Guides you through Trail of Bits' 5-step secure development workflow. Runs Slither scans, checks special features (upgradeability, ERC conformance, token integration), generates visual security diagrams, helps document security properties for fuzzing and verification, and reviews the areas that need manual attention.
February 1, 2026
Install with:

```sh
npx add-skill https://github.com/trailofbits/skills/blob/main/plugins/building-secure-contracts/skills/secure-workflow-guide/SKILL.md -a claude-code --skill secure-workflow-guide
```

Installation path:
.claude/skills/secure-workflow-guide/

# Secure Workflow Guide

## Purpose

Guides you through Trail of Bits' secure development workflow, a 5-step process that raises smart contract security throughout development.

**Use this**: On every check-in, before deployment, or whenever you want a security review.

---

## The 5-Step Workflow

The workflow has five steps:

### Step 1: Check for Known Security Issues

Run Slither with its 70+ built-in detectors to find common vulnerabilities:
- Parse findings by severity
- Explain each issue with file references
- Recommend fixes
- Help triage false positives

**Goal**: A clean Slither report, or documented triages for every remaining finding.

### Step 2: Check Special Features

Detect and validate the features that apply:
- **Upgradeability**: slither-check-upgradeability (17 upgrade risks)
- **ERC conformance**: slither-check-erc (6 common specs)
- **Token integration**: Recommend the token-integration-analyzer skill
- **Security properties**: slither-prop for ERC20

**Note**: Only runs the checks that apply to your codebase.

### Step 3: Visual Security Inspection

Generate 3 security diagrams:
- **Inheritance graph**: Identify shadowing and C3 linearization issues
- **Function summary**: Show visibility and access controls
- **Variables and authorization**: Map who can write to each state variable

Review each diagram for security concerns.

### Step 4: Document Security Properties

Help document the critical security properties:
- State machine transitions and invariants
- Access control requirements
- Arithmetic constraints and precision
- External interaction safety
- Standards conformance

Then set up testing for them:
- **Echidna**: Property-based fuzzing with invariants
- **Manticore**: Formal verification with symbolic execution
- **Custom Slither checks**: Project-specific business logic

**Note**: This is the most important activity for security.

### Step 5: Manual Review Areas

Analyze the areas automated tools miss:
- **Privacy**: On-chain secrets, commit-reveal needs
- **Front-running**: Slippage protection, ordering risks, MEV
- *
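Step 1 asks for findings parsed by severity, each tied to a file reference, and for documented triages of anything accepted. The script below is an added example, not code from the Trail of Bits skill or from Slither itself: it post-processes the JSON written by `slither . --json report.json`, ranks open findings by impact and confidence, prints each with its file and line range, refuses triage entries that carry no reason, and returns a CI verdict. The `Vault.sol` findings, the triage-file format and the `SAMPLE_*` constants are constructed for this example; the JSON fields it reads (`results.detectors[]` with `check`, `impact`, `confidence`, `description` and `elements[].source_mapping`) follow Slither's output layout.

```python
"""Step 1 helper: turn `slither . --json report.json` into a triaged, severity-ranked report.

Added example for this page, not part of the Trail of Bits skill. Assumes Slither's
JSON layout (results.detectors[] with check/impact/confidence/description/elements)
and a hypothetical triage file of accepted findings keyed by Slither's finding `id`.
"""
import json
from collections import defaultdict

# Impact levels as Slither reports them, most severe first.
IMPACT_ORDER = ["High", "Medium", "Low", "Informational", "Optimization"]
CONFIDENCE_ORDER = ["High", "Medium", "Low"]

# Constructed sample of Slither's JSON output, trimmed to the fields used here.
SAMPLE_REPORT = json.dumps({
    "success": True,
    "error": None,
    "results": {"detectors": [
        {"id": "a1", "check": "reentrancy-eth", "impact": "High", "confidence": "Medium",
         "description": "Reentrancy in Vault.withdraw(uint256):\n\tExternal calls: "
                        "msg.sender.call{value: amt}()\n\tState written after the call: balances",
         "elements": [{"type": "function", "name": "withdraw",
                       "source_mapping": {"filename_relative": "contracts/Vault.sol",
                                          "lines": [24, 25, 26, 27]}}]},
        {"id": "b2", "check": "timestamp", "impact": "Low", "confidence": "Medium",
         "description": "Vault.isExpired() uses timestamp for comparisons",
         "elements": [{"type": "function", "name": "isExpired",
                       "source_mapping": {"filename_relative": "contracts/Vault.sol",
                                          "lines": [40]}}]},
        {"id": "c3", "check": "naming-convention", "impact": "Informational", "confidence": "High",
         "description": "Parameter Vault.deposit(uint256)._amt is not in mixedCase",
         "elements": [{"type": "variable", "name": "_amt",
                       "source_mapping": {"filename_relative": "contracts/Vault.sol",
                                          "lines": [18]}}]},
    ]},
})

# Hypothetical triage file (constructed): reviewed findings with the reason recorded.
SAMPLE_TRIAGE = json.dumps([
    {"id": "b2", "reason": "Expiry tolerates +/-15s miner drift; no value depends on exact time."},
])


def load_findings(report_json):
    """Return the detector results, failing loudly if Slither itself errored."""
    report = json.loads(report_json)
    if not report.get("success", False):
        raise RuntimeError(f"slither failed: {report.get('error')}")
    return report["results"]["detectors"]


def location(finding):
    """First file:line reference for a finding, e.g. contracts/Vault.sol:24-27."""
    for el in finding.get("elements", []):
        sm = el.get("source_mapping") or {}
        lines = sm.get("lines") or []
        if sm.get("filename_relative") and lines:
            span = str(lines[0]) if len(lines) == 1 else f"{lines[0]}-{lines[-1]}"
            return f"{sm['filename_relative']}:{span}"
    return "<no source mapping>"


def triage(findings, triage_json):
    """Split findings into (open, triaged); every triage entry must carry a reason."""
    accepted = {}
    for entry in json.loads(triage_json):
        if not entry.get("reason", "").strip():
            raise ValueError(f"triage entry {entry.get('id')} has no documented reason")
        accepted[entry["id"]] = entry["reason"]
    open_findings = [f for f in findings if f["id"] not in accepted]
    triaged = [(f, accepted[f["id"]]) for f in findings if f["id"] in accepted]
    return open_findings, triaged


def rank(findings):
    """Sort by impact, then confidence, most severe first."""
    return sorted(findings, key=lambda f: (IMPACT_ORDER.index(f["impact"]),
                                           CONFIDENCE_ORDER.index(f["confidence"])))


def summarize(findings):
    """Count open findings per impact level."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["impact"]] += 1
    return dict(counts)


def ci_verdict(open_findings, fail_at="Medium"):
    """True when no open finding is at or above the chosen impact threshold."""
    threshold = IMPACT_ORDER.index(fail_at)
    return all(IMPACT_ORDER.index(f["impact"]) > threshold for f in open_findings)


def render(open_findings, triaged):
    """One line per finding with its severity, check name and location."""
    out = []
    for f in rank(open_findings):
        out.append(f"[{f['impact']}/{f['confidence']}] {f['check']} at {location(f)}")
        out.append("    " + f["description"].splitlines()[0])
    for f, reason in triaged:
        out.append(f"[triaged] {f['check']} at {location(f)}: {reason}")
    return "\n".join(out)


if __name__ == "__main__":
    found = load_findings(SAMPLE_REPORT)
    still_open, accepted_findings = triage(found, SAMPLE_TRIAGE)
    print(render(still_open, accepted_findings))
    print("summary:", summarize(still_open))
    print("clean:", ci_verdict(still_open))
```

To use it on a real project, run `slither . --json report.json` and feed the file contents to `load_findings` in place of the constructed `SAMPLE_REPORT`, with your own triage file in place of `SAMPLE_TRIAGE`. The verdict fails only on open findings of Medium impact or worse, which matches the Step 1 goal of a clean report or documented triages; a triage entry with an empty reason is rejected rather than silently hiding the finding.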