Logo
Agent Skills Guide
trailofbits/skills logo

trailofbits/skills

Trail of Bits Claude Code skills for security research, vulnerability detection, and audit workflows

16 skills published1,761 starsGitHub

modern-python

@trailofbits/skills

2166

Modern Python best practices. Use when creating new Python projects, and writing Python scripts, or migrating existing projects from legacy tools.

Software Development

token-integration-analyzer

@trailofbits/skills

1895

Comprehensive token integration and implementation analyzer based on Trail of Bits' token integration checklist. Analyzes token implementations for ERC20/ERC721 conformity, checks for 20+ weird token patterns, assesses contract composition and owner privileges, performs on-chain scarcity analysis, and evaluates how protocols handle non-standard tokens. Context-aware for both token implementations and token integrations. (project, gitignored)

Software Development

testing-handbook-generator

@trailofbits/skills

1761

Meta-skill that analyzes the Trail of Bits Testing Handbook (appsec.guide) and generates Claude Code skills for security testing tools and techniques. Use when creating new skills based on handbook content.

Software Development

atheris

@trailofbits/skills

1761

Atheris is a coverage-guided Python fuzzer based on libFuzzer. Use for fuzzing pure Python code and Python C extensions.

Software Development

semgrep-rule-variant-creator

@trailofbits/skills

1761

Creates language variants of existing Semgrep rules. Use when porting a Semgrep rule to specified target languages. Takes an existing rule and target languages as input, produces independent rule+test directories for each language.

Software Development

wycheproof

@trailofbits/skills

1761

Wycheproof provides test vectors for validating cryptographic implementations. Use when testing crypto code for known attacks and edge cases.

Software Development

burp-suite

@trailofbits/skills

1761

Burp Suite Professional is an HTTP interception proxy with numerous security testing features. Use when testing web applications for security vulnerabilities.

DevOps & Infrastructure

constant-time-analysis

@trailofbits/skills

1761

Detects timing side-channel vulnerabilities in cryptographic code. Use when implementing or reviewing crypto code, encountering division on secrets, secret-dependent branches, or constant-time programming questions in C, C++, Go, Rust, Swift, Java, Kotlin, C#, PHP, JavaScript, TypeScript, Python, or Ruby.

Software Development

semgrep-rule-creator

@trailofbits/skills

1761

Create custom Semgrep rules for detecting bug patterns and security vulnerabilities. This skill should be used when the user explicitly asks to "create a Semgrep rule", "write a Semgrep rule", "make a Semgrep rule", "build a Semgrep rule", or requests detection of a specific bug pattern, vulnerability, or insecure code pattern using Semgrep.

Software Development

variant-analysis

@trailofbits/skills

1761

Find similar vulnerabilities and bugs across codebases using pattern-based analysis. Use when hunting bug variants, building CodeQL/Semgrep queries, analyzing security vulnerabilities, or performing systematic code audits after finding an initial issue.

Software Development

fix-review

@trailofbits/skills

1761

Verifies that git commits address security audit findings without introducing bugs. This skill should be used when the user asks to "verify these commits fix the audit findings", "check if TOB-XXX was addressed", "review the fix branch", "validate remediation commits", "did these changes address the security report", "post-audit remediation review", "compare fix commits to audit report", or when reviewing commits against security audit reports.

Software Development

semgrep

@trailofbits/skills

1761

Run Semgrep static analysis for fast security scanning and pattern matching. Use when asked to scan code with Semgrep, write custom YAML rules, find vulnerabilities quickly, use taint mode, or set up Semgrep in CI/CD pipelines.

Software Development

fuzzing-dictionary

@trailofbits/skills

1761

Fuzzing dictionaries guide fuzzers with domain-specific tokens. Use when fuzzing parsers, protocols, or format-specific code.

Software Development

entry-point-analyzer

@trailofbits/skills

1761

Analyzes smart contract codebases to identify state-changing entry points for security auditing. Detects externally callable functions that modify state, categorizes them by access level (public, admin, role-restricted, contract-only), and generates structured audit reports. Excludes view/pure/read-only functions. Use when auditing smart contracts (Solidity, Vyper, Solana/Rust, Move, TON, CosmWasm) or when asked to find entry points, audit flows, external functions, access control patterns, or privileged operations.

Software Development

ruzzy

@trailofbits/skills

1761

Ruzzy is a coverage-guided Ruby fuzzer by Trail of Bits. Use for fuzzing pure Ruby code and Ruby C extensions.

Software Development

harness-writing

@trailofbits/skills

1761

Techniques for writing effective fuzzing harnesses across languages. Use when creating new fuzz targets or improving existing harness code.

Software Development