- README.md with platform support and quick-start examples
- LICENSE (MIT), .gitignore, .markdownlint.json
- CONTRIBUTING.md with skill creation guide
- CODE_OF_CONDUCT.md, CHANGELOG.md, SECURITY.md
- GitHub Actions CI (skill validation, markdown lint, secret scan)
- Issue templates: bug report, feature request, new skill proposal
- PR template with skill checklist
- skills/_template/ starter template (skill.json, system.md, README, examples)
- Platform directories: claude/, openai/, gemini/, generic/
- scripts/validate_skills.py for CI manifest validation
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…terns Move checklist to references/attack-vectors.md to keep SKILL.md lean. Each vector has precise detection pattern and false-positive signals to maximize true positives and minimize noise. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ositive suppression, 6 new attack vectors
- Rename skill directory and all references: security-review → security-scan
- Add --fast mode: skips attack-vectors.md and assets, CRITICAL/HIGH only, caps ALL at 5 files, omits PoC
- Add structured false-positives.md suppression with location+vector matching
- Expand attack vectors from 48 to 52: msg.value reuse in loop/multicall, abi.encodePacked hash collision, write to arbitrary storage, off-by-one in bounds/range checks, plus removal of two lower-signal vectors
- Randomize attack vector ordering (remove section groupings, flat numbered list)
- Update README install section: sparse-checkout, curl one-liner, per-agent directory table (Copilot, Cursor, Windsurf, Codex)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Remove references to non-existent platform subdirectories (claude/, openai/, gemini/, generic/), skill.json manifests, system.md, and _template/. Replace with accurate structure: flat skills/<name>/ layout, SKILL.md frontmatter format, references/ and assets/ directories explained correctly. Add Improving an Existing Skill section, accurate CI steps, and updated PR checklist aligned with real file requirements. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Remove vectors #2 (Uninitialized Local Storage Pointer), #8 (ERC20 Approve Race), and #33 (Unsafe Single-Step Ownership Transfer) as they either have acceptable risk profiles or are standard patterns not worth flagging.
Audit every false-positive signal for 90%+ reliability. Remove or replace signals that are:
- Not observable in Solidity code (private RPC, deployment tooling)
- Market/runtime-data dependent (liquidity, economic incentives)
- Process-level claims (formal diffs, operational procedures)
- Themselves bypassable (EOA checks via code.length, transparent proxy admin path not protecting implementation initializer)
Renumber all remaining vectors 1–49. Update SKILL.md references from 52 to 49.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
EOF )
…dings table
- Add references/report-formatting.md with severity classification (CRITICAL/HIGH/MEDIUM/LOW), disclaimer text, and output structure
- Output now: disclaimer → findings table (# | Severity | Title) → numbered detail sections → Scope
- Severity definitions synthesized from Immunefi v2.3 and Sherlock standards: impact-driven, fund-loss anchored
- Remove INFO severity — minimum reportable level is LOW
- SKILL.md loads report-formatting.md before producing output
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…escription
- Remove PoC field from all findings
- Replace Vector + Issue + Impact with a single Description field: "<vector name — what is wrong — what an attacker can do>"
- Clean up fast mode output rule (now just defers to report-formatting.md)
- Remove PoC constraint from SKILL.md
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Move confidence score into severity bracket: [HIGH, 91]
- Remove bullet dashes before field labels (bold prose style)
- Rename Fix → Mitigation
- Mitigation uses text + inline code, no fenced code blocks
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…d tables
- Severity emoji map: 🔴 CRITICAL 🟠 HIGH 🟡 MEDIUM 🔵 LOW
- Emoji in findings table column and before each finding heading
- Report title uses 🔐 + repo/contract name
- Scope rendered as a two-column table
- Disclaimer prefixed with ⚠️
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…adability Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…arator Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaces the binary --fast flag with a graduated time budget system. Four tiers map seconds to scope/depth trade-offs:
- ≤ 30s — CRITICAL only, built-in vectors, 2-file cap, skip assets
- ≤ 60s — CRITICAL+HIGH, built-in vectors, 5-file cap, skip assets
- ≤ 120s — CRITICAL+HIGH+MEDIUM, built-in vectors, all files, load assets
- ≤ 300s — all severities, reads attack-vectors.md, all files, all assets
- no limit — same as ≤ 300s (default full scan)
--fast retained as alias for --max-run-time=60. README updated with per-tier usage examples.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Default behaviour is now --max-run-time=120 (CRITICAL+HIGH+MEDIUM, built-in vectors, all files, load assets)
- Remove --fast alias entirely
- Users adjust depth with --max-run-time=N (seconds)
- README explains the default and links to --max-run-time for changes
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Instead of tier-based severity restrictions, the skill now scans in priority order (CRITICAL → HIGH → MEDIUM → LOW) and reports whatever it finds within the time budget. Tight budgets skip attack-vectors.md; 300s+ reads the full reference. No artificial severity suppression. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Remove False Positives section from README and all references to false-positives.md from SKILL.md and report-formatting.md. FP signals in attack-vectors.md are retained (they inform confidence scoring), but the per-project suppression file is gone. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Rename skills/security-scan/ → skills/audit/
- Update name in SKILL.md frontmatter (slash command: /audit)
- Update all references across README.md, CONTRIBUTING.md, lint/README.md, start-audit/README.md
