Trail of Bits Skills Marketplace
A Claude Code plugin marketplace from Trail of Bits providing skills to enhance AI-assisted security analysis, testing, and development workflows. Codex can load this marketplace through its Claude marketplace compatibility.
Also see: claude-code-config · skills-curated · claude-code-devcontainer · dropkit
Installation
Claude Code Marketplace
/plugin marketplace add trailofbits/skills
Browse and Install Plugins
/plugin menu
Codex
Codex supports Claude plugin marketplaces directly, so this repository does not need Codex-specific sidecar metadata.
Install the marketplace with:
```shell
codex plugin marketplace add trailofbits/skills
codex plugin list
codex plugin add <plugin-name>@trailofbits
```
Local Development
To add the marketplace locally (e.g., for testing or development), navigate to the parent directory of this repository:
```
cd /path/to/parent # e.g., if repo is at ~/projects/skills, be in ~/projects
/plugin marketplace add ./skills
```
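A quick way to confirm that the path you are about to pass to `/plugin marketplace add` really is a marketplace checkout, and to see which plugins it declares, before touching Claude Code. This is an added example, not code from the trailofbits/skills repository; it assumes that a Claude Code marketplace keeps its manifest at `.claude-plugin/marketplace.json` with a pretty-printed `plugins` array whose entries have a `name` field, and the manifest it creates is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the trailofbits/skills repository: sanity-check a
# local marketplace checkout before running `/plugin marketplace add ./skills`
# from its parent directory. Assumption: a Claude Code marketplace keeps its
# manifest at .claude-plugin/marketplace.json with a "plugins" array whose
# entries carry a "name" field, and the manifest is pretty-printed with the
# "plugins" key after the marketplace's own "name"/"owner" fields.

# Print the plugin names declared by the marketplace at $1, one per line.
# Returns 1 (with a message on stderr) if $1 is not a marketplace checkout,
# which is the usual symptom of running the add command from the wrong cwd.
list_marketplace_plugins() {
    manifest="$1/.claude-plugin/marketplace.json"
    if [ ! -f "$manifest" ]; then
        echo "no marketplace manifest at $manifest (are you in the parent directory?)" >&2
        return 1
    fi
    # Dependency-free extraction (no jq): keep the text from the "plugins" key
    # onward, then pull every "name": "..." value out of it.
    sed -n '/"plugins"/,$p' "$manifest" \
        | grep -o '"name"[[:space:]]*:[[:space:]]*"[^"]*"' \
        | sed 's/.*:[[:space:]]*"\([^"]*\)"/\1/'
}

# Build a constructed marketplace checkout under a temp directory and print
# its path. The manifest content is made up for this example.
make_example_marketplace() {
    root=$(mktemp -d)
    mkdir -p "$root/skills/.claude-plugin"
    cat > "$root/skills/.claude-plugin/marketplace.json" <<'EOF'
{
  "name": "trailofbits",
  "owner": { "name": "Trail of Bits" },
  "plugins": [
    { "name": "c-review", "source": "./plugins/c-review" },
    { "name": "rust-review", "source": "./plugins/rust-review" }
  ]
}
EOF
    echo "$root/skills"
}

# Usage: inspect the constructed checkout, then show the failure for a bogus path.
example_dir=$(make_example_marketplace)
list_marketplace_plugins "$example_dir"
list_marketplace_plugins "$example_dir/does-not-exist" || echo "check failed as expected"
```

Run it from the directory that contains your clone (`list_marketplace_plugins ./skills`); an empty result or the manifest-not-found message means the relative path, not the marketplace, is the problem.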
Available Plugins
Smart Contract Security
Code Auditing
| Plugin | Description |
|---|---|
| agentic-actions-auditor | Audit GitHub Actions workflows for AI agent security vulnerabilities |
| audit-context-building | Build deep architectural context through ultra-granular code analysis |
| burpsuite-project-parser | Search and extract data from Burp Suite project files |
| c-review | Comprehensive C/C++ security review with clustered parallel workers and SARIF output |
| differential-review | Security-focused differential review of code changes with git history analysis |
| dimensional-analysis | Annotate codebases with dimensional analysis comments to detect unit mismatches and formula bugs |
| fp-check | Systematic false positive verification for security bug analysis with mandatory gate reviews |
| insecure-defaults | Detect insecure default configurations, hardcoded credentials, and fail-open security patterns |
| rust-review | Comprehensive Rust security review covering the safe/unsafe boundary, memory safety, concurrency, panic-DoS, FFI, and async runtime with SARIF output |
| semgrep-rule-creator | Create and refine Semgrep rules for custom vulnerability detection |
| semgrep-rule-variant-creator | Port existing Semgrep rules to new target languages with test-driven validation |
| sharp-edges | Identify error-prone APIs, dangerous configurations, and footgun designs |
| static-analysis | Static analysis toolkit with CodeQL, Semgrep, and SARIF parsing |
| supply-chain-risk-auditor | Audit the supply-chain threat landscape of project dependencies |
| testing-handbook-skills | Skills from the Testing Handbook: fuzzers, static analysis, sanitizers, coverage |
| trailmark | Code graph analysis, Mermaid diagrams, mutation testing triage, and protocol verification |
| variant-analysis | Find similar vulnerabilities across codebases using pattern-based analysis |
Malware Analysis
| Plugin | Description |
|---|---|
| yara-authoring | YARA detection rule authoring with linting, atom analysis, and best practices |
Verification
| Plugin | Description |
|---|---|
| constant-time-analysis | Detect compiler-induced timing side-channels in cryptographic code |
| mutation-testing | Configure mewt/muton mutation testing campaigns: scope targets, tune timeouts, optimize long runs |
| property-based-testing | Property-based testing guidance for multiple languages and smart contracts |
| spec-to-code-compliance | Specification-to-code compliance checker for blockchain audits |
| zeroize-audit | Detect missing or compiler-eliminated zeroization of secrets in C/C++ and Rust |
Reverse Engineering
| Plugin | Description |
|---|---|
| dwarf-expert | Interact with and understand the DWARF debugging format |
Mobile Security
Development
| Plugin | Description |
|---|---|
| ask-questions-if-underspecified | Clarify requirements before implementing |
| devcontainer-setup | Create pre-configured devcontainers with Claude Code and language-specific tooling |
| gh-cli | Intercept GitHub URL fetches and redirect them to the authenticated gh CLI |
| git-cleanup | Safely clean up git worktrees and local branches with a gated confirmation workflow |
| let-fate-decide | Draw Tarot cards using cryptographic randomness to add entropy to vague planning |
| modern-python | Modern Python tooling and best practices with uv, ruff, and pytest |
| seatbelt-sandboxer | Generate minimal macOS Seatbelt sandbox configurations |
| second-opinion | Run code reviews using external LLM CLIs (OpenAI Codex, Google Gemini) on changes, diffs, or commits. Bundles Codex's built-in MCP server. |
| skill-improver | Iterative skill refinement loop using automated fix-review cycles |
| workflow-skill-design | Design patterns for workflow-based Claude Code skills with a review agent |
Team Management
| Plugin | Description |
|---|---|
| culture-index | Interpret Culture Index survey results for individuals and teams |
Tooling
Infrastructure
Trophy Case
Bugs discovered using Trail of Bits Skills. Found something? Let us know!
When reporting bugs you've found, feel free to mention:
Found using Trail of Bits Skills
Contributing
We welcome contributions! Please see CLAUDE.md for skill authoring guidelines.
License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. Made by Trail of Bits.