Code Maturity Assessor

Passed
trailofbits/skills
Source

This skill systematically assesses codebase maturity using Trail of Bits' Building Secure Contracts framework. It evaluates 9 categories including arithmetic safety, access controls, complexity management, documentation, and testing, producing a detailed scorecard with ratings (0-4) and actionable improvement recommendations.

SecurityCode ReviewSecurity AuditSmart ContractsSolidityCode QualityTrail Of Bits
2.1kstars156forks
|369 views|Found in travisvn/awesome-claude-skills

Skill Content

7,186 characters

Code Maturity Assessor

Purpose

I will systematically assess this codebase's maturity using Trail of Bits' 9-category framework by analyzing the code and evaluating it against established criteria. I'll provide evidence-based ratings and actionable recommendations.

Framework: Building Secure Contracts - Code Maturity Evaluation v0.1.0

How This Works

Phase 1: Discovery

I'll explore the codebase to understand:

  • Project structure and platform
  • Contract/module files
  • Test coverage
  • Documentation availability

Phase 2: Analysis

For each of 9 categories, I'll:

  • Search the code for relevant patterns
  • Read key files to assess implementation
  • Present findings with file references
  • Ask clarifying questions about processes I can't see in code
  • Determine rating based on criteria

Phase 3: Report

I'll generate:

  • Executive summary
  • Maturity scorecard (ratings for all 9 categories)
  • Detailed analysis with evidence
  • Priority-ordered improvement roadmap

Rating System

  • Missing (0): Not present/not implemented
  • Weak (1): Several significant improvements needed
  • Moderate (2): Adequate, can be improved
  • Satisfactory (3): Above average, minor improvements
  • Strong (4): Exceptional, only small improvements possible

Rating Logic:

  • ANY "Weak" criteria → Weak
  • NO "Weak" + SOME "Moderate" unmet → Moderate
  • ALL "Moderate" + SOME "Satisfactory" met → Satisfactory
  • ALL "Satisfactory" + exceptional practices → Strong

The 9 Categories

I assess 9 comprehensive categories covering all aspects of code maturity. For detailed criteria, analysis approaches, and rating thresholds, see ASSESSMENT_CRITERIA.md.

Quick Reference:

1. ARITHMETIC

  • Overflow protection mechanisms
  • Precision handling and rounding
  • Formula specifications
  • Edge case testing

2. AUDITING

  • Event definitions and coverage
  • Monitoring infrastructure
  • Incident response planning

3. AUTHENTICATION / ACCESS CONTROLS

  • Privilege management
  • Role separation
  • Access control testing
  • Key compromise scenarios

4. COMPLEXITY MANAGEMENT

  • Function scope and clarity
  • Cyclomatic complexity
  • Inheritance hierarchies
  • Code duplication

5. DECENTRALIZATION

  • Centralization risks
  • Upgrade control mechanisms
  • User opt-out paths
  • Timelock/multisig patterns

6. DOCUMENTATION

  • Specifications and architecture
  • Inline code documentation
  • User stories
  • Domain glossaries

7. TRANSACTION ORDERING RISKS

  • MEV vulnerabilities
  • Front-running protections
  • Slippage controls
  • Oracle security

8. LOW-LEVEL MANIPULATION

  • Assembly usage
  • Unsafe code sections
  • Low-level calls
  • Justification and testing

9. TESTING & VERIFICATION

  • Test coverage
  • Fuzzing and formal verification
  • CI/CD integration
  • Test quality

For complete assessment criteria including what I'll analyze, what I'll ask you, and detailed rating thresholds (WEAK/MODERATE/SATISFACTORY/STRONG), see ASSESSMENT_CRITERIA.md.

Example Output

When the assessment is complete, you'll receive a comprehensive maturity report including:

  • Executive Summary: Overall score, top 3 strengths, top 3 gaps, priority recommendations
  • Maturity Scorecard: Table with all 9 categories rated with scores and notes
  • Detailed Analysis: Category-by-category breakdown with evidence (file:line references)
  • Improvement Roadmap: Priority-ordered recommendations (CRITICAL/HIGH/MEDIUM) with effort estimates

For a complete example assessment report, see EXAMPLE_REPORT.md.

Assessment Process

When invoked, I will:

  1. Explore codebase

    • Find contract/module files
    • Identify test files
    • Locate documentation

  2. Analyze each category

    • Search for relevant code patterns
    • Read key implementations
    • Assess against criteria
    • Collect evidence

  3. Interactive assessment

    • Present my findings with file references
    • Ask about processes I can't see in code
    • Discuss borderline cases
    • Determine ratings together

  4. Generate report

    • Executive summary
    • Maturity scorecard table
    • Detailed category analysis with evidence
    • Priority-ordered improvement roadmap

Rationalizations (Do Not Skip)

| Rationalization | Why It's Wrong | Required Action | |-----------------|----------------|-----------------| | "Found some findings, assessment complete" | Assessment requires evaluating ALL 9 categories | Complete assessment of all 9 categories with evidence for each | | "I see events, auditing category looks good" | Events alone don't equal auditing maturity | Check logging comprehensiveness, testing, incident response processes | | "Code looks simple, complexity is low" | Visual simplicity masks composition complexity | Analyze cyclomatic complexity, dependency depth, state machine transitions | | "Not a DeFi protocol, MEV category doesn't apply" | MEV extends beyond DeFi (governance, NFTs, games) | Verify with transaction ordering analysis before declaring N/A | | "No assembly found, low-level category is N/A" | Low-level risks include external calls, delegatecall, inline assembly | Search for all low-level patterns before skipping category | | "This is taking too long" | Thorough assessment requires time per category | Complete all 9 categories, ask clarifying questions about off-chain processes | | "I can rate this without evidence" | Ratings without file:line references = unsubstantiated claims | Collect concrete code evidence for every category assessment | | "User will know what to improve" | Vague guidance = no action | Provide priority-ordered roadmap with specific improvements and effort estimates |

Report Format

For detailed report structure and templates, see REPORT_FORMAT.md.

Structure:

  1. Executive Summary

    • Project name and platform
    • Overall maturity (average rating)
    • Top 3 strengths
    • Top 3 critical gaps
    • Priority recommendations

  2. Maturity Scorecard

    • Table with all 9 categories
    • Ratings and scores
    • Key findings notes

  3. Detailed Analysis

    • Per-category breakdown
    • Evidence with file:line references
    • Gaps and improvement actions

  4. Improvement Roadmap

    • CRITICAL (immediate)
    • HIGH (1-2 months)
    • MEDIUM (2-4 months)
    • Effort estimates and impact

Ready to Begin

Estimated Time: 30-40 minutes

I'll need:

  • Access to full codebase
  • Your knowledge of processes (monitoring, incident response, team practices)
  • Context about the project (DeFi, NFT, infrastructure, etc.)

Let's assess this codebase!

Installation

Marketplace
Step 1: Add marketplace
/plugin marketplace add trailofbits/skills
Step 2: Install plugin
/plugin install building-secure-contracts@trailofbits