secure-workflow-guide
$
npx mdskill add trailofbits/skills/secure-workflow-guideExecute Trail of Bits security scans to prevent contract vulnerabilities.
- Detects common smart contract flaws and validates special features like upgradeability
- Depends on Slither engine for analysis and custom detectors for specific checks
- Prioritizes findings by severity while filtering irrelevant issues based on code context
- Delivers actionable reports with visual diagrams, file references, and recommended fixes
SKILL.md
.github/skills/secure-workflow-guideView on GitHub ↗
--- name: secure-workflow-guide description: Guides through Trail of Bits' 5-step secure development workflow. Runs Slither scans, checks special features (upgradeability/ERC conformance/token integration), generates visual security diagrams, helps document security properties for fuzzing/verification, and reviews manual security areas. --- # Secure Workflow Guide ## Purpose Guides through Trail of Bits' secure development workflow - a 5-step process to enhance smart contract security throughout development. **Use this**: On every check-in, before deployment, or when you want a security review --- ## The 5-Step Workflow Covers a security workflow including: ### Step 1: Check for Known Security Issues Run Slither with 70+ built-in detectors to find common vulnerabilities: - Parse findings by severity - Explain each issue with file references - Recommend fixes - Help triage false positives **Goal**: Clean Slither report or documented triages ### Step 2: Check Special Features Detect and validate applicable features: - **Upgradeability**: slither-check-upgradeability (17 upgrade risks) - **ERC conformance**: slither-check-erc (6 common specs) - **Token integration**: Recommend token-integration-analyzer skill - **Security properties**: slither-prop for ERC20 **Note**: Only runs checks that apply to your codebase ### Step 3: Visual Security Inspection Generate 3 security diagrams: - **Inheritance graph**: Identify shadowing and C3 linearization issues - **Function summary**: Show visibility and access controls - **Variables and authorization**: Map who can write to state variables Review each diagram for security concerns ### Step 4: Document Security Properties Help document critical security properties: - State machine transitions and invariants - Access control requirements - Arithmetic constraints and precision - External interaction safety - Standards conformance Then set up testing: - **Echidna**: Property-based fuzzing with invariants - **Manticore**: Formal verification with symbolic execution - **Custom Slither checks**: Project-specific business logic **Note**: Most important activity for security ### Step 5: Manual Review Areas Analyze areas automated tools miss: - **Privacy**: On-chain secrets, commit-reveal needs - **Front-running**: Slippage protection, ordering risks, MEV - **Cryptography**: Weak randomness, signature issues, hash collisions - **DeFi interactions**: Oracle manipulation, flash loans, protocol assumptions Search codebase for these patterns and flag risks For detailed instructions, commands, and explanations for each step, see [WORKFLOW_STEPS.md](resources/WORKFLOW_STEPS.md). --- ## How I Work When invoked, I will: 1. **Explore your codebase** to understand structure 2. **Run Step 1**: Slither security scan 3. **Detect and run Step 2**: Special feature checks (only what applies) 4. **Generate Step 3**: Visual security diagrams 5. **Guide Step 4**: Security property documentation 6. **Analyze Step 5**: Manual review areas 7. **Provide action plan**: Prioritized fixes and next steps Adapts based on: - What tools you have installed - What's applicable to your project - Where you are in development --- ## Rationalizations (Do Not Skip) | Rationalization | Why It's Wrong | Required Action | |-----------------|----------------|-----------------| | "Slither not available, I'll check manually" | Manual checking misses 70+ detector patterns | Install and run Slither, or document why it's blocked | | "Can't generate diagrams, I'll describe the architecture" | Descriptions aren't visual - diagrams reveal patterns text misses | Execute slither --print commands, generate actual visual outputs | | "No upgrades detected, skip upgradeability checks" | Proxies and upgrades are often implicit or planned | Verify with codebase search before skipping Step 2 checks | | "Not