**: S1,S2,S3 | X(reasons) | ?(uncertain)
**Rules Applied**: [R1:Y, R4:Y, R8:Y]
**Severity**: Critical/High/Medium/Low/Info
**Location**: module::function (source_file.move:LineN)

**External Dependency**: {module::function}
**Failure Mode**: {what breaks}

**Description**: What's wrong
**Impact**: What can happen (abort DoS, wrong state, fund loss)
**Evidence**: Code showing dependency and missing validation

Step Execution Checklist

Related Skills

plamentsv/audit-prep

development

VerifiedTrustedCommunity

Prepare Solidity projects for a security audit — test coverage, test quality, NatSpec docs, code hygiene, dependency health, best-practice enforcement, deployment readiness, and project documentation checks. Generates a scored Audit Readiness Report and optionally runs static analysis. Trigger on: "prepare for audit", "audit readiness", "pre-audit check", "audit prep", "NatSpec check", or any request to review a Solidity codebase before a security review.

225SKILL.mdUpdated May 14, 2026

plamentsv/plamen

development

VerifiedTrustedCommunity

Launch the Plamen deterministic Web3 security audit pipeline

225SKILL.mdUpdated May 14, 2026

plamentsv/plamen-wizard

development

VerifiedTrustedCommunity

Run the Plamen smart-contract audit wizard in Codex

225SKILL.mdUpdated May 14, 2026

plamentsv/plamen-wizard

plamentsv/plamen-l1

testing

VerifiedTrustedCommunity

Launch the Plamen deterministic L1 infrastructure audit pipeline

225SKILL.mdUpdated May 14, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/plamentsv/plamen.git

# Copy into Claude Code skills folder (global)
cp -r plamen/agents/skills/aptos/external-precondition-audit ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

plamentsv/plamen

225 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT