audit-context-building
- Repo stars 5,723
- Forks 499
- Author updated Jun 15, 2026, 04:05 PM
- Author repo skills
- Domain
- Engineering
- Compatible agents
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- Trust score
- 88 / 100 · community maintained
- Author / version / license
- @trailofbits · no license declared
- Token usage
- Lean
- Setup complexity
- Guided setup
- External API key
- Not required
- Operating systems
- Unspecified (assume cross-platform)
- Runtime requirements
- No special requirements
- Permissions
-
- Read-only
- Write / modify
- Shell exec
- Network behavior
- Local-only
- Install commands
- 26 variants
Profile is derived at build time from SKILL.md and install vectors. Subject to drift from author intent.
Heads up: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: audit-context-building
description: Enables ultra-granular, line-by-line code analysis to build deep architectural context before vu…
category: engineering
runtime: no special runtime
---
# audit-context-building output preview
## PART A: Task fit
- Use case: Enables ultra-granular, line-by-line code analysis to build deep architectural context before vulnerability or bug finding. Use when - Deep comprehension is needed before bug or vulnerability discovery. runs entirely locally. Works with Claude Code, Cursor, Cline and 23 more..
- Inputs: target material, constraints, expected output, and acceptance criteria.
- Evidence boundary: follow “1. Purpose / 2. When to Use This Skill / 3. How This Skill Behaves” and do not present inference as author intent.
## PART B: Execution result
- **01** The card summarizes the use case; runtime output centers on “Enables ultra-granular, line-by-line code analysis to build deep architectural context before vulnerability or bug finding. Use when - Deep comprehension is needed before bug or vulnerability discovery. runs entirely locally. Works with Claude Code, Cursor, Cline and 23 more.”.
- **02** When the source has headings, the agent prioritizes “1. Purpose / 2. When to Use This Skill / 3. How This Skill Behaves” so the result follows the author’s structure.
- **03** Typical output includes task judgment, concrete steps, required commands or file edits, validation, and follow-up options.
- **04** Risk context follows the fingerprint: read files, write/modify files, run shell commands; mostly runs locally; usually needs no extra API key.
## Running Rules
- read files, write/modify files, run shell commands; mostly runs locally; usually needs no extra API key.
- Validate with a small sample before expanding scope.
- Return the result, validation criteria, and next iteration options. The source does not require a stable slash command. After installation, invoke the skill by name and describe the task.
Name target files or source material, expected output, forbidden changes, and whether network or shell access is allowed. Permission fingerprint: read files, write/modify files, run shell commands.
Start with a small task and check whether the result follows “1. Purpose / 2. When to Use This Skill / 3. How This Skill Behaves”. Inspect diffs, logs, previews, or tests before expanding scope.
Confirm the final output includes a concrete result, evidence, and next action. If it stays generic, tighten inputs, boundaries, and acceptance criteria.
---
name: audit-context-building
description: Enables ultra-granular, line-by-line code analysis to build deep architectural context before vu…
category: engineering
source: trailofbits/skills
---
# audit-context-building
## When to use
- Enables ultra-granular, line-by-line code analysis to build deep architectural context before vulnerability or bug fin…
- Use it when the task has clear inputs, repeatable steps, and validation criteria.
## What to provide
- Target material, scope, expected result, and forbidden changes.
- Whether network, commands, file writes, or external services are allowed.
## Execution rules
- Organize steps around “1. Purpose / 2. When to Use This Skill / 3. How This Skill Behaves” and keep inference separate from source facts.
- read files, write/modify files, run shell commands; mostly runs locally; usually needs no extra API key.
- Validate with a small sample before expanding the task.
## Output requirements
- Return the deliverable, key evidence, validation method, and next action.
- Mark missing information as unknown; do not invent commands, platforms, or dependencies. The author source anchors workflow facts; repository files anchor sources and commands; Fluxly only adds fit, limitations, and quality judgment.
skill "audit-context-building" {
input -> user goal + target files + boundaries + acceptance criteria
context -> 1. Purpose / 2. When to Use This Skill / 3. How This Skill Behaves
rules -> SKILL.md triggers / order / output contract
runtime -> no special runtime | read files, write/modify files, run shell commands | mostly runs locally
guardrails -> usually needs no extra API key + small-sample validation + diff/log review
output -> copyable result + checklist + next iteration
} Deep Context Builder Skill (Ultra-Granular Pure Context Mode)
1. Purpose
This skill governs how Claude thinks during the context-building phase of an audit.
