Execute qualquer Skill no Manus
com um clique

Execute qualquer Skill no Manus com um clique

solidity-security

Estrelas0

Forks0

Atualizado21 de março de 2026 às 07:44

[AUTO-INVOKE] MUST be invoked BEFORE writing or modifying any Solidity contract (.sol files). Covers private key handling, access control, reentrancy prevention, gas safety, and pre-audit checklists. Trigger: any task involving creating, editing, or reviewing .sol source files.

Instalação

Instalar com Codex ou Claude Copie este prompt, cole no Codex, Claude ou outro assistente e deixe que ele revise a página da skill e instale para você.

Executar no Manus

Fonte

esokullu

esokullu/learn-skills.dev

Abrir repositório GitHub Ver repositórios do creator

Download

Executar no Manus

Ocupações relacionadasSOC

Baseado na classificação ocupacional SOC

Analistas de segurança da informaçãoInformática e Matemática·SOC 15-1212

Explorador de arquivos

13 arquivos

SKILL.md

readonly

name	solidity-security
description	[AUTO-INVOKE] MUST be invoked BEFORE writing or modifying any Solidity contract (.sol files). Covers private key handling, access control, reentrancy prevention, gas safety, and pre-audit checklists. Trigger: any task involving creating, editing, or reviewing .sol source files.

Solidity Security Standards

Language Rule

Always respond in the same language the user is using. If the user asks in Chinese, respond in Chinese. If in English, respond in English.

Private Key Protection

Store private keys in .env, load via source .env — never pass keys as CLI arguments
Never expose private keys in logs, screenshots, conversations, or commits
Provide .env.example with placeholder values for team reference
Add .env to .gitignore — verify with git status before every commit

Security Decision Rules

When writing or reviewing Solidity code, apply these rules:

Situation	Required Action
External ETH/token transfer	Use `ReentrancyGuard` + Checks-Effects-Interactions (CEI) pattern
ERC20 token interaction	Use `SafeERC20` — call `safeTransfer` / `safeTransferFrom`, never raw `transfer` / `transferFrom`
Owner-only function	Inherit `Ownable2Step` (preferred) or `Ownable` from OZ 4.9.x — `Ownable2Step` prevents accidental owner loss
Multi-role access	Use `AccessControl` from `@openzeppelin/contracts/access/AccessControl.sol`
Token approval	Use `safeIncreaseAllowance` / `safeDecreaseAllowance` from `SafeERC20` — never raw `approve`
Price data needed	Use Chainlink `AggregatorV3Interface` if feed exists; otherwise TWAP with min-liquidity check — never use spot pool price directly
Upgradeable contract	Prefer UUPS (`UUPSUpgradeable`) over TransparentProxy; always use `Initializable`
Solidity version < 0.8.0	Must use `SafeMath` — but strongly prefer upgrading to 0.8.20+
Emergency scenario	Inherit `Pausable`, add `whenNotPaused` to user-facing functions; keep admin/emergency functions unpaused
Whitelist / airdrop	Use `MerkleProof` for gas-efficient verification — never store full address lists on-chain
Signature-based auth	Use `ECDSA` + `EIP712` — never roll custom signature verification
Signature content	Signature must bind `chainId` + `nonce` + `msg.sender` + `deadline` — prevent replay and cross-chain reuse
Cross-chain bridge / third-party dependency	Audit all inherited third-party contract code — never assume dependencies are safe
Deprecated / legacy contracts	Permanently `pause` or `selfdestruct` deprecated contracts — never leave unused contracts callable on-chain

Reentrancy Protection

All contracts with external calls: inherit ReentrancyGuard, add nonReentrant modifier
- Import: @openzeppelin/contracts/security/ReentrancyGuard.sol (OZ 4.9.x)
Always apply CEI pattern even with ReentrancyGuard:
1. Checks — validate all conditions (require)
2. Effects — update state variables
3. Interactions — external calls last

Input Validation

Reject address(0) for all address parameters
Reject zero amounts for fund transfers
Validate array lengths match when processing paired arrays
Bound numeric inputs to reasonable ranges (prevent dust attacks, gas griefing)

Gas Control

Deployment commands must include --gas-limit (recommended >= 3,000,000)
Monitor gas with forge test --gas-report — review before every PR
Configure optimizer in foundry.toml: optimizer = true, optimizer_runs = 200
Avoid unbounded loops over dynamic arrays — use pagination or pull patterns