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…files
- Default mode: if no changed .sol files, ask user for a filename and mention /audit ALL as an option instead of silently stopping
- All modes: skip test files (test/, tests/, spec/, *.t.sol, Test*.sol, *Test.sol, *Spec.sol)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Controls depth of analysis: low values move faster, high values think harder and re-examine uncertain findings before reporting. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Apply <context>, <instructions>, <output_format>, and <constraints> tags to audit, lint, and start-audit skills following Anthropic prompt engineering best practices. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Emit startup header, per-file reading status, severity pass headers, inline finding alerts, and wrap-up line as work progresses. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…n --reasoning
- attack-vectors.md is now read on every run, not just at 300s+
- default --max-run-time raised from 120s to 150s
- README explains that --reasoning controls depth of free reasoning beyond the checklist (project-specific logic bugs, unusual combos)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
New vectors added based on research across SWC registry, rekt.news, solodit, chainsecurity, kadenzipfel/smart-contract-vulnerabilities, OWASP SC Top 10 2025, and post-mortems of 2024–2025 DeFi hacks:
50. Transient storage low-gas reentrancy (EIP-1153 / Cancun)
51. Force-feeding ETH via selfdestruct / coinbase
52. CREATE2 address reuse after selfdestruct
53. extcodesize zero bypass in constructor
54. Single-step ownership transfer
55. Multi-block TWAP oracle manipulation (post-Merge PoS)
56. Private variable readable on-chain via eth_getStorageAt
57. Incorrect inheritance order (C3 linearization)
58. Blacklistable/pausable token in critical payment path
59. Missing input validation on critical setters
60. Staking reward front-run by new depositor
61. EIP-2612 permit front-run causing DoS
62. ecrecover returns address(0) on invalid signature
63. Griefing via dust deposits resetting timelocks
64. Insufficient gas forwarding / 63/64 rule exploitation
65. Chainlink feed deprecation / wrong decimal assumption
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Removed:
- 54. Single-Step Ownership Transfer
- 56. Private Variable Readable On-Chain
- 57. Incorrect Inheritance Order (C3 Linearization)
Renumbered 58–65 → 55–62 accordingly.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…formatting
- Move Banner section after Mode Selection/analysis logic so it prints last (before output)
- Update disclaimer to link pashov.com instead of generic security advice
- Fix report-formatting: align severity table columns, rename confidence threshold label to include (1-100), render suppressed findings as a structured table
- Sort README skills table alphabetically
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…nning on Claude Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- AGENTS.md: update structure tree to list all three skills accurately
- README.md: fix tagline typo, remove dead CI badge, consolidate security consulting into footer
- SECURITY.md: remove irrelevant supported-versions table, tighten copy
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- README: point contributing section to CONTRIBUTING.md instead of AGENTS.md
- AGENTS.md: remove rule referencing non-existent _template directory
- CONTRIBUTING.md: fix attack vector count (52→62), remove CI step references, update agent-agnostic rule to allow documented agent-specific sections, remove CI checklist item
- CODE_OF_CONDUCT.md: tighten enforcement section, remove redundant sentence
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Remove sparse-checkout and curl one-liner approaches (other skill files beyond SKILL.md are required). Replace with clone → cp → invoke flow with a per-agent command table. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…placeholder Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…slash commands Cursor slash commands require .md files in ~/.cursor/commands/ (global) or .cursor/commands/ (project), not .cursor/rules/. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add a Severity Assignment section with explicit downgrade triggers: privileged caller, self-contained impact, no direct monetary loss, incomplete attack path, and an always-go-lower tie-breaker rule. Add calibration note to report-formatting severity table. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…n field Confidence is now a standalone **Confidence** N line between Location and Description, instead of being embedded in [HIGH, 91] brackets. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Findings with similarity ≥85 are merged (lower severity kept if fair); 60-84 are cross-referenced; <60 are left independent. Delegated to claude-haiku when running on Claude for speed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… analysis role
- Remove all --reasoning mentions (not supported by Claude)
- Add planning phase: scope, attack surface summary, time estimate, priority order
- Strengthen role to always consider edge cases and unusual interactions
- Rename audit-prep to audit-helper across AGENTS.md, README.md, marketplace.json
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
Sets up the foundational open-source repository structure for the AI Skills project — a community library of reusable skills for Claude, ChatGPT, Gemini, and other AI assistants.
Top 10 OSS Best Practices
- README.md
- LICENSE (MIT)
- .gitignore
- CONTRIBUTING.md
- CODE_OF_CONDUCT.md
- CHANGELOG.md
- SECURITY.md
- .github/workflows/ci.yml
- .github/ISSUE_TEMPLATE/ (bug, feature, new skill)
- .github/pull_request_template.md
AI Skills Structure
- skills/_template/ — Starter template with skill.json manifest, system.md prompt, README.md, and examples/
- skills/claude/, skills/openai/, skills/gemini/, skills/generic/
- scripts/validate_skills.py — CI validator that checks manifest schema and required files
🤖 Generated with Claude Code