
solidity-security

Master smart contract security best practices to prevent common vulnerabilities and implement secure Solidity patterns. Use when writing smart contracts, auditing existing contracts, or implementing security measures for blockchain applications.

Score: 81

Quality: 58% (weight 1.00x)
Does it follow best practices?

Impact: 96% (weight 1.00x)
Average score across 6 eval scenarios

Security by Snyk: Advisory
Suggest reviewing before use

Optimize this skill with Tessl:

npx tessl skill review --optimize ./plugins/blockchain-web3/skills/solidity-security/SKILL.md

Quality

Discovery: 75%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description has a solid structure, with an explicit 'Use when...' clause, and targets a clear niche in smart contract security. However, it relies on fairly general language ('best practices', 'common vulnerabilities', 'secure patterns') rather than enumerating specific capabilities, and it would benefit from more of the natural trigger terms users actually type when seeking help with Solidity security issues.

Suggestions

Replace vague phrases like 'common vulnerabilities' and 'secure patterns' with specific examples such as 'detect reentrancy, integer overflow, access control flaws, and front-running vulnerabilities'.

Add more natural trigger terms users would say, such as 'Solidity audit', '.sol files', 'reentrancy', 'ERC-20 security', 'DeFi exploit', or 'gas optimization'.

Dimension / Reasoning / Score

Specificity (2 / 3)
Names the domain (smart contract security, Solidity) and mentions some actions ('prevent common vulnerabilities', 'implement secure patterns', 'auditing'), but doesn't list specific concrete actions like 'detect reentrancy attacks, validate access controls, implement safe math operations'.

Completeness (3 / 3)
Clearly answers both 'what' (smart contract security best practices, preventing vulnerabilities, implementing secure Solidity patterns) and 'when' with an explicit 'Use when...' clause covering writing, auditing, and implementing security measures for blockchain applications.

Trigger Term Quality (2 / 3)
Includes relevant keywords like 'smart contract', 'Solidity', 'security', 'auditing', 'blockchain', but misses common natural variations users might say such as 'reentrancy', 'overflow', 'ERC-20', 'gas optimization', 'exploit', '.sol files', or 'DeFi security'.

Distinctiveness / Conflict Risk (3 / 3)
The combination of smart contracts, Solidity, and blockchain security creates a clear niche that is unlikely to conflict with other skills. The domain is specific enough to be distinctly identifiable.

Total: 10 / 12 (Passed)

Implementation: 42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This skill is a comprehensive but overly verbose reference on Solidity security that explains many concepts Claude already understands well. While the code examples are high quality and executable, the content would benefit greatly from being split into focused sub-documents, with SKILL.md serving as a concise overview. The lack of a clear audit/review workflow with validation steps is a notable gap for a security-focused skill.

Suggestions

Reduce the main SKILL.md to a concise overview (~50-80 lines) with the checklist and CEI pattern, then move detailed vulnerability examples to separate files like REENTRANCY.md, ACCESS_CONTROL.md, GAS_OPTIMIZATION.md

Remove explanatory comments that state the obvious (e.g., '// DANGER: External call before state update', '// Too late!') — Claude understands these patterns

Add a concrete audit workflow with validation checkpoints: e.g., 1) Run Slither static analysis, 2) Check specific vulnerability patterns, 3) Run test suite, 4) Verify coverage, 5) Document findings

Cut the gas optimization section entirely or move to a separate skill — it's tangential to security and adds significant bulk

Dimension / Reasoning / Score

Conciseness (1 / 3)
Extremely verbose at ~400+ lines. Explains concepts Claude already knows well (reentrancy, integer overflow, access control, gas optimization basics). The vulnerable vs. secure pattern pairs are educational but redundant for Claude. Comments like 'DANGER: External call before state update' and 'Too late!' are unnecessary. The gas optimization section and audit preparation section add bulk without novel insight.

Actionability (3 / 3)
All code examples are concrete, executable Solidity with proper imports and complete contract structures. The Hardhat test examples are copy-paste ready. Every vulnerability includes both vulnerable and secure patterns with real code.

Workflow Clarity (2 / 3)
The checklist at the end provides a useful sequence, and the front-running section shows a two-step commit-reveal workflow. However, there's no clear audit workflow with validation checkpoints (e.g., run static analysis tools like Slither, then manual review, then test). The 'Audit Preparation' section is just a documentation example, not a workflow.

Progressive Disclosure (1 / 3)
Monolithic wall of content with no references to external files. Everything is inline: gas optimization, testing, audit preparation, and all vulnerability patterns could be split into separate referenced documents. The skill tries to be a comprehensive textbook rather than an overview with pointers.

Total: 7 / 12 (Passed)

Validation: 100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: wshobson/agents (Reviewed)