Pre-Audit Checklist

Before submitting code for review or audit, verify:

Access & Control:

All external/public functions have nonReentrant where applicable
No tx.origin used for authentication (use msg.sender)
No delegatecall to untrusted addresses
Owner transfer uses Ownable2Step (not Ownable) to prevent accidental loss
Contracts with user-facing functions inherit Pausable with pause() / unpause()

Token & Fund Safety:

All ERC20 interactions use SafeERC20 (safeTransfer / safeTransferFrom)
No raw token.transfer() or require(token.transfer()) patterns
Token approvals use safeIncreaseAllowance, not raw approve
All external call return values checked

Code Quality:

Events emitted for every state change
No hardcoded addresses — use config or constructor params
.env is in .gitignore

Oracle & Price (if applicable):

Price data sourced from Chainlink feed or TWAP — never raw spot price
Oracle has minimum liquidity check — revert if pool reserves too low
Price deviation circuit breaker in place

Testing:

forge test passes with zero failures
forge coverage shows adequate coverage on security-critical paths
Fuzz tests cover arithmetic edge cases (zero, max uint, boundary values)

Security Verification Commands

# Run all tests with gas report
forge test --gas-report

# Fuzz testing with higher runs for critical functions
forge test --fuzz-runs 10000

# Check test coverage
forge coverage

# Dry-run deployment to verify no runtime errors
forge script script/Deploy.s.sol --fork-url $RPC_URL -vvvv

# Static analysis (if slither installed)
slither src/

Mais deste repositório

mesmo repositório

ad-brief

esokullu/learn-skills.dev

Builds an ad brief for any platform. Researches the user's product, audience, market, and KPIs proactively, then asks the user to confirm and fill gaps. Saves the result as .agents/ad-brief.md for future sessions. Not for writing ad copy, choosing platforms, configuring campaigns, or analyzing results.

2026-03-210

adkit

esokullu/learn-skills.dev

Reference for the AdKit CLI (`adkit-cli` on npm, `adkit` command). Maps commands to ad operations: creating campaigns, ad sets, and ads on Meta, managing drafts, uploading media, searching interests. Load when the user wants to execute ad operations through the terminal or when `adkit` is installed and the user is ready to publish. Not for strategy, copywriting, creative advice, or learning about ads.

2026-03-210

meta-ads

esokullu/learn-skills.dev

Meta (Facebook & Instagram) advertising strategy for AI agents. Covers fundamentals, ad creative best practices, campaign structure, audience targeting, budget management, and performance analysis. Use when the user wants to plan, create, launch, or optimize Meta ads, or when they need to understand how the platform works before spending money. Not for Google Ads, TikTok Ads, LinkedIn Ads, or general marketing strategy outside Meta.

2026-03-210

agentix-ceo

esokullu/learn-skills.dev

Manage your team — create roles, assign tasks, spawn workers, and monitor progress

2026-03-210

seo-content-brief

esokullu/learn-skills.dev

SEO content brief creation with keyword research, search intent analysis, and content structure. Covers SERP analysis, heading hierarchy, word count targets, and internal linking strategy. Use for: content briefs, SEO writing, blog strategy, content planning, keyword targeting. Triggers: seo content brief, content brief, seo brief, keyword research, search intent, content strategy, blog brief, seo writing, content planning, keyword targeting, serp analysis, content outline, seo article, blog seo

2026-03-210

twitter-thread-creation

esokullu/learn-skills.dev

Twitter/X thread writing with hook tweets, thread structure, and engagement optimization. Covers tweet formatting, character limits, media attachments, and posting strategies. Use for: Twitter threads, X posts, tweet storms, Twitter content, social media writing. Triggers: twitter thread, tweet thread, x thread, twitter post, tweet writing, thread creation, tweet storm, twitter content, x post, twitter writing, twitter hook, tweet formatting, thread structure

2026-03-210

name	solidity-security
description	[AUTO-INVOKE] MUST be invoked BEFORE writing or modifying any Solidity contract (.sol files). Covers private key handling, access control, reentrancy prevention, gas safety, and pre-audit checklists. Trigger: any task involving creating, editing, or reviewing .sol source files.

Solidity Security Standards

Language Rule

Always respond in the same language the user is using. If the user asks in Chinese, respond in Chinese. If in English, respond in English.

