code-maturity-assessor

by trailofbits

code-maturity-assessor provides an evidence-based maturity review using Trail of Bits’ 9-category framework. It assesses arithmetic safety, auditing, access control, complexity, decentralization, documentation, MEV risk, low-level code, and testing, with actionable recommendations for security audit readiness.

Stars4.9k

Favorites0

Comments0

AddedApr 30, 2026

CategorySecurity Audit

Install Command

npx skills add trailofbits/skills --skill code-maturity-assessor

Curation Score

This skill scores 78/100, which means it is a solid listing candidate for directory users who want a structured code-maturity assessment workflow rather than a generic review prompt. The repository gives enough operational detail to understand when to use it, what it analyzes, and what output to expect, though it still leaves some adoption questions around exact triggering and runtime integration.

78/100

Strengths

Strong triggerability: the SKILL.md clearly frames a 9-category Trail of Bits code-maturity assessment with a defined purpose and phase-based workflow.
Good operational clarity: the repository spells out discovery, analysis, and report phases, plus supporting criteria and report format resources.
Useful install decision value: users can see the intended deliverable—a scorecard with evidence-based ratings, file references, and improvement roadmap—before installing.

Cautions

No install command or execution glue: the repo does not show how the skill is invoked in practice, so agents may need some trial-and-error to trigger it correctly.
Some workflow content is truncated in the excerpt, and there are no scripts or reference files to validate automation or external dependencies.

Audit Security Solidity Smart Contracts Testing Quality

Overview

Overview of code-maturity-assessor skill

What code-maturity-assessor does

The code-maturity-assessor skill performs a structured maturity review of a codebase using Trail of Bits’ 9-category framework. It is designed for teams that need an evidence-based scorecard, not a vague code review. If you are deciding whether a project is ready for a security audit, a release gate, or a remediation plan, this skill gives you a repeatable way to assess gaps.

Who should use it

Use the code-maturity-assessor skill if you work on smart contracts or adjacent code where correctness, test depth, access control, and operational readiness matter. It is especially useful for maintainers, security reviewers, and teams preparing a codebase for external review. It is less useful if you want a quick stylistic lint, a generic architecture review, or a broad threat model without code-level evidence.

What makes it decision-useful

The main value is that it separates “looks okay” from “supported by evidence.” The assessment looks for concrete signals such as arithmetic handling, event coverage, decentralization choices, documentation quality, complexity hotspots, and testing practice. That makes it a strong fit when you need to justify priorities to engineers, auditors, or stakeholders.

How to Use code-maturity-assessor skill

Install and scope the skill

Install with npx skills add trailofbits/skills --skill code-maturity-assessor. Then read SKILL.md first, followed by resources/ASSESSMENT_CRITERIA.md, resources/REPORT_FORMAT.md, and resources/EXAMPLE_REPORT.md. Those three files show how the rating rubric works, what the final report should contain, and how detailed the output should be.

Give it a real assessment target

The code-maturity-assessor usage works best when you specify a concrete repository, module, or release candidate. Good inputs name the codebase, platform, and goal: for example, “Assess the maturity of this Solidity protocol before security audit” or “Evaluate the maturity of the access-control and testing layers in contracts/.” If you only ask for “review this project,” the skill has to guess what to inspect first.

Use a prompt that matches the framework

A strong code-maturity-assessor guide prompt should include the scope, urgency, and any known risk areas. For example: “Run a code maturity assessment for a DeFi protocol, focus on arithmetic safety, auditing events, access control, and tests, and flag anything that would block a Security Audit.” That phrasing helps the skill map your objective to the 9 categories instead of producing a generic summary.

Read the report files before relying on output

The most useful repository files are resources/ASSESSMENT_CRITERIA.md, resources/REPORT_FORMAT.md, and resources/EXAMPLE_REPORT.md. Together they show the threshold logic, the expected structure of the scorecard, and the level of evidence each rating needs. For install decisions, this matters because it tells you whether the output will be actionable or just descriptive.

code-maturity-assessor skill FAQ

Is this only for smart contracts?

