Skills by trailofbits

Clarify requirements before implementing. Use when serious doubts arise.

This skill orchestrates Semgrep static analysis across a codebase using parallel Task subagents and triage, producing merged SARIF output. It contains explicit shell commands (`semgrep --pro ... & wait`, `uv run {baseDir}/scripts/merge_triaged_sarif.py [OUTPUT_DIR]`), network calls to `https://github.com/trailofbits/semgrep-rules`/npm, and prompts for `semgrep login`.

Performs security-focused differential review of code changes (PRs, commits, diffs). Adapts analysis depth to codebase size, uses git history for context, calculates blast radius, checks test coverage, and generates comprehensive markdown reports. Automatically detects and prevents security regressions.

Guides through Trail of Bits' 5-step secure development workflow. Runs Slither scans, checks special features (upgradeability/ERC conformance/token integration), generates visual security diagrams, helps document security properties for fuzzing/verification, and reviews manual security areas.

The `sharp-edges` skill audits APIs, configuration schemas, and cryptographic ergonomics to find developer footguns and insecure defaults. No security-relevant behaviors (file exfiltration, secret harvesting, remote execution) are explicitly instructed in the skill content.

This skill provides guidance for property-based testing across languages and smart contracts. It includes developer-facing shell/install commands and external URLs such as `pip install`, `npm install`, `go install`, `pytest`, `https://github.com/crytic/echidna`, and `https://secure-contracts.com`.

This skill automates CodeQL database creation, data-extension generation, and analysis (`codeql database create`, `codeql database analyze`). It instructs executing arbitrary shell commands (e.g., `pip install`, `make`, `rm -rf`) and downloading packs from `github.com`/`codeql.github.com`, raising execution and network risk.

Provides variant analysis templates and guidance for finding similar vulnerabilities using CodeQL/Semgrep. It instructs running commands like `rg -n "exact_vulnerable_code_here"` and to `search the ENTIRE codebase root directory`, enabling broad filesystem searches and tool execution.

The skill is a smart-contract development advisor that analyzes a codebase and produces documentation, architecture analysis, implementation review, and prioritized recommendations. It instructs exploring the repository (e.g., reading `contracts/Marketplace.sol`, `README`) and running local analysis tools (e.g., `Slither`, `Foundry`, `Echidna`), which requires executing CLI tools against the codebase.

Token integration and implementation analyzer based on Trail of Bits' token integration checklist. Analyzes token implementations for ERC20/ERC721 conformity, checks for 20+ weird token patterns, assesses contract composition and owner privileges, performs on-chain scarcity analysis, and evaluates how protocols handle non-standard tokens. Context-aware for both token implementations and token integrations.

This skill defines an ultra-granular, line-by-line context-building method for code audits and references resources such as `resources/FUNCTION_MICRO_ANALYSIS_EXAMPLE.md` and `resources/COMPLETENESS_CHECKLIST.md`. No security-relevant behaviors detected.

This skill parses and processes SARIF files and provides `jq` and Python utilities for aggregation, deduplication, and CI integration. It includes explicit executable commands (e.g., `jq`, `pip install`, `npm install`) and a GitHub Actions step (`uses: github/codeql-action/upload-sarif@v3`) that perform local execution and network operations.

Techniques for patching code to overcome fuzzing obstacles. Use when checksums, global state, or other barriers block fuzzer progress.

Verifies code implements exactly what documentation specifies for blockchain audits. Use when comparing code against whitepapers, finding gaps between specs and implementation, or performing compliance checks for protocol implementations.

Scans Solana programs for 6 critical vulnerabilities including arbitrary CPI, improper PDA validation, missing signer/ownership checks, and sysvar spoofing. Use when auditing Solana/Anchor programs.

Prepares codebases for security review using Trail of Bits' checklist. Helps set review goals, runs static analysis tools, increases test coverage, removes dead code, ensures accessibility, and generates documentation (flowcharts, user stories, inline comments).

Systematic code maturity assessment using Trail of Bits' 9-category framework. Analyzes codebase for arithmetic safety, auditing practices, access controls, complexity, decentralization, documentation, MEV risks, low-level code, and testing. Produces professional scorecard with evidence-based ratings and actionable recommendations.

This skill documents coverage-analysis workflows for fuzzing and provides build/run scripts and example runtimes. It contains explicit shell commands (e.g., `clang++`, `./fuzz_exec`) and package installs (e.g., `pip3 install gcovr`); no instructions to read secrets or exfiltrate data were found.

Analyzes smart contract codebases to identify state-changing entry points for security auditing. Detects externally callable functions that modify state, categorizes them by access level (public, admin, role-restricted, contract-only), and generates structured audit reports. Excludes view/pure/read-only functions. Use when auditing smart contracts (Solidity, Vyper, Solana/Rust, Move, TON, CosmWasm) or when asked to find entry points, audit flows, external functions, access control patterns, or privileged operations.

This skill creates Semgrep rules and test files for static analysis and enforces a strict test-first workflow. It instructs running the `semgrep` CLI (e.g., `semgrep --test --config <rule-id>.yaml <rule-id>.<ext>`) and fetching documentation from `https://semgrep.dev`, `https://appsec.guide`, and `https://github.com/semgrep/semgrep-docs`.

