secure-workflow-guide
Guides through Trail of Bits' 5-step secure development workflow. Runs Slither scans, checks special features (upgradeability/ERC conformance/token integration), generates visual security diagrams, helps document security properties for fuzzing/verification, and reviews manual security areas.
Install
mkdir -p .claude/skills/secure-workflow-guide && curl -L -o skill.zip "https://mcp.directory/api/skills/download/1143" && unzip -o skill.zip -d .claude/skills/secure-workflow-guide && rm skill.zipInstalls to .claude/skills/secure-workflow-guide
About this skill
Secure Workflow Guide
Purpose
Guides through Trail of Bits' secure development workflow - a 5-step process to enhance smart contract security throughout development.
Use this: On every check-in, before deployment, or when you want a security review
The 5-Step Workflow
Covers a security workflow including:
Step 1: Check for Known Security Issues
Run Slither with 70+ built-in detectors to find common vulnerabilities:
- Parse findings by severity
- Explain each issue with file references
- Recommend fixes
- Help triage false positives
Goal: Clean Slither report or documented triages
Step 2: Check Special Features
Detect and validate applicable features:
- Upgradeability: slither-check-upgradeability (17 upgrade risks)
- ERC conformance: slither-check-erc (6 common specs)
- Token integration: Recommend token-integration-analyzer skill
- Security properties: slither-prop for ERC20
Note: Only runs checks that apply to your codebase
Step 3: Visual Security Inspection
Generate 3 security diagrams:
- Inheritance graph: Identify shadowing and C3 linearization issues
- Function summary: Show visibility and access controls
- Variables and authorization: Map who can write to state variables
Review each diagram for security concerns
Step 4: Document Security Properties
Help document critical security properties:
- State machine transitions and invariants
- Access control requirements
- Arithmetic constraints and precision
- External interaction safety
- Standards conformance
Then set up testing:
- Echidna: Property-based fuzzing with invariants
- Manticore: Formal verification with symbolic execution
- Custom Slither checks: Project-specific business logic
Note: Most important activity for security
Step 5: Manual Review Areas
Analyze areas automated tools miss:
- Privacy: On-chain secrets, commit-reveal needs
- Front-running: Slippage protection, ordering risks, MEV
- Cryptography: Weak randomness, signature issues, hash collisions
- DeFi interactions: Oracle manipulation, flash loans, protocol assumptions
Search codebase for these patterns and flag risks
For detailed instructions, commands, and explanations for each step, see WORKFLOW_STEPS.md.
How I Work
When invoked, I will:
- Explore your codebase to understand structure
- Run Step 1: Slither security scan
- Detect and run Step 2: Special feature checks (only what applies)
- Generate Step 3: Visual security diagrams
- Guide Step 4: Security property documentation
- Analyze Step 5: Manual review areas
- Provide action plan: Prioritized fixes and next steps
Adapts based on:
- What tools you have installed
- What's applicable to your project
- Where you are in development
Rationalizations (Do Not Skip)
| Rationalization | Why It's Wrong | Required Action |
|---|---|---|
| "Slither not available, I'll check manually" | Manual checking misses 70+ detector patterns | Install and run Slither, or document why it's blocked |
| "Can't generate diagrams, I'll describe the architecture" | Descriptions aren't visual - diagrams reveal patterns text misses | Execute slither --print commands, generate actual visual outputs |
| "No upgrades detected, skip upgradeability checks" | Proxies and upgrades are often implicit or planned | Verify with codebase search before skipping Step 2 checks |
| "Not a token, skip ERC checks" | Tokens can be integrated without obvious ERC inheritance | Check for token interactions, transfers, balances before skipping |
| "Can't set up Echidna now, suggesting it for later" | Property-based testing is Step 4, not optional | Document properties now, set up fuzzing infrastructure |
| "No DeFi interactions, skip oracle/flash loan checks" | DeFi patterns appear in unexpected places (price feeds, external calls) | Complete Step 5 manual review, search codebase for patterns |
| "This step doesn't apply to my project" | "Not applicable" without verification = missed vulnerabilities | Verify with explicit codebase search before declaring N/A |
| "I'll provide generic security advice instead of running workflow" | Generic advice isn't actionable, workflow finds specific issues | Execute all 5 steps, generate project-specific findings with file:line references |
Example Output
When I complete the workflow, you'll get a comprehensive security report covering:
- Step 1: Slither findings with severity, file references, and fix recommendations
- Step 2: Special feature validation results (upgradeability, ERC conformance, etc.)
- Step 3: Visual diagrams analyzing inheritance, functions, and state variable authorization
- Step 4: Documented security properties and testing setup (Echidna/Manticore)
- Step 5: Manual review findings (privacy, front-running, cryptography, DeFi risks)
- Action plan: Critical/high/medium priority tasks with effort estimates
- Workflow checklist: Progress on all 5 steps
For a complete example workflow report, see EXAMPLE_REPORT.md.
What You'll Get
Security Report:
- Slither findings with severity and fixes
- Special feature validation results
- Visual diagrams (PNG/PDF)
- Manual review findings
Action Plan:
- Critical issues to fix immediately
- Security properties to document
- Testing to set up (Echidna/Manticore)
- Manual areas to review
Workflow Checklist:
- Clean Slither report
- Special features validated
- Visual inspection complete
- Properties documented
- Manual review done
Getting Help
Trail of Bits Resources:
- Office Hours: Every Tuesday (schedule)
- Empire Hacking Slack: #crytic and #ethereum channels
Other Security:
- Remember: Security is about more than smart contracts
- Off-chain security (owner keys, infrastructure) equally critical
Ready to Start
Let me know when you're ready and I'll run through the workflow with your codebase!
More by trailofbits
View all →You might also like
flutter-development
aj-geddes
Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.
drawio-diagrams-enhanced
jgtolentino
Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.
godot
bfollington
This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.
nano-banana-pro
garg-aayush
Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.
ui-ux-pro-max
nextlevelbuilder
"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."
rust-coding-skill
UtakataKyosui
Guides Claude in writing idiomatic, efficient, well-structured Rust code using proper data modeling, traits, impl organization, macros, and build-speed best practices.
Stay ahead of the MCP ecosystem
Get weekly updates on new skills and servers.