near/agent-skills
Overview
This skill provides a comprehensive security audit workflow for NEAR Protocol smart contracts written in Rust. It combines automated scanning with focused manual review to find and prioritize vulnerabilities that affect correctness, safety, and funds. The goal is clear findings with exploitability assessment and actionable remediation for developers and auditors.
How this skill works
First, run Rust static analysis and NEAR-aware scanners to identify common patterns like reentrancy, unsafe math, unhandled promises, and access control gaps. Next, perform manual review of business logic, cross-contract interactions, and economic attack surfaces. Each finding is validated for true positive status, exploitability, and recommended fixes, then compiled into a structured report with severity and remediation.
When to use it
- Before mainnet deployment of NEAR contracts written in Rust
- During security reviews after major feature changes or refactors
- When third-party integrations or callbacks are added
- For pre-release audits requested by auditors or stakeholders
- When handling funds, tokens, or privileged access in contract logic
Best practices
- Run both automated NEAR-aware tools and manual code walkthroughs; tools find patterns, humans assess logic.
- Treat cross-contract calls as untrusted boundaries: check callbacks, use #[private], and reserve gas for callbacks.
- Use assert_one_yocto and explicit owner/caller checks on sensitive methods.
- Avoid native integer types in JSON interfaces; use string-encoded amounts or safe wrappers.
- Persist collection changes immediately and use distinct storage prefixes to prevent collisions.
Example use cases
- Detecting and fixing reentrancy where state changes occur after external calls.
- Verifying callbacks are marked private and protected with appropriate gas and deposit assertions.
- Finding and remediating storage collisions between collections after a refactor.
- Reviewing token transfer and staking logic for unsafe arithmetic or floating point use.
- Assessing gas griefing risks in loops and ensuring prepaid gas for cross-contract flows.
FAQ
High priority includes missing #[private] callbacks, reentrancy (state change after external call), native integer types in JSON interfaces, unsaved collection changes, missing owner checks, missing assert_one_yocto, storage prefix collisions, and missing #[init].
What tools should I run first?
Start with Rust static analyzers and NEAR-focused scanners that detect patterns like reentrancy, unhandled promises, and storage issues, then follow with manual review of business logic and cross-contract flows.
How do you validate a reported issue?
Validate by reproducing the pattern in code, reasoning about exploitability, checking call flow and state transitions, and proposing a minimal remediation with code examples when possible.
8 skills
This skill conducts automated and manual NEAR contract audits to identify vulnerabilities and guide secure Rust smart contract fixes.
This skill helps you integrate verifiable private AI inference with NEAR AI Cloud, ensuring encrypted prompts, attested hardware, and signed responses.
This skill guides you to create NEAR dApps, integrate wallet connections, and build frontend interactions for NEAR smart contracts.
This skill enables efficient NEAR Protocol development with a TypeScript toolkit for view, call, transfer, and type-safe contracts.
This skill helps NEAR dApps integrate multiple wallets securely via sandboxed executors, enabling easy signing and transaction flows.
This skill helps you design and deploy NEAR AI powered agents and workflows with architecture, integration, and security best practices.
This skill enables cross-chain token swaps using NEAR Intents 1Click API to fetch quotes, generate deposits, and track status across chains.
This skill helps React developers integrate NEAR wallet connectivity and perform view, change, transfers, and signing using near-connect-hooks.