It is strongest for Solidity and related building-secure-contracts workflows, but the framework can still help on codebases where security, testing, and operational controls are central. If your project is a typical web app with no on-chain logic, the code-maturity-assessor skill may be overkill compared with a conventional code review prompt.

How is this different from a normal prompt?

A normal prompt usually produces an ad hoc review. code-maturity-assessor install gives you a defined rubric, a fixed report shape, and a clear evidence standard. That makes the result easier to compare across repositories or across time.

Is it suitable for a Security Audit precheck?

Yes, code-maturity-assessor for Security Audit is one of its best use cases. It helps identify whether the codebase has enough documentation, test depth, and design clarity to justify moving into a formal audit. It does not replace an audit, but it can prevent wasting audit time on obvious maturity gaps.

What should I do if the repo is sparse?

If the repository has limited documentation, thin tests, or unclear structure, expect the skill to ask follow-up questions or mark categories conservatively. In that case, provide extra context about deployment assumptions, off-chain monitoring, governance, and any specs that live outside the repo.

How to Improve code-maturity-assessor skill

Give it evidence-rich inputs

The best way to improve results is to supply the exact files that describe intent: specs, architecture notes, testing strategy, and any security process docs. For code-heavy repos, point it to the main contracts or modules and the test directories. Strong inputs reduce guesswork in categories like arithmetic, complexity, and access control.

Clarify what “maturity” should mean for this repo

A token contract, a DAO, and a DeFi protocol do not fail for the same reasons. Tell the skill what you care about most: release readiness, audit readiness, upgrade safety, or operational monitoring. That lets it weight the 9 categories in a way that matches your risk profile instead of treating every category as equally important.

Watch for the common failure modes

The most common misses are missing specs, undocumented unchecked operations, weak event strategy, and tests that do not cover edge cases. If the first pass is too optimistic, ask for a second pass focused on the weakest category and require file:line evidence. If it is too cautious, provide the missing docs or explain process decisions that are not visible in code.

Iterate after the first report

Use the first assessment as a gap map, then resubmit with the files or context that address the highest-risk findings. This is where the code-maturity-assessor skill becomes more valuable than a one-shot prompt: you can re-run it after adding tests, tightening docs, or clarifying governance, and compare whether the maturity score actually improved.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

solana-vulnerability-scanner

by trailofbits

solana-vulnerability-scanner is a focused Solana security audit skill for native Rust and Anchor programs. It helps review CPI logic, PDA validation, signer and ownership checks, and sysvar spoofing to catch six critical Solana-specific vulnerabilities before deployment.

Security Audit

Favorites 0GitHub 4.9k

security-review

by affaan-m

Use the security-review skill to review auth, user input, secrets, APIs, payments, uploads, and other sensitive flows. It provides a practical security-review guide with clear pass/fail checks, risky-pattern examples, and a focused process for catching common issues before release.

Security Audit

Favorites 0GitHub 156.3k

django-security

by affaan-m

django-security is a practical guide for hardening Django apps with authentication, authorization, CSRF, XSS, SQL injection prevention, secure cookies, and production settings. It helps developers and reviewers run a focused Security Audit, quickly spot risky config, and apply concrete fixes before deployment.

Security Audit

Favorites 0GitHub 156.1k

secure-workflow-guide

by trailofbits

secure-workflow-guide guides a 5-step Solidity security workflow: Slither triage, feature-specific checks, visual inspection, security-property notes, and manual review. It is built for smart contract teams, auditors, and builders who want a repeatable secure-workflow-guide guide before deployment or release.

Security Audit

Favorites 0GitHub 4.9k

algorand-vulnerability-scanner

by trailofbits

algorand-vulnerability-scanner is a security-audit skill for Algorand TEAL and PyTeal. It helps find 11 common issues, including rekeying attacks, fee validation gaps, field checks, and access control flaws. Use the algorand-vulnerability-scanner skill for a practical first-pass review before a manual audit.

