Skip to content

thescribedevelopment/skills

 
 

Repository files navigation

Trail of Bits Skills Marketplace

A Claude Code plugin marketplace from Trail of Bits providing skills to enhance AI-assisted security analysis, testing, and development workflows. Codex can load this marketplace through its Claude marketplace compatibility.

Also see: claude-code-config · skills-curated · claude-code-devcontainer · dropkit

Installation

Claude Code Marketplace

/plugin marketplace add trailofbits/skills

Browse and Install Plugins

/plugin menu

Codex

Codex supports Claude plugin marketplaces directly, so this repository does not need Codex-specific sidecar metadata.

Install the marketplace with:

codex plugin marketplace add trailofbits/skills
codex plugin list
codex plugin add <plugin-name>@trailofbits

Local Development

To add the marketplace locally (e.g., for testing or development), navigate to the parent directory of this repository:

cd /path/to/parent  # e.g., if repo is at ~/projects/skills, be in ~/projects
/plugins marketplace add ./skills

Available Plugins

Smart Contract Security

Plugin Description
building-secure-contracts Smart contract security toolkit with vulnerability scanners for 6 blockchains
entry-point-analyzer Identify state-changing entry points in smart contracts for security auditing

Code Auditing

Plugin Description
agentic-actions-auditor Audit GitHub Actions workflows for AI agent security vulnerabilities
audit-context-building Build deep architectural context through ultra-granular code analysis
burpsuite-project-parser Search and extract data from Burp Suite project files
c-review Comprehensive C/C++ security review with clustered parallel workers and SARIF output
differential-review Security-focused differential review of code changes with git history analysis
dimensional-analysis Annotate codebases with dimensional analysis comments to detect unit mismatches and formula bugs
fp-check Systematic false positive verification for security bug analysis with mandatory gate reviews
insecure-defaults Detect insecure default configurations, hardcoded credentials, and fail-open security patterns
rust-review Comprehensive Rust security review covering safe/unsafe boundary, memory safety, concurrency, panic-DoS, FFI, and async runtime with SARIF output
semgrep-rule-creator Create and refine Semgrep rules for custom vulnerability detection
semgrep-rule-variant-creator Port existing Semgrep rules to new target languages with test-driven validation
sharp-edges Identify error-prone APIs, dangerous configurations, and footgun designs
static-analysis Static analysis toolkit with CodeQL, Semgrep, and SARIF parsing
supply-chain-risk-auditor Audit supply-chain threat landscape of project dependencies
testing-handbook-skills Skills from the Testing Handbook: fuzzers, static analysis, sanitizers, coverage
trailmark Code graph analysis, Mermaid diagrams, mutation testing triage, and protocol verification
variant-analysis Find similar vulnerabilities across codebases using pattern-based analysis

Malware Analysis

Plugin Description
yara-authoring YARA detection rule authoring with linting, atom analysis, and best practices

Verification

Plugin Description
constant-time-analysis Detect compiler-induced timing side-channels in cryptographic code
mutation-testing Configure mewt/muton mutation testing campaigns — scope targets, tune timeouts, optimize long runs
property-based-testing Property-based testing guidance for multiple languages and smart contracts
spec-to-code-compliance Specification-to-code compliance checker for blockchain audits
zeroize-audit Detect missing or compiler-eliminated zeroization of secrets in C/C++ and Rust

Reverse Engineering

Plugin Description
dwarf-expert Interact with and understand the DWARF debugging format

Mobile Security

Plugin Description
firebase-apk-scanner Scan Android APKs for Firebase security misconfigurations

Development

Plugin Description
ask-questions-if-underspecified Clarify requirements before implementing
devcontainer-setup Create pre-configured devcontainers with Claude Code and language-specific tooling
gh-cli Intercept GitHub URL fetches and redirect to the authenticated gh CLI
git-cleanup Safely clean up git worktrees and local branches with gated confirmation workflow
let-fate-decide Draw Tarot cards using cryptographic randomness to add entropy to vague planning
modern-python Modern Python tooling and best practices with uv, ruff, and pytest
seatbelt-sandboxer Generate minimal macOS Seatbelt sandbox configurations
second-opinion Run code reviews using external LLM CLIs (OpenAI Codex, Google Gemini) on changes, diffs, or commits. Bundles Codex's built-in MCP server.
skill-improver Iterative skill refinement loop using automated fix-review cycles
workflow-skill-design Design patterns for workflow-based Claude Code skills with review agent

Team Management

Plugin Description
culture-index Interpret Culture Index survey results for individuals and teams

Tooling

Plugin Description
claude-in-chrome-troubleshooting Diagnose and fix Claude in Chrome MCP extension connectivity issues

Infrastructure

Plugin Description
debug-buttercup Debug Buttercup Kubernetes deployments

Trophy Case

Bugs discovered using Trail of Bits Skills. Found something? Let us know!

When reporting bugs you've found, feel free to mention:

Found using Trail of Bits Skills

Skill Bug
constant-time-analysis Timing side-channel in ML-DSA signing

Contributing

We welcome contributions! Please see CLAUDE.md for skill authoring guidelines.

License

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. Made by Trail of Bits.

About

Trail of Bits Claude Code skills for security research, vulnerability detection, and audit workflows

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages

  • Python 72.1%
  • Shell 19.3%
  • YARA 2.1%
  • CodeQL 1.1%
  • C 0.8%
  • Swift 0.5%
  • Other 4.1%