blockchain-intelligence-playbook
Blockchain intelligence — skill index
This repository splits topics into focused skills (load the specific skill when the task is narrow). Shared rules: educational patterns only; no sanctions evasion, harassment, or non-consensual doxxing; not legal/investment advice.
Choosing a skill (quick map)
| If the user is asking about… | Start here |
|---|---|
| Crime types, ethics, reporting, CEX/stablecoin limits | crypto-investigation-compliance |
| Phalcon Compliance product documentation URL | phalcon-compliance-documentation |
Chainalysis Sanctions API / public oracle, Chainalysis.md |
chainalysis-sanctions-screening |
| FATF AML/CFT glossary terms (CDD, STR, PEP, etc.) | fatf-glossary-reference |
| Arkham “leading crypto analysis tools” research / trader tool landscape | arkham-leading-crypto-analysis-tools |
| Becoming an EVM smart contract auditor (cmichel.io guide) | cmichel-smart-contract-auditor-guide |
| Risk indicators, exposure %, address/tx screening templates | risk-exposure-screening-concepts |
| Structuring-like frequency, large transfers, transit / rapid movement | behavioral-risk-screening-concepts |
| Address tags/markers, CSV screening, blacklist vs whitelist UX | address-screening-workflow-concepts |
| Transaction hash screening, deposit/withdrawal direction, STR exports | transaction-screening-workflow-concepts |
| General OSINT tool discovery (non-chain) | bellingcat-investigation-toolkit |
| Dune Sim + Analytics — workflows, multichain realtime vs SQL | dune-sim-onchain-analytics |
| End-to-end on-chain forensics persona | on-chain-investigator-agent |
| Solana txs, ATAs, SPL | solana-tracing-specialist |
| Helius/Range/Tavily docs, MCP, graph UI (React Flow), x402 (PayAI), Solana policy institute | solana-onchain-intelligence-resources |
| Range MCP wallet investigation steps, sanctions, transfers | range-ai-investigation-playbook |
| Solana entity clustering / Jito / launchpads | solana-clustering-advanced |
| Cross-chain bridges and unified graphs | cross-chain-clustering-techniques-agent |
| Broad DeFi audit + rug/governance | defi-security-audit-agent |
| Admin takeover, blind signing, Solana durable nonces (mitigations) | defi-admin-takeover-mitigation-lessons |
| EVM Solidity contracts (Ethereum/L2) | evm-solidity-defi-triage-agent |
| Solana programs (Anchor, PDAs, CPIs) | solana-defi-vulnerability-analyst-agent |
| Sealevel Attacks repo (Solana exploit pattern examples) | sealevel-attacks-solana |
| Neodyme Solana Security Workshop (workshop.neodyme.io) | neodyme-solana-security-workshop |
| Osec “Solana: An Auditor’s Introduction” (runtime primer) | osec-solana-auditor-introduction |
@armaniferrante X post 1411589629384355840 (primary-source citation) |
armaniferrante-x-status-solana-reference |
| Honeypot / sell restrictions | honeypot-detection-techniques |
| Launch rug red flags | rug-pull-pattern-detection-agent |
| Flash-loan incidents | flash-loan-exploit-investigator-agent |
| Sandwich MEV post-mortems | sandwich-attack-investigator-agent |
| MEV infrastructure / searchers | mev-bot-infrastructure-analysis-agent |
| MEV + rug overlap hypotheses | mev-bot-rug-coordination-investigator-agent |
| Web crawling | katana-web-crawling |
| Classic AFL / lcamtuf fuzzing docs (C/C++ coverage-guided) | lcamtuf-afl-documentation |
| Agent Skills spec / SKILL.md format / agentskills.io | agentskills-specification |
| Scrapy/Python on-chain datasets, transfer subgraphs (BlockchainSpider) | blockchain-spider-toolkit |
| MoTS / KYT transaction semantics, WWW 2023 paper reproduction | mots-transaction-semantics |
| Impersonator (EVM/Solana dApp connect as any address, dev/testing) | impersonator-dapp-devtools |
When in doubt, load on-chain-investigator-agent or this index.
