From sui-dev-agents
Generates adversarial attack tests for SUI Move contracts — access control bypass, integer overflow, object manipulation, economic exploits, reentrancy, and DoS vectors.
Slash command
/sui-dev-agents:sui-red-team
**Adversarial security testing for SUI Move contracts — think like a hacker, break before they do.**
This skill runs automated attack rounds against Move contracts, generating malicious test code that actively tries to exploit vulnerabilities. Unlike static analysis, red-team testing executes real attacks.
/sui-red-team → 10 rounds (default), delete test files after
/sui-red-team 20 → 20 rounds
/sui-red-team --rounds 5 → 5 rounds
/sui-red-team --keep-tests → Keep attack tests in tests/red-team/
For each round N of {total_rounds}:
sui move test --filter "red_team_round_{N}"
EXPLOITED — vulnerability found
expected_failure or abort → DEFENDED — contract correctly blocked
SUSPICIOUS
--keep-tests)

| # | Category | Attack Vectors |
|---|---|---|
| 1 | Access Control | Call admin func without Cap, forge Cap, wrong sender, stolen shared object |
| 2 | Integer Abuse | 0 value, MAX_U64, overflow trigger, underflow trigger, precision loss |
| 3 | Object Manipulation | Wrong object ID, shared object contention, object double-use, orphan objects |
| 4 | Economic Attack | Flash loan sim, price manipulation, fee bypass, dust attack, rounding exploit |
| 5 | Input Fuzzing | Empty vector, max-length string, special bytes (0x00, 0xFF), deeply nested |
| 6 | Ordering Attack | Tx ordering dependency, epoch manipulation, timelock bypass, front-running sim |
| 7 | Type Confusion | Wrong generic param, phantom type abuse, ability constraint bypass |
| 8 | Denial of Service | Gas exhaustion, large loop trigger, storage bloat, recursive call depth |
Red Team Report ({N} rounds)
============================
🔴 EXPLOITED ({count}):
Round X: [sources/module.move:line] function_name() vulnerability description
→ Attack: description of successful exploit
→ Fix: suggested remediation
🟡 SUSPICIOUS ({count}):
Round X: [sources/module.move:line] description of anomaly
→ Concern: why this is suspicious
🟢 DEFENDED ({count}):
Round X: Category — defense description ✓
Summary: {exploited} exploits / {suspicious} suspicious / {defended} defended
Confidence: {confidence}% (based on round coverage)
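A deploy gate that consumes the report format above, added here as an example; it is not code from the sui-dev-agents plugin. The function names `parse_report` and `gate`, the sample report, and the policy of blocking on any EXPLOITED or SUSPICIOUS finding or on a report whose counts disagree are assumptions.

```python
import re

# Patterns follow the report layout shown on this page.
SECTION = re.compile(r"^\S+\s+(EXPLOITED|SUSPICIOUS|DEFENDED) \((\d+)\):")
FINDING = re.compile(r"^Round (\d+): (.*)$")
SUMMARY = re.compile(r"^Summary: (\d+) exploits / (\d+) suspicious / (\d+) defended")

def parse_report(text):
    """Return (findings per status, counts in section headers, Summary counts)."""
    findings = {"EXPLOITED": [], "SUSPICIOUS": [], "DEFENDED": []}
    declared, summary, current = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SECTION.match(line):
            current = m.group(1)
            declared[current] = int(m.group(2))
        elif (m := FINDING.match(line)) and current:
            findings[current].append((int(m.group(1)), m.group(2)))
        elif m := SUMMARY.match(line):
            summary = dict(zip(findings, map(int, m.groups())))
    return findings, declared, summary

def gate(text):
    """Assumed policy: deploy only on a consistent report with no open findings."""
    findings, declared, summary = parse_report(text)
    counted = {k: len(v) for k, v in findings.items()}
    if summary is None:
        return False, "no Summary line: report missing or truncated"
    # Totals that disagree with the listed rounds mean the report was edited or cut.
    if counted != summary or any(declared.get(k, 0) != n for k, n in counted.items()):
        return False, f"inconsistent report: listed {counted}, summary {summary}"
    if counted["EXPLOITED"] or counted["SUSPICIOUS"]:
        return False, f"{counted['EXPLOITED']} exploited, {counted['SUSPICIOUS']} suspicious"
    return True, f"{counted['DEFENDED']} rounds defended"

# Constructed sample report (module path and findings are made up).
SAMPLE = """\
Red Team Report (3 rounds)
🔴 EXPLOITED (1):
Round 2: [sources/vault.move:41] withdraw() missing capability check
→ Attack: caller without AdminCap drained the vault
→ Fix: require AdminCap reference in withdraw()
🟡 SUSPICIOUS (0):
🟢 DEFENDED (2):
Round 1: Integer Abuse — overflow aborts ✓
Round 3: Input Fuzzing — empty vector rejected ✓
Summary: 1 exploits / 0 suspicious / 2 defended
"""

if __name__ == "__main__":
    print(gate(SAMPLE))
```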
Generated test files use the naming pattern:
tests/red_team_round_{N}_{category}.move
With --keep-tests, files persist in the tests/red-team/ directory for later review or extension.
sui-fork (v1.72+)
sui replay --forking-mode plus sui-fork lets a red-teamer replay a target transaction under a chosen sender address — without that user's keys. Use to:
See sui-tester for the base replay command. The red-team angle is using it on adversarial scenarios, not happy-path regressions.
sui-security-guard for static analysis complement
sui-deployer should check red-team report
❌ Running too few rounds
❌ Ignoring SUSPICIOUS results
❌ Not re-testing after fixes
sui move test --filter "red_team_round_{N}"
See reference.md for attack pattern details and examples.md for attack test code examples.
npx claudepluginhub first-mover-tw/sui-dev-agents --plugin sui-dev-agents