audit_context_skill

This skill helps you rapidly build a mental model of a codebase before vulnerability hunting by mapping assets, roles, and threats.

10

GitHub Stars

1

Bundled Files

3 weeks ago

Catalog Refreshed

2 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstart where the catalogue uses aiagentskills.

npx veilstart add skill multiversx/mx-ai-skills --skill audit_context

  • SKILL.md2.9 KB

Overview

This skill provides practical guidelines to quickly build context for a smart contract audit before deep vulnerability hunting. It focuses on reconnaissance, system mapping, initial threat modeling, and environment checks so auditors can prioritize effort and scope the review. The result is a compact Audit Context Report that drives testing and deeper analysis.

How this skill works

The skill walks auditors through reconnaissance to locate core logic, documentation, and external interactions. It then guides creation of a system map (roles, assets, state), enumerates entry points, and performs an initial threat model listing attacker profiles and assets at risk. Finally it checks the environment (framework versions, test suite presence) and outputs a structured Audit Context Report to use as a baseline for the audit.

When to use it

  • At the start of any smart contract or on-chain component audit
  • When onboarding a new codebase to quickly prioritize review effort
  • Before writing or running exploit PoCs or fuzzing campaigns
  • When deciding audit scope: upgrades, DeFi, or multi-contract systems
  • When a rapid triage is needed for bug bounty triage or security reviews

Best practices

  • Identify core logic and money flows first (endpoints and payable markers) to prioritize risk
  • Map roles, assets, and stored state clearly; document permissions for each endpoint
  • List all external contracts and hardcoded addresses; classify interaction types (sync/async/proxy)
  • Enumerate all endpoints and check which lack access checks or modifiers
  • Run environment checks: framework version, build config, and whether tests exist and are current

Example use cases

  • Audit kickoff: produce a concise context report for the security team and stakeholders
  • Bug bounty triage: rapidly determine whether a report affects core assets or is out-of-scope
  • Red-team planning: identify highest-risk entry points and attacker profiles to craft PoCs
  • Regulatory/compliance review: map asset flows and roles to ensure controls are present
  • Integration review: assess external dependencies and async call graphs before composing multi-contract systems

FAQ

Complete when all roles and permissions are documented, assets and flows are mapped, external dependencies identified, at least one risk per attacker profile listed, and scope flags (upgrade/DeFi/multi-contract) are set.

What if the codebase lacks tests or docs?

Flag the absence in the report, prioritize creating simple unit/scenario tests for core flows, and treat external interactions as higher risk until validated.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational