Skill Gallery
Back to list
trailofbits

secure-workflow-guide

by trailofbits

Trail of Bits Claude Code skills for security research, vulnerability detection, and audit workflows

1,725🍴 140📅 Jan 23, 2026
agent-skillsutility-developmenttool-buildingproductivity-enhancementworkflow-improvementintegration-support
View on GitHubRun in Manus

SKILL.md

name: secure-workflow-guide description: Guide you through Trail of Bits' 5-step secure development workflow. Runs Slither scans, checks special features (upgradeability/ERC conformance/token integration), generates visual security diagrams, helps document security properties for fuzzing/verification, and reviews manual security areas. (project, gitignored)

Secure Workflow Guide

Purpose

I'll guide you through Trail of Bits' secure development workflow - a 5-step process to enhance smart contract security throughout development.

Use this: On every check-in, before deployment, or when you want a security review

The 5-Step Workflow

I'll guide you through a comprehensive security workflow covering:

Step 1: Check for Known Security Issues

Run Slither with 70+ built-in detectors to find common vulnerabilities:

  • Parse findings by severity
  • Explain each issue with file references
  • Recommend fixes
  • Help triage false positives

Goal: Clean Slither report or documented triages

Step 2: Check Special Features

Detect and validate applicable features:

  • Upgradeability: slither-check-upgradeability (17 upgrade risks)
  • ERC conformance: slither-check-erc (6 common specs)
  • Token integration: Recommend token-integration-analyzer skill
  • Security properties: slither-prop for ERC20

Note: Only runs checks that apply to your codebase

Step 3: Visual Security Inspection

Generate 3 security diagrams:

  • Inheritance graph: Identify shadowing and C3 linearization issues
  • Function summary: Show visibility and access controls
  • Variables and authorization: Map who can write to state variables

Review each diagram for security concerns

Step 4: Document Security Properties

Help document critical security properties:

  • State machine transitions and invariants
  • Access control requirements
  • Arithmetic constraints and precision
  • External interaction safety
  • Standards conformance

Then set up testing:

  • Echidna: Property-based fuzzing with invariants
  • Manticore: Formal verification with symbolic execution
  • Custom Slither checks: Project-specific business logic

Note: Most important activity for security

Step 5: Manual Review Areas

Analyze areas automated tools miss:

  • Privacy: On-chain secrets, commit-reveal needs
  • Front-running: Slippage protection, ordering risks, MEV
  • Cryptography: Weak randomness, signature issues, hash collisions
  • DeFi interactions: Oracle manipulation, flash loans, protocol assumptions

Search codebase for these patterns and flag risks

For detailed instructions, commands, and explanations for each step, see WORKFLOW_STEPS.md.

How I Work

When invoked, I will:

  1. Explore your codebase to understand structure
  2. Run Step 1: Slither security scan
  3. Detect and run Step 2: Special feature checks (only what applies)
  4. Generate Step 3: Visual security diagrams
  5. Guide Step 4: Security property documentation
  6. Analyze Step 5: Manual review areas
  7. Provide action plan: Prioritized fixes and next steps

I'll adapt based on:

  • What tools you have installed
  • What's applicable to your project
  • Where you are in development

Rationalizations (Do Not Skip)

RationalizationWhy It's WrongRequired Action
"Slither not available, I'll check manually"Manual checking misses 70+ detector patternsInstall and run Slither, or document why it's blocked
"Can't generate diagrams, I'll describe the architecture"Descriptions aren't visual - diagrams reveal patterns text missesExecute slither --print commands, generate actual visual outputs
"No upgrades detected, skip upgradeability checks"Proxies and upgrades are often implicit or plannedVerify with codebase search before skipping Step 2 checks
"Not a token, skip ERC checks"Tokens can be integrated without obvious ERC inheritanceCheck for token interactions, transfers, balances before skipping
"Can't set up Echidna now, suggesting it for later"Property-based testing is Step 4, not optionalDocument properties now, set up fuzzing infrastructure
"No DeFi interactions, skip oracle/flash loan checks"DeFi patterns appear in unexpected places (price feeds, external calls)Complete Step 5 manual review, search codebase for patterns
"This step doesn't apply to my project""Not applicable" without verification = missed vulnerabilitiesVerify with explicit codebase search before declaring N/A
"I'll provide generic security advice instead of running workflow"Generic advice isn't actionable, workflow finds specific issuesExecute all 5 steps, generate project-specific findings with file:line references

Example Output

When I complete the workflow, you'll get a comprehensive security report covering:

  • Step 1: Slither findings with severity, file references, and fix recommendations
  • Step 2: Special feature validation results (upgradeability, ERC conformance, etc.)
  • Step 3: Visual diagrams analyzing inheritance, functions, and state variable authorization
  • Step 4: Documented security properties and testing setup (Echidna/Manticore)
  • Step 5: Manual review findings (privacy, front-running, cryptography, DeFi risks)
  • Action plan: Critical/high/medium priority tasks with effort estimates
  • Workflow checklist: Progress on all 5 steps

For a complete example workflow report, see EXAMPLE_REPORT.md.

What You'll Get

Security Report:

  • Slither findings with severity and fixes
  • Special feature validation results
  • Visual diagrams (PNG/PDF)
  • Manual review findings

Action Plan:

  • Critical issues to fix immediately
  • Security properties to document
  • Testing to set up (Echidna/Manticore)
  • Manual areas to review

Workflow Checklist:

  • Clean Slither report
  • Special features validated
  • Visual inspection complete
  • Properties documented
  • Manual review done

Getting Help

Trail of Bits Resources:

  • Office Hours: Every Tuesday (schedule)
  • Empire Hacking Slack: #crytic and #ethereum channels

Other Security:

  • Remember: Security is about more than smart contracts
  • Off-chain security (owner keys, infrastructure) equally critical

Ready to Start

Let me know when you're ready and I'll run through the workflow with your codebase!

Score

Total Score

95/100

Based on repository quality metrics

SKILL.md

SKILL.mdファイルが含まれている

+20
LICENSE

ライセンスが設定されている

+10
説明文

100文字以上の説明がある

+10
人気

GitHub Stars 1000以上

+15
最近の活動

1ヶ月以内に更新

+10
フォーク

10回以上フォークされている

+5
Issue管理

オープンIssueが50未満

+5
言語

プログラミング言語が設定されている

+5
タグ

1つ以上のタグが設定されている

+5

Reviews

💬

Reviews coming soon