spec-to-code-compliance

by trailofbits

spec-to-code-compliance verifies that code matches written specifications exactly for blockchain audits and Compliance Review. Use the spec-to-code-compliance skill to compare whitepapers, design docs, and implementations, identify missing behavior, and flag undocumented or divergent logic.

Stars5k

Favorites0

Comments0

AddedMay 7, 2026

CategoryCompliance Review

Install Command

npx skills add trailofbits/skills --skill spec-to-code-compliance

Curation Score

This skill scores 78/100, which means it is a solid listing candidate for directory users who need spec-to-code compliance checks for blockchain audits. It gives enough workflow structure, trigger guidance, and output requirements to reduce guesswork versus a generic prompt, though users should still expect a fairly specialized, documentation-heavy process.

78/100

Strengths

Explicit use cases and concrete triggers for comparing code against specifications, whitepapers, and protocol docs.
Strong operational guidance via checklist and required IR/output formats, including completeness thresholds and line-level evidence requirements.
Large, non-placeholder body with multiple supporting resources, indicating a real workflow rather than a demo or stub.

Cautions

Highly specialized to blockchain/specification compliance, so it is not a general code-review or vulnerability-finding skill.
No install command or script-based automation is provided, so adoption depends on the user following the written workflow carefully.

Blockchain Smart Contracts Audit Compliance Documentation Specification Developer Audience

Overview

Overview of spec-to-code-compliance skill

spec-to-code-compliance is a focused audit skill for checking whether code matches a written specification exactly. It is best for blockchain and protocol teams that need evidence-backed compliance review, not generic code review. Use the spec-to-code-compliance skill when you have both the spec and the implementation, and you need to answer a hard question: what is implemented, what is missing, and what diverges in behavior, invariants, or security guarantees.

What this skill is for

This skill is designed for spec-to-code compliance analysis, especially in smart contracts, protocol logic, and other high-stakes codebases with formal docs. It helps identify gaps between whitepapers, design docs, and code, including omitted workflows, changed assumptions, undocumented behavior, and incomplete security enforcement.

Best-fit users and jobs

It is a strong fit for auditors, protocol engineers, security reviewers, and technical PMs preparing for a Compliance Review. If you need to compare intended behavior against live code before launch, this skill gives you a more disciplined workflow than a normal prompt.

Main differentiator

The main value of spec-to-code-compliance is traceability: it pushes the analysis toward explicit spec extraction, code-level evidence, and alignment checks. That makes it more reliable than asking an AI to “review the code” in one pass.

How to Use spec-to-code-compliance skill

Install and activate it

Use the repo install path for the skill, then point the model at the specific codebase and spec documents you want checked. A typical spec-to-code-compliance install starts from the plugin path in trailofbits/skills and then runs the skill in a repo that contains both documentation and source.

Give the skill the right inputs

For good spec-to-code-compliance usage, provide:

the specification source or sources
the target codebase or commit
the exact scope, such as one contract, module, or protocol flow
any known exclusions, assumptions, or review criteria

A weak request is: “Check if this is compliant.” A stronger request is: “Compare docs/whitepaper.md and contracts/Router.sol for swap slippage, deadline handling, and authorization, and flag any behavior not covered by the spec.”

Read these files first

Start with SKILL.md, then read resources/OUTPUT_REQUIREMENTS.md, resources/COMPLETENESS_CHECKLIST.md, and resources/IR_EXAMPLES.md. Those files tell you what the skill expects to extract, how completeness is judged, and what a good compliance record looks like.

Workflow that gets better results

A practical spec-to-code-compliance guide is:

identify the spec sections with requirements, invariants, and workflows
map each requirement to the exact functions, modifiers, and state changes in code
note every mismatch, missing branch, and undocumented assumption
summarize by severity and confidence, not by volume of findings

The biggest quality gain comes from being specific about the behavior under review. If you narrow the scope to one flow, one contract, or one invariant set, the output is usually sharper and easier to verify.

spec-to-code-compliance skill FAQ

Is spec-to-code-compliance only for blockchain code?

No, but it is clearly optimized for blockchain and protocol documentation. If your project does not have formal specs, whitepapers, or design docs, the skill is usually the wrong tool.

How is this different from a normal code review prompt?

A normal prompt may find bugs or summarize code. spec-to-code-compliance is for compliance review: it checks whether implementation matches documented intent, including omissions and mismatched guarantees.

Do beginners need audit experience to use it?

No. Beginners can use the spec-to-code-compliance skill if they can supply the spec and code clearly. The main requirement is not expertise, but good source selection and a bounded question.

When should I not use it?

Do not use it when you only want documentation writing, broad vulnerability hunting, or general understanding of unfamiliar code. If there is no authoritative spec, the analysis will be less meaningful and the fit is weak.

How to Improve spec-to-code-compliance skill

Focus on the spec claims that matter most

For better spec-to-code-compliance results, prioritize requirements with user impact, security impact, or economic impact: invariants, roles, trust boundaries, state transitions, and explicit MUST/NEVER language. Those are the claims most likely to affect Compliance Review decisions.

Provide concrete evidence boundaries

Give the model the exact document names, code paths, and commit or tag if possible. If you know the review should ignore test helpers, admin scripts, or unrelated modules, say so up front. Clear boundaries reduce false gaps and keep the analysis on the intended implementation surface.

Watch for the common failure modes

The usual weak spots are implicit spec claims, hidden state transitions, and partial matches that look correct at a glance. If the first pass is inconclusive, ask for a tighter alignment table that maps each spec claim to a code location or notes it as unimplemented.

