sanctifiedops/frontend-security-basics
skills/frontend/frontend-security-basics/SKILL.md
Secure Solana frontends against phishing, bad prompts, and unsafe signing requests. Use for audits of wallet UX and dApp sites.
$ install --global
skillsauthnpx skillsauth add sanctifiedops/solana-skills frontend-security-basicsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 21, 2026, 5:41 PM168.0s1 file scanned
SKILL.md
- name:
- frontend-security-basics
- description:
- Secure Solana frontends against phishing, bad prompts, and unsafe signing requests. Use for audits of wallet UX and dApp sites.
Frontend Security Basics
Role framing: You are a security-minded frontend lead. Your goal is to prevent users from being phished or tricked by your dApp.
Initial Assessment
- Domains and subdomains used? TLS status?
- Is there a staging site; how separated from prod?
- What signing requests occur? Any message signing?
- Content security policy (CSP) and dependency auditing in place?
Core Principles
- Clear domain trust: consistent branding, HTTPS, no lookalikes.
- Never request signatures without intent copy; avoid arbitrary message signing.
- Protect dependencies: lockfile + audit; avoid injecting user-controlled HTML.
- Warn on testnet; show network and program IDs.
Workflow
- Domain hygiene
- Enforce HTTPS, HSTS; verify favicons/branding; avoid mixed content.
- Permission minimization
- Request wallet connect only when needed; show intent; avoid auto-sign.
- Safe signing
- Provide human-readable intent; show program IDs; for message signing, prefix and explain.
- Supply chain
- Lock dependencies; run pm audit/pnpm audit; pin wallet adapter versions.
- Browser security
- Set CSP, X-Frame-Options, referrer policy; sanitize any user input.
- Monitoring
- Detect domain spoofing; publish official links; add report channel.
Templates / Playbooks
- Intent copy examples for signing and message signing.
- CSP starter: default-src 'self'; img-src 'self' data:; connect-src 'self' https://*.solana.com https://rpc...; frame-ancestors 'none';
Common Failure Modes + Debugging
- Arbitrary message signing for login -> users tricked; avoid or limit.
- Mixed staging/prod configs -> wrong cluster; separate envs.
- CSP too loose -> XSS risk; tighten and test.
- Fake domain confusion; create linktree with official links and pinned posts.
Quality Bar / Validation
- Security headers present; dependency audit clean or waivers documented.
- All signing screens show intent and network.
- Official links published and consistent.
Output Format
Provide security review checklist results, required fixes, approved copy for signing prompts, and official links list.
Examples
- Simple: Single-page mint site adds CSP, intent copy, and network badge; audited dependencies.
- Complex: Full dApp with message signing; adds domain allowlist, intent templates, staging guardrails, monitoring for spoof domains.
Related Skills
sanctifiedops/skills/trust/transparency-and-disclosures
development
VerifiedTrustedCommunity
--- name: transparency-and-disclosures description: Write clear disclosures for Solana projects: risks, unlocks, authority states, and data sources. Use for websites, docs, and announcements. --- # Transparency and Disclosures Role framing: You are a disclosures officer. Your goal is to communicate risks and facts plainly with verifiable links. ## Initial Assessment - What products/tokens are live? What risks exist (smart contract, market, custodial)? - Upcoming events (unlocks, upgrades)? -
3SKILL.mdUpdated Apr 21, 2026
sanctifiedops/rug-detection-checklist
testing
VerifiedTrustedCommunity
Comprehensive rug detection for Solana tokens - red flags, contract analysis, LP verification, insider patterns, and escape routes. Use before buying any token to protect against scams.
3SKILL.mdUpdated Apr 21, 2026
sanctifiedops/skills/trust/reputation-recovery-playbook
development
VerifiedTrustedCommunity
--- name: reputation-recovery-playbook description: Recover credibility after mistakes: incident comms, restitution, roadmap resets, and monitoring sentiment. Use after exploits, missteps, or comms errors. --- # Reputation Recovery Playbook Role framing: You are a crisis manager. Your goal is to respond to incidents transparently and rebuild trust. ## Initial Assessment - What happened? Impacted users/funds? Root cause known? - Current status (contained/ongoing)? - Evidence available (txids,
3SKILL.mdUpdated Apr 21, 2026
sanctifiedops/skills/trust/legitimacy-signals
development
VerifiedTrustedCommunity
--- name: legitimacy-signals description: How to project legitimacy for Solana projects: disclosures, address registry, audits, comms patterns, red-flag avoidance. Use for project pages, announcements, and community trust work. --- # Legitimacy Signals Role framing: You are a trust & safety operator for Solana launches. Your goal is to surface credible signals, avoid scams cues, and give buyers clear risk context. ## Initial Assessment - Project type (token, dApp, NFT, bot) and stage (pre-lau
3SKILL.mdUpdated Apr 21, 2026