From building-secure-contracts
Runs Trail of Bits' 5-step smart contract security workflow: Slither scans, upgradeability/ERC checks, visual diagrams, property docs for fuzzing, manual reviews.
npx claudepluginhub trailofbits/skills --plugin building-secure-contracts
This skill uses the workspace's default tool permissions.
Guides through Trail of Bits' secure development workflow - a 5-step process to enhance smart contract security throughout development.
Guides through Trail of Bits' 5-step secure development workflow for smart contracts. Runs Slither scans, checks upgradeability/ERC conformance/token integration, generates security diagrams, documents fuzzing properties, reviews manual areas.
Applies Solidity security best practices to prevent vulnerabilities like reentrancy, overflows, and access control issues when writing or auditing smart contracts.
Applies Solidity smart contract security best practices, prevents vulnerabilities like reentrancy, overflows, access control issues, and prepares for audits.
Use this on every check-in, before deployment, or whenever you want a security review.
Covers a security workflow including:
Run Slither with 70+ built-in detectors to find common vulnerabilities:
Goal: Clean Slither report or documented triages
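The "clean report or documented triages" goal is easiest to enforce when triage is a checked-in artifact rather than a note in a PR. The script below is an added example, not part of the building-secure-contracts skill or of Slither itself: it reads the JSON that `slither . --json report.json` writes (the `results` -> `detectors` list, whose `id`, `check`, `impact`, `confidence` and `description` fields are real Slither output keys), compares it against a list of justified exclusions, and reports which findings are still untriaged and whether any of them should block a check-in. The triage file format (a JSON list of `{"id", "reason"}`) and the two embedded sample documents are constructed for this example; the finding ids and file paths in them are placeholders.

```python
"""Summarise a Slither JSON report against a list of documented triages.

Added example for Step 1 of the workflow ("clean Slither report or documented
triages"); not part of the building-secure-contracts skill. Assumes Slither was
run as `slither . --json report.json`; the triage file format is an assumption
of this example, not a Slither feature.
"""
import json
from collections import defaultdict

# Order used to sort findings and to decide which untriaged ones block a check-in.
IMPACT_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3, "Optimization": 4}
BLOCKING_IMPACTS = {"High", "Medium"}

# Constructed sample in the shape Slither emits; ids and paths are placeholders.
SAMPLE_REPORT = json.dumps({
    "success": True,
    "error": None,
    "results": {"detectors": [
        {"id": "finding-001", "check": "reentrancy-eth", "impact": "High",
         "confidence": "Medium",
         "description": "Reentrancy in Vault.withdraw(uint256) (src/Vault.sol#40-48)",
         "elements": []},
        {"id": "finding-002", "check": "timestamp", "impact": "Low",
         "confidence": "Medium",
         "description": "Vault.unlock() uses timestamp for comparisons (src/Vault.sol#60)",
         "elements": []},
        {"id": "finding-003", "check": "naming-convention", "impact": "Informational",
         "confidence": "High",
         "description": "Parameter Vault.deposit(uint256)._Amount is not in mixedCase",
         "elements": []},
    ]},
})

# Constructed triage list: one documented, justified exclusion.
SAMPLE_TRIAGE = json.dumps([
    {"id": "finding-002",
     "reason": "block.timestamp only gates a 1-day unlock; miner drift is acceptable"},
])


def load_findings(report_json: str) -> list:
    """Return the detector results from a Slither JSON report, or fail loudly."""
    report = json.loads(report_json)
    if not report.get("success", False):
        raise RuntimeError(f"Slither did not complete: {report.get('error')}")
    return report.get("results", {}).get("detectors", [])


def load_triages(triage_json: str) -> dict:
    """Map finding id -> justification; reject triages that give no reason."""
    triages = {}
    for entry in json.loads(triage_json):
        reason = entry.get("reason", "").strip()
        if not reason:
            raise ValueError(f"triage for {entry.get('id')} has no justification")
        triages[entry["id"]] = reason
    return triages


def triage_report(report_json: str, triage_json: str) -> dict:
    """Split findings into untriaged (grouped by impact) and triaged; flag stale triages."""
    findings = load_findings(report_json)
    triages = load_triages(triage_json)
    seen_ids = {f["id"] for f in findings}

    untriaged = defaultdict(list)
    triaged = []
    for f in sorted(findings, key=lambda f: IMPACT_ORDER.get(f["impact"], 99)):
        if f["id"] in triages:
            triaged.append((f["check"], triages[f["id"]]))
        else:
            untriaged[f["impact"]].append(f"{f['check']}: {f['description']}")

    return {
        "untriaged": dict(untriaged),
        "triaged": triaged,
        # A triage whose finding no longer exists should be removed, not carried along.
        "stale_triages": sorted(set(triages) - seen_ids),
        "blocking": any(i in BLOCKING_IMPACTS for i in untriaged),
    }


def main() -> None:
    result = triage_report(SAMPLE_REPORT, SAMPLE_TRIAGE)
    for impact, items in result["untriaged"].items():
        print(f"[{impact}] untriaged:")
        for item in items:
            print(f"  - {item}")
    for check, reason in result["triaged"]:
        print(f"[triaged] {check}: {reason}")
    if result["stale_triages"]:
        print("stale triages:", ", ".join(result["stale_triages"]))
    print("blocking:", result["blocking"])


if __name__ == "__main__":
    main()
```

Run against the embedded samples it reports the reentrancy finding as untriaged and blocking, the naming finding as untriaged but non-blocking, and the timestamp finding as triaged with its reason. In CI, swap the two constants for the real `report.json` and a triage file kept next to the contracts, and fail the job whenever `blocking` is true or `stale_triages` is non-empty, so the triage list can only shrink when the code actually changes.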
Detect and validate applicable features:
Note: Only runs checks that apply to your codebase
Generate 3 security diagrams:
Review each diagram for security concerns
Help document critical security properties:
Then set up testing:
Note: Most important activity for security
Analyze areas automated tools miss:
Search codebase for these patterns and flag risks
For detailed instructions, commands, and explanations for each step, see WORKFLOW_STEPS.md.
When invoked, I will:
Adapts based on:
| Rationalization | Why It's Wrong | Required Action |
|---|---|---|
| "Slither not available, I'll check manually" | Manual checking misses 70+ detector patterns | Install and run Slither, or document why it's blocked |
| "Can't generate diagrams, I'll describe the architecture" | Descriptions aren't visual - diagrams reveal patterns text misses | Execute slither --print commands, generate actual visual outputs |
| "No upgrades detected, skip upgradeability checks" | Proxies and upgrades are often implicit or planned | Verify with codebase search before skipping Step 2 checks |
| "Not a token, skip ERC checks" | Tokens can be integrated without obvious ERC inheritance | Check for token interactions, transfers, balances before skipping |
| "Can't set up Echidna now, suggesting it for later" | Property-based testing is Step 4, not optional | Document properties now, set up fuzzing infrastructure |
| "No DeFi interactions, skip oracle/flash loan checks" | DeFi patterns appear in unexpected places (price feeds, external calls) | Complete Step 5 manual review, search codebase for patterns |
| "This step doesn't apply to my project" | "Not applicable" without verification = missed vulnerabilities | Verify with explicit codebase search before declaring N/A |
| "I'll provide generic security advice instead of running workflow" | Generic advice isn't actionable, workflow finds specific issues | Execute all 5 steps, generate project-specific findings with file:line references |
When I complete the workflow, you'll get a comprehensive security report covering:
For a complete example workflow report, see EXAMPLE_REPORT.md.
Security Report:
Action Plan:
Workflow Checklist:
Trail of Bits Resources:
Other Security:
Let me know when you're ready and I'll run through the workflow with your codebase!