Iterate with a sharper second pass

If the first output is too broad, refine the prompt with one of these:

“Check only authorization and upgrade paths”
“Compare the fee math against the spec formulas”
“List all spec claims that have no code counterpart”

That kind of follow-up turns spec-to-code-compliance from a summary tool into a precise verification workflow.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

security-review

by affaan-m

Use the security-review skill to review auth, user input, secrets, APIs, payments, uploads, and other sensitive flows. It provides a practical security-review guide with clear pass/fail checks, risky-pattern examples, and a focused process for catching common issues before release.

Security Audit

Favorites 0GitHub 156.3k

django-security

by affaan-m

django-security is a practical guide for hardening Django apps with authentication, authorization, CSRF, XSS, SQL injection prevention, secure cookies, and production settings. It helps developers and reviewers run a focused Security Audit, quickly spot risky config, and apply concrete fixes before deployment.

Security Audit

Favorites 0GitHub 156.1k

codeql

by trailofbits

The codeql skill helps you run CodeQL with fewer blind spots during a security audit. It focuses on database quality, suite selection, data extensions, and SARIF review so you can use codeql usage more reliably across supported languages. Use it for repeatable codeql guide steps when analyzing real repositories.

Security Audit

Favorites 0GitHub 5k

insecure-defaults

by trailofbits

The insecure-defaults skill helps spot fail-open configuration patterns that let software run with unsafe settings instead of stopping. Use it for a Security Audit of production code, deployment configs, and secret-handling logic to catch weak auth, hardcoded secrets, and permissive defaults.

Security Audit

Favorites 0GitHub 5k

algorand-vulnerability-scanner

by trailofbits

algorand-vulnerability-scanner is a security-audit skill for Algorand TEAL and PyTeal. It helps find 11 common issues, including rekeying attacks, fee validation gaps, field checks, and access control flaws. Use the algorand-vulnerability-scanner skill for a practical first-pass review before a manual audit.

Security Audit

Favorites 0GitHub 4.9k

token-integration-analyzer

by trailofbits

token-integration-analyzer is a security-review skill for token implementations and token integrations. It checks ERC20/ERC721 conformity, weird token patterns, owner privileges, scarcity, and non-standard token handling for Security Audit workflows. Use the token-integration-analyzer guide to reduce guesswork and assess compatibility risk.

Security Audit

Favorites 0GitHub 4.9k

accessibility-compliance

by wshobson

The accessibility-compliance skill helps teams audit and improve web or mobile UI with practical WCAG 2.2, ARIA, keyboard access, screen reader, and mobile accessibility guidance. Best for UX audits, component fixes, and implementation-ready recommendations.

UX Audit

Favorites 0GitHub 32.6k

skill-comply

by affaan-m

skill-comply is a compliance-testing skill that checks whether an agent follows a skill, rule, or agent definition in real runs. It generates specs from markdown, runs three prompt strictness levels, classifies tool-call timelines, and reports compliance rates with evidence. Useful for skill-comply for Compliance Review.

Compliance Review

Favorites 0GitHub 156.3k

perl-security

by affaan-m

perl-security helps you review Perl code for safer input handling, taint mode, shell execution, DBI placeholders, and web security issues like XSS, SQLi, and CSRF. Use this perl-security skill for Security Audit work, remediation planning, and secure development when user-controlled data reaches sensitive sinks.

Security Audit

Favorites 0GitHub 156.2k

laravel-security

by affaan-m

The laravel-security skill is a practical Laravel security checklist for authn/authz, validation, CSRF, mass assignment, file uploads, secrets, rate limiting, and secure deployment. Use it for audits, feature reviews, and hardening work in Laravel apps.

Security Audit

Favorites 0GitHub 156.2k

customs-trade-compliance

by affaan-m

customs-trade-compliance is a trade compliance skill for customs documentation, HS/HTS classification, duty planning, restricted party screening, and Compliance Review. It helps users turn shipment facts into defensible import/export decisions with less guesswork than a generic prompt.

Compliance Review

Favorites 0GitHub 156.1k

k8s-security-policies

by wshobson

k8s-security-policies helps teams draft Kubernetes NetworkPolicy, Pod Security Standards labels, and RBAC patterns using repo-backed templates and references for hardening and audit-ready rollout planning.

Security Audit

Favorites 0GitHub 32.6k

security-and-hardening

by addyosmani

The security-and-hardening skill helps harden application code before release. Use it for user input, auth, sessions, sensitive data, file uploads, webhooks, and external services, with concrete checks like input validation, parameterized queries, output encoding, secure cookies, HTTPS, and secrets handling.

Security Audit

Favorites 0GitHub 18.7k

cairo-vulnerability-scanner

by trailofbits

cairo-vulnerability-scanner scans Cairo/StarkNet smart contracts for six critical issues, including felt252 arithmetic errors, L1-L2 messaging flaws, address conversion bugs, and signature replay. Use this cairo-vulnerability-scanner skill for Security Audit reviews of StarkNet contracts.

Security Audit

Favorites 0GitHub 4.9k

security

by markdown-viewer

The security skill creates PlantUML security architecture diagrams with AWS stencils for identity, encryption, firewalling, compliance, and threat detection. Use it for IAM flows, zero-trust designs, encryption pipelines, Security Audit diagrams, and review-ready documentation. It is not meant for general cloud infrastructure or generic UML modeling.

Security Audit

Favorites 0GitHub 1.1k

apple-appstore-reviewer

by github

apple-appstore-reviewer helps audit iOS apps for App Store rejection risks, privacy gaps, permissions, subscriptions, and reviewer-blocking flows before submission.

Compliance Review

Favorites 0GitHub 0