When active, Claude will:
- Perform line-by-line / block-by-block code analysis by default.
- Apply First Principles, 5 Whys, and 5 Hows at micro scale.
- Continuously link insights → functions → modules → entire system.
- Maintain a stable, explicit mental model that evolves with new evidence.
- Identify invariants, assumptions, flows, and reasoning hazards.
This skill defines a structured analysis format (see Example: Function Micro-Analysis below) and runs before the vulnerability-hunting phase.
2. When to Use This Skill
Use when:
- Deep comprehension is needed before bug or vulnerability discovery.
- You want bottom-up understanding instead of high-level guessing.
- Reducing hallucinations, contradictions, and context loss is critical.
- Preparing for security auditing, architecture review, or threat modeling.
Do not use for:
- Vulnerability findings
- Fix recommendations
- Exploit reasoning
- Severity/impact rating
3. How This Skill Behaves
When active, Claude will:
- Default to ultra-granular analysis of each block and line.
- Apply micro-level First Principles, 5 Whys, and 5 Hows.
- Build and refine a persistent global mental model.
- Update earlier assumptions when contradicted ("Earlier I thought X; now Y.").
- Periodically anchor summaries to maintain stable context.
- Avoid speculation; express uncertainty explicitly when needed.
Goal: deep, accurate understanding, not conclusions.
Rationalizations (Do Not Skip)
| Rationalization | Why It's Wrong | Required Action |
|---|---|---|
| "I get the gist" | Gist-level understanding misses edge cases | Line-by-line analysis required |
| "This function is simple" | Simple functions compose into complex bugs | Apply 5 Whys anyway |
| "I'll remember this invariant" | You won't. Context degrades. | Write it down explicitly |
| "External call is probably fine" | External = adversarial until proven otherwise | Jump into code or model as hostile |
| "I can skip this helper" | Helpers contain assumptions that propagate | Trace the full call chain |
| "This is taking too long" | Rushed context = hallucinated vulnerabilities later | Slow is fast |
4. Phase 1 — Initial Orientation (Bottom-Up Scan)
Before deep analysis, Claude performs a minimal mapping:
- Identify major modules/files/contracts.
- Note obvious public/external entrypoints.
- Identify likely actors (users, owners, relayers, oracles, other contracts).
- Identify important storage variables, dicts, state structs, or cells.
- Build a preliminary structure without assuming behavior.
This establishes anchors for detailed analysis.
5. Phase 2 — Ultra-Granular Function Analysis (Default Mode)
Every non-trivial function receives full micro analysis.
5.1 Per-Function Microstructure Checklist
For each function:
Purpose
- Why the function exists and its role in the system.
Inputs & Assumptions
- Parameters and implicit inputs (state, sender, env).
- Preconditions and constraints.
Outputs & Effects
- Return values.
- State/storage writes.
- Events/messages.
- External interactions.
Block-by-Block / Line-by-Line Analysis For each logical block:
- What it does.
- Why it appears here (ordering logic).
- What assumptions it relies on.
- What invariants it establishes or maintains.
- What later logic depends on it.
Apply per-block:
- First Principles
- 5 Whys
- 5 Hows
5.2 Cross-Function & External Flow Analysis
(Full Integration of Jump-Into-External-Code Rule)
When encountering calls, continue the same micro-first analysis across boundaries.
Internal Calls
- Jump into the callee immediately.
- Perform block-by-block analysis of relevant code.
- Track flow of data, assumptions, and invariants: caller → callee → return → caller.
- Note if callee logic behaves differently in this specific call context.
External Calls — Two Cases
Case A — External Call to a Contract Whose Code Exists in the Codebase Treat as an internal call:
- Jump into the target contract/function.
- Continue block-by-block micro-analysis.
- Propagate invariants and assumptions seamlessly.
- Consider edge cases based on the actual code, not a black-box guess.
Case B — External Call Without Available Code (True External / Black Box) Analyze as adversarial:
- Describe payload/value/gas or parameters sent.
- Identify assumptions about the target.