Skills in this bundle
| Skill | Use when |
|---|---|
| blockchain-intelligence-playbook | This index — routing when multiple domains apply |
| blockchain-intelligence-fundamentals | What BI is, tool categories (explorers, tracers, etc.), payment rails vs crypto rails |
| address-clustering-attribution | Wallet clustering (UTXO CIH, EVM deposit sweeps), entities/labels/tags, peel/taint concepts, attribution limits |
| cross-chain-clustering-techniques-agent | Multi-chain clustering: bridges, wrapped assets, unified graphs, timing/behavior, confidence scoring |
| blockchain-analytics-operations | Analytics platforms, AML/forensic use cases, tracers/visualizers as product layers |
| dune-sim-onchain-analytics | Standalone Dune skill — Sim vs SQL, EVM/SVM patterns, CUs, subscriptions; llms.txt + OpenAPI for implementation detail |
| blockchain-spider-toolkit | BlockchainSpider — Python/Scrapy dataset collection (EVM/Solana blocks/txs, transfer subgraphs); not web crawling |
| mots-transaction-semantics | MoTS — KYT / transaction semantic vectors & labels (research); upstream notes merge into BlockchainSpider |
| impersonator-dapp-devtools | Impersonator / Solana — WalletConnect-style address presentation for dApp UI testing (no key custody; ethics-heavy) |
| on-chain-research-tokenomics | Holdings/flows/TVL/whales, tokenomics (supply, vesting, utility) |
| crypto-investigation-compliance | Crime taxonomy, ethical OSINT + on-chain workflow, reporting posture |
| phalcon-compliance-documentation | Phalcon Compliance public documentation portal — compliance investigation / monitoring product docs (read live site for features) |
| chainalysis-sanctions-screening | Chainalysis public Sanctions API + EVM oracle — SDN-oriented address checks; live docs/Terms; optional repo Chainalysis.md excerpt |
| fatf-glossary-reference | FATF Glossary — official AML/CFT definitions; terminology alignment (not legal advice) |
| arkham-leading-crypto-analysis-tools | Arkham research — fundamental / technical / on-chain tool survey for traders (not investment advice) |
| cmichel-smart-contract-auditor-guide | cmichel.io — EVM auditor learning path, CTFs, canonical DeFi patterns, FAQ (2021 article; verify stale facts) |
| risk-exposure-screening-concepts | Risk exposure vocabulary: indicator taxonomies, exposure value/%, address vs transaction templates (entity, interaction, blacklist) — educational |
| behavioral-risk-screening-concepts | Behavioral patterns: large-value, high-frequency / structuring-like, transit addresses, rapid-transaction rules — educational |
| address-screening-workflow-concepts | Address inventory: tags vs markers, CSV bulk import, list/detail pages, audit/alert views, blacklist/whitelist semantics — educational |
| transaction-screening-workflow-concepts | Transaction screening: transfer as unit, deposit/withdrawal direction, CSV import, list/detail, rescreen, STR-style export patterns — educational |
| bellingcat-investigation-toolkit | Bellingcat OSINT toolkit: GitBook + GitHub catalog for general investigation tool discovery |
| crypto-market-structures | Max pain, covered-call ETFs, arbitrage, bull/bear flags (non-prescriptive) |
| on-chain-investigator-agent | End-to-end forensic investigator persona: tracing, contracts, scam heuristics, evidence reports, ethics |
| solana-tracing-specialist | Solana-only forensics: ATAs, SPL flows, RPC/indexer patterns, Jito/DEX inner ix, evidence packs |
| solana-onchain-intelligence-resources | Resource router for Solana intel stacks: Helius, Range MCP, Tavily, PayAI x402, React Flow, Solana Foundation skills (llms.txt indexes), Solana Policy Institute (policy/education) |
| range-ai-investigation-playbook | Range AI MCP investigation workflow: risk triage, sanctions, connections, transfers, funding source, entities, cross-chain pivot + one-shot prompt |
| solana-clustering-advanced | Solana entity clustering: graphs, Jito/launchpad heuristics, PDAs, ML validation, confidence scoring |
| solana-clustering-case-study-agent | Solana clustering → case studies: narrative, visuals, CSV/query exports, thread or long-form |
| defi-security-audit-agent | DeFi security / rug-risk triage: contracts, liquidity, governance, bridges, severity reports from public data |
| defi-admin-takeover-mitigation-lessons | Privileged access failures—signer hygiene, Solana durable nonces, oracle/collateral abuse, monitoring—using Chainalysis Drift analysis as case anchor |
| evm-solidity-defi-triage-agent | EVM Solidity DeFi triage: proxies, oracles, reentrancy, access control (Ethereum / L2) |
| honeypot-detection-techniques | Honeypot-style risk: EVM/SPL patterns, static review, fork sim, observational heuristics |
| rug-pull-pattern-detection-agent | Launch rug-risk: liquidity locks/removal, dev/sniper clusters, contract authorities, tiered scores |
