solidity-security

Master smart contract security best practices to prevent common vulnerabilities and implement secure Solidity patterns. Use when writing smart contracts, auditing existing contracts, or implementing security measures for blockchain applications.

Overall score: 81 (1.00x)
Quality: 58% (Does it follow best practices?)
Impact: 96% (1.00x; average score across 6 eval scenarios)

Security (by Snyk): Advisory. Suggest reviewing before use.

Tessl optimization command: npx tessl skill review --optimize ./plugins/blockchain-web3/skills/solidity-security/SKILL.md

Quality

Discovery

75%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description has a solid structure with an explicit 'Use when' clause and targets a clear niche in smart contract security. However, it lacks specificity in the concrete actions it performs (e.g., specific vulnerability types or security patterns) and could benefit from more natural trigger terms that users would actually use when seeking help with Solidity security issues. The word 'Master' at the beginning is slightly awkward as it reads more like an imperative/instructional tone rather than a third-person capability description.

Suggestions

Replace the vague 'prevent common vulnerabilities' with specific examples like 'detect reentrancy attacks, prevent integer overflow, validate access controls, implement safe withdrawal patterns'.

Add more natural trigger terms users would say, such as 'reentrancy', 'overflow', 'exploit', '.sol files', 'ERC-20/ERC-721 security', 'DeFi', or 'gas optimization'.

Dimension | Reasoning | Score
Specificity | Names the domain (smart contract security, Solidity) and mentions some actions ('prevent common vulnerabilities', 'implement secure patterns', 'auditing'), but doesn't list specific concrete actions like 'detect reentrancy attacks, validate access controls, implement safe math operations'. | 2 / 3
Completeness | Clearly answers both 'what' (master smart contract security best practices, prevent vulnerabilities, implement secure Solidity patterns) and 'when' with an explicit 'Use when' clause covering writing, auditing, and implementing security measures for blockchain applications. | 3 / 3
Trigger Term Quality | Includes relevant keywords like 'smart contract', 'Solidity', 'security', 'auditing', 'blockchain', but misses common natural variations users might say such as 'reentrancy', 'overflow', 'ERC-20', 'gas optimization', 'exploit', '.sol files', or 'DeFi security'. | 2 / 3
Distinctiveness / Conflict Risk | The combination of smart contracts, Solidity, and security auditing creates a clear niche that is unlikely to conflict with other skills. The domain is specific enough (blockchain/Solidity security) to be distinctly identifiable. | 3 / 3
Total | | 10 / 12

Passed

Implementation

42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill is a comprehensive but overly verbose Solidity security reference that tries to cover too much ground in a single file. While the code examples are excellent and fully executable, the content doesn't respect Claude's existing knowledge of common vulnerabilities and could be reduced by 60%+ by removing explanatory text and splitting advanced topics into separate files. The lack of a clear workflow for actually auditing or securing a contract limits its practical utility.

Suggestions

Reduce content by 60%+: remove explanatory prose (e.g., 'Attacker calls back into your contract before state is updated'), vulnerable code examples (Claude knows what vulnerable code looks like), and gas optimization basics. Focus only on the secure patterns and the checklist.

Split into multiple files: keep SKILL.md as a concise overview with the checklist and CEI pattern, then reference separate files like GAS_OPTIMIZATION.md, TESTING.md, and AUDIT_PREP.md.

Add a clear audit/review workflow with explicit validation steps: e.g., '1. Run slither static analysis → 2. Check against checklist → 3. Write security tests → 4. Fix findings → 5. Re-run analysis'.

Remove the 'When to Use This Skill' section entirely—this is metadata that belongs in frontmatter, not content that Claude needs to read every time.

Dimension | Reasoning | Score
Conciseness | Extremely verbose at ~400+ lines. Explains concepts Claude already knows well (reentrancy, overflow, access control, gas optimization basics). The vulnerable vs. secure pattern pairs are educational but redundant for Claude. Comments like 'DANGER: External call before state update' and 'Too late!' are unnecessary. The gas optimization section, audit preparation, and testing sections add significant bulk without being essential to the core skill. | 1 / 3
Actionability | All code examples are concrete, executable Solidity with proper imports and complete contract structures. The Hardhat test examples are copy-paste ready. Every vulnerability includes both vulnerable and secure patterns with real code. | 3 / 3
Workflow Clarity | The checklist at the end provides a useful sequence, and the front-running section shows a two-step commit-reveal workflow. However, there's no clear audit workflow with validation checkpoints (e.g., 'run slither, then manual review, then fix, then re-check'). The skill reads more like a reference catalog than a guided process. | 2 / 3
Progressive Disclosure | Monolithic wall of content with no references to external files. The gas optimization, testing, and audit preparation sections could easily be split into separate files. Everything is inline with no navigation structure beyond section headers. | 1 / 3
Total | | 7 / 12

Passed
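The Workflow Clarity reasoning credits the skill's front-running section with a two-step commit-reveal workflow. As an added example for this page (not the reviewed skill's own code), here is that workflow applied to a sealed-bid auction; the contract name, phase lengths and the pull-based refund are choices made here, not something the review describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not from the reviewed skill). Names and phase lengths are illustrative.
contract CommitRevealAuction {
    struct Commitment {
        bytes32 hash;
        bool revealed;
    }

    mapping(address => Commitment) public commitments;
    mapping(address => uint256) public refunds; // pull pattern: losers withdraw themselves
    uint256 public immutable commitDeadline;
    uint256 public immutable revealDeadline;
    address public highestBidder;
    uint256 public highestBid;

    constructor(uint256 commitBlocks, uint256 revealBlocks) {
        commitDeadline = block.number + commitBlocks;
        revealDeadline = commitDeadline + revealBlocks;
    }

    // Off-chain helper so bidders build the same preimage the contract checks.
    // Binding msg.sender into the hash stops a front-runner from replaying someone
    // else's commitment; the salt stops brute-forcing of small bid values.
    function makeCommitment(address bidder, uint256 bid, bytes32 salt) public pure returns (bytes32) {
        return keccak256(abi.encode(bidder, bid, salt));
    }

    // Step 1 (commit phase): only the hash goes on-chain, so a mempool watcher
    // sees nothing it can outbid.
    function commitBid(bytes32 commitment) external {
        require(block.number < commitDeadline, "commit phase over");
        require(commitments[msg.sender].hash == bytes32(0), "already committed");
        commitments[msg.sender] = Commitment({hash: commitment, revealed: false});
    }

    // Step 2 (reveal phase): the preimage is checked against the stored hash, so a
    // bidder cannot change the bid after seeing other reveals.
    function revealBid(uint256 bid, bytes32 salt) external payable {
        require(block.number >= commitDeadline && block.number < revealDeadline, "not in reveal phase");
        Commitment storage c = commitments[msg.sender];
        require(c.hash != bytes32(0) && !c.revealed, "no open commitment");
        require(makeCommitment(msg.sender, bid, salt) == c.hash, "commitment mismatch");
        require(msg.value == bid, "escrow must equal bid");

        c.revealed = true; // effects before any interaction
        if (bid > highestBid) {
            if (highestBidder != address(0)) {
                refunds[highestBidder] += highestBid; // dethroned leader gets a refund credit
            }
            highestBidder = msg.sender;
            highestBid = bid;
        } else {
            refunds[msg.sender] += msg.value; // losing reveal, credit it back
        }
    }

    // Refunds are pulled, not pushed: a reverting receiver cannot block other bidders.
    function withdrawRefund() external {
        uint256 amount = refunds[msg.sender];
        require(amount > 0, "nothing to refund");
        refunds[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
    }
}
```

Two caveats a reviewer would raise on this pattern: nothing is escrowed at commit time, so a bidder can commit and simply never reveal (production schemes usually require a deposit that is forfeited on non-reveal), and the reveal transaction itself is visible in the mempool, which is harmless here only because a revealed bid cannot be changed or copied by another address.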

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 passed

Validation for skill structure

No warnings or errors.

Repository: wshobson/agents (Reviewed)
