.claude/skills/solidity-guard/skills/spec-compliance/SKILL.md
Validates Solidity implementation against specification documents. Extracts behavior from docs (README, specs, NatSpec) and verifies code matches documented intent. Uses Trail of Bits methodology for divergence detection.
```shell
npx skillsauth add alt-research/solidityguard spec-compliance
```

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Detect divergences between documented behavior and actual implementation. Many vulnerabilities arise not from insecure code patterns, but from code that doesn't match the intended design.
```shell
rg -l "README|SPEC|DESIGN|spec|design" .
rg "/// @" contracts/          # NatSpec comments
rg "@dev|@notice|@param" contracts/
```
For each documented behavior:

INTENT-001: [Function]
- Claim: "Users can withdraw after 7-day timelock"
- Constraints:
  - C1: Minimum 7 days between request and execution
  - C2: Only original depositor can withdraw
  - C3: Withdrawal amount <= deposited amount
- Source: README.md:45

BEHAVIOR-001: withdraw() at contracts/Vault.sol:156
- Observed: Withdrawal has no timelock
- C1: No time check found — DIVERGENCE
- C2: msg.sender check present (line 158) — MATCH
- C3: Balance check present (line 157) — MATCH
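The INTENT-001 / BEHAVIOR-001 pair above, rendered as Solidity so the mapping from constraint to `require` is concrete. This is an added illustration, not code from the skill file or from the audited `contracts/Vault.sol`: `VaultDivergent` is a constructed contract with the observed shape (C2 and C3 enforced, C1 absent), and `VaultCompliant` is a constructed two-step request/execute design whose NatSpec and checks map one-to-one onto C1..C3. Contract names, the `Request` struct and the two-step flow are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example for the spec-compliance pass: one contract per side of
// the INTENT/BEHAVIOR comparison. Neither is the project's own Vault.sol.

/// @title Vault with the shape observed in BEHAVIOR-001 (divergent)
/// @notice README claim: "Users can withdraw after 7-day timelock"
/// @dev C2 and C3 are enforced; C1 is not: there is no request step and
///      no block.timestamp comparison anywhere on the withdrawal path.
contract VaultDivergent {
    mapping(address => uint256) public deposits;

    function deposit() external payable {
        deposits[msg.sender] += msg.value;
    }

    /// @notice Withdraw previously deposited funds
    /// @param depositor Account whose deposit is debited
    /// @param amount Wei to withdraw
    function withdraw(address depositor, uint256 amount) external {
        require(deposits[depositor] >= amount, "insufficient");   // C3: MATCH
        require(msg.sender == depositor, "not depositor");        // C2: MATCH
        deposits[depositor] -= amount;                            // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        // C1: DIVERGENCE - the documented 7-day timelock is never checked
    }
}

/// @title Vault matching INTENT-001
/// @notice Users can withdraw after a 7-day timelock
/// @dev Each require() is tagged with the README constraint it enforces so a
///      reviewer can cite a line number for C1, C2 and C3.
contract VaultCompliant {
    uint256 public constant TIMELOCK = 7 days;

    struct Request {
        uint256 amount;
        uint256 executeAfter;
    }

    mapping(address => uint256) public deposits;
    mapping(address => Request) public requests;   // keyed by depositor (C2)

    event WithdrawalRequested(address indexed depositor, uint256 amount, uint256 executeAfter);
    event Withdrawn(address indexed depositor, uint256 amount);

    function deposit() external payable {
        deposits[msg.sender] += msg.value;
    }

    /// @notice Start the 7-day timelock for a withdrawal
    /// @param amount Wei to withdraw once the timelock expires
    function requestWithdrawal(uint256 amount) external {
        require(amount <= deposits[msg.sender], "exceeds deposit");       // C3
        uint256 executeAfter = block.timestamp + TIMELOCK;
        requests[msg.sender] = Request(amount, executeAfter);
        emit WithdrawalRequested(msg.sender, amount, executeAfter);
    }

    /// @notice Execute a withdrawal whose timelock has expired
    /// @dev Only the caller's own request can be executed (C2); the balance
    ///      is re-checked at execution because it may have changed since the
    ///      request was made (C3).
    function withdraw() external {
        Request memory r = requests[msg.sender];                          // C2
        require(r.amount > 0, "no pending request");
        require(block.timestamp >= r.executeAfter, "timelock active");    // C1
        require(r.amount <= deposits[msg.sender], "exceeds deposit");     // C3
        delete requests[msg.sender];
        deposits[msg.sender] -= r.amount;
        (bool ok, ) = msg.sender.call{value: r.amount}("");
        require(ok, "transfer failed");
        emit Withdrawn(msg.sender, r.amount);
    }
}
```

When running the comparison, the useful habit is to demand one grep-able check per constraint: for `VaultCompliant` each of C1..C3 resolves to a specific `require` line, while for `VaultDivergent` C1 has no line to cite, which is exactly the signal recorded as DIVERGENCE in BEHAVIOR-001.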
| Type | Definition | Severity |
|------|------------|----------|
| MISSING | Spec feature not implemented | HIGH |
| EXTRA | Code does more than spec | MEDIUM |
| DIFFERENT | Behavior differs from spec | HIGH |
| AMBIGUOUS | Spec unclear | LOW |
| UNDOCUMENTED | Code behavior not in spec | MEDIUM |
- (tools) Advanced Solidity/EVM smart contract security auditor with 104 vulnerability patterns, multi-tool integration, and professional report generation.
- (development) Comprehensive Solidity contract security scanner detecting 104 vulnerability patterns across reentrancy, access control, arithmetic, DeFi, proxy, and token categories. Integrates Slither, Aderyn, and Mythril with manual analysis.
- (testing) Analyzes storage layout, proxy patterns, and state variable security in Solidity contracts. Detects storage collisions, uninitialized pointers, and upgrade risks. Use when auditing proxy/upgradeable contracts.
- (testing) Generates professional security audit reports from findings. Creates OpenZeppelin/Trail of Bits style reports with executive summary, methodology, severity-classified findings, and remediation recommendations.