Master smart contract security best practices to prevent common vulnerabilities and implement secure Solidity patterns. Use when writing smart contracts, auditing existing contracts, or implementing security measures for blockchain applications.
58%: Does it follow best practices?
Impact: 94% (1.00x average score across 3 eval scenarios)
Advisory: Suggest reviewing before use
Skill reviewed: ./tests/ext_conformance/artifacts/agents-wshobson/blockchain-web3/skills/solidity-security/SKILL.md

Quality
Discovery
67%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description has a solid structure with an explicit 'Use when...' clause and identifies the domain clearly (Solidity smart contracts, blockchain). However, it relies on high-level language ('best practices', 'common vulnerabilities', 'security measures') rather than enumerating specific capabilities, and it could benefit from more natural trigger terms that users would actually type when seeking smart contract security help.
Suggestions
Replace vague phrases like 'common vulnerabilities' and 'security measures' with specific examples such as 'prevent reentrancy attacks, integer overflow, access control flaws, and front-running exploits'.
Add more natural trigger terms users would say, such as 'Solidity audit', 'reentrancy', '.sol files', 'EVM security', 'OpenZeppelin', or 'gas optimization'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Names the domain (smart contract security, Solidity) and mentions some actions ('writing smart contracts', 'auditing existing contracts', 'implementing security measures'), but doesn't list specific concrete actions like 'prevent reentrancy attacks, implement access control patterns, validate input parameters'. | 2 / 3 |
| Completeness | Clearly answers both 'what' (smart contract security best practices, preventing vulnerabilities, implementing secure Solidity patterns) and 'when' with an explicit 'Use when...' clause covering writing, auditing, and implementing security measures. | 3 / 3 |
| Trigger Term Quality | Includes relevant keywords like 'smart contract', 'Solidity', 'security', 'auditing', 'blockchain', but misses common natural variations users might say such as 'reentrancy', 'overflow', 'exploit', 'vulnerability scan', 'gas optimization', '.sol files', or 'EVM'. | 2 / 3 |
| Distinctiveness / Conflict Risk | The focus on smart contracts and Solidity provides some distinctiveness, but 'security best practices' and 'auditing' are broad enough to potentially overlap with general code security or auditing skills. More specific triggers like particular vulnerability types would reduce conflict risk. | 2 / 3 |
| Total | | 9 / 12 Passed |
Implementation
50%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill provides excellent, actionable Solidity security examples with executable code covering major vulnerability categories. However, it is significantly too long and repetitive — the CEI pattern appears three times, and entire sections (gas optimization, testing, audit prep) should be in referenced sub-files rather than inline. The lack of a clear sequential workflow for conducting an audit or securing a contract limits its effectiveness as a procedural guide.
Suggestions
Reduce redundancy by showing the CEI pattern once and referencing it elsewhere; consolidate the reentrancy section with the best practices section.
Move gas optimization, testing, and audit preparation content into the referenced sub-files (references/gas-optimization.md, etc.) and keep only brief summaries with links in the main skill.
Add a clear sequential workflow for auditing an existing contract (e.g., 1. Run static analysis → 2. Check each vulnerability category → 3. Verify test coverage → 4. Document findings) with explicit validation checkpoints.
Remove explanatory comments like '// DANGER: External call before state update' that explain concepts Claude already understands; keep only the pattern names and code.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~400+ lines, with significant redundancy. The Checks-Effects-Interactions pattern is shown three separate times (in reentrancy, in best practices, and in audit preparation). The vulnerable vs. secure code pairs, while useful, are overly detailed for Claude, who understands Solidity. Gas optimization and testing sections add bulk that could be separate reference files. | 1 / 3 |
| Actionability | All code examples are fully executable Solidity with proper imports, complete function signatures, and realistic patterns. The testing section provides runnable Hardhat tests. Every vulnerability includes both vulnerable and secure code that could be directly used or adapted. | 3 / 3 |
| Workflow Clarity | The checklist at the end provides a good overview of what to verify, but there's no clear sequenced workflow for auditing a contract or writing a secure one from scratch. The front-running section shows a two-step commit-reveal process, but overall the skill lacks explicit validation checkpoints and feedback loops for the audit/development process. | 2 / 3 |
| Progressive Disclosure | The Resources section references several sub-files (references/reentrancy.md, etc.), which is good progressive disclosure structure. However, the main file contains far too much inline content that should be in those reference files: the gas optimization, testing, and audit preparation sections are all candidates for extraction. The skill tries to be both overview and comprehensive reference. | 2 / 3 |
| Total | | 8 / 12 Passed |
Validation
90%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (526 lines); consider splitting into references/ and linking | Warning |
| Total | | 10 / 11 Passed |