skills/spec-compliance/SKILL.md
Verify smart contract implementations comply with EIP/ERC standards and protocol specifications. Use when checking ERC-20, ERC-721, ERC-1155, ERC-4626, or EIP-712 compliance, or when identifying non-standard token behavior that causes integration failures.
Install this skill globally with one command (works with Claude Code, Cursor, and Windsurf): `npx skillsauth add 0x-shashi/web3-audit-skills skills/spec-compliance`
Verify smart contract implementations comply with EIP/ERC standards and protocol specifications. Non-compliant implementations cause integration failures, fund losses, and security vulnerabilities.
| Impact of Non-Compliance | Example |
|--------------------------|----------|
| Integration failure | DEXs can't list non-standard ERC20 (missing decimals()) |
| Silent fund loss | ERC721 safeTransferFrom that skips the onERC721Received check = NFTs sent to contracts that cannot handle them are stuck |
| Security vulnerability | EIP-712 domain separator without chainId = signatures replayable across chains and forks |
| Accounting errors | ERC4626 rounding in the depositor's favor, or no protection on the first deposit = value leaks from the vault / inflation attack |
| Ecosystem rejection | Bridges, wallets, indexers refuse non-standard tokens |
| Standard | Type | Key Functions | Common Issues |
|----------|------|---------------|---------------|
| ERC-20 | Fungible token | transfer, approve, transferFrom | Missing return values, approve race |
| ERC-721 | Non-fungible token | safeTransferFrom, approve, ownerOf | Missing receiver callback |
| ERC-1155 | Multi-token | safeTransferFrom, safeBatchTransferFrom | Batch operation atomicity |
| ERC-4626 | Tokenized vault | deposit, withdraw, convertToShares | Rounding direction, first depositor attack |
| ERC-2612 | Permit (gasless approve) | permit, nonces, DOMAIN_SEPARATOR | Signature replay, frontrunning |
| Standard | Type | Security Focus |
|----------|------|----------------|
| EIP-712 | Typed data signing | Domain separator, chain ID |
| EIP-1967 | Proxy storage slots | Standard slot locations |
| EIP-2535 | Diamond standard | Selector collision, storage isolation |
| EIP-4337 | Account abstraction | UserOp validation, paymaster trust |
| EIP-1153 | Transient storage | TSTORE/TLOAD lifecycle |
| EIP-2981 | Royalty info | Not enforceable (informational only) |
Does the contract implement ALL required functions with correct signatures?
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// ERC-20 REQUIRED interface (IERC20): every function and event below must exist
/// with exactly this signature, including the bool return values.
interface IERC20 {
    function totalSupply() external view returns (uint256);
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);

    // ERC-20 REQUIRED events
    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);
}

/// OPTIONAL in the standard, but expected by most integrations (DEX listings, wallets, indexers)
interface IERC20Metadata is IERC20 {
    function name() external view returns (string memory);
    function symbol() external view returns (string memory);
    function decimals() external view returns (uint8);
}
```
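The signature question above can be answered mechanically from the compiler's ABI JSON before any source is read. The script below is an added example (not part of the skill): it checks that every required ERC-20 function exists with the exact input and output types and that the view getters are declared `view`/`pure`, that both events carry the right indexed fields, and that the optional metadata getters integrators depend on are present. The `NONSTANDARD_TOKEN_ABI` it runs against is constructed for illustration (transfer and transferFrom without a return value, no `decimals()`) and is not the ABI of any named token.

```python
"""ABI-level ERC-20 interface check against the IERC20 / IERC20Metadata signatures."""
import json

# name -> (input types, output types, allowed stateMutability or None = any)
REQUIRED_FUNCTIONS = {
    "totalSupply":  ((), ("uint256",), {"view", "pure"}),
    "balanceOf":    (("address",), ("uint256",), {"view", "pure"}),
    "transfer":     (("address", "uint256"), ("bool",), None),
    "allowance":    (("address", "address"), ("uint256",), {"view", "pure"}),
    "approve":      (("address", "uint256"), ("bool",), None),
    "transferFrom": (("address", "address", "uint256"), ("bool",), None),
}
OPTIONAL_FUNCTIONS = {
    "name":     ((), ("string",)),
    "symbol":   ((), ("string",)),
    "decimals": ((), ("uint8",)),
}
# name -> tuple of (type, indexed)
REQUIRED_EVENTS = {
    "Transfer": (("address", True), ("address", True), ("uint256", False)),
    "Approval": (("address", True), ("address", True), ("uint256", False)),
}


def signature(name, types):
    return f"{name}({','.join(types)})"


def _index(abi):
    """Map 'name(types)' -> function entry and event name -> event entry."""
    funcs, events = {}, {}
    for item in abi:
        kind = item.get("type")
        ins = tuple(i["type"] for i in item.get("inputs", []))
        if kind == "function":
            funcs[signature(item["name"], ins)] = item
        elif kind == "event":
            events[item["name"]] = item
    return funcs, events


def check_erc20(abi):
    """Return a list of findings; an empty list means the ABI matches ERC-20."""
    funcs, events = _index(abi)
    findings = []
    for name, (ins, outs, mut) in REQUIRED_FUNCTIONS.items():
        sig = signature(name, ins)
        item = funcs.get(sig)
        if item is None:
            findings.append(f"MISSING required function {sig}")
            continue
        got = tuple(o["type"] for o in item.get("outputs", []))
        if got != outs:
            findings.append(f"WRONG RETURN {sig}: returns {got}, spec requires {outs}")
        if mut and item.get("stateMutability") not in mut:
            findings.append(f"WRONG MUTABILITY {sig}: {item.get('stateMutability')}, spec requires view")
    for name, (ins, outs) in OPTIONAL_FUNCTIONS.items():
        sig = signature(name, ins)
        item = funcs.get(sig)
        if item is None:
            findings.append(f"MISSING optional function {sig} (integrations expect it)")
        elif tuple(o["type"] for o in item.get("outputs", [])) != outs:
            findings.append(f"WRONG RETURN {sig}: spec says {outs}")
    for name, fields in REQUIRED_EVENTS.items():
        ev_item = events.get(name)
        if ev_item is None:
            findings.append(f"MISSING required event {name}")
            continue
        got = tuple((i["type"], bool(i.get("indexed", False))) for i in ev_item.get("inputs", []))
        if got != fields:
            findings.append(f"WRONG EVENT {name}: {got}, spec requires {fields}")
    return findings


def check_erc20_json(text):
    """Accept either a bare ABI array or a compiler artifact with an 'abi' key."""
    data = json.loads(text)
    return check_erc20(data["abi"] if isinstance(data, dict) else data)


# Helpers to build ABI entries inline for the constructed sample below.
def fn(name, ins, outs, mut="nonpayable"):
    return {"type": "function", "name": name, "stateMutability": mut,
            "inputs": [{"type": t} for t in ins], "outputs": [{"type": t} for t in outs]}


def ev(name, fields):
    return {"type": "event", "name": name,
            "inputs": [{"type": t, "indexed": ix} for t, ix in fields]}


# Constructed ABI (not any real contract): no bool return on transfer/transferFrom, no decimals().
NONSTANDARD_TOKEN_ABI = [
    fn("totalSupply", (), ("uint256",), "view"),
    fn("balanceOf", ("address",), ("uint256",), "view"),
    fn("transfer", ("address", "uint256"), ()),
    fn("allowance", ("address", "address"), ("uint256",), "view"),
    fn("approve", ("address", "uint256"), ("bool",)),
    fn("transferFrom", ("address", "address", "uint256"), ()),
    fn("name", (), ("string",), "view"),
    fn("symbol", (), ("string",), "view"),
    ev("Transfer", (("address", True), ("address", True), ("uint256", False))),
    ev("Approval", (("address", True), ("address", True), ("uint256", False))),
]

if __name__ == "__main__":
    for finding in check_erc20(NONSTANDARD_TOKEN_ABI):
        print(finding)
```

A missing bool return is exactly the case that makes `IERC20(token).transfer(...)` revert in a Solidity 0.8 integrator because the return data is shorter than expected, so flag it even when the token "works" when called from an EOA.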
Does each function behave as specified? (Not just exist with the right signature)
Does the implementation handle boundary conditions specified in the standard?