explainx.aijoin newsletter3.01k
Productivity

code-maturity-assessor

trailofbits/skills · updated Apr 8, 2026

$npx skills add https://github.com/trailofbits/skills --skill code-maturity-assessor
summary

Systematic code maturity evaluation across 9 security and engineering categories with evidence-based ratings.

  • Assesses arithmetic safety, auditing, access controls, complexity, decentralization, documentation, MEV risks, low-level code, and testing using Trail of Bits' framework
  • Produces a maturity scorecard with 0–4 ratings per category, detailed findings with file references, and a priority-ordered improvement roadmap
  • Combines automated code analysis with interactive clarification
skill.md

Code Maturity Assessor

Purpose

Systematically assesses codebase maturity using Trail of Bits' 9-category framework. Provides evidence-based ratings and actionable recommendations.

Framework: Building Secure Contracts - Code Maturity Evaluation v0.1.0

How This Works

Phase 1: Discovery

Explores the codebase to understand:

  • Project structure and platform
  • Contract/module files
  • Test coverage
  • Documentation availability

Phase 2: Analysis

For each of 9 categories, I'll:

  • Search the code for relevant patterns
  • Read key files to assess implementation
  • Present findings with file references
  • Ask clarifying questions about processes I can't see in code
  • Determine rating based on criteria

Phase 3: Report

Generates:

  • Executive summary
  • Maturity scorecard (ratings for all 9 categories)
  • Detailed analysis with evidence
  • Priority-ordered improvement roadmap

Rating System

  • Missing (0): Not present/not implemented
  • Weak (1): Several significant improvements needed
  • Moderate (2): Adequate, can be improved
  • Satisfactory (3): Above average, minor improvements
  • Strong (4): Exceptional, only small improvements possible

Rating Logic:

  • ANY "Weak" criteria → Weak
  • NO "Weak" + SOME "Moderate" unmet → Moderate
  • ALL "Moderate" + SOME "Satisfactory" met → Satisfactory
  • ALL "Satisfactory" + exceptional practices → Strong

The 9 Categories

I assess 9 comprehensive categories covering all aspects of code maturity. For detailed criteria, analysis approaches, and rating thresholds, see ASSESSMENT_CRITERIA.md.

Quick Reference:

1. ARITHMETIC

  • Overflow protection mechanisms
  • Precision handling and rounding
  • Formula specifications
  • Edge case testing

2. AUDITING

  • Event definitions and coverage
  • Monitoring infrastructure
  • Incident response planning

3. AUTHENTICATION / ACCESS CONTROLS

  • Privilege management
  • Role separation
  • Access control testing
  • Key compromise scenarios

4. COMPLEXITY MANAGEMENT

  • Function scope and clarity
  • Cyclomatic complexity
  • Inheritance hierarchies
  • Code duplication

5. DECENTRALIZATION

  • Centralization risks
  • Upgrade control mechanisms
  • User opt-out paths
  • Timelock/multisig patterns

6. DOCUMENTATION

  • Specifications and architecture
  • Inline code documentation
  • User stories
  • Domain glossaries

7. TRANSACTION ORDERING RISKS

  • MEV vulnerabilities
  • Front-running protections
  • Slippage controls
  • Oracle security

8. LOW-LEVEL MANIPULATION

  • Assembly usage
  • Unsafe code sections
  • Low-level calls
  • Justification and testing

9. TESTING & VERIFICATION

  • Test coverage
  • Fuzzing and formal verification
  • CI/CD integration
  • Test quality

For complete assessment criteria including what I'll analyze, what I'll ask you, and detailed rating thresholds (WEAK/MODERATE/SATISFACTORY/STRONG), see ASSESSMENT_CRITERIA.md.

Example Output

When the assessment is complete, you'll receive a comprehensive maturity report including:

  • Executive Summary: Overall score, top 3 strengths, top 3 gaps, priority recommendations
  • Maturity Scorecard: Table with all 9 categories rated with scores and notes
  • Detailed Analysis: Category-by-category breakdown with evidence (file:line references)
  • Improvement Roadmap: Priority-ordered recommendations (CRITICAL/HIGH/MEDIUM) with effort estimates

For a complete example assessment report, see EXAMPLE_REPORT.md.

