Guides through Trail of Bits' 5-step secure development workflow. Runs Slither scans, checks special features (upgradeability/ERC conformance/token integration), generates visual security diagrams, helps document security properties for fuzzing/verification, and reviews manual security areas.
63
43%: Does it follow best practices?
Impact: 99%
1.39x average score across 3 eval scenarios
Passed: No known issues
Optimize this skill with Tessl: npx tessl skill review --optimize ./plugins/building-secure-contracts/skills/secure-workflow-guide/SKILL.md
Quality
Discovery
67%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
The description excels at specificity and distinctiveness, clearly outlining a unique 5-step smart contract security workflow with concrete actions. However, it lacks an explicit 'Use when...' clause and misses common user-facing trigger terms such as 'smart contract', 'Solidity', 'audit', or 'blockchain', which would help Claude match this skill to user requests more reliably.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user asks for a smart contract security audit, secure development review, or mentions Trail of Bits methodology.'
Include natural trigger terms users would say, such as 'smart contract', 'Solidity', 'audit', 'vulnerability analysis', 'blockchain security', and 'security review'.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: running Slither scans, checking special features (upgradeability/ERC conformance/token integration), generating visual security diagrams, documenting security properties for fuzzing/verification, and reviewing manual security areas. | 3 / 3 |
| Completeness | Clearly answers 'what does this do' with the 5-step workflow and specific actions, but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this dimension at 2 per the rubric guidelines. | 2 / 3 |
| Trigger Term Quality | Includes some relevant keywords like 'Slither', 'security', 'upgradeability', 'ERC conformance', 'fuzzing', and 'verification', but misses common user-facing terms like 'smart contract', 'Solidity', 'audit', 'vulnerability', or 'blockchain security' that users would naturally say. | 2 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche: Trail of Bits' specific 5-step secure development workflow for smart contracts, with unique triggers like 'Slither scans', 'ERC conformance', and 'security diagrams' that are unlikely to conflict with other skills. | 3 / 3 |
| Total | | 10 / 12 Passed |
Implementation
20%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill provides a well-structured overview of a 5-step security workflow but fails on actionability: there are no executable commands, no concrete Slither flags, and no code examples anywhere in the body. The content is also significantly verbose, with redundant sections (output described twice), a large rationalizations table of questionable value, and sections that explain Claude's behavior back to itself. The referenced resource files (WORKFLOW_STEPS.md, EXAMPLE_REPORT.md) are not provided in the bundle, so all the concrete guidance is missing.
Suggestions
Add concrete, executable Slither commands for each step (e.g., `slither . --detect reentrancy-eth`, `slither-check-upgradeability . ContractName`, `slither . --print inheritance-graph`)
Remove redundant sections: consolidate 'Example Output' and 'What You'll Get' into one section, remove 'Ready to Start' and 'How I Work' which waste tokens describing Claude's own behavior
Provide the referenced bundle files (WORKFLOW_STEPS.md, EXAMPLE_REPORT.md) or inline the critical command details, since without them the skill has no actionable content
Add explicit validation checkpoints between steps (e.g., 'Verify Slither exit code 0 before proceeding to Step 2', 'Confirm diagram files were generated before reviewing')
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Significant verbosity throughout. The 'Rationalizations' table, 'What You'll Get' section, 'Ready to Start' section, and 'Getting Help' section add substantial token cost with minimal actionable value. The 'How I Work' section explains Claude's own behavior back to itself. Multiple sections repeat the same information (e.g., the output description appears in both 'Example Output' and 'What You'll Get'). | 1 / 3 |
| Actionability | Despite describing a 5-step workflow, there are zero executable commands, no concrete Slither invocations, no actual code examples, and no specific flags or arguments. Everything is described at a high level ('Run Slither', 'Generate 3 security diagrams') without showing how. The actual commands and details are deferred to WORKFLOW_STEPS.md, which is not provided. | 1 / 3 |
| Workflow Clarity | The 5 steps are clearly sequenced and each has a defined goal, which is good. However, there are no validation checkpoints between steps, no explicit error recovery paths, and no feedback loops. For a workflow involving security-critical operations, the lack of verification steps (e.g., confirming Slither ran successfully before proceeding) is a notable gap. | 2 / 3 |
| Progressive Disclosure | References to WORKFLOW_STEPS.md and EXAMPLE_REPORT.md are well-signaled and one level deep, which is good structure. However, neither bundle file is provided, so the references are unverifiable. Additionally, the main SKILL.md contains too much inline content that is either redundant (output described twice) or belongs in referenced files (the rationalizations table, the getting help section). | 2 / 3 |
| Total | | 6 / 12 Passed |
Validation
100%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
c94841b