auditor-addon

Researches security considerations for standards, protocols, and specifications (e.g. ERC-4337, Move object model, StarkNet messaging, OAuth 2.0, JWT, gRPC). Use after the MAP phase identifies relevant standards, or when the user asks for a security checklist for a specific standard or protocol.

Free-form security analysis of a code cluster. Spawned during SCAN phase for broad cluster exploration. Receives full source, structural context, and trust assumptions. Returns findings, refutations, backlog items, and storage handoff points.

Targeted investigation of a specific security hypothesis. Spawned during SCAN phase when the auditor wants a falsifiable question answered. Receives relevant source clusters, structural context, and trust assumptions. Returns confirmed finding or specific refutation.

Systematic check of a specific risk pattern against a codebase. Spawned during SWEEP phase for coverage of patterns not addressed in SCAN. Receives the pattern description, relevant source files, and trust assumptions. Reports whether the pattern applies to each component.

Mechanical value tracing through storage handoff points. Spawned during SCAN when the auditor wants concrete verification of a writer/reader pair. Receives ONLY the two function sources and concrete input values — no SCAN findings, no safety conclusions. Reports what values end up where.

Provides the `aud` CLI binary used by all other auditor-addon skills (estimator, security-auditor, threat-modeling, sast-pipeline, rule-authoring). Load this skill whenever any `aud` command needs to be invoked. The binary is at `<SKILL_DIR>/bin/aud` — use the `bin/aud` dispatcher which auto-selects the correct platform binary.

Evaluate high-level protocol or system designs for overcomplication, then propose simpler, more structured alternatives with explicit trade-offs. Use when the user wants to challenge a system design, simplify an architecture, reduce protocol complexity, or compare design alternatives.

Conducting project scoping and estimation using logical chunking and metric analysis. Use when the user wants to estimate audit effort, scope a codebase for review, calculate hours for a security engagement, or assess the size of a diff or full repository.

Writing SAiST static analysis rules in Lua — both shipped rules in the auditor-addon repo and custom per-engagement rules in audit workspaces. Use when the user wants to create a new detection rule, add a security check, implement a code smell detector, turn a confirmed finding into a reusable rule, or extend the rule set. Covers rule types (scope/deep/map), the Lua API, language scoping, finding kinds, custom rules, and testing patterns.

Running the SAiST (Static AI-assisted Security Testing) pipeline against a codebase. Use when the user wants to run static analysis rules, detect code smells, find vulnerability patterns, or scan code with the built-in rule engine. Covers the full gaps → resolve → run flow using the `aud` CLI.