Security Audit

Favorites 0GitHub 4.9k

supabase-postgres-best-practices

by supabase

supabase-postgres-best-practices is a Supabase Postgres optimization skill for query tuning, indexing, schema design, RLS performance, locking, and connection management.

Database Engineering

Favorites 0GitHub 1.7k

token-integration-analyzer

by trailofbits

token-integration-analyzer is a security-review skill for token implementations and token integrations. It checks ERC20/ERC721 conformity, weird token patterns, owner privileges, scarcity, and non-standard token handling for Security Audit workflows. Use the token-integration-analyzer guide to reduce guesswork and assess compatibility risk.

Security Audit

Favorites 0GitHub 4.9k

cosmos-vulnerability-scanner

by trailofbits

cosmos-vulnerability-scanner finds consensus-critical bugs in Cosmos SDK modules, CosmWasm contracts, IBC integrations, and Cosmos EVM stacks. Use this cosmos-vulnerability-scanner guide for security audit workflows, chain-halt risks, fund-loss paths, and pre-launch reviews.

Security Audit

Favorites 0GitHub 4.9k

audit-website

by squirrelscan

The audit-website skill uses the squirrel CLI to audit websites and webapps across 230+ rules for SEO, technical, content, performance, security, links, and site health, then returns actionable LLM-ready reports.

UX Audit

Favorites 0GitHub 68

skill-comply

by affaan-m

skill-comply is a compliance-testing skill that checks whether an agent follows a skill, rule, or agent definition in real runs. It generates specs from markdown, runs three prompt strictness levels, classifies tool-call timelines, and reports compliance rates with evidence. Useful for skill-comply for Compliance Review.

Compliance Review

Favorites 0GitHub 156.3k

security-scan

by affaan-m

The security-scan skill audits your Claude Code .claude/ configuration for secrets, risky MCP setup, injection-prone instructions, dangerous bypass flags, and weak agent or hook definitions using AgentShield. Use it for repeatable security checks before committing or onboarding.

Security Audit

Favorites 0GitHub 156.3k

perl-security

by affaan-m

perl-security helps you review Perl code for safer input handling, taint mode, shell execution, DBI placeholders, and web security issues like XSS, SQLi, and CSRF. Use this perl-security skill for Security Audit work, remediation planning, and secure development when user-controlled data reaches sensitive sinks.

Security Audit

Favorites 0GitHub 156.2k

laravel-security

by affaan-m

The laravel-security skill is a practical Laravel security checklist for authn/authz, validation, CSRF, mass assignment, file uploads, secrets, rate limiting, and secure deployment. Use it for audits, feature reviews, and hardening work in Laravel apps.

Security Audit

Favorites 0GitHub 156.2k

healthcare-eval-harness

by affaan-m

healthcare-eval-harness is a patient safety evaluation harness for healthcare app deployments. It helps teams verify CDSS accuracy, PHI exposure, data integrity, clinical workflow behavior, and integration compliance before release. Critical failures block deployment, making it useful for healthcare-eval-harness for Model Evaluation and CI safety gates.

Model Evaluation

Favorites 0GitHub 156.2k

github-ops

by affaan-m

github-ops is a GitHub operations skill for triaging issues, managing PRs, checking CI failures, preparing releases, and monitoring repository health with the gh CLI. Use the github-ops skill when you need repeatable github-ops usage for a real repository, with auth via gh auth login and clear repo context.

Github

Favorites 0GitHub 156.2k

ecc-tools-cost-audit

by affaan-m

ecc-tools-cost-audit is an evidence-first audit skill for ECC Tools cost spikes, runaway PR creation, quota bypass, premium-model leakage, and duplicate jobs. Use it for Backend Development investigations that trace a request from webhook to worker to billing decision and prove where spend is being created.

Backend Development

Favorites 0GitHub 156.1k