Private Key Protection

Store private keys in .env, load via source .env — never pass keys as CLI arguments
Never expose private keys in logs, screenshots, conversations, or commits
Provide .env.example with placeholder values for team reference
Add .env to .gitignore — verify with git status before every commit

Security Decision Rules

When writing or reviewing Solidity code, apply these rules:

Situation	Required Action
External ETH/token transfer	Use `ReentrancyGuard` + Checks-Effects-Interactions (CEI) pattern
ERC20 token interaction	Use `SafeERC20` — call `safeTransfer` / `safeTransferFrom`, never raw `transfer` / `transferFrom`
Owner-only function	Inherit `Ownable2Step` (preferred) or `Ownable` from OZ 4.9.x — `Ownable2Step` prevents accidental owner loss
Multi-role access	Use `AccessControl` from `@openzeppelin/contracts/access/AccessControl.sol`
Token approval	Use `safeIncreaseAllowance` / `safeDecreaseAllowance` from `SafeERC20` — never raw `approve`
Price data needed	Use Chainlink `AggregatorV3Interface` if feed exists; otherwise TWAP with min-liquidity check — never use spot pool price directly
Upgradeable contract	Prefer UUPS (`UUPSUpgradeable`) over TransparentProxy; always use `Initializable`
Solidity version < 0.8.0	Must use `SafeMath` — but strongly prefer upgrading to 0.8.20+
Emergency scenario	Inherit `Pausable`, add `whenNotPaused` to user-facing functions; keep admin/emergency functions unpaused
Whitelist / airdrop	Use `MerkleProof` for gas-efficient verification — never store full address lists on-chain
Signature-based auth	Use `ECDSA` + `EIP712` — never roll custom signature verification
Signature content	Signature must bind `chainId` + `nonce` + `msg.sender` + `deadline` — prevent replay and cross-chain reuse
Cross-chain bridge / third-party dependency	Audit all inherited third-party contract code — never assume dependencies are safe
Deprecated / legacy contracts	Permanently `pause` or `selfdestruct` deprecated contracts — never leave unused contracts callable on-chain

Reentrancy Protection

All contracts with external calls: inherit ReentrancyGuard, add nonReentrant modifier
- Import: @openzeppelin/contracts/security/ReentrancyGuard.sol (OZ 4.9.x)
Always apply CEI pattern even with ReentrancyGuard:
1. Checks — validate all conditions (require)
2. Effects — update state variables
3. Interactions — external calls last

Input Validation

Reject address(0) for all address parameters
Reject zero amounts for fund transfers
Validate array lengths match when processing paired arrays
Bound numeric inputs to reasonable ranges (prevent dust attacks, gas griefing)

Gas Control

Deployment commands must include --gas-limit (recommended >= 3,000,000)
Monitor gas with forge test --gas-report — review before every PR
Configure optimizer in foundry.toml: optimizer = true, optimizer_runs = 200
Avoid unbounded loops over dynamic arrays — use pagination or pull patterns

Pre-Audit Checklist

Before submitting code for review or audit, verify:

Access & Control:

All external/public functions have nonReentrant where applicable
No tx.origin used for authentication (use msg.sender)
No delegatecall to untrusted addresses
Owner transfer uses Ownable2Step (not Ownable) to prevent accidental loss
Contracts with user-facing functions inherit Pausable with pause() / unpause()

Token & Fund Safety:

All ERC20 interactions use SafeERC20 (safeTransfer / safeTransferFrom)
No raw token.transfer() or require(token.transfer()) patterns
Token approvals use safeIncreaseAllowance, not raw approve
All external call return values checked

Code Quality:

Events emitted for every state change
No hardcoded addresses — use config or constructor params
.env is in .gitignore

Oracle & Price (if applicable):

Price data sourced from Chainlink feed or TWAP — never raw spot price
Oracle has minimum liquidity check — revert if pool reserves too low
Price deviation circuit breaker in place

Testing:

forge test passes with zero failures
forge coverage shows adequate coverage on security-critical paths
Fuzz tests cover arithmetic edge cases (zero, max uint, boundary values)

Security Verification Commands

# Run all tests with gas report
forge test --gas-report

# Fuzz testing with higher runs for critical functions
forge test --fuzz-runs 10000

# Check test coverage
forge coverage

# Dry-run deployment to verify no runtime errors
forge script script/Deploy.s.sol --fork-url $RPC_URL -vvvv

# Static analysis (if slither installed)
slither src/