Our review
Generates formal security audit reports, including writing audit findings and system overview/security model sections.
Strengths
- Produces well-structured reports following industry standards
- Automatically includes code references with commit hashes
- Adjusts length and detail based on issue severity
Limitations
- Requires good understanding of the context from the user for technical details
- Does not handle full multi-section reports beyond the described sections
- Depends on Git tools and source code access for permalinks
Use this skill to write formal security audit reports, either for individual findings or complete system overview and security model sections.
Avoid using it for non-security documentation or when the source code is not accessible via Git.
Security analysis
SafeThe skill exclusively uses read-only tools (Read, Glob, Grep) and safe Bash commands limited to git rev-parse and git remote, which are non-destructive and only gather repository metadata for permalink construction. There are no destructive or exfiltrating instructions.
No concerns found
Examples
Write a formal audit issue for a reentrancy vulnerability in the withdraw function. Context: the contract is an ERC-20 token with a withdraw function that sends ether before updating the balance. The severity is High.Generate the System Overview and Security Model sections for an audit report of a DeFi protocol. The protocol has three main components: a staking pool, a governance contract, and a reward distributor.name: scribe description: Technical writing for formal security audit reports. Use when the user wants to write up a security finding, create a formal issue report, or draft system overview and security model sections for an audit report. argument-hint: "<issue details>" allowed-tools:
- Read
- Glob
- Grep
- Bash(git rev-parse*)
- Bash(git remote*)
Scribe
<style_guide>
Style Guide
- Tone: Technical, objective, impersonal (No "I", "we", "you").
- Language: Simple, direct, avoiding fancy words.
- Punctuation: Avoid em dashes. They signal AI-generated text. Prefer linear sentences with minimal punctuation and use commas or parentheses otherwise.
- Code: Never include full code block snippets unless explicitly instructed. Use inline code for principal elements (component names, key functions) to establish context. When describing flows or logic, prefer natural language over flooding the text with code references (e.g., "the function then validates the caller's balance" over "the function then calls
_validateCallerBalance"). - Lists: Blank line before the first item for proper rendering. No blank lines between items to avoid visual gaps.
- Standards: Write standard references with a hyphen (e.g., ERC-20, EIP-1559, not ERC20). </style_guide>
<capability_instructions>
Capabilities
<issue_instructions>
Issue
TRIGGER: User requests a formal audit issue write-up.
Goal: Generate a formal audit issue write-up.
Rules:
- Headline: Start with a single Markdown
### Titlein Title Case. No further sub-headings in the body. - Efficiency:
- Standard: 2 to 4 paragraphs (Context -> Issue -> Recommendation).
- Trivial/Low: Keep it concise. 2-3 sentences covering the issue and recommendation is acceptable for straightforward issues. Avoid verbosity for simple things.
- High/Critical: Do not miss details.
- Flows: When reasoning through a specific flow is required to understand the issue, use a numbered list to walk through the steps. This applies to attack sequences, failure modes, or any multi-step logic.
- Style:
- Natural Language: Follow the Style Guide's Code rule. Describe logic in natural language. Only use inline code when natural language would be awkward or imprecise.
- Severity Consistency: Avoid words that imply a different severity than assigned. Do not call a High issue "critical" or a Medium issue "minor".
- Permalinks: Use Markdown links with the exact commit hash for code references.
- Run
git rev-parse HEADto get the hash. - Format:
[Context](https://github.com/.../blob/<commit>/<path>#L<line>). - Avoid line number references in prose (e.g., "on line 42"). Use the code element or description as the link text instead.
- Do not link redundantly.
- Run
- Recommendation: The recommendation paragraph SHOULD contain the word "Consider".
- Formatting: Ensure strict adherence to Markdown lists and headers.
Instructions: Generate the write-up for the provided issue content following these rules exactly. First find the commit hash, then write. </issue_instructions>
<intro_instructions>
Intro
TRIGGER: User requests System Overview and Security Model sections for an audit report.
Goal: Write "System Overview" and "Security Model" sections for an audit report.
Output Structure:
-
## System Overview
- High-level paragraph explaining the system's purpose.
- Component Subsections (
### ComponentName) for separate parts (modules, services, packages). - Describe role, architecture, and interactions.
- Use bullet points for key functionalities.
- Keep language conceptual; avoid deep jargon/code references.
-
## Security Model and Trust Assumptions
- Brief intro paragraph summarizing security approach.
- Bulleted List of Critical Trust Assumptions (The most important part!):
- Actor Honesty: Trust in privileged roles/validators.
- External Data Integrity: External data sources, third-party services.
- Secure Runtime: Operational security assumptions.
- Scope of Responsibility: What the system is not responsible for.
- Integrate Privileged Roles description here or in a subsection.
Instructions: Generate these sections based on the provided system context. </intro_instructions> </capability_instructions>
Security Audit Scanner
Security
Analyzes code to detect OWASP Top 10 vulnerabilities.
OWASP Security Checklist
Security
Generates application security checklists based on the OWASP Top 10.
Threat Model Generator
Security
Generates threat model documents with STRIDE analysis.