PluginBench
Skill
Review
Audit score 70

solidity-security

wshobson/agents

Master smart contract security best practices and prevent common Solidity vulnerabilities.

What is solidity-security?

This skill teaches secure smart contract development patterns, vulnerability prevention techniques, and best practices for Solidity. Use it when writing or auditing smart contracts, implementing DeFi protocols, or preparing contracts for professional security audits.

  • Prevent reentrancy attacks using secure patterns
  • Protect against integer overflow and underflow vulnerabilities
  • Enforce access control and authorization checks
  • Implement Checks-Effects-Interactions (CEI) pattern for safe state management
  • Write comprehensive security tests using Hardhat
  • Document contracts properly for audit readiness

How to install solidity-security

npx skills add https://github.com/wshobson/agents --skill solidity-security
Claude Code
Cursor
Windsurf
Cline

How to use solidity-security

  1. 1.Review the security patterns in references/details.md for your specific use case
  2. 2.Identify which vulnerabilities apply to your contract (reentrancy, overflow, access control)
  3. 3.Implement the appropriate secure patterns (CEI pattern, ReentrancyGuard, access modifiers)
  4. 4.Write security tests using Hardhat to verify protections against attack vectors
  5. 5.Document your contract thoroughly with NatSpec comments for audit preparation
  6. 6.Test edge cases and potential attack scenarios before deployment

Use cases

Good for
  • Writing secure smart contracts from scratch
  • Auditing existing contracts for common vulnerabilities
  • Implementing secure DeFi protocols and token contracts
  • Preventing reentrancy, overflow, and access control exploits
  • Preparing contracts for professional security audits
Who it's for
  • Smart contract developers
  • Blockchain security engineers
  • DeFi protocol developers
  • Contract auditors
  • Web3 developers preparing for mainnet deployment

solidity-security FAQ

What is the Checks-Effects-Interactions (CEI) pattern?

CEI is a secure pattern for state-changing functions: first check all conditions (CHECKS), then update state (EFFECTS), then interact with external contracts (INTERACTIONS). This prevents reentrancy attacks by ensuring state is updated before external calls.

How do I prevent reentrancy attacks?

Use the CEI pattern, implement a ReentrancyGuard, or use the checks-effects-interactions ordering. The skill provides examples of ReentrancyGuard implementation and proper function structure.

What are common Solidity vulnerabilities this skill covers?

The skill covers reentrancy attacks, integer overflow/underflow, improper access control, unsafe external calls, and gas optimization issues while maintaining security.

How should I document my contract for audits?

Use NatSpec comments (@dev, @notice, @param, @return) for all public functions and state variables. Include clear descriptions of what each function does and any security considerations.

Full instructions (SKILL.md)

Source of truth, from wshobson/agents.


name: solidity-security description: Master smart contract security best practices to prevent common vulnerabilities and implement secure Solidity patterns. Use when writing smart contracts, auditing existing contracts, or implementing security measures for blockchain applications.

Solidity Security

Master smart contract security best practices, vulnerability prevention, and secure Solidity development patterns.

When to Use This Skill

  • Writing secure smart contracts
  • Auditing existing contracts for vulnerabilities
  • Implementing secure DeFi protocols
  • Preventing reentrancy, overflow, and access control issues
  • Optimizing gas usage while maintaining security
  • Preparing contracts for professional audits
  • Understanding common attack vectors

Detailed patterns and worked examples

Detailed pattern documentation lives in references/details.md. Read that file when the navigation tier above is insufficient.

Testing for Security

// Hardhat test example
const { expect } = require("chai");
const { ethers } = require("hardhat");

describe("Security Tests", function () {
  it("Should prevent reentrancy attack", async function () {
    const [attacker] = await ethers.getSigners();

    const VictimBank = await ethers.getContractFactory("SecureBank");
    const bank = await VictimBank.deploy();

    const Attacker = await ethers.getContractFactory("ReentrancyAttacker");
    const attackerContract = await Attacker.deploy(bank.address);

    // Deposit funds
    await bank.deposit({ value: ethers.utils.parseEther("10") });

    // Attempt reentrancy attack
    await expect(
      attackerContract.attack({ value: ethers.utils.parseEther("1") }),
    ).to.be.revertedWith("ReentrancyGuard: reentrant call");
  });

  it("Should prevent integer overflow", async function () {
    const Token = await ethers.getContractFactory("SecureToken");
    const token = await Token.deploy();

    // Attempt overflow
    await expect(token.transfer(attacker.address, ethers.constants.MaxUint256))
      .to.be.reverted;
  });

  it("Should enforce access control", async function () {
    const [owner, attacker] = await ethers.getSigners();

    const Contract = await ethers.getContractFactory("SecureContract");
    const contract = await Contract.deploy();

    // Attempt unauthorized withdrawal
    await expect(contract.connect(attacker).withdraw(100)).to.be.revertedWith(
      "Ownable: caller is not the owner",
    );
  });
});

Audit Preparation

contract WellDocumentedContract {
    /**
     * @title Well Documented Contract
     * @dev Example of proper documentation for audits
     * @notice This contract handles user deposits and withdrawals
     */

    /// @notice Mapping of user balances
    mapping(address => uint256) public balances;

    /**
     * @dev Deposits ETH into the contract
     * @notice Anyone can deposit funds
     */
    function deposit() public payable {
        require(msg.value > 0, "Must send ETH");
        balances[msg.sender] += msg.value;
    }

    /**
     * @dev Withdraws user's balance
     * @notice Follows CEI pattern to prevent reentrancy
     * @param amount Amount to withdraw in wei
     */
    function withdraw(uint256 amount) public {
        // CHECKS
        require(amount <= balances[msg.sender], "Insufficient balance");

        // EFFECTS
        balances[msg.sender] -= amount;

        // INTERACTIONS
        (bool success, ) = msg.sender.call{value: amount}("");
        require(success, "Transfer failed");
    }
}