
code-maturity-assessor

Tags: code quality, security audit, code review, software maturity, Trail of Bits, smart contract, technical debt, code assessment
⭐ 5.7k · CC-BY-SA-4.0 · 2026-06-15 · Source ↗

Install this skill

npx skills add trailofbits/skills

Works across Claude Code, Cursor, Codex, Copilot & Antigravity

The code-maturity-assessor evaluates software projects against a structured, nine-point security framework developed by Trail of Bits. It functions as a methodical audit tool that systematically inspects smart contracts or modules across critical dimensions including arithmetic safety, access control, decentralization, and low-level code implementation. Unlike casual code reviews, this skill mandates a rigorous, evidence-based rating for each category. It identifies specific gaps in test coverage, formal verification practices, and documentation standards, transforming qualitative observations into a quantified maturity score. By scanning the file structure and analyzing implementation patterns, the assessor provides a clear roadmap for remediation. It forces a complete evaluation of the codebase, preventing developers from ignoring complex architectural risks like MEV vulnerabilities or improper upgrade mechanisms in their deployed contracts.

When to Use This Skill

  • Conducting a baseline security review before a mainnet smart contract launch
  • Evaluating the technical debt of a project during acquisition or partnership
  • Standardizing security posture across multiple internal development teams
  • Preparing a project for a third-party professional security audit

How to Invoke This Skill

Example prompts that trigger this skill in Claude Code, Cursor, or Antigravity:

  • “Run the code maturity assessment on this repository”
  • “Evaluate our smart contracts using the Trail of Bits 9-category framework”
  • “Generate a maturity scorecard for the current project codebase”
  • “Assess my project's code maturity and provide an improvement roadmap”
  • “Is my codebase mature according to security standards?”

Pro Tips

  • 💡 Provide access to all relevant files, including `test/` directories and `docs/` folders, for the most comprehensive assessment.
  • 💡 Be prepared to answer clarifying questions about your team's development processes or architectural decisions that aren't explicit in the code.
  • 💡 Focus on implementing the highest-priority recommendations first to achieve maximum impact on code maturity and security.

What this skill does

  • Assigns evidence-backed ratings for nine distinct security and structural categories
  • Maps findings to specific file paths and line numbers
  • Generates a prioritized improvement roadmap categorized by effort level
  • Analyzes implementation patterns against defined security standards
  • Evaluates architectural decentralization and upgrade safety

When not to use it

  • ✕ Replacing a professional human-led security audit or bug bounty program
  • ✕ Analyzing non-contract languages or general-purpose web applications
  • ✕ Performing real-time threat detection for live blockchain transactions

Example workflow

  1. Initialize the assessor on the target contract directory
  2. Allow the tool to index project structure and test suites
  3. Review findings for each of the nine assessment categories
  4. Discuss and clarify borderline ratings with the agent
  5. Generate the final scorecard and improvement report

Prerequisites

  • The target codebase must be accessible to the agent
  • Access to the repository's documentation and test suite is required for accurate rating

Pitfalls & limitations

  • ! Over-reliance on automated logic without providing human context for architectural decisions
  • ! Ignoring the interactive clarification phase, which is essential for accurate scoring
  • ! Assuming an 'all clear' from the tool replaces the need for deep adversarial testing

FAQ

Does this tool replace a human auditor?
No. It provides a structured baseline and identifies clear security gaps, but it is not a substitute for deep manual analysis or formal penetration testing.
What happens if I don't have tests?
The tool will mark the testing and verification category as 'Missing' or 'Weak' and highlight this as a high-priority improvement item in your roadmap.
Can it analyze any programming language?
It is specialized for contracts and modules within the Trail of Bits security framework context; it is not intended for generic application code.

How it compares

While a generic prompt asks for general feedback, this tool enforces a disciplined, non-negotiable assessment of all nine specific security categories to ensure no critical failure point is overlooked.

Full skill instructions (original source: trailofbits/skills):
# Code Maturity Assessor

## Purpose

I will systematically assess this codebase's maturity using Trail of Bits' 9-category framework by analyzing the code and evaluating it against established criteria. I'll provide evidence-based ratings and actionable recommendations.

**Framework**: Building Secure Contracts - Code Maturity Evaluation v0.1.0

---

## How This Works

### Phase 1: Discovery
I'll explore the codebase to understand:
- Project structure and platform
- Contract/module files
- Test coverage
- Documentation availability

### Phase 2: Analysis
For each of 9 categories, I'll:
- **Search the code** for relevant patterns
- **Read key files** to assess implementation
- **Present findings** with file references
- **Ask clarifying questions** about processes I can't see in code
- **Determine rating** based on criteria

### Phase 3: Report
I'll generate:
- Executive summary
- Maturity scorecard (ratings for all 9 categories)
- Detailed analysis with evidence
- Priority-ordered improvement roadmap

---

## Rating System

- **Missing (0)**: Not present/not implemented
- **Weak (1)**: Several significant improvements needed
- **Moderate (2)**: Adequate, can be improved
- **Satisfactory (3)**: Above average, minor improvements
- **Strong (4)**: Exceptional, only small improvements possible

**Rating Logic**:
- ANY "Weak" criteria → **Weak**
- NO "Weak" + SOME "Moderate" unmet → **Moderate**
- ALL "Moderate" + SOME "Satisfactory" met → **Satisfactory**
- ALL "Satisfactory" + exceptional practices → **Strong**
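The rating rules above turned into a small scorer, added here as an illustration (this is not the skill's own code): criteria are grouped into Weak/Moderate/Satisfactory tiers plus an "exceptional" flag (an assumption about how the criteria file is organized), a category with nothing implemented is Missing, and the average of the per-category scores is the overall maturity figure the executive summary reports. One case the rules leave open is handled explicitly: all Moderate criteria met but no Satisfactory criterion met is treated as Moderate.

```python
from dataclasses import dataclass, field
from statistics import mean

SCORES = {"Missing": 0, "Weak": 1, "Moderate": 2, "Satisfactory": 3, "Strong": 4}


@dataclass
class Category:
    """One of the nine categories with its criteria evaluated (the tiers are an assumption)."""
    name: str
    present: bool = True                 # False -> nothing implemented -> Missing
    weak_flags: list = field(default_factory=list)    # any one of these caps the rating at Weak
    moderate_met: dict = field(default_factory=dict)  # Moderate-tier criterion -> met?
    satisfactory_met: dict = field(default_factory=dict)
    exceptional: bool = False            # practices beyond every Satisfactory criterion


def rate(cat: Category) -> str:
    """Apply the Rating Logic rules in order; the first rule that fires decides."""
    if not cat.present:
        return "Missing"
    if cat.weak_flags:                                  # ANY "Weak" criterion -> Weak
        return "Weak"
    if not all(cat.moderate_met.values()):              # NO Weak + SOME Moderate unmet -> Moderate
        return "Moderate"
    if not any(cat.satisfactory_met.values()):          # assumption: nothing above Moderate stays Moderate
        return "Moderate"
    if all(cat.satisfactory_met.values()) and cat.exceptional:  # ALL Satisfactory + exceptional -> Strong
        return "Strong"
    return "Satisfactory"                               # ALL Moderate + SOME Satisfactory met


def scorecard(cats: list) -> tuple:
    """Map each category to (rating, score) and average the scores for the executive summary."""
    rows = {c.name: (rate(c), SCORES[rate(c)]) for c in cats}
    overall = round(mean(score for _, score in rows.values()), 2)
    return rows, overall


def sample_assessment():
    """Constructed findings for four of the nine categories (not a real project)."""
    return scorecard([
        Category("ARITHMETIC", weak_flags=["fee maths inside an unchecked block (constructed)"]),
        Category("AUDITING", moderate_met={"events on state changes": True, "monitoring runbook": False}),
        Category("TESTING & VERIFICATION", moderate_met={"unit tests": True, "CI runs tests": True},
                 satisfactory_met={"fuzzing": True, "formal verification": False}),
        Category("DOCUMENTATION", present=False),
    ])
```

Calling `sample_assessment()` returns the four ratings (Weak, Moderate, Satisfactory, Missing) and an overall maturity of 1.5, which is how a single unchecked-arithmetic finding drags a scorecard down even when testing is strong.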

---

## The 9 Categories

I assess 9 comprehensive categories covering all aspects of code maturity. For detailed criteria, analysis approaches, and rating thresholds, see [ASSESSMENT_CRITERIA.md](resources/ASSESSMENT_CRITERIA.md).

### Quick Reference:

**1. ARITHMETIC**
- Overflow protection mechanisms
- Precision handling and rounding
- Formula specifications
- Edge case testing

**2. AUDITING**
- Event definitions and coverage
- Monitoring infrastructure
- Incident response planning

**3. AUTHENTICATION / ACCESS CONTROLS**
- Privilege management
- Role separation
- Access control testing
- Key compromise scenarios

**4. COMPLEXITY MANAGEMENT**
- Function scope and clarity
- Cyclomatic complexity
- Inheritance hierarchies
- Code duplication

**5. DECENTRALIZATION**
- Centralization risks
- Upgrade control mechanisms
- User opt-out paths
- Timelock/multisig patterns

**6. DOCUMENTATION**
- Specifications and architecture
- Inline code documentation
- User stories
- Domain glossaries

**7. TRANSACTION ORDERING RISKS**
- MEV vulnerabilities
- Front-running protections
- Slippage controls
- Oracle security

**8. LOW-LEVEL MANIPULATION**
- Assembly usage
- Unsafe code sections
- Low-level calls
- Justification and testing

**9. TESTING & VERIFICATION**
- Test coverage
- Fuzzing and formal verification
- CI/CD integration
- Test quality

For complete assessment criteria including what I'll analyze, what I'll ask you, and detailed rating thresholds (WEAK/MODERATE/SATISFACTORY/STRONG), see [ASSESSMENT_CRITERIA.md](resources/ASSESSMENT_CRITERIA.md).

---

## Example Output

When the assessment is complete, you'll receive a comprehensive maturity report including:

- **Executive Summary**: Overall score, top 3 strengths, top 3 gaps, priority recommendations
- **Maturity Scorecard**: Table with all 9 categories rated with scores and notes
- **Detailed Analysis**: Category-by-category breakdown with evidence (file:line references)
- **Improvement Roadmap**: Priority-ordered recommendations (CRITICAL/HIGH/MEDIUM) with effort estimates

For a complete example assessment report, see [EXAMPLE_REPORT.md](resources/EXAMPLE_REPORT.md).

---

## Assessment Process

When invoked, I will:

1. **Explore codebase**
- Find contract/module files
- Identify test files
- Locate documentation

2. **Analyze each category**
- Search for relevant code patterns
- Read key implementations
- Assess against criteria
- Collect evidence

3. **Interactive assessment**
- Present my findings with file references
- Ask about processes I can't see in code
- Discuss borderline cases
- Determine ratings together

4. **Generate report**
- Executive summary
- Maturity scorecard table
- Detailed category analysis with evidence
- Priority-ordered improvement roadmap

---

## Rationalizations (Do Not Skip)

| Rationalization | Why It's Wrong | Required Action |
|-----------------|----------------|-----------------|
| "Found some findings, assessment complete" | Assessment requires evaluating ALL 9 categories | Complete assessment of all 9 categories with evidence for each |
| "I see events, auditing category looks good" | Events alone don't equal auditing maturity | Check logging comprehensiveness, testing, incident response processes |
| "Code looks simple, complexity is low" | Visual simplicity masks composition complexity | Analyze cyclomatic complexity, dependency depth, state machine transitions |
| "Not a DeFi protocol, MEV category doesn't apply" | MEV extends beyond DeFi (governance, NFTs, games) | Verify with transaction ordering analysis before declaring N/A |
| "No assembly found, low-level category is N/A" | Low-level risks include external calls, delegatecall, inline assembly | Search for all low-level patterns before skipping category |
| "This is taking too long" | Thorough assessment requires time per category | Complete all 9 categories, ask clarifying questions about off-chain processes |
| "I can rate this without evidence" | Ratings without file:line references = unsubstantiated claims | Collect concrete code evidence for every category assessment |
| "User will know what to improve" | Vague guidance = no action | Provide priority-ordered roadmap with specific improvements and effort estimates |

---

## Report Format

For detailed report structure and templates, see [REPORT_FORMAT.md](resources/REPORT_FORMAT.md).

### Structure:

1. **Executive Summary**
- Project name and platform
- Overall maturity (average rating)
- Top 3 strengths
- Top 3 critical gaps
- Priority recommendations

2. **Maturity Scorecard**
- Table with all 9 categories
- Ratings and scores
- Key findings notes

3. **Detailed Analysis**
- Per-category breakdown
- Evidence with file:line references
- Gaps and improvement actions

4. **Improvement Roadmap**
- CRITICAL (immediate)
- HIGH (1-2 months)
- MEDIUM (2-4 months)
- Effort estimates and impact

---

## Ready to Begin

**Estimated Time**: 30-40 minutes

**I'll need**:
- Access to full codebase
- Your knowledge of processes (monitoring, incident response, team practices)
- Context about the project (DeFi, NFT, infrastructure, etc.)

Let's assess this codebase!

How to Use This Skill Unit

Option A: Project-Specific (Recommended)

  1. Click "Download" above
  2. In your project, create the directory: .agent/skills/code-maturity-assessor/
  3. Save the file as SKILL.md
  4. The agent will automatically discover the skill based on its description.

Option B: Global Installation (All Agents)

Save the file to these locations to make it available across all projects:

  • Claude Code: ~/.claude/skills/trailofbits/skills/code-maturity-assessor/SKILL.md
  • Cursor: ~/.cursor/skills/trailofbits/skills/code-maturity-assessor/SKILL.md
  • Antigravity: ~/.gemini/antigravity/skills/trailofbits/skills/code-maturity-assessor/SKILL.md

🚀 Install with CLI:
npx skills add trailofbits/skills

How to use this Skill in Claude Code & Cursor

For Claude Code (CLI)

To use this skill in Claude Code, copy the rule content into your project's custom instructions or follow our Add-Skill CLI guide. This ensures Claude follows your standards during every code generation.

For Cursor & Windsurf

For Cursor or Windsurf, individual skills are best used in the "Rules for AI" section. This specific unit helps the agent avoid security & vulnerability analysis issues, leading to cleaner, more efficient code.

Why the skill format matters: the standardized Agent Skills format lets your AI agent load detailed instructions only when they are relevant, keeping your prompt clean while improving results.

Source & attribution

This skill is categorized under Security & Vulnerability Analysis and is published by Trail of Bits, maintained in trailofbits/skills.