| mev-bot-rug-coordination-investigator-agent | MEV + rug overlap: bundle/block co-occurrence, timing, joint flows, confidence-scored hypotheses |
| flash-loan-exploit-investigator-agent | Flash-loan / atomic exploit post-mortems (EVM + Solana): traces, impact, evidence packs, mitigations |
| sandwich-attack-investigator-agent | Sandwich / DEX MEV post-mortems: same-block or bundle ordering, victim vs searcher metrics, mitigations |
| mev-bot-infrastructure-analysis-agent | MEV infrastructure: searchers, bundles/builders/relays, strategies, profit paths, centralization metrics (public data) |
| solana-defi-vulnerability-analyst-agent | Solana DeFi program risks: Anchor/PDAs/CPIs, oracles, pools, SPL, safe repro / severity reporting |
| sealevel-attacks-solana | sealevel-attacks — Anchor-based exploit / mitigation pattern examples for the Solana VM (educational; defensive use) |
| neodyme-solana-security-workshop | workshop.neodyme.io / neodyme-breakpoint-workshop — Solana security levels, PoC framework, mdBook source (follow site legal notice) |
| osec-solana-auditor-introduction | Osec blog — auditor-oriented runtime intro (BPF, accounts, System Program; 2022; verify docs) |
| armaniferrante-x-status-solana-reference | @armaniferrante X post bookmark — open URL for verbatim text; not a spec |
| katana-web-crawling | ProjectDiscovery Katana install, crawl vs headless, scope, rate limits, pipelines |
| lcamtuf-afl-documentation | lcamtuf AFL — American Fuzzy Lop classic coverage-guided fuzzing docs (C/C++); compare AFL++ for current fork tooling |
| agentskills-specification | agentskills/agentskills — Agent Skills open format; llms.txt index → specification.md, integrate-skills.md |
Quality checklist (all domains)
- Separate fact vs inference vs hypothesis
- Cite sources for claims about entities or legal outcomes
- Prefer primary docs for ETFs, sanctions, and filings
- For clustering/attribution, assume probabilistic outputs
When one subdomain clearly dominates the request, prefer loading that named skill directly instead of this index.
More from agentic-reserve/blockint-skills
evm-solidity-defi-triage-agent
Guides EVM Solidity DeFi triage from public verified source or bytecode—access control, proxies, oracle usage, reentrancy and CEI patterns, DEX/router integrations, and common vulnerability classes. Use when the user asks for Ethereum or L2 smart contract security review, Solidity audit triage, OpenZeppelin proxy risks, or EVM-specific DeFi patterns—not for live exploits or private keys.
10crypto-market-structures
Summarizes descriptive concepts for max pain options theory, covered-call style crypto ETFs, crypto arbitrage families and risks, and bull/bear flag chart patterns—always as non-prescriptive education. Use when the user asks about max pain, premium income ETFs, arbitrage, funding rates, flash loans, or bull/bear flags in crypto trading context.
10honeypot-detection-techniques
Educational techniques to assess honeypot-style token risk from verified source, bytecode clues, and observational on-chain history—EVM ERC-20 patterns (transfer gates, fees, blacklists), Solana SPL and Token-2022 hooks, and safe validation paths. Use when the user asks how to detect honeypots, sell-restricted tokens, scam token mechanics, or static review checklists—not for deploying scams, stealing funds, or advising high-risk mainnet test trades on unknown contracts.
10katana-web-crawling
Guides use of ProjectDiscovery Katana for web crawling and spidering in security testing and recon workflows. Covers installation, standard vs headless mode, scope and rate limits, JSONL output, and piping from httpx or URL lists. Use when the user mentions Katana, projectdiscovery/katana, web crawling, spidering, endpoint discovery, attack surface mapping, or chaining crawlers in automation pipelines.
10solana-defi-vulnerability-analyst-agent
Guides discovery and documentation of Solana DeFi protocol risks from public code and chain state—Anchor/native programs, PDAs, CPIs, oracles, pools, SPL mechanics, and historical tx reconstruction. Use when the user asks for Solana program security review, DeFi vulnerability triage, PDA or CPI safety, oracle or liquidity-pool risk, launchpad/bonding-curve issues, or evidence-backed severity findings without exploits or private keys.
10solana-tracing-specialist
Guides Solana-specific on-chain forensics—ATA resolution, SPL instruction parsing, transaction history via RPC and indexers (e.g. Helius-style APIs), fund-flow graphs, Solana clustering heuristics, and program authority review. Use when the user investigates Solana wallets, SPL tokens, DEX/Jito flows, rug or phishing patterns on Solana, or needs evidence-structured tracing reports with public data only.
10