
audit-prep-assistant skill

/skills/audit-prep-assistant

This skill helps prepare your codebase for security review by applying Trail of Bits guidelines, increasing test coverage, and generating documentation.

npx playbooks add skill plurigrid/asi --skill audit-prep-assistant


Files (1): SKILL.md (1.7 KB)
---
name: audit-prep-assistant
description: Prepare your codebase for security review using Trail of Bits' checklist. Helps set review goals, runs static analysis tools, increases test coverage, removes dead code, ensures accessibility, and generates comprehensive documentation (flowcharts, user stories, inline comments). (project, gitignored)
category: building-secure-contracts
author: Trail of Bits
source: trailofbits/skills
license: AGPL-3.0
trit: -1
trit_label: MINUS
verified: true
featured: false
---

# Audit Prep Assistant Skill

**Trit**: -1 (MINUS)
**Category**: building-secure-contracts
**Author**: Trail of Bits
**Source**: trailofbits/skills
**License**: AGPL-3.0

## Description

Prepare your codebase for security review using Trail of Bits' checklist. Helps set review goals, runs static analysis tools, increases test coverage, removes dead code, ensures accessibility, and generates comprehensive documentation (flowcharts, user stories, inline comments). (project, gitignored)

## When to Use

This is a Trail of Bits security skill. Refer to the original repository for detailed usage guidelines and examples.

See: https://github.com/trailofbits/skills

## Related Skills

- audit-context-building
- codeql
- semgrep
- variant-analysis


## SDF Interleaving

This skill connects to **Software Design for Flexibility** (Hanson & Sussman, 2021):

### Primary Chapter: 1. Flexibility through Abstraction

**Concepts**: combinators, compose, parallel-combine, spread-combine, arity

### GF(3) Balanced Triad

```
audit-prep-assistant (○) + SDF.Ch1 (+) + [balancer] (−) = 0
```

**Skill Trit**: 0 (ERGODIC - coordination)


### Connection Pattern

Combinators compose operations. This skill provides composable abstractions.

Overview

This skill prepares a Python codebase for a formal security review using Trail of Bits' checklist. It helps set review goals, runs static analysis and linters, increases test coverage, removes dead code, ensures accessibility, and generates documentation artifacts like flowcharts, user stories, and inline comments. It is intended to run locally against a git-ignored project workspace.

How this skill works

The assistant inspects the repository structure and test suite, then runs a suite of static analysis tools and linters to surface common security and quality issues. It measures test coverage and suggests targets for raising it, identifies and flags dead or unreachable code, and produces documentation outputs (flow diagrams, component maps, and user stories). It also emits configuration suggestions and incremental work items so teams can track progress toward checklist completion.

When to use it

  • Before scheduling a formal security review or audit
  • When preparing a release that requires a third-party code audit
  • To harden a codebase after major refactors or feature additions
  • When you need a runnable checklist to satisfy internal security gates
  • To produce developer-facing documentation ahead of onboarding or handoff

Best practices

  • Run the assistant from the repository root with your virtual environment active to ensure tools resolve correctly
  • Commit work-in-progress branches; keep generated artifacts git-ignored if not intended for source control
  • Prioritize actionable findings: fix high-severity static analysis results and missing tests first
  • Iterate: apply fixes, re-run tools, and track coverage increases in CI
  • Annotate non-fixable findings with inline comments and rationale for audit reviewers

Example use cases

  • Generate a prioritized remediation plan and checklist before a hired security review
  • Automatically produce flowcharts and user stories for reviewers unfamiliar with the project topology
  • Quantify and raise unit test coverage in targeted modules ahead of an audit
  • Detect and remove dead code paths introduced during rapid prototyping
  • Create a repeatable pre-audit pipeline that integrates static analysis, tests, and documentation generation

FAQ

Does the skill modify source automatically?

It suggests changes and can run non-destructive refactor tooling, but it does not apply risky automatic fixes without confirmation.

Which static analysis tools are used?

The assistant runs a configurable set of linters and analyzers appropriate for Python projects; you can enable tools like bandit, flake8, mypy, and configured security scanners in the toolchain.
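The prioritization described in the best practices and example use cases above (high-severity static analysis findings and missing tests first, emitted as a runnable remediation checklist) can be shown concretely. The following is an added example and is not code from the skill, the playbooks catalogue or Trail of Bits; it assumes bandit's JSON report format (`bandit -f json`) and coverage.py's JSON report (`coverage json`), and the file names, findings and the 50% coverage threshold are constructed for illustration.

```python
"""Build a prioritized pre-audit remediation checklist from tool output.

Added example, not part of the audit-prep-assistant skill. Assumes the JSON
report shapes produced by bandit (``bandit -f json``) and coverage.py
(``coverage json``); sample data below is constructed, not real scan output.
"""
import json

# Constructed sample of bandit's JSON report (only the fields used here).
BANDIT_JSON = """
{
  "results": [
    {"filename": "app/shell.py", "line_number": 12, "test_id": "B602",
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "subprocess call with shell=True identified, security issue."},
    {"filename": "app/config.py", "line_number": 40, "test_id": "B506",
     "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
     "issue_text": "Use of unsafe yaml load. Allows instantiation of arbitrary objects."},
    {"filename": "tests/helpers.py", "line_number": 3, "test_id": "B101",
     "issue_severity": "LOW", "issue_confidence": "HIGH",
     "issue_text": "Use of assert detected."}
  ]
}
"""

# Constructed sample of coverage.py's JSON report (``coverage json``).
COVERAGE_JSON = """
{
  "files": {
    "app/shell.py":  {"summary": {"percent_covered": 35.0, "num_statements": 40}},
    "app/config.py": {"summary": {"percent_covered": 90.0, "num_statements": 50}},
    "app/legacy.py": {"summary": {"percent_covered": 0.0,  "num_statements": 25}}
  },
  "totals": {"percent_covered": 48.7}
}
"""

SEVERITY_RANK = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}
CONFIDENCE_RANK = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}


def load_findings(bandit_json):
    """Flatten bandit's ``results`` array into plain dicts."""
    report = json.loads(bandit_json)
    return [
        {
            "file": r["filename"],
            "line": r["line_number"],
            "test_id": r["test_id"],
            "severity": r["issue_severity"],
            "confidence": r["issue_confidence"],
            "text": r["issue_text"],
        }
        for r in report["results"]
    ]


def load_coverage(coverage_json):
    """Map each file path to its line-coverage percentage."""
    report = json.loads(coverage_json)
    return {path: data["summary"]["percent_covered"]
            for path, data in report["files"].items()}


def prioritize(findings, coverage):
    """Order findings by severity, then confidence, then weakest coverage.

    A finding in a poorly tested file outranks the same finding in a
    well-tested one: the reviewer has less evidence that the code path
    behaves as intended, so it deserves attention first.
    """
    def key(f):
        return (SEVERITY_RANK[f["severity"]],
                CONFIDENCE_RANK[f["confidence"]],
                -coverage.get(f["file"], 0.0))  # unknown file counts as untested
    return sorted(findings, key=key, reverse=True)


def coverage_work_items(coverage, low_coverage=50.0):
    """Files under the threshold, worst first, as test-writing work items."""
    below = [(path, pct) for path, pct in coverage.items() if pct < low_coverage]
    return sorted(below, key=lambda item: item[1])


def build_plan(bandit_json, coverage_json, low_coverage=50.0):
    """Combine both reports into a single remediation plan."""
    coverage = load_coverage(coverage_json)
    return {
        "findings": prioritize(load_findings(bandit_json), coverage),
        "coverage_items": coverage_work_items(coverage, low_coverage),
        "totals_percent": json.loads(coverage_json)["totals"]["percent_covered"],
    }


def render_checklist(plan):
    """Render the plan as a Markdown task list for reviewers."""
    lines = ["# Pre-audit checklist (generated)", ""]
    for f in plan["findings"]:
        lines.append(f"- [ ] {f['severity']}/{f['confidence']} {f['test_id']} "
                     f"{f['file']}:{f['line']} - {f['text']}")
    lines.append("")
    for path, pct in plan["coverage_items"]:
        lines.append(f"- [ ] raise coverage of {path} ({pct:.0f}% now)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_checklist(build_plan(BANDIT_JSON, COVERAGE_JSON)))
```

Running the script prints a task list with the `shell=True` finding first and the untested `app/legacy.py` as the top coverage item; swapping the embedded strings for the real `bandit -f json` and `coverage json` files turns it into the kind of repeatable pre-audit step the use cases above describe.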

Can the generated documentation be customized?

Yes. Documentation templates (flowcharts, story formats, inline comment styles) are configurable so outputs match your repository conventions and reviewer needs.