
secure-workflow-guide skill


This skill guides you through Trail of Bits' secure development workflow, runs Slither scans, generates diagrams, and documents security properties for

npx playbooks add skill plurigrid/asi --skill secure-workflow-guide

Review the files below or copy the command above to add this skill to your agents.

SKILL.md
---
name: secure-workflow-guide
description: Guide you through Trail of Bits' 5-step secure development workflow. Runs Slither scans, checks special features (upgradeability/ERC conformance/token integration), generates visual security diagrams, helps document security properties for fuzzing/verification, and reviews manual security areas. (project, gitignored)
category: building-secure-contracts
author: Trail of Bits
source: trailofbits/skills
license: AGPL-3.0
trit: -1
trit_label: MINUS
verified: true
featured: false
---

# Secure Workflow Guide Skill

**Trit**: -1 (MINUS)
**Category**: building-secure-contracts
**Author**: Trail of Bits
**Source**: trailofbits/skills
**License**: AGPL-3.0

## Description

Guides you through Trail of Bits' 5-step secure development workflow. Runs Slither scans, checks special features (upgradeability/ERC conformance/token integration), generates visual security diagrams, helps document security properties for fuzzing/verification, and reviews manual security areas. (project, gitignored)

## When to Use

This is a Trail of Bits security skill. Refer to the original repository for detailed usage guidelines and examples.

See: https://github.com/trailofbits/skills

## Related Skills

- audit-context-building
- codeql
- semgrep
- variant-analysis


## SDF Interleaving

This skill connects to **Software Design for Flexibility** (Hanson & Sussman, 2021):

### Primary Chapter: 2. Domain-Specific Languages

**Concepts**: DSL, wrapper, pattern-directed, embedding

### GF(3) Balanced Triad

```
secure-workflow-guide (−) + SDF.Ch2 (−) + [balancer] (−) = 0
```

**Skill Trit**: -1 (MINUS - verification)


### Connection Pattern

DSLs embed domain knowledge. This skill defines domain-specific operations.

Overview

This skill guides you through Trail of Bits' 5-step secure development workflow for smart contracts and related projects. It automates static checks, inspects special features like upgradeability and token integration, generates visual security diagrams, and helps you produce security-focused documentation for fuzzing and formal verification. The workflow also highlights areas that require manual security review and follow-up.

How this skill works

The skill runs Slither scans to detect common Solidity issues and unsafe patterns, then applies targeted checks for upgradeable contracts, ERC conformance, and token integration concerns. It produces topology-style visual diagrams that map contracts, external calls, and trust boundaries to aid threat modeling. Finally, it collects and formats security properties and assertions useful for fuzzing and verification, and lists manual-review checkpoints with actionable notes.

When to use it

  • When preparing a contract codebase for a security audit or public release
  • When adding upgradeability or proxy patterns and you need targeted checks
  • When integrating token logic or ERC interfaces and you want conformance validation
  • When you need visual diagrams to support threat modeling or design reviews
  • When generating artifacts and properties for fuzzing and formal verification

Best practices

  • Run the workflow early and often during development, not just before release
  • Treat automated findings as inputs for triage; prioritize by exploitability and impact
  • Use the generated diagrams in design discussions and to guide threat modeling
  • Document assumptions and invariants clearly to improve fuzzing and verifier effectiveness
  • Combine automated checks with focused manual reviews on complex or novel logic
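
The triage practice above can start from Slither's machine-readable report. The following is an added example, not code from the skill or from Trail of Bits: it assumes the JSON layout written by `slither . --json <file>`, and orders findings by Slither's own impact and confidence ratings as a first pass before any exploitability judgement is made. The sample report, file paths and suppression list are constructed.

```python
import json

# Slither's rating scales, most severe / most certain first.
IMPACT = ["High", "Medium", "Low", "Informational", "Optimization"]
CONFIDENCE = ["High", "Medium", "Low"]

def load_findings(report_text):
    """Parse a Slither JSON report; refuse to triage a run that failed."""
    report = json.loads(report_text)
    if not report.get("success"):
        raise ValueError(f"Slither run failed: {report.get('error')}")
    return (report.get("results") or {}).get("detectors", [])

def rank(value, scale):
    return scale.index(value) if value in scale else len(scale)  # unknown sorts last

def locations(finding):
    """Return sorted 'file:first_line' strings for the elements Slither attached."""
    out = set()
    for el in finding.get("elements", []):
        sm = el.get("source_mapping") or {}
        if sm.get("filename_relative"):
            first = (sm.get("lines") or ["?"])[0]
            out.add(f"{sm['filename_relative']}:{first}")
    return sorted(out)

def triage(findings, suppressed=frozenset()):
    """Order findings for review; `suppressed` holds detector names already triaged away."""
    kept = [f for f in findings if f.get("check") not in suppressed]
    kept.sort(key=lambda f: (rank(f.get("impact"), IMPACT),
                             rank(f.get("confidence"), CONFIDENCE), f.get("check", "")))
    return [(f.get("impact"), f.get("confidence"), f.get("check"), locations(f)) for f in kept]

# Constructed sample report (not output from a real project).
SAMPLE = json.dumps({"success": True, "error": None, "results": {"detectors": [
    {"check": "naming-convention", "impact": "Informational", "confidence": "High",
     "elements": [{"source_mapping": {"filename_relative": "contracts/Vault.sol", "lines": [9]}}]},
    {"check": "timestamp", "impact": "Low", "confidence": "Medium",
     "elements": [{"source_mapping": {"filename_relative": "contracts/Vault.sol", "lines": [77]}}]},
    {"check": "reentrancy-eth", "impact": "High", "confidence": "Medium",
     "elements": [{"source_mapping": {"filename_relative": "contracts/Vault.sol", "lines": [42, 43]}}]},
    {"check": "uninitialized-state", "impact": "High", "confidence": "High",
     "elements": [{"source_mapping": {"filename_relative": "contracts/Proxy.sol", "lines": [12]}}]},
]}})

if __name__ == "__main__":
    for row in triage(load_findings(SAMPLE), suppressed={"naming-convention"}):
        print(*row)
```

Keep the suppression list in version control with a reason per entry, so a silenced detector is a reviewed decision rather than a lost finding.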

Example use cases

  • A team adds a proxy pattern and runs the workflow to verify upgrade safety and check for storage layout issues
  • Before an audit, generate security diagrams and a checklist of manual review items to share with auditors
  • While integrating ERC-20/ERC-721 logic, validate interface conformance and token transfer edge cases
  • Create a set of formal properties and fuzzing harness targets derived from documented invariants

FAQ

Does this skill replace a full security audit?

No. It automates useful checks and produces artifacts that reduce audit effort, but it does not replace comprehensive manual auditing and external review.

What languages and frameworks does it support?

The workflow focuses on Solidity smart contracts and common proxy/standard patterns; components like Slither are Solidity-centric.