Auditing is finding bugs others missed. Evolution of solving smart contract security (aka how to find bugs in 2026): ❌ Static analysis is blind to logic ❌ Fuzzing may find logic bugs by accident, but is blind to integrations ❌ Invariant fuzzing covers logic state, but blind to spec gaps and unknown invariants ❌ Formal verification proves what you specify, but blind to what you didn't specify ❌ Spec-to-code compliance catches spec gaps, but blind to implicit assumptions never written ❌ Human adversarial reasoning covers the rest - but doesn't scale ❌ AI pattern reasoning scales human thinking based on past patterns, but not novel ones ("This looks like a reentrancy. I've seen reentrancy before. check for reentrancy.") 👾👾👾 Then there was first-principles reasoning "This contract holds ETH. ETH can move. Who controls when it moves? What happens if it moves at an unexpected time? What state is inconsistent if that happens?" With Claude Code Skills in 2026 we can remove the blind spot, but it requires: 🧠 deep domain expertise 🥷 creativity 💰 funds AI skills are the solution for first-principle reasoning. however, auditors ignore the 3 requirements. They do so by: ❌🧠 Skipping the domain expertise, and asking AI to generate the checklists ❌🥷 Skipping creativity by copying each others fully AI-generated logic ❌💰 Careless on token spend The alpha is that to find bugs in 2026 you need to work in researching the deep extra specific domain expertise, add your creativity and personal takes to it, and optimize it like every word matters (which it does). This doesn't scale right away but it does over time. Exactly how it's done today: 👉 3 terminal tabs, each running tmux with 2-4 claude code panes 👉 claude sonnet 4.6 🪨 caveman skill for token optimization 🧠 obsidian vault for memory and organization 👉 secret ingredient: research what you audit 🧪 occasional experiments with guest skills from our community's finest If you are doing this too, interested to learn and research together and want to hunt bugs - we should be friends Comment below, and I'll DM 🤍

npm finally fights supply chain attacks with v12 (July 2026) blocking install scripts by default. Here's how to adapt early without breaking your CI 🧵 What's changing: • preinstall/install/postinstall scripts → blocked by default • Git dependencies → blocked by default • Remote URL deps → blocked by default The fix is creating a one-time allowlist per repo: 💻 npm install 💻 npm approve-scripts --all 💻 git commit -m "chore: allowlist install scripts" This snapshots exactly what's trusted today and only new unknown scripts are blocked automatically going forward. CI adaptation playbook: 1. Upgrade to npm 11.16.0 2. Run the approve-scripts commands above 3. Add --strict-allow-scripts to your pipeline Now jobs will fail loudly if anything unreviewed tries to run. Source: github.com/orgs/community/di…

Thanks to everyone who came out for the Auditware × @ProtocolLabs OpSec workshop in NYC yesterday 🫂 If you attended or want to dig into these topics: Workshop Slides: canva.link/eo2u3yczkv20blz Free 1-hr OpSec Training (tailored to your team): calendly.com/joe-auditware/o… Full OpSec Audit to go deeper on your security posture: auditware.io/audits/opsec Questions? Reply or DM us 💜

Inspiring use of AI to visualize attack TLDRs ❗️

My talk is tomorrow. It’s 100% the most exciting talk about operational security you have ever seen. Don’t miss it! But if you do, don’t worry it will be recorded and I’ll post the slides after 😎

7/ AuditWare (@audit_wizard) OpSec Workshop (June 9) A hands-on workshop covering practical security practices, incident response, key management, and organizational OpSec. luma.com/cg5bv83p

Nice to know that the auditor registry's static rules are better than these giants Just blind tested the first one from the @trailofbits repo and got an instant raised concern on the pattern obfuscation: forefy.com/skill-scan/79b7a8… github.com/trailofbits/overt… BUT still have to investigate the rest, and I am sure that an incentivized-enough attacker can break all the deterministic checks (and guardrails) - don't need to test to say that. There isn't a by-design fix for this, except the human auditing layer. On the skills registry each published skilled has a clear mark of "Audited" v.s. "Not Audited" - this is the result of trusted community researchers taking their time to code-review and validate the skill, and not rely on static methods which. The solution is simple code review, assisted by heuristic-based review assists. That same scanning logic is open-sourced to github.com/W3OSC/skill-warde…

Hey Protocol Labs founders and builders 👋 We're hosting a hands-on OpSec workshop exclusively for @ProtocolLabs portfolio founders and developers in New York City. 🗓️ Tuesday, June 9 · 10:00 – 11:00 AM 📍OASIS by Workville, NYC We'll be covering practical security practices for teams building in Web3: → Key management & storage → Device security → Wallet & multisig handling → Incident response fundamentals → Auth & security policies Led by our CEO, @joe_vanloon Want a head start or can't make it in person? Check out the training materials here: auditware.io/opsec-training Grab your spot below 👇 luma.com/cg5bv83p See you there!

I'm in love with this saas deployment GDPR-vibe-bypass architecture Bring Your Own Cloud Taken from ClickHouse public docs - perfect demonstration of how to deploy software to customer cloud infrastructure, while keeping them still regulated on their own terms (they are in-charge of the infrastructure and data retainment, you still manage updates and fixes)

agent-onboarding skill is another easy trick to enforce agents to "register" to a workforce ‼️ not only for devs, but useful for audits too I know there are many built-in team features in various solutions, tbh there's also just git lol but if you just want to randomly run 5 different agents on the same codebase with minimal collisions and 0 setup you just invoke this at the stat of each context the agent will: - give itself a name based on contextual purpose - read current project TODO.md (or create one) - will constantly look out for join work - update the tasks on the TODO when done quite cool for coverage tracking too 😇 forefy.com/skills/32ddc285-0…

!!!

tiny-auditor is a skill of 48 lines that was hand-crafted based on 10 years of experience in writing not trying to show off, but this is how we need skills to be made: ✏️ Author > author's linkedin history matches what the skill does > it takes a few hours to write down without AI, but it took a decade of hard work an real expertise to learn enough to even know what are the sweet spots 🤖 No AI > knowledge is not enough, if you dilute it with AI writing the skill for you based on your instructions (increases token cost) 👨‍🏭 Write while doing the WORK > it needs to be polished WHILE working with it, for example if you are writing a report manully you are more focused on the edge cases of the skill user because you are one, without active work on the side it won't be as good In 10 years I must've issued thousand of reports, reviewed, presented to fortune 500 customers and board members, got feedback, got burned, reiterated, written knowledgebases - you get it. I put all that experience and all my focus to write how a PERFECT security report should look like Please share your thoughts! these are the skills we need, not mega-AI spam from all directions forefy.com/skills/1c0ebab8-2…

npm user? ➡️ One small change to stay safe, FREE Add these aliases ➡️ pkg installs forbid using known malware I run this: - locally, to stay safe - in my CI to detect compromised transitive dependencies early for my lib consumers

📝 supply-chainability term to describe how much your devs are prone to get rekt by a supply chain attack how much would you say is an average supplychainability % in a small dev team nowadays?

Claude Code steering behaviour that causes your agent to forget stuff: (for devs and auditors alike) > implement X >> Thinking... > oh also implement Y the latter creates an interrupt signal that will cause X to finish half-way, creating hidden slop FIX: > implement X >> Thinking... > side job: implement Y depending on the task it will auto trigger a background task or just be clearly instructed that this is not a steer but an added request Also token-efficient!