
code-maturity-assessor skill


This skill assesses code maturity using Trail of Bits' 9-category framework to deliver evidence-based scores and actionable engineering recommendations.

npx playbooks add skill plurigrid/asi --skill code-maturity-assessor


SKILL.md
---
name: code-maturity-assessor
description: Systematic code maturity assessment using Trail of Bits' 9-category framework. Analyzes codebase for arithmetic safety, auditing practices, access controls, complexity, decentralization, documentation, MEV risks, low-level code, and testing. Produces professional scorecard with evidence-based ratings and actionable recommendations. (project, gitignored)
category: building-secure-contracts
author: Trail of Bits
source: trailofbits/skills
license: AGPL-3.0
trit: -1
trit_label: MINUS
verified: true
featured: false
---

# Code Maturity Assessor Skill

**Trit**: -1 (MINUS)
**Category**: building-secure-contracts
**Author**: Trail of Bits
**Source**: trailofbits/skills
**License**: AGPL-3.0

## Description

Systematic code maturity assessment using Trail of Bits' 9-category framework. Analyzes codebase for arithmetic safety, auditing practices, access controls, complexity, decentralization, documentation, MEV risks, low-level code, and testing. Produces professional scorecard with evidence-based ratings and actionable recommendations. (project, gitignored)

## When to Use

This is a Trail of Bits security skill. Refer to the original repository for detailed usage guidelines and examples.

See: https://github.com/trailofbits/skills

## Related Skills

- audit-context-building
- codeql
- semgrep
- variant-analysis


## SDF Interleaving

This skill connects to **Software Design for Flexibility** (Hanson & Sussman, 2021):

### Primary Chapter: 3. Variations on an Arithmetic Theme

**Concepts**: generic arithmetic, coercion, symbolic, numeric

### GF(3) Balanced Triad

```
code-maturity-assessor (○) + SDF.Ch3 (○) + [balancer] (○) = 0
```

**Skill Trit**: 0 (ERGODIC - coordination)


### Connection Pattern

Generic arithmetic crosses type boundaries. This skill handles heterogeneous data.

Overview

This skill performs a systematic code maturity assessment using Trail of Bits' nine-category framework to evaluate how ready a codebase is for audit and production use. It produces a scorecard with evidence-based ratings and clear, actionable recommendations. The framework is the one Trail of Bits applies to smart contracts: the category set (decentralization, MEV, low-level code alongside the general engineering categories) is aimed at Solidity/EVM projects, and the output concentrates on practical remediation priorities rather than abstract scores.

How this skill works

The assessor analyzes the codebase across nine dimensions: arithmetic safety, auditing practices, access controls, complexity, decentralization, documentation, MEV risks, low-level code, and testing. It collects concrete findings, links each rating to its evidence (a file and line, a missing test, an absent document), and generates a scorecard with severity-weighted recommendations and remediation steps. It runs against a project workspace and outputs compact, prioritized action items for engineers and security reviewers. A category with no findings is not automatically strong: a high rating needs positive evidence (tests that exercise the paths, documentation that matches the code, explicit checks) as well as the absence of problems.

When to use it

  • Before a security audit to identify high-risk areas and focus auditor effort
  • As part of a release checklist to ensure engineering maturity milestones are met
  • When onboarding a new team or evaluating third-party code for integration
  • During threat modeling to provide evidence-based maturity context
  • To track progress on remediation across multiple sprints or releases

Best practices

  • Run the assessor early and repeatedly; use results to prioritize fixes by impact
  • Link each recommendation to a specific file, test, or commit for traceability
  • Combine findings with automated tooling (linters, CI tests, static analysis)
  • Share the scorecard with stakeholders and use it to set measurable remediation goals
  • Treat the output as a living artifact: re-run after significant changes or fixes
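The description above of how the assessor works (findings collected, evidence linked to each rating, severity-weighted recommendations) and the best practice of tying every recommendation to a file, test or commit can be shown end to end in a small pipeline. What follows is an added example, not the skill's own code or any Trail of Bits tooling: a Python script that runs a few textual heuristics over a constructed Solidity contract, attaches a file:line to every finding, derives a per-category rating from the worst finding, and orders the recommendations by severity. The contract, the heuristics, the severity scale and the rating thresholds are all assumptions for illustration; a real assessment relies on reading the code and on proper static analysis, not on regexes.

```python
"""Evidence-to-scorecard pipeline shaped like the nine-category Trail of Bits
code maturity framework.  Added example, not the skill's own code: the
heuristics, severities and rating thresholds below are assumptions."""
import re
from collections import namedtuple

CATEGORIES = ["Arithmetic", "Auditing", "Access Controls", "Complexity",
              "Decentralization", "Documentation", "MEV", "Low-Level Code", "Testing"]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "missing": 4}  # missing = control absent
RATING = {0: "Satisfactory", 1: "Moderate", 2: "Weak", 3: "Weak", 4: "Missing"}
NOT_CHECKED = {"Complexity", "MEV"}  # these heuristics cannot judge them
Finding = namedtuple("Finding", "category severity location note")  # location = file:line

# Constructed contract with deliberate weaknesses; not real project code.
SAMPLE_SOL = """\
// Vault.sol (constructed for this example)
contract Vault {
    address public owner;
    mapping(address => uint256) public balances;
    event Credited(address who, uint256 amount);
    modifier onlyOwner() { require(msg.sender == owner); _; }
    function setOwner(address newOwner) external {
        owner = newOwner;                        // no modifier, no event
    }
    function credit(address who, uint256 amount) external onlyOwner {
        unchecked { balances[who] += amount; }   // wraps silently
        emit Credited(who, amount);
    }
    function forward(address impl, bytes calldata data) external onlyOwner {
        (bool ok, ) = impl.delegatecall(data);   // storage handed to impl
        require(ok);
    }
}
"""

def split_functions(lines):
    """Yield (name, 1-based start line, body lines) by tracking brace depth."""
    i = 0
    while i < len(lines):
        m = re.match(r"\s*function\s+(\w+)", lines[i])
        if not m:
            i += 1
            continue
        start, depth, opened, body = i + 1, 0, False, []
        while i < len(lines):
            body.append(lines[i])
            depth += lines[i].count("{") - lines[i].count("}")
            opened = opened or "{" in lines[i]
            i += 1
            if opened and depth == 0:
                break
        yield m.group(1), start, body

def collect_findings(filename, src, tests_present):
    """Cheap textual heuristics standing in for real static analysis."""
    found = []
    for name, start, body in split_functions(src.splitlines()):
        sig, at = body[0], f"{filename}:{start}"
        mutates = not re.search(r"\b(view|pure)\b", sig)
        exposed = re.search(r"\b(external|public)\b", sig) is not None
        privileged = "only" in sig  # onlyOwner / onlyRole style modifier
        if mutates and exposed and not privileged:
            found.append(Finding("Access Controls", "high", at, f"{name}() changes state without an access modifier"))
        if mutates and not any("emit " in ln for ln in body):
            found.append(Finding("Auditing", "medium", at, f"{name}() changes state but emits no event"))
        for j, ln in enumerate(body):
            loc = f"{filename}:{start + j}"
            if "unchecked" in ln:
                found.append(Finding("Arithmetic", "medium", loc, "unchecked block: overflow wraps silently"))
            if "delegatecall" in ln:
                found.append(Finding("Low-Level Code", "high", loc, "delegatecall gives the callee write access to storage"))
            if re.search(r"\bowner\s*=[^=]", ln):
                found.append(Finding("Decentralization", "low", loc, "single-step owner change; prefer a two-step transfer"))
    if not re.search(r"///|/\*\*", src):
        found.append(Finding("Documentation", "medium", f"{filename}:1", "no NatSpec comments on the contract or its functions"))
    if not tests_present:
        found.append(Finding("Testing", "missing", "tests/", "no test suite found for the contract"))
    return found

def scorecard(findings):
    """Worst finding per category sets the rating.  No finding earns only
    Satisfactory: heuristics cannot supply the positive evidence Strong needs."""
    card = {}
    for cat in CATEGORIES:
        worst = max((SEVERITY_RANK[f.severity] for f in findings if f.category == cat), default=0)
        card[cat] = "Not Considered" if cat in NOT_CHECKED else RATING[worst]
    return card

def recommendations(findings):
    """Severity-weighted action items, each tied to a file:line."""
    order = sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], f.location))
    return [f"[{f.severity}] {f.category} @ {f.location}: {f.note}" for f in order]

def assess(filename="Vault.sol", src=SAMPLE_SOL, tests_present=False):
    findings = collect_findings(filename, src, tests_present)
    return scorecard(findings), recommendations(findings)

if __name__ == "__main__":
    print(*assess(), sep="\n")
```

Two design points carry over to a real assessment. Categories the tool cannot judge are reported as "Not Considered" rather than silently scored, so a reader of the scorecard knows where the evidence stops. And because every rating is derived from findings that each carry a location, the scorecard can be regenerated after a fix and the change traced to the commit that moved it, which is what "treat the output as a living artifact" amounts to in practice.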

Example use cases

  • Generate a maturity scorecard before engaging an external security audit
  • Assess a refactor to ensure complexity and access-control drift are detected
  • Validate test coverage and low-level code paths prior to a mainnet or production deployment
  • Compare maturity across microservices or repositories to allocate engineering resources
  • Create an evidence-backed remediation plan for investor or compliance reviews

FAQ

What does each category measure?

Each of the nine categories targets a specific risk or quality dimension. Arithmetic safety covers overflow, underflow, precision and rounding in numeric operations. Auditing covers whether state changes emit events and are otherwise logged so they can be monitored off-chain. Access controls cover how privileged functions authenticate and authorize their callers. Complexity covers how well logic is modularized and separated, with sprawling or deeply nested functions counting against it. Decentralization covers the privileged roles that exist and how much trust is concentrated in them. Documentation and testing evaluate maintainability and coverage. MEV covers resistance to front-running and transaction ordering attacks, and low-level code covers inline assembly, delegatecall and raw calls that bypass the language's type and safety checks.

How actionable are the recommendations?

Recommendations are prioritized and tied to concrete evidence (files, lines, test gaps) with suggested remediation steps and examples so teams can implement fixes directly.