From building-secure-contracts
Runs Trail of Bits' 5-step smart contract security workflow: Slither scans, upgradeability/ERC checks, visual diagrams, property docs for fuzzing, manual reviews.
Slash command: `/building-secure-contracts:secure-workflow-guide`

Guides through Trail of Bits' secure development workflow: a 5-step process to enhance smart contract security throughout development.
Use this on every check-in, before deployment, or whenever you want a security review.
Covers a five-step security workflow:

1. Run Slither with its 70+ built-in detectors to find common vulnerabilities. Goal: a clean Slither report, or a documented triage for every remaining finding.
2. Detect and validate applicable features (upgradeability, ERC conformance, token integration). Note: only the checks that apply to your codebase are run.
3. Generate 3 security diagrams and review each diagram for security concerns.
4. Help document critical security properties, then set up property-based testing against them. Note: this is the most important activity for security.
5. Analyze the areas automated tools miss: search the codebase for the relevant patterns (oracle, flash loan and other DeFi interactions) and flag the risks.
For detailed instructions, commands, and explanations for each step, see WORKFLOW_STEPS.md.
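As an added illustration of Step 4 (this is not code from the skill or from building-secure-contracts), the block below shows how a short list of documented properties turns into Echidna tests. The token contract, the property IDs (P1 to P3) and the harness names are constructed for this example; the sender addresses are Echidna's defaults. Echidna calls every `echidna_*` view function after each random transaction sequence, and a `false` return is reported as a counterexample.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed example token (not from the page): owner-only mint, plain transfer.
contract SimpleToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    /// Only the owner may create new tokens.
    function mint(address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        totalSupply += amount;
        balanceOf[to] += amount;
    }

    /// Transfers move tokens; they never create or destroy them.
    /// `public` (not `external`) so the harness can call it internally and
    /// keep the fuzzer's msg.sender.
    function transfer(address to, uint256 amount) public returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Echidna harness. The documented properties (keep this table in the repo
/// next to the tests so reviewers can map each test back to a claim):
///   P1  No single account ever holds more than totalSupply.
///   P2  The owner address is never changed by any call sequence.
///   P3  Transferring to yourself never changes your balance (assertion mode).
contract EchidnaSimpleToken is SimpleToken {
    // Echidna's default sender addresses (assumed from its default config).
    address constant USER1 = address(0x10000);
    address constant USER2 = address(0x20000);
    address constant USER3 = address(0x30000);
    address immutable deployer;

    constructor() {
        deployer = msg.sender; // same address SimpleToken stored as owner
        // Seed balances so transfers are reachable from the first sequence.
        balanceOf[USER1] = 1_000;
        balanceOf[USER2] = 1_000;
        totalSupply = 2_000;
    }

    // P1: a balance above the supply would mean tokens were conjured.
    function echidna_balance_never_exceeds_supply() public view returns (bool) {
        return balanceOf[USER1] <= totalSupply
            && balanceOf[USER2] <= totalSupply
            && balanceOf[USER3] <= totalSupply;
    }

    // P2: no public function should be able to rotate ownership.
    function echidna_owner_is_stable() public view returns (bool) {
        return owner == deployer;
    }

    // P3: assertion-style property, checked when Echidna runs in assertion mode.
    function test_self_transfer_is_noop(uint256 amount) public {
        uint256 before = balanceOf[msg.sender];
        if (amount > before) return; // precondition: keep the call valid
        transfer(msg.sender, amount); // internal call, msg.sender preserved
        assert(balanceOf[msg.sender] == before);
    }
}
```

Run the harness once in property mode for P1 and P2 (`echidna contracts/EchidnaSimpleToken.sol --contract EchidnaSimpleToken`) and once with `--test-mode assertion` for P3. A property that Echidna falsifies is a concrete finding for the report; a property that survives a long campaign is evidence, not proof, so the property list itself belongs in the manual-review notes for Step 5.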
When invoked, I will:
Adapts based on:
| Rationalization | Why It's Wrong | Required Action |
|---|---|---|
| "Slither not available, I'll check manually" | Manual checking misses 70+ detector patterns | Install and run Slither, or document why it's blocked |
| "Can't generate diagrams, I'll describe the architecture" | Descriptions aren't visual - diagrams reveal patterns text misses | Execute slither --print commands, generate actual visual outputs |
| "No upgrades detected, skip upgradeability checks" | Proxies and upgrades are often implicit or planned | Verify with codebase search before skipping Step 2 checks |
| "Not a token, skip ERC checks" | Tokens can be integrated without obvious ERC inheritance | Check for token interactions, transfers, balances before skipping |
| "Can't set up Echidna now, suggesting it for later" | Property-based testing is Step 4, not optional | Document properties now, set up fuzzing infrastructure |
| "No DeFi interactions, skip oracle/flash loan checks" | DeFi patterns appear in unexpected places (price feeds, external calls) | Complete Step 5 manual review, search codebase for patterns |
| "This step doesn't apply to my project" | "Not applicable" without verification = missed vulnerabilities | Verify with explicit codebase search before declaring N/A |
| "I'll provide generic security advice instead of running workflow" | Generic advice isn't actionable, workflow finds specific issues | Execute all 5 steps, generate project-specific findings with file:line references |
When I complete the workflow, you'll get a comprehensive security report covering:

- Security Report
- Action Plan
- Workflow Checklist

For a complete example workflow report, see EXAMPLE_REPORT.md.
Trail of Bits Resources:
Other Security:
Let me know when you're ready and I'll run through the workflow with your codebase!
Install: `npx claudepluginhub trailofbits/skills --plugin building-secure-contracts`

Guides through Trail of Bits' 5-step secure development workflow for smart contracts. Runs Slither scans, checks upgradeability/ERC conformance/token integration, generates security diagrams, documents fuzzing properties, reviews manual areas.
Guides secure Solidity development with best practices for vulnerability prevention, reentrancy, overflow, access control, and audit readiness.
Audits Solidity smart contracts against all 10 OWASP Smart Contract Top 10 vulnerability classes using Slither static analysis and Foundry invariant testing, with specific detection commands and remediation steps.