secure-workflow-guide
trailofbits/skills · updated Apr 8, 2026
Smart contract security review through Trail of Bits' 5-step workflow with automated scanning, visual analysis, and property documentation.
- Runs Slither with 70+ detectors to identify known vulnerabilities, then checks for special features like upgradeability risks, ERC conformance, and token integration patterns
- Generates three security diagrams (inheritance graph, function visibility, state variable authorization) to reveal architectural vulnerabilities that text descriptions miss
Secure Workflow Guide
Purpose
Guides you through Trail of Bits' secure development workflow, a 5-step process to enhance smart contract security throughout development.
Use this: On every check-in, before deployment, or when you want a security review
The 5-Step Workflow
The workflow consists of:
Step 1: Check for Known Security Issues
Run Slither with 70+ built-in detectors to find common vulnerabilities:
- Parse findings by severity
- Explain each issue with file references
- Recommend fixes
- Help triage false positives
Goal: Clean Slither report or documented triages
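A sketch of Step 1's "parse findings by severity" and "documented triages" goal, added here as an example (not Trail of Bits' or the skill's own code): it reads a Slither JSON report, groups untriaged findings by impact with file references, and gates a check-in. The sample report, the triage-record format, and the High/Medium blocking policy are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

BLOCKING = {"High", "Medium"}  # assumed policy: these impacts block a check-in

def _finding(check, impact, path, line, name):
    # Builds one entry shaped like Slither's results.detectors[] JSON.
    return {"check": check, "impact": impact, "confidence": "Medium",
            "elements": [{"type": "function", "name": name, "source_mapping":
                          {"filename_relative": path, "lines": [line]}}]}

# Constructed sample standing in for the file written by `slither . --json`.
SAMPLE_REPORT = json.dumps({"success": True, "error": None, "results": {"detectors": [
    _finding("reentrancy-eth", "High", "contracts/Vault.sol", 42, "withdraw"),
    _finding("tx-origin", "Medium", "contracts/Vault.sol", 17, "setOwner"),
    _finding("timestamp", "Low", "contracts/Sale.sol", 88, "isOpen"),
]}})

# Hypothetical triage record: (check, file, element) -> documented reason.
TRIAGED = {("timestamp", "contracts/Sale.sol", "isOpen"):
           "Sale window is days long; block-time drift is acceptable."}

def location(finding):
    """Return (file, first line, element name) of the first mapped element."""
    for el in finding.get("elements", []):
        sm = el.get("source_mapping") or {}
        if sm.get("filename_relative"):
            return sm["filename_relative"], (sm.get("lines") or [0])[0], el.get("name", "?")
    return "<unknown>", 0, "?"

def triage(report_text, triaged):
    """Split findings into open (grouped by impact) and documented triages."""
    report = json.loads(report_text)
    if not report.get("success"):
        raise RuntimeError(f"Slither did not complete: {report.get('error')}")
    open_by_impact, accepted = defaultdict(list), []
    for f in report.get("results", {}).get("detectors", []):
        path, line, name = location(f)
        entry = f"{f['check']} at {path}:{line} ({name})"
        if (f["check"], path, name) in triaged:
            accepted.append((entry, triaged[(f["check"], path, name)]))
        else:
            open_by_impact[f["impact"]].append(entry)
    return dict(open_by_impact), accepted

def gate_passes(open_by_impact):
    """Step 1 goal: nothing blocking is left open (clean or triaged)."""
    return not any(open_by_impact.get(level) for level in BLOCKING)

if __name__ == "__main__":
    open_findings, accepted = triage(SAMPLE_REPORT, TRIAGED)
    print(open_findings, accepted, gate_passes(open_findings), sep="\n")
```

Keying triages on detector, file and element name rather than line number keeps a documented decision attached to the finding when unrelated edits shift the code.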
Step 2: Check Special Features
Detect and validate applicable features:
- Upgradeability: slither-check-upgradeability (17 upgrade risks)
- ERC conformance: slither-check-erc (6 common specs)
- Token integration: Recommend token-integration-analyzer skill
- Security properties: slither-prop for ERC20
Note: Only runs checks that apply to your codebase
Step 3: Visual Security Inspection
Generate 3 security diagrams:
- Inheritance graph: Identify shadowing and C3 linearization issues
- Function summary: Show visibility and access controls
- Variables and authorization: Map who can write to state variables
Review each diagram for security concerns
Step 4: Document Security Properties
Help document critical security properties:
- State machine transitions and invariants
- Access control requirements
- Arithmetic constraints and precision
- External interaction safety
- Standards conformance
Then set up testing:
- Echidna: Property-based fuzzing with invariants
- Manticore: Formal verification with symbolic execution
- Custom Slither checks: Project-specific business logic
Note: Most important activity for security
Step 5: Manual Review Areas
Analyze areas automated tools miss:
- Privacy: On-chain secrets, commit-reveal needs
- Front-running: Slippage protection, ordering risks, MEV
- Cryptography: Weak randomness, signature issues, hash collisions
- DeFi interactions: Oracle manipulation, flash loans, protocol assumptions
Search codebase for these patterns and flag risks
For detailed instructions, commands, and explanations for each step, see WORKFLOW_STEPS.md.
How I Work
When invoked, I will:
- Explore your codebase to understand structure
- Run Step 1: Slither security scan
- Detect and run Step 2: Special feature checks (only what applies)
- Generate Step 3: Visual security diagrams
- Guide Step 4: Security property documentation
- Analyze Step 5: Manual review areas
- Provide action plan: Prioritized fixes and next steps
Adapts based on:
- What tools you have installed
- What's applicable to your project
- Where you are in development
Rationalizations (Do Not Skip)
| Rationalization | Why It's Wrong | Required Action |
|---|---|---|
| "Slither not available, I'll check manually" | Manual checking misses 70+ detector patterns | Install and run Slither, or document why it's blocked |
| "Can't generate diagrams, I'll describe the architecture" | Descriptions aren't visual - diagrams reveal patterns text misses | Execute slither --print commands, generate actual visual outputs |
| "No upgrades detected, skip upgradeability checks" | Proxies and upgrades are often implicit or planned | Verify with codebase search before skipping Step 2 checks |
| "Not a token, skip ERC checks" | Tokens can be integrated without obvious ERC inheritance | Check for token interactions, transfers, balances before skipping |
| "Can't set up Echidna now, suggesting it for later" | Property-based testing is Step 4, not optional | Document properties now, set up fuzzing infrastructure |
| "No DeFi interactions, skip oracle/flash loan checks" | DeFi patterns appear in unexpected places (price feeds, external calls) | Complete Step 5 manual review, search codebase for patterns |
| "This step doesn't apply to my project" | "Not applicable" without verification = missed vulnerabilities | Verify with explicit codebase search before declaring N/A |
| "I'll provide generic security advice instead of running workflow" | Generic advice isn't actionable, workflow finds specific issues | Execute all 5 steps, generate project-specific findings with file:line references |
Example Output
When I complete the workflow, you'll get a comprehensive security report covering:
- Step 1: Slither findings with severity, file references, and fix recommendations
- Step 2: Special feature validation results (upgradeability, ERC conformance, etc.)
- Step 3: Visual diagrams analyzing inheritance, functions, and state variable authorization
- Step 4: Documented security properties and testing setup (Echidna/Manticore)
- Step 5: Manual review findings (privacy, front-running, cryptography, DeFi risks)
- Action plan: Critical/high/medium priority tasks with effort estimates
- Workflow checklist: Progress on all 5 steps
For a complete example workflow report, see EXAMPLE_REPORT.md.
What You'll Get
Security Report:
- Slither findings with severity and fixes
- Special feature validation results
- Visual diagrams (PNG/PDF)
- Manual review findings
Action Plan:
- Critical issues to fix immediately
- Security properties to document
- Testing to set up (Echidna/Manticore)
- Manual areas to review
Workflow Checklist:
- Clean Slither report
- Special features validated
- Visual inspection complete
- Properties documented
- Manual review done
Getting Help
Trail of Bits Resources:
- Office Hours: Every Tuesday (schedule)
- Empire Hacking Slack: #crytic and #ethereum channels
Other Security:
- Remember: Security is about more than smart contracts
- Off-chain security (owner keys, infrastructure) equally critical
Ready to Start
Let me know when you're ready and I'll run through the workflow with your codebase!
How to use secure-workflow-guide on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- Cursor installed and configured on your development machine
- Node.js version 16.0+ with npm package manager (verify with node --version)
- Active project directory or workspace where you want to add secure-workflow-guide
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
The skills CLI fetches secure-workflow-guide from GitHub repository trailofbits/skills and configures it for Cursor.
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Reload or restart Cursor to activate secure-workflow-guide. Access the skill through slash commands (e.g., /secure-workflow-guide) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
Use Cases
Task Automation & Efficiency
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Knowledge Enhancement
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Quality Improvement
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
Implementation Guide
Prerequisites
- Claude Desktop or compatible AI client with skill support
- Clear understanding of task or problem to solve
- Willingness to iterate and refine outputs
Time Estimate
15-45 minutes depending on use case complexity
Installation Steps
1. Install skill using provided installation command
2. Test with simple use case relevant to your work
3. Evaluate output quality and relevance
4. Iterate on prompts to improve results
5. Integrate into regular workflow if valuable
Common Pitfalls
- Expecting perfect results without iteration
- Not providing enough context in prompts
- Using skill for tasks outside its intended scope
- Accepting outputs without review and validation
Best Practices
Do
- Start with clear, specific prompts
- Provide relevant context and constraints
- Review and refine all outputs before using
- Iterate to improve output quality
- Document successful prompt patterns
Don't
- Don't use without understanding skill limitations
- Don't skip validation of outputs
- Don't share sensitive information in prompts
- Don't expect skill to replace human judgment
Pro Tips
- Be specific about desired format and style
- Ask for multiple options to choose from
- Request explanations to understand reasoning
- Combine AI efficiency with human expertise
When to Use This
Use When
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
Avoid When
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
Learning Path
1. Familiarize yourself with skill capabilities and limitations
2. Start with low-risk, non-critical tasks
3. Progress to more complex and valuable use cases
4. Build expertise through regular use and experimentation
Ratings
4.8 ★★★★★ · 51 reviews
- ★★★★★ Noah Jackson · Dec 20, 2024
We added secure-workflow-guide from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★ Dev Johnson · Dec 20, 2024
Keeps context tight: secure-workflow-guide is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★ Dhruvi Jain · Dec 12, 2024
Useful defaults in secure-workflow-guide — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
- ★★★★★ Dev Smith · Dec 4, 2024
secure-workflow-guide has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★ Dev Bhatia · Nov 27, 2024
secure-workflow-guide fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
- ★★★★★ Fatima Desai · Nov 23, 2024
Useful defaults in secure-workflow-guide — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
- ★★★★★ Noah Huang · Nov 15, 2024
We added secure-workflow-guide from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★ Ama Ghosh · Nov 11, 2024
Registry listing for secure-workflow-guide matched our evaluation — installs cleanly and behaves as described in the markdown.
- ★★★★★ Oshnikdeep · Nov 3, 2024
secure-workflow-guide has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★ Ganesh Mohane · Oct 22, 2024
Solid pick for teams standardizing on skills: secure-workflow-guide is focused, and the summary matches what you get after install.