0xlayerghost/solidity-testing
skills/solidity-testing/SKILL.md
[AUTO-INVOKE] MUST be invoked BEFORE writing or modifying any test files (*.t.sol). Covers test structure, naming conventions, coverage requirements, fuzz testing, and Foundry cheatcodes. Trigger: any task involving creating, editing, or running Solidity tests.
$ install --global
skillsauthnpx skillsauth add 0xlayerghost/solidity-agent-kit solidity-testingInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Error
VirusTotalMulti-engine malware detection
70%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 24, 2026, 12:56 PM44.3s1 file scanned
SKILL.md
- name:
- solidity-testing
- description:
- [AUTO-INVOKE] MUST be invoked BEFORE writing or modifying any test files (*.t.sol). Covers test structure, naming conventions, coverage requirements, fuzz testing, and Foundry cheatcodes. Trigger: any task involving creating, editing, or running Solidity tests.
Testing Standards
Language Rule
- Always respond in the same language the user is using. If the user asks in Chinese, respond in Chinese. If in English, respond in English.
Test Organization
- One test contract per source contract:
MyToken.sol→MyToken.t.sol - File location: All tests in
test/directory - Naming:
test_<feature>_<scenario>for passing tests,testFail_<feature>_<scenario>for expected reverts- Example:
test_transfer_revertsWhenInsufficientBalance - Example:
test_stake_updatesBalanceCorrectly
- Example:
- Independence: Each test must run in isolation — use
setUp()for shared state, no cross-test dependencies - Filtering: Support
--match-testand--match-contractfor targeted runs
Coverage Requirements
Every core function must have tests covering:
| Scenario | What to verify |
|----------|---------------|
| Happy path | Standard input → expected output, correct state changes |
| Permission checks | Unauthorized caller → vm.expectRevert with correct error |
| Boundary conditions | Zero values, max values (type(uint256).max), off-by-one |
| Failure scenarios | Every require / revert / custom error path |
| State changes | Storage updates, balance changes, event emissions (vm.expectEmit) |
| Edge cases | Empty arrays, duplicate calls, self-transfers |
Foundry Cheatcodes Quick Reference
| Cheatcode | Usage |
|-----------|-------|
| vm.prank(addr) | Next call from addr |
| vm.startPrank(addr) | All calls from addr until vm.stopPrank() |
| vm.warp(timestamp) | Set block.timestamp |
| vm.roll(blockNum) | Set block.number |
| vm.deal(addr, amount) | Set ETH balance |
| vm.expectRevert(error) | Next call must revert with specific error |
| vm.expectEmit(true,true,false,true) | Verify event emission (topic checks) |
| vm.record() / vm.accesses() | Track storage reads/writes |
| makeAddr("name") | Create labeled address for readable traces |
Fuzz Testing Rules
- All math-heavy and fund-flow functions must have fuzz tests
- Pattern:
function testFuzz_<name>(uint256 amount) public - Use
vm.assume()to constrain inputs:vm.assume(amount > 0 && amount < MAX_SUPPLY); - Default runs: 256 — increase to 10,000+ for critical functions:
forge test --fuzz-runs 10000
Common Commands
# Run all tests
forge test
# Run specific test function
forge test --match-test test_transfer
# Run specific test contract
forge test --match-contract MyTokenTest
# Verbose output with full trace
forge test -vvvv
# Gas report
forge test --gas-report
# Fuzz with more runs
forge test --fuzz-runs 10000
# Test coverage
forge coverage
# Coverage with report
forge coverage --report lcov
Related Skills
0xlayerghost/token-antiflash
testing
VerifiedTrustedCommunity
[AUTO-INVOKE] MUST be invoked when designing or reviewing ERC20 token contracts that need flash loan protection. Covers token-level defense design patterns: cost tracking, same-block cooldown, progressive sell tax, minimum balance retention, EIP-7702 aware address checks, front-run protection, and referral binding. Trigger: any ERC20 token with anti-flash-loan, anti-bot, or tokenomics security design requirements.
3SKILL.mdUpdated May 19, 2026
0xlayerghost/solidity-coding
development
VerifiedTrustedCommunity
[AUTO-INVOKE] MUST be invoked BEFORE writing or modifying any Solidity contract (.sol files). Covers pragma version, naming conventions, project layout, OpenZeppelin library selection standards, oracle integration, and anti-patterns. Trigger: any task involving creating, editing, or reviewing .sol source files.
2SKILL.mdUpdated Mar 24, 2026
0xlayerghost/solidity-checklist
testing
VerifiedTrustedCommunity
[AUTO-INVOKE] MUST be invoked BEFORE any on-chain operation (cast send, forge script --broadcast). Systematic 6-layer verification checklist: permissions, dependencies, parameters, security, testing, and knowledge capture. Trigger: any task involving sending transactions, deploying contracts, or interacting with on-chain state.
1SKILL.mdUpdated Apr 28, 2026
0xlayerghost/solidity-security
testing
VerifiedTrustedCommunity
[AUTO-INVOKE] MUST be invoked BEFORE writing or modifying any Solidity contract (.sol files). Covers private key handling, access control, reentrancy prevention, gas safety, and pre-audit checklists. Trigger: any task involving creating, editing, or reviewing .sol source files.
1SKILL.mdUpdated Mar 24, 2026