plamentsv/move-safety-core-directives
agents/skills/aptos/move-safety-core-directives/SKILL.md
Lightweight core directives for Aptos Move always-required skills — injected into every breadth agent. Full methodology lives in the dedicated Move-Safety Agent.
$ install --global
skillsauthnpx skillsauth add plamentsv/plamen move-safety-core-directivesInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 14, 2026, 5:28 AM142.2s1 file scanned
SKILL.md
- name:
- move-safety-core-directives
- description:
- Lightweight core directives for Aptos Move always-required skills — injected into every breadth agent. Full methodology lives in the dedicated Move-Safety Agent.
- type:
- core-directive
Move Safety Core Directives (Aptos)
Purpose: These are the INVENTORY + FLAG directives extracted from the 4 always-required Aptos skills (ABILITY_ANALYSIS, BIT_SHIFT_SAFETY, TYPE_SAFETY, REF_LIFECYCLE). Every breadth agent receives these to flag Move-specific patterns for depth review. The full trace methodology lives in the dedicated Move-Safety Agent (spawned separately). Total: ~130 lines (vs ~950 lines for 4 full skills)
1. Ability Inventory (from ABILITY_ANALYSIS)
Enumerate ALL structs. For each:
| Struct | Module | Abilities | Value-Bearing? | Obligation? | Excess Abilities? | |--------|--------|-----------|---------------|-------------|------------------|
Flag for depth review:
- Struct with
copythat represents economic value (Coin, LP token, shares) → [FLAG:ABILITY-COPY-VALUE] - Struct with
dropthat represents an obligation (receipt, lock, flash loan) → [FLAG:ABILITY-DROP-OBLIGATION] - Struct with
key + storethat should be non-transferable → [FLAG:ABILITY-EXCESS-STORE] - Struct WITHOUT
dropthat has no explicit consumption path → [FLAG:ABILITY-STUCK-VALUE]
2. Bit Shift Inventory (from BIT_SHIFT_SAFETY)
GREP: Search all .move files for << and >>.
For each shift operation:
| Location | Operand Type | Bit Width | Shift Amount Source | User-Controllable? | Bounded? | |----------|-------------|-----------|--------------------|--------------------|----------|
Flag for depth review:
- Shift amount is user-controllable or computed AND unbounded → [FLAG:SHIFT-UNBOUND]
- Shift amount is constant but >= bit width → [FLAG:SHIFT-OVERFLOW-CONST]
- Shift in public/entry function with external input path → [FLAG:SHIFT-EXTERNAL]
3. Generic Type Inventory (from TYPE_SAFETY)
GREP: Search all .move files for fun .*< to find every generic function.
For each generic function:
| Function | Module | Type Params | Constraints | Entry? | Creates/Destroys T? | |----------|--------|-------------|-------------|--------|---------------------|
Flag for depth review:
- Generic function accepting
Coin<T>orFungibleAssetwithout verifying T matches expected type → [FLAG:TYPE-COIN-CONFUSION] - Generic with only
storeconstraint wherekeyor specific type is needed → [FLAG:TYPE-WEAK-CONSTRAINT] - Generic entry function callable by anyone with attacker-chosen type → [FLAG:TYPE-ATTACKER-CHOSEN]
- Phantom type parameter used for access control without runtime verification → [FLAG:TYPE-PHANTOM-GUARD]
4. Ref Lifecycle Inventory (from REF_LIFECYCLE)
GREP: Search for ConstructorRef|TransferRef|MintRef|BurnRef|DeleteRef|ExtendRef|generate_mint_ref|generate_burn_ref|generate_transfer_ref.
For each Ref:
| Ref Type | Created In | Stored Where | Access Control | Public Access? | |----------|-----------|-------------|---------------|----------------|
Flag for depth review:
- MintRef/BurnRef/TransferRef stored in a resource with public accessor → [FLAG:REF-LEAK]
- ConstructorRef used to generate multiple Ref types (MintRef + BurnRef + TransferRef) in same function → [FLAG:REF-OVER-GENERATION]
- ExtendRef stored anywhere (grants signer capability to object) → [FLAG:REF-EXTEND-STORED]
- Any Ref type returned from a public/public(friend) function → [FLAG:REF-RETURNED]
- DeleteRef exists but object holds Balance/FungibleStore → [FLAG:REF-DELETE-WITH-VALUE]
Self-Check
Before completing analysis, verify you produced inventories for ALL 4 sections above. Missing inventories = missing coverage for Move-specific vulnerability classes.
Related Skills
plamentsv/audit-prep
development
VerifiedTrustedCommunity
Prepare Solidity projects for a security audit — test coverage, test quality, NatSpec docs, code hygiene, dependency health, best-practice enforcement, deployment readiness, and project documentation checks. Generates a scored Audit Readiness Report and optionally runs static analysis. Trigger on: "prepare for audit", "audit readiness", "pre-audit check", "audit prep", "NatSpec check", or any request to review a Solidity codebase before a security review.
225SKILL.mdUpdated May 14, 2026
plamentsv/plamen
development
VerifiedTrustedCommunity
Launch the Plamen deterministic Web3 security audit pipeline
225SKILL.mdUpdated May 14, 2026
plamentsv/plamen-wizard
development
VerifiedTrustedCommunity
Run the Plamen smart-contract audit wizard in Codex
225SKILL.mdUpdated May 14, 2026
plamentsv/plamen-l1
testing
VerifiedTrustedCommunity
Launch the Plamen deterministic L1 infrastructure audit pipeline
225SKILL.mdUpdated May 14, 2026