Comprehensive smart contract security toolkit based on Trail of Bits’ Building Secure Contracts framework. This plugin provides 11 specialized skills for smart contract security across multiple blockchain platforms.

Documentation Index
Fetch the complete documentation index at: https://mintlify.com/trailofbits/skills/llms.txt
Use this file to discover all available pages before exploring further.
Overview
The plugin includes two categories of skills:
- 6 Vulnerability Scanners - Platform-specific attack pattern detection
- 5 Development Guidelines Assistants - Secure development best practices
Installation
Supported Blockchains
- Algorand - TEAL/PyTeal smart contracts
- Cairo - StarkNet contracts
- Cosmos - Cosmos SDK modules
- Solana - Native Rust & Anchor programs
- Substrate - Substrate pallets
- TON - FunC smart contracts
Vulnerability Scanners
Platform-specific vulnerability detection based on Trail of Bits’ Not So Smart Contracts repository.

Algorand Vulnerability Scanner
Skill: /algorand-vulnerability-scanner
Scans Algorand/TEAL codebases for 11 vulnerability patterns:
- Rekeying vulnerabilities
- Unchecked transaction fees
- Asset closing issues
- Group size checks
- Time-based replay attacks
- CloseRemainderTo validation
- AssetCloseTo validation
- Transaction type confusion
- Improper escrow handling
- Fee manipulation
- Lease validation issues
Cairo Vulnerability Scanner
Skill: /cairo-vulnerability-scanner
Analyzes StarkNet/Cairo smart contracts for 6 vulnerability patterns:
- Arithmetic overflow/underflow
- Reentrancy vulnerabilities
- Uninitialized storage
- Authorization bypass
- Improper access control
- State manipulation issues
Cosmos Vulnerability Scanner
Skill: /cosmos-vulnerability-scanner
Detects security issues in Cosmos SDK modules for 9 patterns:
- Undelegation time validation
- Amount validation issues
- Unbonding validation
- Rounding issues in calculations
- Delegation state manipulation
- Validator set manipulation
- Slashing bypass
- Reward distribution errors
- Token minting vulnerabilities
Solana Vulnerability Scanner
Skill: /solana-vulnerability-scanner
Scans Solana/Anchor programs for 6 critical vulnerabilities:
- Arbitrary CPI - User-controlled program IDs in cross-program invocations
- Improper PDA Validation - Using create_program_address without canonical bump
- Missing Ownership Check - Deserializing accounts without owner validation
- Missing Signer Check - Authority operations without is_signer verification
- Sysvar Account Check - Spoofed sysvar accounts (pre-Solana 1.8.1)
- Improper Instruction Introspection - Absolute indexes allowing reuse attacks
Supports both native Solana programs and Anchor framework. Integrates with Trail of Bits Solana Lints when available.
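As an added illustration of how three of the patterns above can be spotted mechanically (this is example code written for this page, not the plugin's scanner and not Trail of Bits code), the Python below splits raw Rust source into function bodies and applies regular-expression heuristics for the missing signer check, the non-canonical PDA derivation, and the missing ownership check. The Solana program text in `SAMPLE_PROGRAM` is constructed for the example, and the pattern names and regexes are the example's own assumptions. Note that `create_program_address` is only a problem when the bump is caller-controlled rather than a stored canonical bump, so every hit is a lead for manual review, not a verdict.

```python
"""Heuristic scanner for three Solana patterns: signer, PDA, and owner checks.

Added illustration, not the plugin's scanner and not Trail of Bits code.
Regex heuristics over function bodies; hits are leads, not verdicts.
The program text in SAMPLE_PROGRAM is constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    pattern: str
    function: str
    detail: str


FN_HEADER = re.compile(r"\bfn\s+(\w+)\s*\(")
# Writes or CPIs: operations that should be gated on a signer.
MUTATION = re.compile(r"try_borrow_mut_data|data\.borrow_mut\(\)|\binvoke(?:_signed)?\(")
SIGNER_CHECK = re.compile(r"\.is_signer\b")
# create_program_address takes the bump from the caller; find_program_address derives it.
NON_CANONICAL_PDA = re.compile(r"\bcreate_program_address\s*\(")
DESERIALIZE = re.compile(r"\btry_from_slice\s*\(|\bunpack\s*\(")
OWNER_CHECK = re.compile(r"\.owner\b")


def split_functions(source: str) -> dict[str, str]:
    """Map each `fn name(` header to its brace-balanced body text."""
    bodies: dict[str, str] = {}
    for header in FN_HEADER.finditer(source):
        start = source.find("{", header.end())
        if start == -1:
            continue
        depth = 0
        for i in range(start, len(source)):
            if source[i] == "{":
                depth += 1
            elif source[i] == "}":
                depth -= 1
                if depth == 0:
                    bodies[header.group(1)] = source[start:i + 1]
                    break
    return bodies


def scan(source: str) -> list[Finding]:
    """Return one Finding per (pattern, function) the heuristics flag."""
    findings: list[Finding] = []
    for name, body in split_functions(source).items():
        if MUTATION.search(body) and not SIGNER_CHECK.search(body):
            findings.append(Finding("missing-signer-check", name,
                                    "writes state or invokes a CPI with no is_signer check"))
        if NON_CANONICAL_PDA.search(body):
            findings.append(Finding("improper-pda-validation", name,
                                    "create_program_address with a bump the caller controls"))
        if DESERIALIZE.search(body) and not OWNER_CHECK.search(body):
            findings.append(Finding("missing-ownership-check", name,
                                    "deserializes account data without checking the owner"))
    return findings


SAMPLE_PROGRAM = r'''
// Constructed sample, not a real deployed program.
pub fn withdraw(program_id: &Pubkey, accounts: &[AccountInfo], amount: u64) -> ProgramResult {
    let vault = &accounts[0];
    let authority = &accounts[1];
    // Nothing checks that `authority` actually signed this transaction.
    let mut data = vault.try_borrow_mut_data()?;
    data[0..8].copy_from_slice(&amount.to_le_bytes());
    Ok(())
}

pub fn set_config(program_id: &Pubkey, accounts: &[AccountInfo], bump: u8) -> ProgramResult {
    let config = &accounts[0];
    let authority = &accounts[1];
    if !authority.is_signer {
        return Err(ProgramError::MissingRequiredSignature);
    }
    // The caller picks `bump`, so a non-canonical PDA can be substituted.
    let _expected = Pubkey::create_program_address(&[b"config", &[bump]], program_id)?;
    // Deserialised without confirming this program owns `config`.
    let mut state = Config::try_from_slice(&config.data.borrow())?;
    state.authority = *authority.key;
    state.serialize(&mut *config.try_borrow_mut_data()?)?;
    Ok(())
}

pub fn read_state(program_id: &Pubkey, accounts: &[AccountInfo]) -> ProgramResult {
    let state_acc = &accounts[0];
    if state_acc.owner != program_id {
        return Err(ProgramError::IncorrectProgramId);
    }
    let _state = State::try_from_slice(&state_acc.data.borrow())?;
    Ok(())
}
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_PROGRAM):
        print(f"{f.pattern:<26} {f.function:<12} {f.detail}")
```

Running the block flags `withdraw` for the missing signer check and `set_config` for both the non-canonical PDA derivation and the missing ownership check, while `read_state`, which compares `.owner` before deserializing, is clean. The same brace-matching splitter works on Anchor programs, but Anchor's `#[account(...)]` constraints express most of these checks declaratively, so a scanner for Anchor code has to read the constraint attributes rather than the function bodies.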
Substrate Vulnerability Scanner
Skill: /substrate-vulnerability-scanner
Analyzes Substrate pallets for 7 security issues:
- BadOrigin handling
- Insufficient weight calculations
- Panics on overflow
- Unsigned transaction validation
- Storage manipulation
- Runtime upgrade issues
- Extrinsic validation bypass
TON Vulnerability Scanner
Skill: /ton-vulnerability-scanner
Detects vulnerabilities in TON smart contracts for 3 patterns:
- Replay protection failures
- Unprotected receiver functions
- Sender validation issues
Development Guidelines Assistants
Based on Trail of Bits’ Development Guidelines.

Audit Prep Assistant
Skill: /audit-prep-assistant
Prepare your codebase for security reviews with a comprehensive 4-step checklist:
- Set Review Goals - Define security objectives and areas of concern
- Resolve Easy Issues - Run static analysis (Slither, dylint, golangci-lint) and fix low-hanging fruit
- Ensure Accessibility - Create build instructions, freeze commits, clarify scope
- Generate Documentation - Create flowcharts, user stories, glossaries, and inline comments
Code Maturity Assessor
Skill: /code-maturity-assessor
Systematic code maturity evaluation using Trail of Bits’ 9-category framework:
- Arithmetic safety
- Auditing practices
- Authentication/Access controls
- Complexity management
- Decentralization
- Documentation quality
- Transaction ordering risks
- Low-level manipulation
- Testing and verification
Guidelines Advisor
Skill: /guidelines-advisor
Comprehensive development best practices advisor covering:
- Documentation & Specifications - Generate system descriptions and architectural diagrams
- Architecture Analysis - Optimize on-chain/off-chain distribution
- Upgradeability Review - Assess upgrade patterns and delegatecall proxies
- Implementation Quality - Review functions, inheritance, events
- Common Pitfalls - Identify security anti-patterns
- Dependencies - Evaluate library usage
- Testing - Suggest test improvements
Secure Workflow Guide
Skill: /secure-workflow-guide
Interactive 5-step secure development workflow:
- Known Security Issues - Run Slither with 70+ detectors
- Special Features - Check upgradeability, ERC conformance, token integration
- Visual Inspection - Generate inheritance graphs, function summaries, authorization maps
- Security Properties - Document properties, set up Echidna/Manticore
- Manual Review - Analyze privacy, front-running, cryptography, DeFi risks
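The "Resolve Easy Issues" step of the Audit Prep Assistant and the "Known Security Issues" step above both start from a Slither run. As an added example (written for this page, not part of the plugin or of Slither), the Python below reads the report that `slither . --json report.json` writes, refuses to triage a failed run, filters detector hits by Slither's own impact and confidence labels, and orders what is left worst first so the low-hanging fruit is fixed before the review. The report in `SAMPLE_REPORT` is a constructed sample in the shape of Slither's JSON output: the detector names are real Slither detectors, the contract and file names are made up, and the `Medium`/`Medium` thresholds are this example's assumption.

```python
"""Triage Slither's JSON report: keep the impactful, confident findings first.

Added example, not part of the plugin or of Slither. SAMPLE_REPORT is
constructed in the shape of `slither . --json report.json`; the detector
names are real, the file and contract names are made up.
"""
from __future__ import annotations

import json
from collections import Counter

# Slither's own impact / confidence labels, ranked from most to least urgent.
IMPACT_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3, "Optimization": 4}
CONFIDENCE_RANK = {"High": 0, "Medium": 1, "Low": 2}


def _result(check: str, impact: str, confidence: str, description: str,
            path: str, lines: list[int]) -> dict:
    """Build one detector entry in Slither's JSON shape (sample data only)."""
    return {
        "check": check, "impact": impact, "confidence": confidence,
        "description": description,
        "elements": [{"type": "function", "name": check,
                      "source_mapping": {"filename_relative": path, "lines": lines}}],
    }


SAMPLE_REPORT = json.dumps({
    "success": True,
    "error": None,
    "results": {"detectors": [
        _result("naming-convention", "Informational", "High",
                "Parameter Vault.deposit(uint256)._Amount is not in mixedCase",
                "src/Vault.sol", [22]),
        _result("reentrancy-eth", "High", "Medium",
                "Reentrancy in Vault.withdraw(uint256): external call before state update",
                "src/Vault.sol", [40, 41, 42]),
        _result("unchecked-transfer", "High", "Medium",
                "Vault.sweep(address) ignores return value of token.transfer()",
                "src/Vault.sol", [60]),
        _result("timestamp", "Low", "Medium",
                "Lottery.draw() uses block.timestamp for comparisons",
                "src/Lottery.sol", [31]),
        _result("solc-version", "Informational", "High",
                "Pragma version^0.8.0 allows old versions",
                "src/Lottery.sol", [2]),
    ]},
})


def load_detector_results(report_text: str) -> list[dict]:
    """Parse a Slither JSON report; refuse to triage a run that did not succeed."""
    report = json.loads(report_text)
    if not report.get("success"):
        raise RuntimeError(f"slither did not complete: {report.get('error')}")
    return report["results"]["detectors"]


def triage(results: list[dict], min_impact: str = "Medium",
           min_confidence: str = "Medium") -> list[dict]:
    """Keep findings at or above both thresholds, ordered worst first."""
    kept = [
        r for r in results
        if IMPACT_RANK[r["impact"]] <= IMPACT_RANK[min_impact]
        and CONFIDENCE_RANK[r["confidence"]] <= CONFIDENCE_RANK[min_confidence]
    ]
    kept.sort(key=lambda r: (IMPACT_RANK[r["impact"]],
                             CONFIDENCE_RANK[r["confidence"]], r["check"]))
    return kept


def by_file(results: list[dict]) -> dict[str, int]:
    """Count findings per source file, using each result's first element."""
    counts: Counter[str] = Counter()
    for r in results:
        for element in r.get("elements", [])[:1]:
            counts[element["source_mapping"]["filename_relative"]] += 1
    return dict(counts)


def fix_before_review(report_text: str) -> list[str]:
    """Detector names a team should resolve before handing code to reviewers."""
    return [r["check"] for r in triage(load_detector_results(report_text))]


if __name__ == "__main__":
    results = load_detector_results(SAMPLE_REPORT)
    for r in triage(results):
        print(f"{r['impact']:<6} {r['confidence']:<6} {r['check']:<20} {r['description']}")
    print(by_file(results))
```

On the sample report the default thresholds keep `reentrancy-eth` and `unchecked-transfer` and drop the informational and low-impact hits; lowering `min_impact` to `Low` brings `timestamp` back. Informational hits such as `naming-convention` and `solc-version` are worth fixing too, but they belong in the "easy issues" bucket rather than in front of the reviewers' time.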
Token Integration Analyzer
Skill: /token-integration-analyzer
Comprehensive token security analysis for both implementations and integrations:
- ERC20/ERC721 Conformity - Validate standard compliance
- Contract Composition - Assess complexity and SafeMath usage
- Owner Privileges - Review upgradeability, minting, pausability, blacklists
- 20+ Weird Token Patterns - Check for non-standard behaviors:
  - Missing return values
  - Fee-on-transfer tokens
  - Rebasing tokens
  - Double entry point tokens
  - Flash mintable tokens
  - Revert on zero-value transfers
- On-chain Analysis - Query deployed contracts for scarcity and distribution
- Integration Safety - Verify defensive patterns and safe transfer usage
Usage Examples
Pre-Audit Preparation Workflow
Platform-Specific Security Review
For a Solana project:

Token Development
Continuous Security Integration
Tool Integration
Many skills leverage security tools when available:
- Slither - Static analysis for Solidity (70+ detectors, visual diagrams, upgradeability checks)
- Echidna - Property-based fuzzing for Ethereum contracts
- Manticore - Symbolic execution for deep analysis
- Tealer - Static analyzer for TEAL/PyTeal (Algorand)
- Web3/Ethers - On-chain queries for deployed contracts
- dylint - Linter framework for Rust-based contracts
- golangci-lint - Comprehensive linter for Go (Cosmos)
Skills gracefully adapt when tools are unavailable, performing manual analysis instead. However, tool-assisted analysis is more thorough and faster.
Source Material
This plugin is based on Trail of Bits’ open-source security resources:
- Building Secure Contracts - Comprehensive security guidelines
- Not So Smart Contracts - Common vulnerability patterns
- Weird ERC20 - Non-standard token behaviors
Related Skills
Complement this plugin with other Trail of Bits skills:
- audit-context-building - Build deep architectural context before vulnerability hunting
- issue-writer - Transform findings into professional audit reports
- solidity-poc-builder - Build proof-of-concept exploits for Solidity vulnerabilities
Support
For questions or issues:
- Trail of Bits Office Hours - Every Tuesday
- Empire Hacking Slack - #crytic and #ethereum channels