Assessment Process

When invoked, I will:

  1. Explore codebase

    • Find contract/module files
    • Identify test files
    • Locate documentation

  2. Analyze each category

    • Search for relevant code patterns
    • Read key implementations
    • Assess against criteria
    • Collect evidence

  3. Interactive assessment

    • Present my findings with file references
    • Ask about processes I can't see in code
    • Discuss borderline cases
    • Determine ratings together

  4. Generate report

    • Executive summary
    • Maturity scorecard table
    • Detailed category analysis with evidence
    • Priority-ordered improvement roadmap

Rationalizations (Do Not Skip)

Rationalization Why It's Wrong Required Action
"Found some findings, assessment complete" Assessment requires evaluating ALL 9 categories Complete assessment of all 9 categories with evidence for each
"I see events, auditing category looks good" Events alone don't equal auditing maturity Check logging comprehensiveness, testing, incident response processes
"Code looks simple, complexity is low" Visual simplicity masks composition complexity Analyze cyclomatic complexity, dependency depth, state machine transitions
"Not a DeFi protocol, MEV category doesn't apply" MEV extends beyond DeFi (governance, NFTs, games) Verify with transaction ordering analysis before declaring N/A
"No assembly found, low-level category is N/A" Low-level risks include external calls, delegatecall, inline assembly Search for all low-level patterns before skipping category
"This is taking too long" Thorough assessment requires time per category Complete all 9 categories, ask clarifying questions about off-chain processes
"I can rate this without evidence" Ratings without file:line references = unsubstantiated claims Collect concrete code evidence for every category assessment
"User will know what to improve" Vague guidance = no action Provide priority-ordered roadmap with specific improvements and effort estimates

Report Format

For detailed report structure and templates, see REPORT_FORMAT.md.

Structure:

  1. Executive Summary

    • Project name and platform
    • Overall maturity (average rating)
    • Top 3 strengths
    • Top 3 critical gaps
    • Priority recommendations

  2. Maturity Scorecard

    • Table with all 9 categories
    • Ratings and scores
    • Key findings notes

  3. Detailed Analysis

    • Per-category breakdown
    • Evidence with file:line references
    • Gaps and improvement actions

  4. Improvement Roadmap

    • CRITICAL (immediate)
    • HIGH (1-2 months)
    • MEDIUM (2-4 months)
    • Effort estimates and impact

Ready to Begin

Estimated Time: 30-40 minutes

I'll need:

  • Access to full codebase
  • Your knowledge of processes (monitoring, incident response, team practices)
  • Context about the project (DeFi, NFT, infrastructure, etc.)

Let's assess this codebase!

general reviews

Ratings

4.510 reviews
  • Shikha Mishra· Oct 10, 2024

    code-maturity-assessor is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.

  • Piyush G· Sep 9, 2024

    Keeps context tight: code-maturity-assessor is the kind of skill you can hand to a new teammate without a long onboarding doc.

  • Chaitanya Patil· Aug 8, 2024

    Registry listing for code-maturity-assessor matched our evaluation — installs cleanly and behaves as described in the markdown.

  • Sakshi Patil· Jul 7, 2024

    code-maturity-assessor reduced setup friction for our internal harness; good balance of opinion and flexibility.

  • Ganesh Mohane· Jun 6, 2024

    I recommend code-maturity-assessor for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.

  • Oshnikdeep· May 5, 2024

    Useful defaults in code-maturity-assessor — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.

  • Dhruvi Jain· Apr 4, 2024

    code-maturity-assessor has been reliable in day-to-day use. Documentation quality is above average for community skills.

  • Rahul Santra· Mar 3, 2024

    Solid pick for teams standardizing on skills: code-maturity-assessor is focused, and the summary matches what you get after install.

  • Pratham Ware· Feb 2, 2024

    We added code-maturity-assessor from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

  • Yash Thakker· Jan 1, 2024

    code-maturity-assessor fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.