Install: `npx claudepluginhub trailofbits/skills-curated --plugin scv-scan`
Systematically audit a Solidity codebase for vulnerabilities using a four-phase approach that balances thoroughness with efficiency.
Reference files shipped with the skill (`references/`):

- CHEATSHEET.md
- arbitrary-storage-location.md
- assert-violation.md
- asserting-contract-from-code-size.md
- authorization-txorigin.md
- delegatecall-untrusted-callee.md
- dos-gas-limit.md
- dos-revert.md
- hash-collision.md
- inadherence-to-standards.md
- incorrect-constructor.md
- incorrect-inheritance-order.md
- insufficient-access-control.md
- insufficient-gas-griefing.md
- lack-of-precision.md
- missing-protection-signature-replay.md
- msgvalue-loop.md
- off-by-one.md
- outdated-compiler-version.md
- overflow-underflow.md
- `unchecked` blocks, assembly, and type downcasts still wrap
- `_safeMint`, ERC1155 safe transfers, and ERC777 hooks all trigger callbacks
- `initialize()` without the `initializer` modifier is itself a critical vulnerability

```
references/
  CHEATSHEET.md          # Condensed pattern reference — always read first
  reentrancy.md          # Full reference files — read selectively in Phase 3
  overflow-underflow.md
  ...
```
Each full reference file in references/ has these sections:
## Phase 1: Read the cheatsheet

Before touching any Solidity files, read {baseDir}/skills/scv-scan/references/CHEATSHEET.md in full.
This file contains a condensed entry for every known vulnerability class: name, what to look for (syntactic and semantic), and default severity. Internalize these patterns — they are your detection surface for the sweep phase. Do NOT read any full reference files yet.
## Phase 2: Sweep

Perform two complementary passes over the codebase.
### Pass A: Grep sweep

Search for the trigger patterns listed in the cheatsheet under "Grep-able keywords". Use grep or ripgrep to find matches.
For each match, record: file, line number(s), matched pattern, and suspected vulnerability type(s).
### Pass B: Semantic sweep

This pass catches vulnerabilities that have no reliable grep signature. Read through the codebase looking for logic that matches the semantic descriptions in the cheatsheet, even where none of the grep-able keywords appear.
For each finding in this pass, record: file, line number(s), description of the concern, and suspected vulnerability type(s).
Merge results from Pass A and Pass B into a deduplicated candidate list. Each entry should look like:
- File: `path/to/file.sol` L{start}-L{end}
- Suspected: [vulnerability-name] (from CHEATSHEET.md)
- Evidence: [brief description of what was found]
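Below is an added example of the grep-style Pass A sweep feeding the merged candidate list in the format above. It is not the scv-scan skill's own code: the trigger table is an assumed subset of cheatsheet-style keywords mapped to the reference-file names listed on this page, the two Solidity contracts are constructed inputs, and `Candidate`, `sweep`, `checked_arithmetic` and `format_candidates` are names chosen here. It also applies two of the page's caveats during the sweep: a pre-0.8.0 `pragma` turns arithmetic into a candidate while `unchecked` blocks stay flagged on newer compilers, and `initialize()` is flagged when the `initializer` modifier is absent.

```python
"""Pass A sweep and candidate formatting, written as an added example (not
the scv-scan skill's own code). The trigger table is an assumed subset of
cheatsheet-style keywords; the Solidity sources are constructed inputs."""
import re
from dataclasses import dataclass

# Assumed trigger -> suspected class pairs (class names follow references/).
TRIGGERS = [
    (re.compile(r"\.call\{value"), "reentrancy"),
    (re.compile(r"\b_safeMint\(|\bsafeTransferFrom\("), "reentrancy"),  # hidden callbacks
    (re.compile(r"\btx\.origin\b"), "authorization-txorigin"),
    (re.compile(r"\bdelegatecall\b"), "delegatecall-untrusted-callee"),
    (re.compile(r"\bunchecked\s*\{"), "overflow-underflow"),  # wraps even on >=0.8.0
]
INITIALIZE = re.compile(r"\bfunction\s+initialize\s*\(")
INITIALIZER = re.compile(r"\binitializer\b")
# First version in the pragma; an upper bound such as "<0.9.0" is ignored on purpose.
PRAGMA = re.compile(r"pragma\s+solidity\s*[\^>=<~]*\s*(\d+)\.(\d+)\.(\d+)")

# Constructed sample sources (not real project code).
SAMPLE_SOURCES = {
    "contracts/Vault.sol": """\
pragma solidity ^0.8.20;
contract Vault {
    mapping(address => uint256) public balances;
    address public owner;
    function initialize(address _owner) external { owner = _owner; }
    function withdraw(uint256 amount) external {
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok);
        balances[msg.sender] -= amount;
    }
    function isAdmin() internal view returns (bool) { return tx.origin == owner; }
    function bump(uint256 x) external pure returns (uint256) { unchecked { return x + 1; } }
}
""",
    "contracts/Legacy.sol": """\
pragma solidity ^0.4.24;
contract Legacy {
    uint256 public total;
    function add(uint256 x) public { total += x; }
}
""",
}

@dataclass(frozen=True)
class Candidate:
    file: str
    line: int
    suspected: str
    evidence: str

def checked_arithmetic(source: str):
    """True if the pragma's first version is >= 0.8.0 (checked arithmetic by
    default), False if it is older, None if no pragma is present."""
    m = PRAGMA.search(source)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2))) >= (0, 8)

def sweep(sources):
    """Line-by-line trigger scan; the dict key deduplicates one class per line."""
    found = {}

    def record(path, no, suspected, evidence):
        found.setdefault((path, no, suspected), Candidate(path, no, suspected, evidence))

    for path, source in sources.items():
        for no, text in enumerate(source.splitlines(), start=1):
            line = text.strip()
            for pattern, suspected in TRIGGERS:
                if pattern.search(text):
                    record(path, no, suspected, f"matched `{pattern.pattern}`: {line}")
            # initialize() with no initializer modifier is a candidate on its own.
            if INITIALIZE.search(text) and not INITIALIZER.search(text):
                record(path, no, "insufficient-access-control",
                       f"initialize() without `initializer` modifier: {line}")
            # Version matters: a pre-0.8.0 pragma makes every arithmetic op a candidate.
            if PRAGMA.search(text) and checked_arithmetic(text) is False:
                record(path, no, "outdated-compiler-version", f"pragma below 0.8.0: {line}")
                record(path, no, "overflow-underflow",
                       "compiler < 0.8.0: arithmetic wraps by default, review every +, -, * on state")
    return sorted(found.values(), key=lambda c: (c.file, c.line, c.suspected))

def format_candidates(candidates):
    """Render candidates in the entry format used by the merge step."""
    out = []
    for c in candidates:
        out.append(f"- File: `{c.file}` L{c.line}-L{c.line}")
        out.append(f"- Suspected: [{c.suspected}] (from CHEATSHEET.md)")
        out.append(f"- Evidence: {c.evidence}")
        out.append("")
    return "\n".join(out)

if __name__ == "__main__":
    print(format_candidates(sweep(SAMPLE_SOURCES)))
```

Running the script prints six candidates: four in `Vault.sol` (the unguarded `initialize()`, the `.call{value}`, the `tx.origin` check and the `unchecked` block) and two on the single `pragma` line of `Legacy.sol`, which shows the "one location, multiple bugs" case. Every entry is still only a candidate: the reentrancy hit, for instance, needs the Phase 3 reading to confirm that the state write really does follow the external call.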
## Phase 3: Validate candidates

For each candidate in the list:

- Open the full reference file for the suspected vulnerability (for example `{baseDir}/skills/scv-scan/references/reentrancy.md`). Read it now — not before.

## Phase 4: Report

For each confirmed finding, output:
### [Vulnerability Name]
**File:** `path/to/file.sol` L{start}-L{end}
**Severity:** Critical | High | Medium | Low | Informational
**Description:** What is vulnerable and why, in 1-3 sentences.
**Code:**
```solidity
// The vulnerable code snippet
```
**Recommendation:** Specific fix, referencing the Remediation section of the reference file.
After all findings, include a summary section:
| Severity | Count |
|---|---|
| Critical | N |
| High | N |
| Medium | N |
| Low | N |
| Info | N |
Write the final report to `scv-scan.md`.
## Severity Guidelines
- **Critical**: Direct loss of funds, unauthorized fund extraction, permanent freezing of funds
- **High**: Conditional fund loss, access control bypass, state corruption exploitable under realistic conditions
- **Medium**: Unlikely fund loss, griefing attacks, DoS on non-critical paths, value leak under edge conditions
- **Low**: Best practice violations, gas inefficiency, code quality issues with no direct exploit path
- **Informational**: Unused variables, style issues, documentation gaps
## Key Principles
- **Cheatsheet first, references on-demand.** Never read all full reference files upfront. The cheatsheet gives you ambient awareness; full references are for validation only.
- **Semantic > syntactic.** The hardest bugs don't grep. Cross-function reentrancy, missing access control, incorrect inheritance — these require reading and reasoning, not pattern matching.
- **Trace across boundaries.** Follow state across function calls, contract calls, and inheritance chains. Hidden external calls (safe mint/transfer hooks, ERC-777 callbacks) are as dangerous as explicit `.call()`.
- **One location, multiple bugs.** A single line can be vulnerable to reentrancy AND unchecked return value. Check all applicable references.
- **Version matters.** Always check `pragma solidity` — many vulnerabilities are version-dependent (e.g., overflow is checked by default in >=0.8.0).
- **False positives are noise.** Be rigorous about checking false positive conditions. A shorter report with high-confidence findings is more valuable than a long one padded with maybes.