Summary
Verified audit of llms-full.txt found 9 issues — 5 build-breaking/security, 4 degraded/potentially breaking. Verified against the live content at https://dfinity.github.io/icskills/llms-full.txt on 2026-02-25.
| # | Issue | Severity | Skills Affected |
|---|---|---|---|
| 1 | Missing [lib] crate-type = ["cdylib"] in Rust Cargo.toml | 🔴 Build-breaking | 6 skills |
| 2 | Missing Nat64 import (EVM RPC Motoko) | 🔴 Build-breaking | 1 skill |
| 3 | Heap storage security bug (Internet Identity Rust) | 🔴 Security vulnerability | 1 skill |
| 4 | SNS token distribution math error | 🔴 Validation-blocking | 1 skill |
| 5 | Deprecated @dfinity/* npm packages | 🟡 Future-breaking | 1 skill |
| 6 | icp.json vs icp.yaml config format mismatch | 🟡 Likely breaking | All 12 skills |
| 7 | Broken GitHub repository URLs (404) | 🔴 Completely broken | llms.txt + site |
| 8 | Questionable ic-vetkeys crate reference | 🟡 Potentially breaking | 1 skill |
| 9 | ic-stable-structures version inconsistency | 🟡 Breaking when combined | 2 skills |
Issue 1: Missing [lib] crate-type = ["cdylib"] in Rust Cargo.toml
Severity: 🔴 Build-breaking
Skills affected: HTTPS Outcalls, ICRC Ledger, vetKD, Stable Memory, Cycles & Canister Management, Internet Identity
Without [lib] crate-type = ["cdylib"] in Cargo.toml, cargo build --target wasm32-unknown-unknown produces an rlib, not a valid .wasm module. Deployment fails:
Error: Failed to build canister 'backend'.
Could not find wasm file at: target/wasm32-unknown-unknown/release/backend.wasm
The ckBTC and EVM RPC Rust skills correctly include it. The other 6 skills only show [dependencies] with no [package] or [lib] section.
Fix: Add [package] and [lib] sections to all 6 affected Cargo.toml examples:
+[package]
+name = "backend"
+version = "0.1.0"
+edition = "2021"
+
+[lib]
+crate-type = ["cdylib"]
+
[dependencies]
ic-cdk = "0.18"
candid = "0.10"

Issue 2: Missing Motoko Import in EVM RPC
Severity: 🔴 Build-breaking
Skill affected: EVM RPC Integration
The Motoko code uses Nat64 (let maxResponseBytes : Nat64 = 1000;) but doesn't import it. The HTTPS Outcalls Motoko code correctly imports Nat64 "mo:core/Nat64".
Fix:
import EvmRpc "canister:evm_rpc";
import Runtime "mo:core/Runtime";
import Text "mo:core/Text";
+import Nat64 "mo:core/Nat64";

Issue 3: Heap-Storage Security Vulnerability in Internet Identity Rust Backend
Severity: 🔴 Security vulnerability
Skill affected: Internet Identity Auth
The Rust backend stores OWNER in thread_local! heap memory:
thread_local! {
    static OWNER: RefCell<Option<Principal>> = RefCell::new(None);
}

On canister upgrade, heap memory is wiped, OWNER resets to None, and any caller can reclaim ownership by calling init_owner(). This is a privilege escalation vulnerability.
The Motoko version uses persistent actor which handles this automatically.
Fix: Use ic-stable-structures::StableCell or add #[pre_upgrade]/#[post_upgrade] hooks to persist the owner across upgrades.
Issue 4: SNS Token Distribution Math Error
Severity: 🔴 Validation-blocking
Skill affected: SNS DAO Launch
The sns_init.yaml allocations sum to 10,200,000 tokens but the total field says 10,000,000 tokens (200,000 token / 20 trillion e8s discrepancy). SNS validation rejects configs where allocations don't sum exactly to total.
| Allocation | Tokens |
|---|---|
| Developer neurons | 2,000,000 |
| Investor neurons | 500,000 |
| Governance (treasury) | 5,200,000 |
| Swap | 2,500,000 |
| Sum | 10,200,000 |
| Declared total | 10,000,000 |
Fix: Either reduce governance to 5,000,000 tokens or increase total to 10,200,000 tokens.
Issue 5: Deprecated @dfinity/* npm Packages
Severity: 🟡 Future-breaking
Skill affected: Internet Identity Auth
The skill references @dfinity/auth-client, @dfinity/agent, @dfinity/identity, and @dfinity/principal in prerequisites and code. These were deprecated in December 2025 in favor of the @icp-sdk/* namespace (@icp-sdk/auth, @icp-sdk/agent, etc.).
Fix: Update all package references and imports. Verify API compatibility with @icp-sdk/auth 5.x.
Issue 6: Config File Format Mismatch (icp.json vs icp.yaml)
Severity: 🟡 Likely breaking (needs verification)
Skills affected: All 12 skills (28+ occurrences)
Every skill uses icp.json with JSON syntax. However, icp-cli v0.1.0-beta.5 release notes reference icp.yaml as the config format.
Fix: Verify whether icp-cli accepts icp.json as a fallback. If not, convert all 28+ config examples to YAML syntax in icp.yaml files.
Issue 7: Broken GitHub Repository URLs
Severity: 🔴 Completely broken
Skill affected: llms.txt, llms-full.txt, website structured data
All GitHub URLs in llms.txt return 404:
- https://github.com/dfinity/icskills → 404
- All 12 raw.githubusercontent.com skill links → 404
- CONTRIBUTING.md link → 404
The "How to use" section — the primary instruction for AI agents — is completely non-functional.
Fix: Make the repo public, or rewrite URLs to point to the GitHub Pages domain.
Issue 8: Questionable ic-vetkeys Crate Reference
Severity: 🟡 Potentially breaking
Skill affected: vetKD Encryption
The vetKD Cargo.toml lists ic-vetkeys = "0.1" but the code itself warns: "⚠ This crate may not be published on crates.io yet." For "zero hallucinations" documentation, including a dependency that may not exist is contradictory.
Fix: Verify the crate exists on crates.io, use a git dependency, or make the raw management canister approach the primary example.
Issue 9: ic-stable-structures Version Inconsistency
Severity: 🟡 Breaking when combining skills
Skills affected: Multi-Canister Architecture (0.6), Stable Memory (0.7)
These versions have breaking API differences. An agent combining code from both skills gets compilation errors.
Fix: Standardize on 0.7 across all skills.
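
The failure mode in Issue 3, as an added example (not code from the audited skill or from the issue's author): a plain-Rust model with no IC SDK that compares an owner held in heap state with one held in stable state across an upgrade. `Canister`, `init_owner_heap`, `init_owner_stable`, `upgrade` and `owner_after_upgrade` are hypothetical names, and `Principal` is a string stand-in for the real type.

```rust
// Constructed model: `heap_owner` stands for thread_local! state,
// `stable_owner` for a value kept in stable memory (e.g. a StableCell).
type Principal = &'static str; // stand-in, not candid::Principal

#[derive(Default)]
struct Canister {
    heap_owner: Option<Principal>,   // wiped on every upgrade
    stable_owner: Option<Principal>, // preserved across upgrades
}

impl Canister {
    /// Pattern from the issue: first caller wins, state only on the heap.
    fn init_owner_heap(&mut self, caller: Principal) -> Result<(), &'static str> {
        if self.heap_owner.is_some() { return Err("owner already set"); }
        self.heap_owner = Some(caller);
        Ok(())
    }

    /// Hardened pattern: the same check against state that survives upgrades.
    fn init_owner_stable(&mut self, caller: Principal) -> Result<(), &'static str> {
        if self.stable_owner.is_some() { return Err("owner already set"); }
        self.stable_owner = Some(caller);
        Ok(())
    }

    /// An upgrade installs new Wasm with a fresh heap; stable memory is kept.
    fn upgrade(&mut self) { self.heap_owner = None; }
}

/// Deployer claims ownership, the canister is upgraded, then a second
/// caller tries to claim. Returns whoever owns the canister afterwards.
fn owner_after_upgrade(use_stable: bool) -> Option<Principal> {
    let mut c = Canister::default();
    let claim = |c: &mut Canister, who: Principal| {
        if use_stable { c.init_owner_stable(who) } else { c.init_owner_heap(who) }
    };
    claim(&mut c, "deployer").unwrap();
    c.upgrade();
    let _ = claim(&mut c, "other-caller"); // rejected only in the stable variant
    if use_stable { c.stable_owner } else { c.heap_owner }
}

fn main() {
    println!("heap-only owner after upgrade: {:?}", owner_after_upgrade(false));
    println!("stable owner after upgrade:    {:?}", owner_after_upgrade(true));
}
```
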