Master smart contract security best practices to prevent common vulnerabilities and implement secure Solidity patterns. Use when writing smart contracts, auditing existing contracts, or implementing security measures for blockchain applications.
71
58%
Does it follow best practices?
Impact
94%
1.00x average score across 3 eval scenarios
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./tests/ext_conformance/artifacts/agents-wshobson/blockchain-web3/skills/solidity-security/SKILL.md
Quality
Discovery (67%)
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description has a solid structure with an explicit 'Use when...' clause and covers the domain adequately. However, it relies on high-level language ('best practices', 'common vulnerabilities', 'secure patterns') rather than enumerating specific capabilities, and the trigger terms could be more comprehensive to capture the variety of ways users might request smart contract security help.
Suggestions
Replace vague phrases like 'common vulnerabilities' and 'secure patterns' with specific examples such as 'prevent reentrancy attacks, integer overflow, and unauthorized access; implement checks-effects-interactions pattern, OpenZeppelin guards'.
Expand trigger terms to include specific user-facing keywords like 'reentrancy', 'access control', 'gas optimization', '.sol files', 'ERC-20/ERC-721 security', and 'exploit prevention'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (smart contract security, Solidity) and mentions some actions ('writing smart contracts', 'auditing existing contracts', 'implementing security measures'), but doesn't list specific concrete actions like 'prevent reentrancy attacks, implement access control patterns, validate input parameters'. | 2 / 3 |
| Completeness | Clearly answers both 'what' (smart contract security best practices, preventing vulnerabilities, implementing secure Solidity patterns) and 'when' with an explicit 'Use when...' clause covering writing, auditing, and implementing security measures for blockchain applications. | 3 / 3 |
| Trigger Term Quality | Includes relevant keywords like 'smart contract', 'Solidity', 'security', 'auditing', 'blockchain', and 'vulnerabilities', but misses common user terms like 'reentrancy', 'overflow', 'access control', 'ERC-20', 'gas optimization', '.sol files', or 'exploit'. | 2 / 3 |
| Distinctiveness / Conflict Risk | The focus on smart contract security and Solidity provides some distinctiveness, but 'writing smart contracts' could overlap with a general Solidity development skill, and 'security measures for blockchain applications' is broad enough to conflict with other blockchain-related skills. | 2 / 3 |
| Total | | 9 / 12 Passed |
Implementation (50%)
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is highly actionable with excellent executable code examples covering major Solidity security vulnerabilities, but it is far too verbose for a SKILL.md file. Much of the content (gas optimization, testing examples, audit preparation) should be in referenced files rather than inline. The lack of a clear audit/review workflow with validation steps limits its effectiveness as a procedural guide.
Suggestions
Reduce the main file to a concise overview of each vulnerability with one compact code example each, moving detailed examples, gas optimization, testing, and audit preparation into referenced files.
Remove redundant explanations—the CEI pattern is shown three times (reentrancy vulnerable/secure, best practices section, and audit preparation); consolidate to one authoritative example.
Add an explicit workflow for auditing an existing contract: e.g., 1) Run Slither, 2) Check against checklist, 3) Review each function for CEI compliance, 4) Verify access control, with validation gates between steps.
Remove pedagogical comments like '// Too late!' and '// DANGER:' that explain concepts Claude already understands; keep only structural comments that aid code comprehension.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~400+ lines, with extensive code examples that repeat similar patterns (e.g., the CEI pattern appears multiple times). It includes sections like gas optimization and audit preparation that expand scope significantly. Comments like '// DANGER: External call before state update' and '// Too late!' are pedagogical padding Claude doesn't need. | 1 / 3 |
| Actionability | The skill provides fully executable Solidity code examples for every vulnerability and pattern, including both vulnerable and secure versions. The testing section includes complete Hardhat test examples, and the code is copy-paste ready. | 3 / 3 |
| Workflow Clarity | While individual patterns are clear, there's no explicit workflow for auditing a contract or securing an existing one. The checklist is helpful but lacks a sequenced process with validation checkpoints. The front-running mitigation shows a two-step process, but most content is pattern-based rather than workflow-based. | 2 / 3 |
| Progressive Disclosure | The Resources section references external files appropriately, but the main file is monolithic with extensive inline code that could be split into referenced files. The gas optimization and testing sections could easily be separate documents, keeping the main skill focused on the security overview. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation (90%)
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (526 lines); consider splitting into references/ and linking | Warning |
| Total | | 10 / 11 Passed |