0x-shashi/skills/severity
skills/severity/SKILL.md
Data-driven severity classification for smart contract audit findings with statistical breakdowns and 30 representative examples per level from top audit firms. Use when assigning severity to findings, justifying classifications with historical data, or calibrating severity judgment against Code4rena, Sherlock, and Cyfrin benchmarks.
$ install --global
skillsauthnpx skillsauth add 0x-shashi/web3-audit-skills skills/severityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
4 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
4
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 23, 2026, 11:04 PM170.9s6 files scanned
SKILL.md
- id:
- severity
- title:
- Severity Classification Skill
- category:
- methodology
- difficulty:
- beginner
- last_updated:
- 2026-02-26
- description:
- >-
Severity Classification
Purpose
This directory provides data-driven severity classification for smart contract audit findings. Each file contains statistical breakdowns of real vulnerability types at that severity level, plus 30 representative examples from top audit firms (Code4rena, Cyfrin, Spearbit, Pashov, MixBytes, Shieldify, OtterSec, Quantstamp).
Severity Levels
| Level | File | Finding Count | % of All | Scoring Weight | |-------|------|---------------|----------|----------------| | HIGH | high-severity.md | 8,022 | 15.88% | 5 points | | MEDIUM | medium-severity.md | 13,814 | 27.34% | 2 points | | LOW | low-severity.md | 25,272 | 50.01% | 1 point | | GAS | gas-optimizations.md | 3,422 | 6.77% | 0 points |
Scoring weights reference the Audit Scoring System efficiency metric.
How to Use
- Classifying a finding → Use the Severity Scoring Decision Tree to determine the correct level
- Validating severity → Compare your finding against the top vulnerability types table in each file
- Writing the report → Reference representative examples for formatting and depth expectations
- Scoring the audit → Apply severity weights from AUDIT_SCORING.md to calculate composite scores
Quick Severity Decision Tree
Is there direct fund loss possible?
├── YES → Is it unconditional (anyone can exploit)?
│ ├── YES → CRITICAL (not in this dataset — escalate)
│ └── NO (needs conditions) → HIGH
└── NO → Is there indirect fund loss or protocol damage?
├── YES → Is the attack practical?
│ ├── YES → HIGH
│ └── NO (theoretical) → MEDIUM
└── NO → Is there any functional impact?
├── YES → LOW
└── NO → GAS / INFORMATIONAL
Full decision tree with scoring matrix: patterns/severity-scoring.md
Cross-Severity Vulnerability Migration
Some vulnerability types appear across multiple severity levels depending on conditions. Key crossovers:
| Vulnerability Type | HIGH Count | MEDIUM Count | LOW Count | Notes | |---|---|---|---|---| | Business Logic | 100 | 127 | 7 | Most common at every level | | Validation | 52 | 75 | — | Severity depends on what's unvalidated | | Reentrancy | 39 | 20 | — | HIGH when funds at risk, MEDIUM when state-only | | Oracle | 24 | 34 | — | HIGH for price manipulation, MEDIUM for staleness | | Access Control | 27 | 19 | 2 | HIGH for privilege escalation, LOW for missing events | | Front-Running | 39 | 67 | — | MEDIUM unless sandwich causes fund loss | | DOS | 23 | 43 | — | HIGH for permanent, MEDIUM for temporary | | Overflow/Underflow | 21 | 22 | — | Severity = magnitude of miscalculation |
Related Skills
- Audit Scoring System — Composite scoring using severity weights
- Severity Scoring Decision Tree — AI-optimized classification guide
- Audit Report Templates — How to write findings at each severity
- PoC Writing Guide — Proving exploitability strengthens severity claims
- Checklists — Protocol-specific vulnerability checklists
Prerequisites
Severity classification requires understanding of the Severity Scoring Decision Tree. The decision tree MUST be consulted before assigning final severity.
Validation
To verify severity classification consistency, compare against historical benchmarks:
# Validate severity distribution against expected ranges
def test_severity_distribution(findings):
high_pct = len([f for f in findings if f.severity == 'HIGH']) / len(findings)
assert 0.10 <= high_pct <= 0.25, f"HIGH findings at {high_pct:.0%} (expected 10-25%)"
print(f"Severity distribution validated: {high_pct:.0%} HIGH")
# Expected severity distribution benchmarks
benchmarks:
high: 15.88% # 8,022 of 50,530 findings
medium: 27.34% # 13,814 findings
low: 50.01% # 25,272 findings
gas: 6.77% # 3,422 findings
# Verify severity files are complete
for f in high-severity.md medium-severity.md low-severity.md gas-optimizations.md; do
echo "Checking $f: $(wc -l < $f) lines"
done
Behavior Guidelines
- Every finding MUST have a severity classification before submission
- The decision tree is required for borderline HIGH/MEDIUM cases
- Auditors may optionally include a severity justification paragraph for contested findings
- GAS findings ALWAYS have 0 scoring weight in composite metrics
References
- Severity References - Historical distribution data and calibration benchmarks
Related Skills
0x-shashi/skills/variant-analysis
development
VerifiedTrustedCommunity
Systematically hunt for every variant of a discovered vulnerability across the entire codebase. Use when a bug is found and all instances of the same root cause pattern must be identified, or when performing variant analysis during competitive audits on Code4rena or Sherlock.
45SKILL.mdUpdated Mar 23, 2026
0x-shashi/skills/ton-scanner
testing
VerifiedTrustedCommunity
Use when the user wants to audit TON smart contracts for security vulnerabilities, scan FunC or Tact contracts for message chain replay, bounce handling, or gas issues, review TON DeFi protocols for actor-model concurrency flaws, or analyze asynchronous message passing security.
45SKILL.mdUpdated Mar 23, 2026
0x-shashi/skills/token-analyzer
tools
VerifiedTrustedCommunity
Analyze ERC20/ERC721/ERC1155 token implementations for non-standard behavior, fee-on-transfer mechanics, rebasing logic, blacklists, pausability, and integration risks. Use when reviewing protocols that interact with external tokens or implementing token-related features.
45SKILL.mdUpdated Mar 23, 2026
0x-shashi/skills/sui-scanner
testing
VerifiedTrustedCommunity
Use when the user wants to audit Sui Move smart contracts, scan Sui-specific patterns including object ownership, shared objects, or dynamic fields, review Sui DeFi protocols for object model security issues, or analyze Sui-specific transaction and consensus patterns.
45SKILL.mdUpdated Mar 23, 2026