AI-powered Solana security skills for programs where account validation, PDA derivation, CPI safety, and runtime semantics decide whether the code is actually safe.
Built on the v2 packaging and workflow model from pashov/skills, then adapted for Solana-specific security review.
Example prompts for an agent that supports the skill:
- Install https://github.com/sanbir/solana-auditor-skills/ and run solana-auditor with all different agents possible on the codebase
- run the solana-auditor skill with all the different agents possible on *specified files*
- update skill to latest version
This repo is for Solana program security across Anchor, native Rust, and similar layouts.
It prioritizes the bug classes that repeatedly cause real Solana incidents:
- missing signer / writable / owner checks
- PDA seed confusion, canonical bump mistakes, and zombie-account lifecycle bugs
- CPI trust-boundary mistakes and stale-account reads after CPI
- Token / Token-2022 integration mismatches
- initialization frontruns and authority-transfer mistakes
- liquidation, oracle, fee, and slippage logic flaws
- account reloading, state drift, and compute-driven denial of service
It is not meant to be a generic Rust helper. The focus is protocol security under Solana runtime constraints.
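The first bug class above (missing signer / writable / owner checks) is the one a reviewer most often has to reason about by hand, so here is an added worked illustration of the vulnerable pattern beside its hardened form. This is example code written for this README, not code from solana-auditor-skills or from any program it reviews; `Pubkey`, `Account` and the vault layout are hypothetical stand-ins for `solana_program`'s `Pubkey` and `AccountInfo` so the block compiles without external crates. The two scenario functions show why each check matters: an unsigned copy of the authority key, and a look-alike vault owned by another program.

```rust
// Added illustration for this README, not code from solana-auditor-skills.
// `Pubkey` and `Account` are minimal stand-ins for solana_program's Pubkey and
// AccountInfo so the block runs without crates; the validation logic is the point.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

impl Pubkey {
    /// Constructed test key: every byte set to one tag value.
    pub fn tagged(tag: u8) -> Self {
        Pubkey([tag; 32])
    }
}

/// Stand-in for `AccountInfo`: the runtime-provided flags a handler must check.
#[derive(Clone, Debug)]
pub struct Account {
    pub key: Pubkey,
    pub owner: Pubkey,     // program that owns (and may write) this account's data
    pub is_signer: bool,   // did this key sign the transaction?
    pub is_writable: bool, // was it marked writable in the transaction?
    pub data: Vec<u8>,     // hypothetical vault layout: 32-byte authority || u64 LE balance
}

#[derive(Debug, PartialEq, Eq)]
pub enum ProgramError {
    MissingSignature,
    IncorrectOwner,
    NotWritable,
    WrongAuthority,
    InsufficientFunds,
    InvalidData,
}

const VAULT_LEN: usize = 32 + 8;

fn parse_vault(data: &[u8]) -> Result<(Pubkey, u64), ProgramError> {
    if data.len() != VAULT_LEN {
        return Err(ProgramError::InvalidData);
    }
    let mut auth = [0u8; 32];
    auth.copy_from_slice(&data[..32]);
    let mut bal = [0u8; 8];
    bal.copy_from_slice(&data[32..]);
    Ok((Pubkey(auth), u64::from_le_bytes(bal)))
}

/// VULNERABLE pattern: compares the supplied authority key with the stored one
/// but never checks that it signed, that the vault is owned by this program,
/// or that the vault is writable.
pub fn withdraw_vulnerable(
    _program_id: &Pubkey,
    vault: &mut Account,
    authority: &Account,
    amount: u64,
) -> Result<u64, ProgramError> {
    let (stored_authority, balance) = parse_vault(&vault.data)?;
    if stored_authority != authority.key {
        return Err(ProgramError::WrongAuthority);
    }
    let remaining = balance.checked_sub(amount).ok_or(ProgramError::InsufficientFunds)?;
    vault.data[32..].copy_from_slice(&remaining.to_le_bytes());
    Ok(remaining)
}

/// HARDENED pattern: signer, owner and writable checks run before any state is
/// read or modified, the checks Anchor's `Signer`, `Account<T>` and
/// `#[account(mut)]` constraints perform for you.
pub fn withdraw_checked(
    program_id: &Pubkey,
    vault: &mut Account,
    authority: &Account,
    amount: u64,
) -> Result<u64, ProgramError> {
    if !authority.is_signer {
        return Err(ProgramError::MissingSignature);
    }
    if vault.owner != *program_id {
        return Err(ProgramError::IncorrectOwner);
    }
    if !vault.is_writable {
        return Err(ProgramError::NotWritable);
    }
    withdraw_vulnerable(program_id, vault, authority, amount)
}

/// Constructed vault account: stored authority `authority`, balance `balance`.
pub fn make_vault(owner: Pubkey, authority: Pubkey, balance: u64) -> Account {
    let mut data = authority.0.to_vec();
    data.extend_from_slice(&balance.to_le_bytes());
    Account { key: Pubkey::tagged(0xAA), owner, is_signer: false, is_writable: true, data }
}

/// Run both handlers on the same constructed inputs; returns (vulnerable, hardened).
pub fn run_both(vault: &Account, authority: &Account) -> (Result<u64, ProgramError>, Result<u64, ProgramError>) {
    let program_id = Pubkey::tagged(0x01);
    let (mut v1, mut v2) = (vault.clone(), vault.clone());
    (withdraw_vulnerable(&program_id, &mut v1, authority, 60),
     withdraw_checked(&program_id, &mut v2, authority, 60))
}

/// Scenario 1: the real authority's key is passed without a signature.
pub fn unsigned_authority_scenario() -> (Result<u64, ProgramError>, Result<u64, ProgramError>) {
    let authority_key = Pubkey::tagged(0x02);
    let unsigned = Account { key: authority_key, owner: Pubkey::tagged(0), is_signer: false, is_writable: false, data: vec![] };
    run_both(&make_vault(Pubkey::tagged(0x01), authority_key, 100), &unsigned)
}

/// Scenario 2: a look-alike vault with the same layout but owned by another program.
pub fn foreign_owner_scenario() -> (Result<u64, ProgramError>, Result<u64, ProgramError>) {
    let authority_key = Pubkey::tagged(0x02);
    let signed = Account { key: authority_key, owner: Pubkey::tagged(0), is_signer: true, is_writable: false, data: vec![] };
    run_both(&make_vault(Pubkey::tagged(0x99), authority_key, 100), &signed)
}
```

In both scenarios the vulnerable handler happily reports a new balance of 40, while the hardened one fails closed with `MissingSignature` and `IncorrectOwner` respectively; the review question for any native handler is whether every account it reads or writes passes through equivalent checks before its data is trusted.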
| Skill | Description |
|---|---|
| solana-auditor | Fast security feedback for Solana programs with coverage for account validation, PDA/CPI safety, signer authority, and Token / Token-2022 edge cases. |
We welcome improvements and fixes. See CONTRIBUTING.md for the PR process.
Report vulnerabilities via Security Policy. This project follows the Code of Conduct. MIT © contributors.
If you are securing Solana systems and want to discuss improvements, open an issue or reach out via the maintainer profile on GitHub.