solana-vulnerability-scanner

by trailofbits

solana-vulnerability-scanner is a focused Solana security audit skill for native Rust and Anchor programs. It helps review CPI logic, PDA validation, signer and ownership checks, and sysvar spoofing to catch six critical Solana-specific vulnerabilities before deployment.

Stars: 4.9k
Favorites: 0
Comments: 0
Added: Apr 30, 2026
Category: Security Audit
Install Command
npx skills add trailofbits/skills --skill solana-vulnerability-scanner
Curation Score

This skill scores 86/100 because it provides a credible, Solana-specific auditing workflow that an agent can trigger with low guesswork. For directory users, that means it is worth installing if they need focused review of Solana/Anchor security issues, especially CPI, PDA, and account-validation bugs, though they should expect a specialized scanner rather than a broad security framework.

Strengths
  • Clearly scoped to Solana/Anchor auditing, with explicit use cases like CPI review, PDA validation, signer/ownership checks, and pre-launch security assessment.
  • Substantial operational guidance: the skill includes platform-detection cues, code indicators, and a detailed vulnerability-pattern reference file with concrete examples and mitigations.
  • Strong triggerability for agents: the frontmatter and body specify when to use it and what patterns to inspect, reducing ambiguity versus a generic prompt.
Cautions
  • No install command, scripts, or automated tooling are provided, so this is guidance-heavy rather than an executable scanner workflow.
  • The repository appears narrowly focused on six critical vulnerability patterns, so it may miss broader Solana review needs outside those covered cases.
Overview

Overview of solana-vulnerability-scanner skill

solana-vulnerability-scanner is a focused audit skill for reviewing Solana programs for security issues that are easy to miss in a generic Rust code review. It is best for engineers, auditors, and security teams checking native Solana or Anchor programs before deployment, especially when the code uses CPI, PDA logic, signer checks, account ownership checks, or instruction introspection.

The solana-vulnerability-scanner skill is not a broad smart-contract linter; it is designed to surface a small set of high-impact Solana-specific mistakes and help you decide whether a program is safe enough to ship or needs deeper manual review.

What the skill catches

The repository centers on six critical vulnerability patterns, including arbitrary CPI, improper PDA validation, missing signer or ownership checks, and sysvar spoofing. That makes solana-vulnerability-scanner useful when your main question is not “does this code compile?” but “can an attacker redirect trust assumptions in Solana’s account model?”

Best-fit use cases

Use solana-vulnerability-scanner for Security Audit work on launch-bound programs, upgrade reviews, protocol integrations, and any code path where accounts are trusted to represent a specific program, authority, or sysvar. It is less useful for generic business logic review or non-Solana Rust crates.

What makes it different

The value of solana-vulnerability-scanner is its Solana-specific decision logic. It helps you focus on the account-validation and CPI edges that drive real exploitability, rather than wasting time on advice that would apply to any Rust repository.

How to Use solana-vulnerability-scanner skill

Install the skill

Install solana-vulnerability-scanner with:

npx skills add trailofbits/skills --skill solana-vulnerability-scanner

That install path matters because the skill lives under plugins/building-secure-contracts/skills/solana-vulnerability-scanner in the trailofbits/skills repo, so you should expect a security-audit workflow rather than a generic coding assistant prompt.

Feed it the right target and scope

The best solana-vulnerability-scanner usage starts with a clear audit target: repository name, program entrypoints, framework type, and the trust boundary you care about. Strong inputs look like: “Audit this Anchor program for arbitrary CPI, PDA derivation mistakes, and missing signer checks in the initialize and withdraw flows.”

Weak inputs like “scan this Solana app” usually miss the specific accounts and instructions that matter.

Read the right files first

For solana-vulnerability-scanner install and review, start with SKILL.md, then inspect resources/VULNERABILITY_PATTERNS.md. That resource file gives you the concrete checks and examples the skill is built around, which is more useful than guessing from file names alone.

Also skim the program files that define:

  • CPI calls using invoke() or invoke_signed()
  • #[derive(Accounts)] structs in Anchor
  • PDA derivation and seed validation
  • account ownership and signer constraints
  • sysvar or program account checks

A practical workflow

Use the skill in two passes. First, ask it to identify likely vulnerability classes and the instructions affected. Second, ask it to review each flagged path with account-level detail, such as which account is user-controlled, which program ID is expected, and whether the validation happens before the CPI or state change.

A good prompt shape is:
“Review these Solana/Anchor instructions for the six critical vulnerabilities in solana-vulnerability-scanner. Focus on account validation, CPI targets, PDA seeds, and sysvar trust. Return findings by instruction, explain exploitability, and note false positives.”

solana-vulnerability-scanner skill FAQ

Is solana-vulnerability-scanner only for Anchor?

No. The skill covers both native Solana Rust programs and Anchor-based programs. That said, Anchor code often expresses checks more declaratively, so the review focus shifts toward whether constraints are complete and whether program and account types are correctly constrained.

How is this different from a normal code review prompt?

A normal prompt may notice suspicious logic, but solana-vulnerability-scanner is tuned to the Solana account model and the specific ways attackers abuse CPI, PDA handling, and account validation. The result is better coverage of the issues that matter most in a Solana security audit.

Is it beginner-friendly?

Yes, if you can identify the program entrypoints and the main instruction accounts. Beginners get the most value by using solana-vulnerability-scanner as a guided checklist, then asking follow-up questions about any flagged instruction rather than trying to audit the whole repository at once.

When should I not use it?

Do not rely on solana-vulnerability-scanner as your only review for tokenomics, business logic, or governance design. It is strongest on security-critical Solana patterns, not on broader protocol correctness or economic modeling.

How to Improve solana-vulnerability-scanner skill

Give it the exact instruction path

The biggest quality jump comes from naming the instruction, expected authority, and account roles. Instead of “check my program,” say which handler you want reviewed and which accounts should be trusted, mutable, signer-gated, or program-owned. That helps solana-vulnerability-scanner separate real exposure from harmless plumbing.

Include the trust assumptions up front

If an account is supposed to be the token program, system program, metadata program, or a specific PDA, say so. If an account can be user-supplied, say that too. Stating the trust assumptions makes solana-vulnerability-scanner output more precise, because many Solana bugs are really missing-validation bugs: the program trusts an account it never checked.

Ask for exploitability, not just findings

To improve solana-vulnerability-scanner usage, ask for the attack path and the precondition that makes each issue exploitable. That forces the output to distinguish “style issue” from “security bug,” which is what you need in a Security Audit workflow.

Iterate with concrete code regions

If the first pass flags a CPI or PDA pattern, rerun the review on the specific function and its Accounts struct. The best results come from narrowing the scope to one instruction at a time, then asking whether the account constraints, program IDs, and seeds fully match the intended trust model.

Ratings & Reviews

No ratings yet