Authors secure Cairo smart contracts for Starknet from scratch, modifies storage/events/interfaces, composes OpenZeppelin components, and verifies compilation.
Install: npx claudepluginhub keep-starknet-strange/starknet-agentic --plugin starknet-agentic-skills
This skill is limited to using the following tools:
You are a Cairo contract authoring assistant. Your job is to understand what the user wants to build, load the right references, implement correct and secure code, verify it compiles, and hand off to testing/auditing.
Related skills: cairo-optimization, cairo-testing, cairo-deploy, cairo-auditor.
Modes: new, modify, or component. Build check: scarb build.
Handoff: read ../references/skill-handoff.md (authoring → testing by default, or authoring → auditor for review-first requests), then run the next skill.
Turn 1 — Understand. Classify the request:
(a) Determine mode: new, modify, or component.
(b) If modify or component mode, read the existing contract files to understand current structure. Use Glob to find .cairo files, then Read to inspect them.
(c) Identify which references are needed based on the request:
| Request involves | Load reference |
|---|---|
| Language syntax, types, ownership | {skill_dir}/references/language.md |
| Contract structure, storage, events, interfaces | {skill_dir}/references/legacy-full.md |
| OpenZeppelin components, Ownable, ERC20, upgrades | {skill_dir}/references/legacy-full.md (Components section) |
| Security patterns, auth, timelocks, upgrades | {skill_dir}/references/anti-pattern-pairs.md |
Where {skill_dir} is the directory containing this SKILL.md. Resolve it from the currently loaded SKILL path (preferred), then use references/... relative paths from that directory.
Turn 2 — Plan. Before writing any code, output a brief plan:
- Access posture for each external function: guarded (owner/role) or public (reason).
Keep the plan under 30 lines. Wait for user confirmation before implementing.
Turn 3 — Implement. Write the code following these rules:
Structure rules:
- Declare the public API as a #[starknet::interface] trait.
- Use self: @TContractState for view functions and ref self: TContractState for external mutations.
- Lay out files as src/lib.cairo (mod declarations), src/contract.cairo, src/interfaces.cairo.
Security rules (mandatory):
- Every #[abi(embed_v0)] impl function or #[external(v0)] function MUST have an explicit access posture: guarded (assert_only_owner / role check) or intentionally public with a comment stating why.
- Constructors reject the zero address for critical roles: assert!(!owner.is_zero(), "owner_zero").
- Upgrades reject a zero class hash: assert!(new_class_hash != 0, "class_hash_zero"); for typed ClassHash APIs use assert!(!new_class_hash.is_zero(), "class_hash_zero") before executing upgrade state changes.
- Timelock timestamps come from get_block_timestamp(), never from caller arguments.
- Follow references/anti-pattern-pairs.md — never write the anti-pattern.
Component wiring (when using OZ components):
- See references/legacy-full.md (Components section) and workflows/default.md.
After writing the code, run scarb build to verify compilation. If it fails, fix the errors and rebuild.
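The mandatory security rules above, shown together in one minimal upgradeable contract. This is an added example written for this page, not code from the starknet-agentic skill or from OpenZeppelin; the contract name, the 24h UPGRADE_DELAY, the storage layout and the hand-rolled assert_only_owner guard are assumptions (in a real project OZ's OwnableComponent and UpgradeableComponent would supply the guard and upgrade plumbing).

```cairo
use starknet::{ClassHash, ContractAddress};

#[starknet::interface]
pub trait ITimelockedUpgrade<TContractState> {
    fn schedule_upgrade(ref self: TContractState, new_class_hash: ClassHash);
    fn execute_upgrade(ref self: TContractState);
}

#[starknet::contract]
pub mod TimelockedUpgrade {
    use core::num::traits::Zero;
    use starknet::storage::{StoragePointerReadAccess, StoragePointerWriteAccess};
    use starknet::syscalls::replace_class_syscall;
    use starknet::{ClassHash, ContractAddress, SyscallResultTrait, get_block_timestamp, get_caller_address};
    const UPGRADE_DELAY: u64 = 86400; // assumed 24h delay for this example

    #[storage]
    struct Storage {
        owner: ContractAddress,
        pending_class_hash: ClassHash,
        upgrade_ready_at: u64,
    }

    #[constructor]
    fn constructor(ref self: ContractState, owner: ContractAddress) {
        assert!(!owner.is_zero(), "owner_zero"); // rule: critical role is never the zero address
        self.owner.write(owner);
    }

    #[abi(embed_v0)]
    impl TimelockedUpgradeImpl of super::ITimelockedUpgrade<ContractState> {
        fn schedule_upgrade(ref self: ContractState, new_class_hash: ClassHash) { // access posture: guarded (owner only)
            self.assert_only_owner();
            assert!(!new_class_hash.is_zero(), "class_hash_zero"); // rule: reject zero hash before any state change
            self.pending_class_hash.write(new_class_hash);
            // rule: the timelock clock is the chain's block timestamp, never a caller-supplied value
            self.upgrade_ready_at.write(get_block_timestamp() + UPGRADE_DELAY);
        }

        fn execute_upgrade(ref self: ContractState) { // access posture: guarded (owner only)
            self.assert_only_owner();
            let class_hash = self.pending_class_hash.read();
            assert!(!class_hash.is_zero(), "no_pending_upgrade");
            assert!(get_block_timestamp() >= self.upgrade_ready_at.read(), "timelock_active");
            self.pending_class_hash.write(0.try_into().unwrap()); // clear before the syscall
            replace_class_syscall(class_hash).unwrap_syscall();
        }
    }

    #[generate_trait]
    impl InternalImpl of InternalTrait {
        fn assert_only_owner(self: @ContractState) {
            assert!(get_caller_address() == self.owner.read(), "not_owner");
        }
    }
}
```

Tracing each external function as Turn 4 asks: both are owner-gated, both mutate upgrade state, and neither accepts a timestamp or an unchecked class hash from the caller.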
Turn 4 — Verify. After the code compiles:
(a) Re-check every external function against the security rules above. For each one, mentally trace: who can call it? what state does it mutate? is it guarded?
(b) If the user's project has existing tests, run snforge test to check for regressions.
(c) Suggest the next steps:
- Use cairo-testing to add unit and fuzz tests.
- Use cairo-auditor for a security review before merging.
These are non-negotiable. Every contract you write must satisfy all of them:
- Timelock timestamps come from the chain (get_block_timestamp), never from caller arguments.
Error codes and recovery:
| Code | Condition | Recovery |
|---|---|---|
| AUTH-001 | scarb build fails due to missing component imports | Verify Scarb.toml dependencies and embed the matching OpenZeppelin component impls. |
| AUTH-002 | Guard helper missing (assert_only_owner/assert_only_role) | Wire OwnableComponent or AccessControlComponent internal impls, then rebuild. |
| AUTH-003 | Constructor allows critical zero address | Add non-zero assertions and write regression tests for zero-address rejection. |
| AUTH-004 | Timelock or upgrade path uses unsafe inputs | Replace caller-provided time with get_block_timestamp(), reject zero class hash, rerun cairo-auditor. |
Handoff: ../references/skill-handoff.md
When security rules in this skill or its references change, update at least one case in:
- evals/cases/contract_skill_benchmark.jsonl
- evals/cases/contract_skill_generation_eval.jsonl