jswortz/guidelines-advisor
building-secure-contracts/skills/guidelines-advisor/SKILL.md
Comprehensive smart contract development advisor based on Trail of Bits' best practices. Analyzes codebase to generate documentation/specifications, review architecture, check upgradeability patterns, assess implementation quality, identify pitfalls, review dependencies, and evaluate testing. Provides actionable recommendations. (project, gitignored)
$ install --global
skillsauthnpx skillsauth add jswortz/my-skills guidelines-advisorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 7:08 AM43.4s4 files scanned
SKILL.md
- name:
- guidelines-advisor
- description:
- Comprehensive smart contract development advisor based on Trail of Bits' best practices. Analyzes codebase to generate documentation/specifications, review architecture, check upgradeability patterns, assess implementation quality, identify pitfalls, review dependencies, and evaluate testing. Provides actionable recommendations. (project, gitignored)
Guidelines Advisor
Purpose
I will systematically analyze your codebase and provide comprehensive guidance based on Trail of Bits' development guidelines. I'll help you:
- Generate documentation and specifications (plain English descriptions, architectural diagrams, code documentation)
- Optimize on-chain/off-chain architecture (only if applicable)
- Review upgradeability patterns (if your project has upgrades)
- Check delegatecall/proxy implementations (if present)
- Assess implementation quality (functions, inheritance, events)
- Identify common pitfalls
- Review dependencies
- Evaluate test suite and suggest improvements
Framework: Building Secure Contracts - Development Guidelines
How This Works
Phase 1: Discovery & Context
I'll explore the codebase to understand:
- Project structure and platform
- Contract/module files and their purposes
- Existing documentation
- Architecture patterns (proxies, upgrades, etc.)
- Testing setup
- Dependencies
Phase 2: Documentation Generation
I'll help create:
- Plain English system description
- Architectural diagrams (using Slither printers for Solidity)
- Code documentation recommendations (NatSpec for Solidity)
Phase 3: Architecture Analysis
I'll analyze:
- On-chain vs off-chain component distribution (if applicable)
- Upgradeability approach (if applicable)
- Delegatecall proxy patterns (if present)
Phase 4: Implementation Review
I'll assess:
- Function composition and clarity
- Inheritance structure
- Event logging practices
- Common pitfalls presence
- Dependencies quality
- Testing coverage and techniques
Phase 5: Recommendations
I'll provide:
- Prioritized improvement suggestions
- Best practice guidance
- Actionable next steps
Assessment Areas
I analyze 11 comprehensive areas covering all aspects of smart contract development. For detailed criteria, best practices, and specific checks, see ASSESSMENT_AREAS.md.
Quick Reference:
-
Documentation & Specifications
- Plain English system descriptions
- Architectural diagrams
- NatSpec completeness (Solidity)
- Documentation gaps identification
-
On-Chain vs Off-Chain Computation
- Complexity analysis
- Gas optimization opportunities
- Verification vs computation patterns
-
Upgradeability
- Migration vs upgradeability trade-offs
- Data separation patterns
- Upgrade procedure documentation
-
Delegatecall Proxy Pattern
- Storage layout consistency
- Initialization patterns
- Function shadowing risks
- Slither upgradeability checks
-
Function Composition
- Function size and clarity
- Logical grouping
- Modularity assessment
-
Inheritance
- Hierarchy depth/width
- Diamond problem risks
- Inheritance visualization
-
Events
- Critical operation coverage
- Event naming consistency
- Indexed parameters
-
Common Pitfalls
- Reentrancy patterns
- Integer overflow/underflow
- Access control issues
- Platform-specific vulnerabilities
-
Dependencies
- Library quality assessment
- Version management
- Dependency manager usage
- Copied code detection
-
Testing & Verification
- Coverage analysis
- Fuzzing techniques
- Formal verification
- CI/CD integration
-
Platform-Specific Guidance
- Solidity version recommendations
- Compiler warning checks
- Inline assembly warnings
- Platform-specific tools
For complete details on each area including what I'll check, analyze, and recommend, see ASSESSMENT_AREAS.md.
Example Output
When the analysis is complete, you'll receive comprehensive guidance covering:
- System documentation with plain English descriptions
- Architectural diagrams and documentation gaps
- Architecture analysis (on-chain/off-chain, upgradeability, proxies)
- Implementation review (functions, inheritance, events, pitfalls)
- Dependencies and testing evaluation
- Prioritized recommendations (CRITICAL, HIGH, MEDIUM, LOW)
- Overall assessment and path to production
For a complete example analysis report, see EXAMPLE_REPORT.md.
