
audit-prep-assistant

Prepares codebases for security review using Trail of Bits' checklist. Helps set review goals, runs static analysis tools, increases test coverage, removes dead code, ensures accessibility, and generates documentation (flowcharts, user stories, inline comments).

65 (1.07x)

Quality: 47%. Does it follow best practices?

Impact: 96% (1.07x). Average score across 3 eval scenarios.

Security by Snyk: Passed. No known issues.

Optimize this skill with Tessl: `npx tessl skill review --optimize ./plugins/building-secure-contracts/skills/audit-prep-assistant/SKILL.md`

Quality

Discovery: 67%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description excels at specificity and distinctiveness by clearly naming Trail of Bits and listing concrete preparation actions. However, it lacks an explicit 'Use when...' clause, which limits its completeness score, and could benefit from more natural trigger terms that users might actually say when requesting security review preparation.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user wants to prepare a codebase for a security audit, penetration test, or Trail of Bits review.'

Include additional natural trigger terms like 'security audit', 'audit prep', 'pentest preparation', 'code hardening', or 'pre-audit checklist' to improve discoverability.

Dimension, reasoning and score:

Specificity (3 / 3): Lists multiple specific concrete actions: setting review goals, running static analysis tools, increasing test coverage, removing dead code, ensuring accessibility, and generating documentation (with subtypes: flowcharts, user stories, inline comments).

Completeness (2 / 3): Clearly answers 'what does this do' with a detailed list of actions, but lacks an explicit 'Use when...' clause or equivalent trigger guidance for when Claude should select this skill.

Trigger Term Quality (2 / 3): Includes relevant terms like 'security review', 'Trail of Bits', 'static analysis', 'test coverage', 'dead code', and 'documentation', but misses common user-facing variations like 'audit', 'pentest prep', 'code review checklist', or 'security audit preparation'.

Distinctiveness Conflict Risk (3 / 3): The combination of 'security review' with 'Trail of Bits checklist' creates a very specific niche that is unlikely to conflict with general code review, documentation, or testing skills.

Total: 10 / 12 (Passed)

Implementation: 27%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill is well-intentioned and covers the Trail of Bits audit prep checklist comprehensively, but it is far too verbose for a SKILL.md. The massive example output section, repeated deliverable summaries, and vague bullet-point lists waste tokens without adding actionable value. The skill would benefit greatly from being split into referenced sub-files and tightened to focus on concrete, executable guidance rather than descriptive lists.

Suggestions

Cut the example output section to ~20 lines showing just the structure/format, or move it to a separate EXAMPLE_OUTPUT.md file referenced from the main skill.

Remove the 'What You'll Get' section entirely as it duplicates Steps 1-4, and remove the 'Ready to Prep' sign-off.

Replace vague bullet lists (e.g., 'Analyze current coverage / Identify untested code') with specific tool commands and concrete instructions (e.g., 'Run `forge coverage` and identify functions below 80% branch coverage').

Add explicit validation checkpoints between steps, such as 'Verify slither reports 0 high/medium findings before proceeding to Step 3' to create proper feedback loops.

Dimension, reasoning and score:

Conciseness (1 / 3): Extremely verbose at ~300+ lines. The example output alone is over 100 lines of filler content. Bullet-point lists like 'Map primary workflows / Show component relationships / Visualize data flow / Identify critical paths' are vague padding. The 'What You'll Get' section largely repeats Steps 1-4. The 'Ready to Prep' sign-off and timeline section add little actionable value. Claude doesn't need explanations of what flowcharts or glossaries are.

Actionability (2 / 3): Provides some concrete commands (slither, dylint, golangci-lint, forge coverage), which is good, but most guidance is vague bullet points like 'Analyze current coverage', 'Identify untested code', 'Suggest new tests'. The static analysis commands for CodeQL/Semgrep are left as comments. Many steps describe what to do abstractly rather than providing executable instructions or specific tool invocations.

Workflow Clarity (2 / 3): The 4-step process provides a clear sequence and the timeline section adds temporal structure. However, there are no explicit validation checkpoints or feedback loops between steps. For example, after running static analysis there's no 'if X then Y' error recovery guidance. The 'How I Work' section lists steps but doesn't define when to stop or how to verify completion of each phase.

Progressive Disclosure (1 / 3): Everything is in one monolithic file with no references to external files or bundle resources. The massive example output, the rationalizations table, the deliverables summary, and the checklist all bloat the main file. Content like the full example output, the rationalizations table, and detailed documentation guidance should be in separate referenced files. No bundle files exist to support this.

Total: 6 / 12 (Passed)

Validation: 100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation (skill structure): 11 / 11 passed. No warnings or errors.

Repository: trailofbits/skills (Reviewed)