- Consider all outcomes:
- revert
- incorrect/strange return values
- unexpected state changes
- misbehavior
- reentrancy (if applicable)
Continuity Rule
Treat the entire call chain as one continuous execution flow. Never reset context. All invariants, assumptions, and data dependencies must propagate across calls.
5.3 Complete Analysis Example
See FUNCTION_MICRO_ANALYSIS_EXAMPLE.md for a complete walkthrough demonstrating:
- Full micro-analysis of a DEX swap function
- Application of First Principles, 5 Whys, and 5 Hows
- Block-by-block analysis with invariants and assumptions
- Cross-function dependency mapping
- Risk analysis for external interactions
This example demonstrates the level of depth and structure required for all analyzed functions.
5.4 Output Requirements
When performing ultra-granular analysis, Claude MUST structure output following the format defined in OUTPUT_REQUIREMENTS.md.
Key requirements:
- Purpose (2-3 sentences minimum)
- Inputs & Assumptions (all parameters, preconditions, trust assumptions)
- Outputs & Effects (returns, state writes, external calls, events, postconditions)
- Block-by-Block Analysis (What, Why here, Assumptions, First Principles/5 Whys/5 Hows)
- Cross-Function Dependencies (internal calls, external calls with risk analysis, shared state)
Quality thresholds:
- Minimum 3 invariants per function
- Minimum 5 assumptions documented
- Minimum 3 risk considerations for external interactions
- At least 1 First Principles application
- At least 3 combined 5 Whys/5 Hows applications
5.5 Completeness Checklist
Before concluding micro-analysis of a function, verify against the COMPLETENESS_CHECKLIST.md:
- Structural Completeness: All required sections present (Purpose, Inputs, Outputs, Block-by-Block, Dependencies)
- Content Depth: Minimum thresholds met (invariants, assumptions, risk analysis, First Principles)
- Continuity & Integration: Cross-references, propagated assumptions, invariant couplings
- Anti-Hallucination: Line number citations, no vague statements, evidence-based claims
Analysis is complete when all checklist items are satisfied and no unresolved "unclear" items remain.
6. Phase 3 — Global System Understanding
After sufficient micro-analysis:
State & Invariant Reconstruction
- Map reads/writes of each state variable.
- Derive multi-function and multi-module invariants.
Workflow Reconstruction
- Identify end-to-end flows (deposit, withdraw, lifecycle, upgrades).
- Track how state transforms across these flows.
- Record assumptions that persist across steps.
Trust Boundary Mapping
- Actor → entrypoint → behavior.
- Identify untrusted input paths.
- Privilege changes and implicit role expectations.
Complexity & Fragility Clustering
- Functions with many assumptions.
- High branching logic.
- Multi-step dependencies.
- Coupled state changes across modules.
These clusters help guide the vulnerability-hunting phase.
7. Stability & Consistency Rules
(Anti-Hallucination, Anti-Contradiction)
Claude must:
Never reshape evidence to fit earlier assumptions. When contradicted:
- Update the model.
- State the correction explicitly.
Periodically anchor key facts Summarize core:
- invariants
- state relationships
- actor roles
- workflows
Avoid vague guesses Use:
- "Unclear; need to inspect X." instead of:
- "It probably…"
Cross-reference constantly Connect new insights to previous state, flows, and invariants to maintain global coherence.
8. Subagent Usage
Claude may spawn subagents for:
- Dense or complex functions.
- Long data-flow or control-flow chains.
- Cryptographic / mathematical logic.
- Complex state machines.
- Multi-module workflow reconstruction.
Use the function-analyzer agent for per-function deep analysis.
It follows the full microstructure checklist, cross-function flow
rules, and quality thresholds defined in this skill, and enforces
the pure-context-building constraint.
Subagents must:
- Follow the same micro-first rules.
- Return summaries that Claude integrates into its global model.
9. Relationship to Other Phases
This skill runs before:
- Vulnerability discovery
- Classification / triage
- Report writing
- Impact modeling
- Exploit reasoning
It exists solely to build:
- Deep understanding
- Stable context
- System-level clarity
10. Non-Goals
While active, Claude should NOT:
- Identify vulnerabilities
- Propose fixes
- Generate proofs-of-concept
- Model exploits
- Assign severity or impact
This is pure context building only.
Decide Fit First
Design Intent
How To Use It
Boundaries And Review