repositories
loading repo index
repositories
loading repo index
repository
loading code, commits, and activity
public Clawd ADK gateway launch mirror
stars
latest
clone command
git clone gitlawb://did:key:z6Mkq5mY...iFZ5/my-project-publ...git clone gitlawb://did:key:z6Mkq5mY.../my-project-publ...2fa351d6docs: add automaton and perps launch sources16d ago| #1 | { |
| #2 | "skillId": "pump-security", |
| #3 | "name": "pump-security", |
| #4 | "description": "Defense-in-depth security across Rust, TypeScript, and Bash for the Pump SDK — cryptographic key handling, memory zeroization, secure file I/O, input validation, privilege management, dependency auditing, and a 60+ item security checklist.", |
| #5 | "category": "security", |
| #6 | "path": "pump-security/SKILL.md", |
| #7 | "url": "https://x402.wtf/api/skills/pump-security", |
| #8 | "tags": [ |
| #9 | "pump", |
| #10 | "solana", |
| #11 | "security" |
| #12 | ], |
| #13 | "requiredEnv": [], |
| #14 | "homepage": "https://github.com/nirholas/pump-fun-sdk", |
| #15 | "attestation": { |
| #16 | "status": "pending", |
| #17 | "isFormallyVerified": false, |
| #18 | "attestationPda": null, |
| #19 | "verificationTimestamp": null |
| #20 | }, |
| #21 | "markdown": "---\nname: pump-security\ndescription: \"Defense-in-depth security across Rust, TypeScript, and Bash for the Pump SDK — cryptographic key handling, memory zeroization, secure file I/O, input validation, privilege management, dependency auditing, and a 60+ item security checklist.\"\nmetadata:\n openclaw:\n homepage: https://github.com/nirholas/pump-fun-sdk\n---\n\n# Security Practices — Cryptographic Safety, Memory Zeroization & Hardened I/O\n\nDefense-in-depth security across Rust, TypeScript, and Bash: key handling, memory zeroization, secure file I/O, input validation, privilege management, and dependency auditing.\n\n## Memory Zeroization\n\n### Rust\n```rust\nuse zeroize::Zeroize;\n\nstruct SecureBytes(Vec<u8>);\n\nimpl Drop for SecureBytes {\n fn drop(&mut self) {\n self.0.zeroize();\n }\n}\n```\n\n### TypeScript\n```typescript\ntry {\n // ... use secretKey\n} finally {\n secretKey.fill(0);\n // Best-effort: GC may have copied the buffer\n}\n```\n\n### Shell\n```bash\nshred -u \"$keypair_file\" 2>/dev/null || rm -P \"$keypair_file\"\n```\n\n## RNG Quality\n\n| Language | Source | Verification |\n|----------|--------|-------------|\n| Rust | `OsRng` | Verify via `solana-sdk` internals |\n| TypeScript | `crypto.getRandomValues` | Node.js built-in CSPRNG |\n| Shell | `solana-keygen` | Delegates to Rust `OsRng` |\n\n## Keypair Integrity Verification\n\n1. Re-derive public key from secret key\n2. Compare derived key with stored public key\n3. Sign a test message with the keypair\n4. Verify the signature with the public key\n5. Validate Base58 encoding roundtrip\n\n## Secure File I/O\n\n- Set permissions to `0o600` before writing content (race-free on Unix)\n- Use `O_CREAT | O_EXCL` to prevent overwrites\n- Write to temp file + atomic rename for crash safety\n- Never write secret keys to stdout unless explicitly requested\n\n## Input Validation\n\n| Input | Validation |\n|-------|-----------|\n| Base58 address | Regex: `^[1-9A-HJ-NP-Za-km-z]{32,44}$` |\n| File paths | Reject `..`, prevent traversal |\n| Tool inputs | Zod schemas in MCP server |\n| Shell arguments | Quoted variables, no eval |\n\n## Security Checklist Summary (60+ items)\n\nKey categories:\n- Cryptographic library allowlist\n- Memory zeroization in all code paths\n- File permission enforcement\n- Input validation and sanitization\n- Error message information leakage prevention\n- Dependency auditing (`cargo audit`, `npm audit`)\n- No network calls during key generation\n- Secret key never in logs, error messages, or telemetry\n\n## Attack Vectors to Test\n\n| Vector | Defense |\n|--------|---------|\n| Weak RNG | Only CSPRNG (OsRng / crypto.getRandomValues) |\n| Memory dump | Zeroize on drop/finally |\n| File permission leak | 0o600 enforcement |\n| Path traversal | Input validation |\n| Shell injection | Quoted variables, no eval |\n| Dependency supply chain | cargo audit, npm audit |\n\n## Patterns to Follow\n\n- Always use approved crypto libraries: `solana-sdk`, `@solana/web3.js`, `solana-keygen`\n- Zeroize key material in all code paths (success, error, early return)\n- Set file permissions before writing content\n- Validate all inputs at the boundary (CLI args, API inputs, file paths)\n- Never log or display secret keys\n- Run dependency audits in CI\n\n## Common Pitfalls\n\n- JavaScript `fill(0)` is best-effort — GC may relocate buffers\n- Rust `String` types may leave copies in memory — use `Vec<u8>` with `Zeroize`\n- `chmod` after `write` has a race window — prefer `fchmod` or umask\n- Error messages must not include secret key material\n- `cargo audit` may miss recently disclosed CVEs — supplement with manual review\n\n" |
| #22 | } |
| #23 |