github.com/trailofbits/skills @main sqlite
Trail of Bits Skills Marketplace

A Claude Code plugin marketplace from Trail of Bits providing skills to enhance AI-assisted security analysis, testing, and development workflows. Codex can load this marketplace through its Claude marketplace compatibility.

Also see: claude-code-config · skills-curated · claude-code-devcontainer · dropkit

Installation

Claude Code Marketplace

/plugin marketplace add trailofbits/skills

Browse and Install Plugins

/plugin menu

Codex

Codex supports Claude plugin marketplaces directly, so this repository does not need Codex-specific sidecar metadata.

Install the marketplace with:

codex plugin marketplace add trailofbits/skills
codex plugin list
codex plugin add <plugin-name>@trailofbits

Local Development

To add the marketplace locally (e.g., for testing or development), navigate to the parent directory of this repository:

cd /path/to/parent  # e.g., if repo is at ~/projects/skills, be in ~/projects
/plugin marketplace add ./skills

Available Plugins

Smart Contract Security

| Plugin | Description |
|---|---|
| building-secure-contracts | Smart contract security toolkit with vulnerability scanners for 6 blockchains |
| entry-point-analyzer | Identify state-changing entry points in smart contracts for security auditing |

Code Auditing

| Plugin | Description |
|---|---|
| agentic-actions-auditor | Audit GitHub Actions workflows for AI agent security vulnerabilities |
| audit-context-building | Build deep architectural context through ultra-granular code analysis |
| burpsuite-project-parser | Search and extract data from Burp Suite project files |
| c-review | Comprehensive C/C++ security review with clustered parallel workers and SARIF output |
| differential-review | Security-focused differential review of code changes with git history analysis |
| dimensional-analysis | Annotate codebases with dimensional analysis comments to detect unit mismatches and formula bugs |
| fp-check | Systematic false positive verification for security bug analysis with mandatory gate reviews |
| insecure-defaults | Detect insecure default configurations, hardcoded credentials, and fail-open security patterns |
| rust-review | Comprehensive Rust security review covering safe/unsafe boundary, memory safety, concurrency, panic-DoS, FFI, and async runtime with SARIF output |
| semgrep-rule-creator | Create and refine Semgrep rules for custom vulnerability detection |
| semgrep-rule-variant-creator | Port existing Semgrep rules to new target languages with test-driven validation |
| sharp-edges | Identify error-prone APIs, dangerous configurations, and footgun designs |
| static-analysis | Static analysis toolkit with CodeQL, Semgrep, and SARIF parsing |
| supply-chain-risk-auditor | Audit supply-chain threat landscape of project dependencies |
| testing-handbook-skills | Skills from the Testing Handbook: fuzzers, static analysis, sanitizers, coverage |
| trailmark | Code graph analysis, Mermaid diagrams, mutation testing triage, and protocol verification |
| variant-analysis | Find similar vulnerabilities across codebases using pattern-based analysis |
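Several of the plugins above (c-review, rust-review, static-analysis) exchange findings as SARIF 2.1.0 logs, so the first thing a practitioner needs is a reliable reader for that format. The following is an added example, not code from the trailofbits/skills repository: it resolves each result's rule (by `ruleId` or `ruleIndex`), derives the effective severity level (explicit `level`, else the rule's `defaultConfiguration.level`, else the spec's default of `warning`), enumerates locations, summarizes by level/rule/file, and applies a CI-style gate. The SARIF document, rule ids and file paths are constructed inline for the demonstration.

```python
"""Parse and summarize a SARIF 2.1.0 log.
Added example, not part of the trailofbits/skills repository. The log below
is constructed inline; its rule ids, messages and paths are made up."""
import json
from collections import Counter

# Constructed sample: one run, two rules, three results in two files.
# The second result omits "level", so it must inherit the rule's default.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-scanner",
            "rules": [
                {"id": "example/unchecked-length",
                 "defaultConfiguration": {"level": "error"}},
                {"id": "example/insecure-api",
                 "defaultConfiguration": {"level": "warning"}},
            ],
        }},
        "results": [
            {"ruleId": "example/unchecked-length", "level": "error",
             "message": {"text": "len copied into fixed buffer"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/parse.c"},
                 "region": {"startLine": 42}}}]},
            {"ruleIndex": 1,  # refers to rules[1], no ruleId given
             "message": {"text": "strcpy without bound"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/parse.c"},
                 "region": {"startLine": 58}}}]},
            {"ruleId": "example/insecure-api", "level": "note",
             "message": {"text": "strcpy of constant string"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.c"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})

def driver_rules(run):
    """Return the run's rule descriptors (tool.driver.rules), or [] if absent."""
    return run.get("tool", {}).get("driver", {}).get("rules", [])

def resolve_rule(result, rules):
    """Find the rule descriptor for a result via ruleId, else ruleIndex."""
    rule_id = result.get("ruleId")
    if rule_id is None:
        idx = result.get("ruleIndex", -1)
        return rules[idx] if 0 <= idx < len(rules) else {}
    # Unknown ruleId: keep the id so the finding is still attributable.
    return next((r for r in rules if r.get("id") == rule_id), {"id": rule_id})

def effective_level(result, rule):
    """result.level wins; else the rule's defaultConfiguration.level;
    else "warning", the SARIF default for a failing result."""
    if "level" in result:
        return result["level"]
    return rule.get("defaultConfiguration", {}).get("level", "warning")

def iter_findings(sarif_text):
    """Yield (rule_id, level, uri, start_line, message) per result location."""
    log = json.loads(sarif_text)
    for run in log.get("runs", []):
        rules = driver_rules(run)
        for res in run.get("results", []):
            rule = resolve_rule(res, rules)
            level = effective_level(res, rule)
            msg = res.get("message", {}).get("text", "")
            # A result with no locations still counts; emit it once with unknowns.
            for loc in res.get("locations") or [{}]:
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
                line = phys.get("region", {}).get("startLine")
                yield (rule.get("id", "<no-rule>"), level, uri, line, msg)

def summarize(sarif_text):
    """Counts by level, rule and file: the shape a triage report starts from."""
    findings = list(iter_findings(sarif_text))
    return {
        "total": len(findings),
        "by_level": dict(Counter(f[1] for f in findings)),
        "by_rule": dict(Counter(f[0] for f in findings)),
        "by_file": dict(Counter(f[2] for f in findings)),
    }

def gate(sarif_text, fail_on=("error",)):
    """CI gate: True only if no finding sits at a blocking level."""
    return all(lvl not in fail_on for _, lvl, _, _, _ in iter_findings(sarif_text))

if __name__ == "__main__":
    for rule_id, level, uri, line, msg in iter_findings(SAMPLE_SARIF):
        print(f"{level:<8} {uri}:{line}  {rule_id}: {msg}")
    print(summarize(SAMPLE_SARIF), "gate:", "PASS" if gate(SAMPLE_SARIF) else "FAIL")
```

The level fallback matters in practice: Semgrep and CodeQL often omit `level` on individual results and rely on the rule's `defaultConfiguration`, so a reader that looks only at `result.level` silently downgrades or drops findings.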

Malware Analysis

| Plugin | Description |
|---|---|
| yara-authoring | YARA detection rule authoring with linting, atom analysis, and best practices |

Verification

| Plugin | Description |
|---|---|
| constant-time-analysis | Detect compiler-induced timing side-channels in cryptographic code |
| mutation-testing | Configure mewt/muton mutation testing campaigns: scope targets, tune timeouts, optimize long runs |
| property-based-testing | Property-based testing guidance for multiple languages and smart contracts |
| spec-to-code-compliance | Specification-to-code compliance checker for blockchain audits |
| zeroize-audit | Detect missing or compiler-eliminated zeroization of secrets in C/C++ and Rust |

Reverse Engineering

| Plugin | Description |
|---|---|
| dwarf-expert | Interact with and understand the DWARF debugging format |

Mobile Security

| Plugin | Description |
|---|---|
| firebase-apk-scanner | Scan Android APKs for Firebase security misconfigurations |

Development

| Plugin | Description |
|---|---|
| ask-questions-if-underspecified | Clarify requirements before implementing |
| devcontainer-setup | Create pre-configured devcontainers with Claude Code and language-specific tooling |
| gh-cli | Intercept GitHub URL fetches and redirect to the authenticated gh CLI |
| git-cleanup | Safely clean up git worktrees and local branches with gated confirmation workflow |
| let-fate-decide | Draw Tarot cards using cryptographic randomness to add entropy to vague planning |
| modern-python | Modern Python tooling and best practices with uv, ruff, and pytest |
| seatbelt-sandboxer | Generate minimal macOS Seatbelt sandbox configurations |
| second-opinion | Run code reviews using external LLM CLIs (OpenAI Codex, Google Gemini) on changes, diffs, or commits. Bundles Codex's built-in MCP server. |
| skill-improver | Iterative skill refinement loop using automated fix-review cycles |
| workflow-skill-design | Design patterns for workflow-based Claude Code skills with review agent |

Team Management

| Plugin | Description |
|---|---|
| culture-index | Interpret Culture Index survey results for individuals and teams |

Tooling

| Plugin | Description |
|---|---|
| claude-in-chrome-troubleshooting | Diagnose and fix Claude in Chrome MCP extension connectivity issues |

Infrastructure

| Plugin | Description |
|---|---|
| debug-buttercup | Debug Buttercup Kubernetes deployments |

Trophy Case

Bugs discovered using Trail of Bits Skills. Found something? Let us know!

When reporting bugs you've found, feel free to mention:

Found using Trail of Bits Skills

| Skill | Bug |
|---|---|
| constant-time-analysis | Timing side-channel in ML-DSA signing |

Contributing

We welcome contributions! Please see CLAUDE.md for skill authoring guidelines.

License

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. Made by Trail of Bits.