a token, skip ERC checks" | Tokens can be integrated without obvious ERC inheritance | Check for token interactions, transfers, balances before skipping | | "Can't set up Echidna now, suggesting it for later" | Property-based testing is Step 4, not optional | Document properties now, set up fuzzing infrastructure | | "No DeFi interactions, skip oracle/flash loan checks" | DeFi patterns appear in unexpected places (price feeds, external calls) | Complete Step 5 manual review, search codebase for patterns | | "This step doesn't apply to my project" | "Not applicable" without verification = missed vulnerabilities | Verify with explicit codebase search before declaring N/A | | "I'll provide generic security advice instead of running workflow" | Generic advice isn't actionable, workflow finds specific issues | Execute all 5 steps, generate project-specific findings with file:line references | --- ## Example Output When I complete the workflow, you'll get a comprehensive security report covering: - **Step 1**: Slither findings with severity, file references, and fix recommendations - **Step 2**: Special feature validation results (upgradeability, ERC conformance, etc.) - **Step 3**: Visual diagrams analyzing inheritance, functions, and state variable authorization - **Step 4**: Documented security properties and testing setup (Echidna/Manticore) - **Step 5**: Manual review findings (privacy, front-running, cryptography, DeFi risks) - **Action plan**: Critical/high/medium priority tasks with effort estimates - **Workflow checklist**: Progress on all 5 steps For a complete example workflow report, see [EXAMPLE_REPORT.md](resources/EXAMPLE_REPORT.md). --- ## What You'll Get **Security Report**: - Slither findings with severity and fixes - Special feature validation results - Visual diagrams (PNG/PDF) - Manual review findings **Action Plan**: - [ ] Critical issues to fix immediately - [ ] Security properties to document - [ ] Testing to set up (Echidna/Manticore) - [ ] Manual areas to review **Workflow Checklist**: - [ ] Clean Slither report - [ ] Special features validated - [ ] Visual inspection complete - [ ] Properties documented - [ ] Manual review done --- ## Getting Help **Trail of Bits Resources**: - Office Hours: Every Tuesday ([schedule](https://meetings.hubspot.com/trailofbits/office-hours)) - Empire Hacking Slack: #crytic and #ethereum channels **Other Security**: - Remember: Security is about more than smart contracts - Off-chain security (owner keys, infrastructure) equally critical --- ## Ready to Start Let me know when you're ready and I'll run through the workflow with your codebase!
More from trailofbits/skills
- address-sanitizer>
- aflpp>
- agentic-actions-auditorAudits GitHub Actions workflows for security vulnerabilities in AI agent integrations including Claude Code Action, Gemini CLI, OpenAI Codex, and GitHub AI Inference. Detects attack vectors where attacker-controlled input reaches AI agents running in CI/CD pipelines, including env var intermediary patterns, direct expression injection, dangerous sandbox configurations, and wildcard user allowlists. Use when reviewing workflow files that invoke AI coding agents, auditing CI/CD pipeline security for prompt injection risks, or evaluating agentic action configurations.
- algorand-vulnerability-scannerScans Algorand smart contracts for 11 common vulnerabilities including rekeying attacks, unchecked transaction fees, missing field validations, and access control issues. Use when auditing Algorand projects (TEAL/PyTeal).
- ask-questions-if-underspecifiedClarify requirements before implementing. Use when serious doubts arise.
- atheris>
- audit-augmentation>
- audit-context-buildingEnables ultra-granular, line-by-line code analysis to build deep architectural context before vulnerability or bug finding.
- audit-prep-assistantPrepares codebases for security review using Trail of Bits' checklist. Helps set review goals, runs static analysis tools, increases test coverage, removes dead code, ensures accessibility, and generates documentation (flowcharts, user stories, inline comments).
- burpsuite-project-parserSearches and explores Burp Suite project files (.burp) from the command line. Use when searching response headers or bodies with regex patterns, extracting security audit findings, dumping proxy history or site map data, or analyzing HTTP traffic captured in a Burp project.