Deliverables
I provide four comprehensive deliverable categories:
1. System Documentation
- Plain English descriptions
- Architectural diagrams
- Documentation gaps analysis
2. Architecture Analysis
- On-chain/off-chain assessment
- Upgradeability review
- Proxy pattern security review
3. Implementation Review
- Function composition analysis
- Inheritance assessment
- Events coverage
- Pitfall identification
- Dependencies evaluation
- Testing analysis
4. Prioritized Recommendations
- CRITICAL (address immediately)
- HIGH (address before deployment)
- MEDIUM (address for production quality)
- LOW (nice to have)
For detailed templates and examples of each deliverable, see DELIVERABLES.md.
Assessment Process
When invoked, I will:
-
Explore the codebase
- Identify all contract/module files
- Find existing documentation
- Locate test files
- Check for proxies/upgrades
- Identify dependencies
-
Generate documentation
- Create plain English system description
- Generate architectural diagrams (if tools available)
- Identify documentation gaps
-
Analyze architecture
- Assess on-chain/off-chain distribution (if applicable)
- Review upgradeability approach (if applicable)
- Audit proxy patterns (if present)
-
Review implementation
- Analyze functions, inheritance, events
- Check for common pitfalls
- Assess dependencies
- Evaluate testing
-
Provide recommendations
- Present findings with file references
- Ask clarifying questions about design decisions
- Suggest prioritized improvements
- Offer actionable next steps
Rationalizations (Do Not Skip)
| Rationalization | Why It's Wrong | Required Action | |-----------------|----------------|-----------------| | "System is simple, description covers everything" | Plain English descriptions miss security-critical details | Complete all 5 phases: documentation, architecture, implementation, dependencies, recommendations | | "No upgrades detected, skip upgradeability section" | Upgradeability can be implicit (ownable patterns, delegatecall) | Search for proxy patterns, delegatecall, storage collisions before declaring N/A | | "Not applicable" without verification | Premature scope reduction misses vulnerabilities | Verify with explicit codebase search before skipping any guideline section | | "Architecture is straightforward, no analysis needed" | Obvious architectures have subtle trust boundaries | Analyze on-chain/off-chain distribution, access control flow, external dependencies | | "Common pitfalls don't apply to this codebase" | Every codebase has common pitfalls | Systematically check all guideline pitfalls with grep/code search | | "Tests exist, testing guideline is satisfied" | Test existence ≠ test quality | Check coverage, property-based tests, integration tests, failure cases | | "I can provide generic best practices" | Generic advice isn't actionable | Provide project-specific findings with file:line references | | "User knows what to improve from findings" | Findings without prioritization = no action plan | Generate prioritized improvement roadmap with specific next steps |
Notes
- I'll only analyze relevant sections (won't hallucinate about upgrades if not present)
- I'll adapt to your platform (Solidity, Rust, Cairo, etc.)
- I'll use available tools (Slither, etc.) but work without them if unavailable
- I'll provide file references and line numbers for all findings
- I'll ask questions about design decisions I can't infer from code
Ready to Begin
What I'll need:
- Access to your codebase
- Context about your project goals
- Any existing documentation or specifications
- Information about deployment plans
Let's analyze your codebase and improve it using Trail of Bits' best practices!
Related Skills
jswortz/constant-time-analysis
research
VerifiedTrustedCommunity
Constant-Time Analyzer (ct-analyzer)
1SKILL.mdUpdated Apr 16, 2026
jswortz/condition-based-waiting
testing
VerifiedTrustedCommunity
--- name: condition-based-waiting description: -- name: Condition-Based Waiting description: Replace arbitrary timeouts with condition polling for reliable async tests when_to_use: when tests have ... --- -- name: Condition-Based Waiting description: Replace arbitrary timeouts with condition polling for reliable async tests when_to_use: when tests have race conditions, timing dependencies, or inconsistent pass/fail behavior version: 1.1.0 languages: all --- # Condition-Based Waiting ## Overvi
1SKILL.mdUpdated Apr 16, 2026
jswortz/collision-zone-thinking
testing
VerifiedTrustedCommunity
--- name: collision-zone-thinking description: -- name: Collision-Zone Thinking description: Force unrelated concepts together to discover emergent properties - "What if we treated X like Y?" when_... --- -- name: Collision-Zone Thinking description: Force unrelated concepts together to discover emergent properties - "What if we treated X like Y?" when_to_use: when conventional approaches feel inadequate and you need breakthrough innovation by forcing unrelated concepts together version: 1.1.0
1SKILL.mdUpdated Apr 16, 2026
jswortz/canvas-design
documentation
VerifiedTrustedCommunity
--- name: canvas-design description: -- name: canvas-design description: Create beautiful visual art in .png and .pdf documents using design philosophy. You should use this skill when the... --- -- name: canvas-design description: Create beautiful visual art in .png and .pdf documents using design philosophy. You should use this skill when the user asks to create a poster, piece of art, design, or other static piece. Create original visual designs, never copying existing artists' work to avoid
1SKILL.mdUpdated Apr 16, 2026