trailofbits
skills
Python

Trail of Bits Claude Code skills for security research, vulnerability detection, and audit workflows

Last updated Jul 8, 2026
6.0k
Stars
533
Forks
29
Issues
+127
Stars/day
Attention Score
86
Topics
Language breakdown
No language data available.
โ–ธ Files click to expand
README

Trail of Bits Skills Marketplace

A Claude Code plugin marketplace from Trail of Bits providing skills to enhance AI-assisted security analysis, testing, and development workflows. Codex can load this marketplace through its Claude marketplace compatibility.

Also see: claude-code-config ยท skills-curated ยท claude-code-devcontainer ยท dropkit

Installation

Claude Code Marketplace

/plugin marketplace add trailofbits/skills

Browse and Install Plugins

/plugin menu

Codex

Codex supports Claude plugin marketplaces directly, so this repository does not need Codex-specific sidecar metadata.

Install the marketplace with:

codex plugin marketplace add trailofbits/skills
codex plugin list
codex plugin add <plugin-name>@trailofbits

Local Development

To add the marketplace locally (e.g., for testing or development), navigate to the parent directory of this repository:

cd /path/to/parent  # e.g., if repo is at ~/projects/skills, be in ~/projects
/plugins marketplace add ./skills

Available Plugins

Smart Contract Security

| Plugin | Description | |--------|-------------| | building-secure-contracts | Smart contract security toolkit with vulnerability scanners for 6 blockchains | | entry-point-analyzer | Identify state-changing entry points in smart contracts for security auditing |

Code Auditing

| Plugin | Description | |--------|-------------| | agentic-actions-auditor | Audit GitHub Actions workflows for AI agent security vulnerabilities | | audit-context-building | Build deep architectural context through ultra-granular code analysis | | burpsuite-project-parser | Search and extract data from Burp Suite project files | | c-review | Comprehensive C/C++ security review with clustered parallel workers and SARIF output | | differential-review | Security-focused differential review of code changes with git history analysis | | dimensional-analysis | Annotate codebases with dimensional analysis comments to detect unit mismatches and formula bugs | | fp-check | Systematic false positive verification for security bug analysis with mandatory gate reviews | | insecure-defaults | Detect insecure default configurations, hardcoded credentials, and fail-open security patterns | | rust-review | Comprehensive Rust security review covering safe/unsafe boundary, memory safety, concurrency, panic-DoS, FFI, and async runtime with SARIF output | | semgrep-rule-creator | Create and refine Semgrep rules for custom vulnerability detection | | semgrep-rule-variant-creator | Port existing Semgrep rules to new target languages with test-driven validation | | sharp-edges | Identify error-prone APIs, dangerous configurations, and footgun designs | | static-analysis | Static analysis toolkit with CodeQL, Semgrep, and SARIF parsing | | supply-chain-risk-auditor | Audit supply-chain threat landscape of project dependencies | | testing-handbook-skills | Skills from the Testing Handbook: fuzzers, static analysis, sanitizers, coverage | | trailmark | Code graph analysis, Mermaid diagrams, mutation testing triage, and protocol verification | | variant-analysis | Find similar vulnerabilities across codebases using pattern-based analysis |

Malware Analysis

| Plugin | Description | |--------|-------------| | yara-authoring | YARA detection rule authoring with linting, atom analysis, and best practices |

Verification

| Plugin | Description | |--------|-------------| | constant-time-analysis | Detect compiler-induced timing side-channels in cryptographic code | | mutation-testing | Configure mewt/muton mutation testing campaigns โ€” scope targets, tune timeouts, optimize long runs | | property-based-testing | Property-based testing guidance for multiple languages and smart contracts | | spec-to-code-compliance | Specification-to-code compliance checker for blockchain audits | | zeroize-audit | Detect missing or compiler-eliminated zeroization of secrets in C/C++ and Rust |

Reverse Engineering

| Plugin | Description | |--------|-------------| | dwarf-expert | Interact with and understand the DWARF debugging format |

Mobile Security

| Plugin | Description | |--------|-------------| | firebase-apk-scanner | Scan Android APKs for Firebase security misconfigurations |

Development

| Plugin | Description | |--------|-------------| | ask-questions-if-underspecified | Clarify requirements before implementing | | devcontainer-setup | Create pre-configured devcontainers with Claude Code and language-specific tooling | | gh-cli | Intercept GitHub URL fetches and redirect to the authenticated gh CLI | | git-cleanup | Safely clean up git worktrees and local branches with gated confirmation workflow | | let-fate-decide | Draw Tarot cards using cryptographic randomness to add entropy to vague planning | | modern-python | Modern Python tooling and best practices with uv, ruff, and pytest | | seatbelt-sandboxer | Generate minimal macOS Seatbelt sandbox configurations | | second-opinion | Run code reviews using external LLM CLIs (OpenAI Codex, Google Gemini) on changes, diffs, or commits. Bundles Codex's built-in MCP server. | | skill-improver | Iterative skill refinement loop using automated fix-review cycles | | workflow-skill-design | Design patterns for workflow-based Claude Code skills with review agent |

Team Management

| Plugin | Description | |--------|-------------| | culture-index | Interpret Culture Index survey results for individuals and teams |

Tooling

| Plugin | Description | |--------|-------------| | claude-in-chrome-troubleshooting | Diagnose and fix Claude in Chrome MCP extension connectivity issues |

Infrastructure

| Plugin | Description | |--------|-------------| | debug-buttercup | Debug Buttercup Kubernetes deployments |

Trophy Case

Bugs discovered using Trail of Bits Skills. Found something? Let us know!

When reporting bugs you've found, feel free to mention:

Found using Trail of Bits Skills

| Skill | Bug | |-------|-----| | constant-time-analysis | Timing side-channel in ML-DSA signing |

Contributing

We welcome contributions! Please see CLAUDE.md for skill authoring guidelines.

License

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. Made by Trail of Bits.

ยฉ 2026 GitRepoTrend ยท trailofbits/skills ยท Updated daily from GitHub