
secure-workflow-guide

Tags: security, smart contracts, blockchain, audit, Slither, secure development, workflow, web3
5.7k stars · CC-BY-SA-4.0 · Updated 2026-06-15

Install this skill

npx skills add trailofbits/skills

Works across Claude Code, Cursor, Codex, Copilot & Antigravity

The secure-workflow-guide operationalizes the Trail of Bits auditing methodology for smart contract developers. Instead of providing general security advice, this agent forces a structured five-stage evaluation of your Solidity codebase. It executes static analysis using Slither to detect common vulnerabilities, validates upgradeability patterns, and generates structural diagrams to map function visibility and state access. The process goes beyond automated scanning by assisting in the formalization of security invariants and property-based testing setup. By following these steps, you translate abstract security goals into actionable technical audits, ensuring that common pitfalls—like improper inheritance, unauthorized state modifications, or front-running risks—are identified before deployment. This agent acts as a checklist-driven auditor that produces concrete, file-referenced reports based on your project's architecture rather than generic best practices.

When to Use This Skill

  • Preparing a smart contract project for an external security audit
  • Running a routine safety check before merging a new feature branch
  • Verifying compliance with common token standards and proxy patterns
  • Setting up property-based testing with Echidna and Manticore

How to Invoke This Skill

Example prompts that trigger this skill in Claude Code, Cursor, or Antigravity:

  • Run the full Trail of Bits security workflow on my repo
  • Perform a secure development review of my smart contracts
  • Help me audit this codebase using the 5-step security guide
  • Check my smart contract for security vulnerabilities and architectural risks
  • Guide me through the secure workflow for this deployment

Pro Tips

  • Run this skill early and often in your development process to catch issues proactively, saving significant refactoring time later.
  • Pay close attention to the explanations for Slither findings and understand how to triage false positives, documenting why an issue might not be a true vulnerability for your context.
  • Combine the automated checks with the manual security areas review step to ensure comprehensive coverage that tools alone cannot provide.

What this skill does

  • Execute Slither scans with specific severity triage and fix recommendations
  • Generate visual inheritance and function summary diagrams
  • Validate ERC standards and upgradeability proxy safety
  • Assist in defining formal security invariants for fuzzing
  • Conduct guided manual review for MEV and cryptographic risks

When not to use it

  • When you need a high-level summary of business logic without technical security analysis
  • When your project does not use Solidity or the EVM

Example workflow

  1. Initialize the agent within your repository root
  2. Execute Slither analysis to address automated findings
  3. Generate architectural diagrams to confirm state variable access
  4. Formalize core security invariants for property-based testing
  5. Review identified manual risks like slippage or oracle manipulation

Prerequisites

  • Slither
  • Echidna
  • Manticore
  • Python environment

Pitfalls & limitations

  • Assuming automated tools like Slither find every logical vulnerability
  • Skipping visual diagram review just because the code seems simple
  • Failing to document security invariants, which weakens the testing phase

FAQ

Does this tool replace a professional audit?
No, this guide helps you prepare your code to a professional standard, which makes an actual audit more efficient and effective.

What happens if I don't have Manticore or Echidna installed?
The agent will guide you through the process, but you will need to install these tools to complete the property-based testing and formal verification steps.

Can I skip the visual diagram generation?
It is not recommended, as diagrams often reveal implicit inheritance or access control flaws that are difficult to spot in raw code.

How it compares

Unlike generic AI prompts that offer vague security suggestions, this tool forces a rigid, evidence-based workflow that requires file-specific documentation and tool-backed verification.

Source & trust

Full skill instructions — original source: trailofbits/skills
# Secure Workflow Guide

## Purpose

I'll guide you through Trail of Bits' secure development workflow - a 5-step process to enhance smart contract security throughout development.

**Use this**: On every check-in, before deployment, or when you want a security review

---

## The 5-Step Workflow

I'll guide you through a comprehensive security workflow covering:

### Step 1: Check for Known Security Issues
Run Slither with 70+ built-in detectors to find common vulnerabilities:
- Parse findings by severity
- Explain each issue with file references
- Recommend fixes
- Help triage false positives

**Goal**: Clean Slither report or documented triages
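
One way to carry out the "parse findings by severity" and "documented triages" parts of Step 1, as an added example that is not part of the Trail of Bits skill: it groups a Slither JSON report (as written by `slither . --json <file>`) by impact with file:line references and treats untriaged High/Medium findings as blocking. The sample report, the `TRIAGED` record and the High/Medium gate are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed sample shaped like Slither's JSON report (not from a real project).
SAMPLE = json.loads("""
{"success": true, "error": null, "results": {"detectors": [
  {"check": "reentrancy-eth", "impact": "High", "confidence": "Medium",
   "elements": [{"source_mapping": {"filename_relative": "contracts/Vault.sol", "lines": [41, 42, 43]}}]},
  {"check": "timestamp", "impact": "Low", "confidence": "Medium",
   "elements": [{"source_mapping": {"filename_relative": "contracts/Vault.sol", "lines": [60]}}]},
  {"check": "arbitrary-send-eth", "impact": "High", "confidence": "Medium",
   "elements": [{"source_mapping": {"filename_relative": "contracts/Treasury.sol", "lines": [18, 19]}}]}
]}}
""")

# Hypothetical triage record: (detector, file) -> documented justification.
TRIAGED = {("arbitrary-send-eth", "contracts/Treasury.sol"): "sweep() is onlyOwner; recipient is the multisig"}
ORDER = ["High", "Medium", "Low", "Informational", "Optimization"]
BLOCKING = {"High", "Medium"}  # assumed gate: these must be fixed or triaged

def location(finding):
    """Return (file, first line) of the first element that carries a source mapping."""
    for el in finding.get("elements", []):
        sm = el.get("source_mapping") or {}
        if sm.get("filename_relative") and sm.get("lines"):
            return sm["filename_relative"], min(sm["lines"])
    return "<unknown>", 0

def triage(report, triaged):
    """Group findings by impact; also return the untriaged High/Medium findings."""
    if not report.get("success"):
        raise RuntimeError(f"slither failed: {report.get('error')}")
    groups, blocking = defaultdict(list), []
    for f in report.get("results", {}).get("detectors", []):
        path, line = location(f)
        reason = triaged.get((f["check"], path))
        entry = {"check": f["check"], "ref": f"{path}:{line}", "triaged": reason}
        groups[f["impact"]].append(entry)
        if f["impact"] in BLOCKING and reason is None:
            blocking.append(entry)
    return {s: groups[s] for s in ORDER if s in groups}, blocking

if __name__ == "__main__":
    groups, blocking = triage(SAMPLE, TRIAGED)
    for sev, items in groups.items():
        print(sev, [(i["check"], i["ref"], bool(i["triaged"])) for i in items])
    raise SystemExit(1 if blocking else 0)  # non-zero exit fails a CI check-in gate
```
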

### Step 2: Check Special Features
Detect and validate applicable features:
- **Upgradeability**: `slither-check-upgradeability` (17 upgrade risks)
- **ERC conformance**: `slither-check-erc` (6 common specs)
- **Token integration**: Recommend `token-integration-analyzer` skill
- **Security properties**: `slither-prop` for ERC20

**Note**: Only runs checks that apply to your codebase

### Step 3: Visual Security Inspection
Generate 3 security diagrams:
- **Inheritance graph**: Identify shadowing and C3 linearization issues
- **Function summary**: Show visibility and access controls
- **Variables and authorization**: Map who can write to state variables

Review each diagram for security concerns

### Step 4: Document Security Properties
Help document critical security properties:
- State machine transitions and invariants
- Access control requirements
- Arithmetic constraints and precision
- External interaction safety
- Standards conformance

Then set up testing:
- **Echidna**: Property-based fuzzing with invariants
- **Manticore**: Formal verification with symbolic execution
- **Custom Slither checks**: Project-specific business logic

**Note**: Most important activity for security

### Step 5: Manual Review Areas
Analyze areas automated tools miss:
- **Privacy**: On-chain secrets, commit-reveal needs
- **Front-running**: Slippage protection, ordering risks, MEV
- **Cryptography**: Weak randomness, signature issues, hash collisions
- **DeFi interactions**: Oracle manipulation, flash loans, protocol assumptions

Search codebase for these patterns and flag risks

For detailed instructions, commands, and explanations for each step, see [WORKFLOW_STEPS.md](resources/WORKFLOW_STEPS.md).

---

## How I Work

When invoked, I will:

1. **Explore your codebase** to understand structure
2. **Run Step 1**: Slither security scan
3. **Detect and run Step 2**: Special feature checks (only what applies)
4. **Generate Step 3**: Visual security diagrams
5. **Guide Step 4**: Security property documentation
6. **Analyze Step 5**: Manual review areas
7. **Provide action plan**: Prioritized fixes and next steps

I'll adapt based on:
- What tools you have installed
- What's applicable to your project
- Where you are in development

---

## Rationalizations (Do Not Skip)

| Rationalization | Why It's Wrong | Required Action |
|-----------------|----------------|-----------------|
| "Slither not available, I'll check manually" | Manual checking misses 70+ detector patterns | Install and run Slither, or document why it's blocked |
| "Can't generate diagrams, I'll describe the architecture" | Descriptions aren't visual - diagrams reveal patterns text misses | Execute `slither --print` commands, generate actual visual outputs |
| "No upgrades detected, skip upgradeability checks" | Proxies and upgrades are often implicit or planned | Verify with codebase search before skipping Step 2 checks |
| "Not a token, skip ERC checks" | Tokens can be integrated without obvious ERC inheritance | Check for token interactions, transfers, balances before skipping |
| "Can't set up Echidna now, suggesting it for later" | Property-based testing is Step 4, not optional | Document properties now, set up fuzzing infrastructure |
| "No DeFi interactions, skip oracle/flash loan checks" | DeFi patterns appear in unexpected places (price feeds, external calls) | Complete Step 5 manual review, search codebase for patterns |
| "This step doesn't apply to my project" | "Not applicable" without verification = missed vulnerabilities | Verify with explicit codebase search before declaring N/A |
| "I'll provide generic security advice instead of running workflow" | Generic advice isn't actionable, workflow finds specific issues | Execute all 5 steps, generate project-specific findings with file:line references |

---

## Example Output

When I complete the workflow, you'll get a comprehensive security report covering:

- **Step 1**: Slither findings with severity, file references, and fix recommendations
- **Step 2**: Special feature validation results (upgradeability, ERC conformance, etc.)
- **Step 3**: Visual diagrams analyzing inheritance, functions, and state variable authorization
- **Step 4**: Documented security properties and testing setup (Echidna/Manticore)
- **Step 5**: Manual review findings (privacy, front-running, cryptography, DeFi risks)
- **Action plan**: Critical/high/medium priority tasks with effort estimates
- **Workflow checklist**: Progress on all 5 steps

For a complete example workflow report, see [EXAMPLE_REPORT.md](resources/EXAMPLE_REPORT.md).

---

## What You'll Get

**Security Report**:
- Slither findings with severity and fixes
- Special feature validation results
- Visual diagrams (PNG/PDF)
- Manual review findings

**Action Plan**:
- [ ] Critical issues to fix immediately
- [ ] Security properties to document
- [ ] Testing to set up (Echidna/Manticore)
- [ ] Manual areas to review

**Workflow Checklist**:
- [ ] Clean Slither report
- [ ] Special features validated
- [ ] Visual inspection complete
- [ ] Properties documented
- [ ] Manual review done

---

## Getting Help

**Trail of Bits Resources**:
- Office Hours: Every Tuesday ([schedule](https://meetings.hubspot.com/trailofbits/office-hours))
- Empire Hacking Slack: #crytic and #ethereum channels

**Other Security**:
- Remember: Security is about more than smart contracts
- Off-chain security (owner keys, infrastructure) equally critical

---

## Ready to Start

Let me know when you're ready and I'll run through the workflow with your codebase!

How to Use This Skill Unit

Option A: Project-Specific (Recommended)

  1. Click "Download" above
  2. In your project, create the directory: .agent/skills/secure-workflow-guide/
  3. Save the file as SKILL.md
  4. The agent will automatically discover the skill based on its description.

Option B: Global Installation (All Agents)

Save the file to these locations to make it available across all projects:

  • Claude Code: ~/.claude/skills/trailofbits/skills/secure-workflow-guide/SKILL.md
  • Cursor: ~/.cursor/skills/trailofbits/skills/secure-workflow-guide/SKILL.md
  • Antigravity: ~/.gemini/antigravity/skills/trailofbits/skills/secure-workflow-guide/SKILL.md

How to use this Skill in Claude Code & Cursor

For Claude Code (CLI)

To use this skill in Claude Code, copy the rule content into your project's custom instructions or follow our Add-Skill CLI guide. This ensures Claude follows your standards during every code generation.

For Cursor & Windsurf

For Cursor or Windsurf, individual skills are best used in the "Rules for AI" section. This specific unit helps the agent avoid security & vulnerability analysis issues, leading to cleaner, more efficient code.

Why the skill format matters: the standardized Agent Skills format lets your AI agent load detailed instructions only when they are relevant, keeping your prompt clean while improving results.

Source & attribution

This skill is categorized under Security & Vulnerability Analysis and is published by Trail of Bits, maintained in trailofbits/skills.
