
secure-workflow-guide

by trailofbits

secure-workflow-guide guides a 5-step Solidity security workflow: Slither triage, feature-specific checks, visual inspection, security-property notes, and manual review. It is built for smart contract teams, auditors, and builders who want a repeatable workflow to follow before deployment or release.

Stars: 4.9k
Favorites: 0
Comments: 0
Added: Apr 30, 2026
Category: Security Audit
Install command:
npx skills add trailofbits/skills --skill secure-workflow-guide
Curation Score

This skill scores 84/100, which means it is a solid directory listing for users working on smart contract security workflows. The repository gives clear trigger conditions, a concrete 5-step process, and example outputs that should help agents execute with less guesswork than a generic prompt, though users should expect some manual setup because it does not ship an install command or helper scripts.

Strengths
  • Clear operational trigger: the skill explicitly says to use it on every check-in, before deployment, or when a security review is needed.
  • Strong workflow specificity: it lays out a 5-step secure development process with named tools like Slither, slither-check-upgradeability, slither-check-erc, and slither-prop.
  • Good agent leverage: the included workflow steps and example report show what outputs to produce and how to interpret findings, reducing execution ambiguity.
Cautions
  • No install command or scripts are provided, so users may need to infer how to wire the skill into their environment.
  • Support files are limited to two resources and there are no references, which reduces depth for edge-case implementation or verification.
Overview

Overview of secure-workflow-guide skill

The secure-workflow-guide skill helps you run Trail of Bits’ 5-step secure development workflow on a Solidity codebase, not just a one-off scan. It is best for smart contract teams, auditors, and builders who want a repeatable path from “what looks risky?” to “what should we verify next?” before deployment or release.

What this skill is for

The secure-workflow-guide skill centers on practical security triage: detect known issues, identify which specialized checks apply, inspect structure visually, document security properties, and review manual attack surfaces. That makes it especially useful for security audit preparation when you need coverage that goes beyond generic prompt advice.

Who should use it

Use it if your repo contains Solidity contracts, upgradeable patterns, ERC tokens, or integrations that need security review. It is a strong fit when you already have code and want a workflow that helps you prioritize findings, choose the right follow-up checks, and avoid running irrelevant tools.

What makes it different

Unlike a generic “review this contract” prompt, secure-workflow-guide is workflow-shaped. It gives you a security sequence: Slither-first triage, special-feature checks only where applicable, diagram-based inspection, property documentation, and manual review guidance. That structure reduces guesswork and helps prevent shallow audits that miss contract-specific risks.

How to Use secure-workflow-guide skill

Install and trigger it cleanly

Install with:

npx skills add trailofbits/skills --skill secure-workflow-guide

Then invoke the secure-workflow-guide skill with a concrete repo and a specific security goal. The best prompts name the contract type, the suspected architecture, and the decision you need. For example: “Run secure-workflow-guide on this UUPS staking system and focus on upgrade safety, access control, and ERC20 assumptions.”

Give the skill the right input

The secure-workflow-guide usage works best when you provide:

  • the target repository or contract path
  • whether the code is upgradeable, token-like, or integration-heavy
  • what stage you are in: pre-merge, pre-deploy, or audit prep
  • any known concern such as initialization, auth, or proxy storage layout

A weak prompt is “check this project.” A stronger one is “Use secure-workflow-guide on contracts/ and prioritize upgradeability, token handling, and high-severity Slither findings.”

Read these files first

Start with SKILL.md, then inspect resources/WORKFLOW_STEPS.md for the exact 5-step sequence and resources/EXAMPLE_REPORT.md to see the expected output shape. If you want to understand the repository quickly, those two resources are more useful than skimming the whole tree.

Use the workflow in order

Do not jump straight to special checks. The secure-workflow-guide skill is designed to start with known issues, then branch into only the checks your codebase actually needs. That order matters because it keeps you from wasting time on irrelevant analyses and helps surface the highest-value fixes first.

secure-workflow-guide skill FAQ

Is secure-workflow-guide only for Solidity?

It is built around Solidity smart contract review. If your project is not an EVM contract codebase, the secure-workflow-guide skill will usually be a poor fit and a generic code review prompt may be better.

How is this different from a normal prompt?

A normal prompt can ask for a review, but secure-workflow-guide encodes a security workflow: scan, classify, inspect, document, and verify. That makes it better when you want consistent audit prep rather than an ad hoc opinion.

Is it beginner-friendly?

Yes, if you can point it at a repo and name your goal. You do not need to know every Slither plugin in advance. The skill is more helpful when you can describe the contract shape, because the secure-workflow-guide skill can then choose the right branches of the workflow.

When should I not use it?

Do not use it as a substitute for formal audit judgment, and do not expect it to validate non-contract systems like frontend or backend app logic. It is strongest when the question is, “What security workflow should I run on this Solidity codebase?”

How to Improve secure-workflow-guide skill

Give it sharper context

The biggest quality gains come from telling the secure-workflow-guide skill what matters most: upgrade safety, token behavior, authorization, initialization, or external integrations. If the first output feels broad, narrow the task to one contract family or one risk class.

Provide concrete artifacts, not just intent

If you can, point to specific contracts, proxy names, token standards, or assumptions you want checked. “Review the staking system” is weaker than “Review Staking.sol and StakingProxy.sol for initialization, role gating, and storage compatibility.” The second prompt improves secure-workflow-guide usage because it reduces ambiguity in the checks it should prioritize.

Iterate from findings, not from the whole repo

After the first pass, feed back the most important results and ask for the next decision: fix prioritization, false-positive triage, or deeper manual review. That is usually better than asking for a completely fresh run. For security audit work, the best outputs come from narrowing the scope after the first report, not expanding it blindly.