The skill analyzes code for timing side-channel vulnerabilities using the CLI tool `ct_analyzer/analyzer.py`. It contains explicit shell commands (`uv run`, `pecl install`, `git clone`), performs remote downloads from `https://pecl.php.net`/`https://github.com`, and sets environment variables such as `PATH` and `CGO_ENABLED`.

cargo-fuzz is the de facto fuzzing tool for Rust projects using Cargo. Use for fuzzing Rust code with libFuzzer backend.

AddressSanitizer detects memory errors during fuzzing. Use when fuzzing C/C++ code to find buffer overflows and use-after-free bugs.

Techniques for writing effective fuzzing harnesses across languages. Use when creating new fuzz targets or improving existing harness code.

This skill documents how to create and use fuzzing dictionaries for fuzzers like `libFuzzer`, `AFL++`, and `cargo-fuzz`. It includes shell command examples such as `afl-fuzz -x ./dictionary.dict -i input/ -o output/ -- ./target @@` and an environment variable `AFL_LLVM_DICT2FILE`.

This skill scans Cosmos SDK and CosmWasm code for nine consensus-critical vulnerabilities and reports findings and fixes. It instructs running local commands (e.g., `grep`, `go build`, `go test`, `codeql query run`) and reading project files such as `x/`, `go.mod`, and `resources/VULNERABILITY_PATTERNS.md`.

Generates Claude Code skills from the Trail of Bits Testing Handbook, reading `{handbook_path}/content/docs/` and writing generated SKILLs to `plugins/testing-handbook-skills/skills/[skill-name]/`. It runs shell commands (e.g., `git clone`, `uv run scripts/validate-skills.py`) and fetches external resources (`https://github.com/trailofbits/testing-handbook`, `https://semgrep.dev/docs/`).

Scans Algorand smart contracts for 11 common vulnerabilities including rekeying attacks, unchecked transaction fees, missing field validations, and access control issues. Use when auditing Algorand projects (TEAL/PyTeal).

This skill documents constant-time testing for cryptographic code and recommends tools, workflows, and remediation steps. It instructs running local analysis commands such as `valgrind --leak-check=full --track-origins=yes ./binary` and `timeout 600 ./ct_test`; no instructions to exfiltrate secrets or access external credentials are present.

This skill documents using OSS-Fuzz to build, run, and enroll fuzzing projects with examples like `git clone https://github.com/google/oss-fuzz`, `python3 infra/helper.py`, and `python3 infra/helper.py run_fuzzer`. It instructs executing shell commands and pulling/running container images (e.g., `docker run --rm --privileged ... -v /private/tmp/oss-fuzz/build/out/irssi:/out -t gcr.io/oss-fuzz-base/base-runner`), enabling network access and privileged mounts.

This skill documents using libFuzzer to build and run coverage-guided fuzzers for C/C++ projects. It contains direct shell commands (e.g., `clang++`, `./fuzz`), `curl` downloads, and sets environment variables such as `CC` and `ASAN_OPTIONS`.

This skill documents using Atheris, a coverage-guided Python fuzzer for pure Python and C extensions. It includes explicit shell commands (`python fuzz.py`, `docker build -t atheris .`, `apt install`), network downloads (`https://apt.llvm.org/llvm-snapshot.gpg.key`), and environment variable settings (`CC`, `LD_PRELOAD`).

This skill automates extracting and interpreting Culture Index PDFs/JSON to generate reports. It instructs executing local scripts such as `uv run {baseDir}/scripts/extract_pdf.py --verify /path/to/file.pdf` and installing system/Python packages (`brew install poppler`, `pip install pytesseract`).

This skill scans Substrate/FRAME pallets for seven critical vulnerabilities and produces findings and fixes. It includes explicit shell/CLI commands (e.g., `rg`, `cargo`, `try-runtime`) and an external connection to `wss://rpc.polkadot.io`, which requires executing commands and contacting a remote host.

High-risk skill: includes remote downloads and direct shell execution such as `curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh` and `git clone https://github.com/AFLplusplus/LibAFL`. It documents build and fuzzing steps for `libafl` and sets environment variables like `RUSTFLAGS`.

Dangerous skill: provides AFL++ setup and fuzzing instructions that execute shell commands and download remote artifacts. It requests elevated actions like `--privileged`, `update-grub`, `reboot`, and uses network sources such as `https://github.com/AFLplusplus/AFLplusplus` and `docker pull aflplusplus/aflplusplus:stable`.

Provides expertise for analyzing DWARF debug files and understanding the DWARF debug format/standard (v3-v5). Triggers when understanding DWARF information, interacting with DWARF files, answering DWARF-related questions, or working with code that parses DWARF data.

Scans TON (The Open Network) smart contracts for 3 critical vulnerabilities including integer-as-boolean misuse, fake Jetton contracts, and forward TON without gas checks. Use when auditing FunC contracts.

This skill scans Cairo/StarkNet contracts for six vulnerability patterns and produces file-referenced reports. It instructs running shell commands like `pip install caracal`, `caracal detect src/`, and `rg "felt252" src/`, which access the filesystem (`src/`) and fetch tools from external sources (`https://github.com/crytic/caracal`).

This skill documents the Wycheproof test-vector collection and provides parsing and test-harness examples. It includes shell commands such as `git submodule add https://github.com/C2SP/wycheproof.git` and a fetch script using `curl` to `https://raw.githubusercontent.com/C2SP/wycheproof/master/testvectors_v1/`.

The skill scans Android APKs for Firebase misconfigurations and performs decompilation and active tests. It runs local shell commands (`{baseDir}/scanner.sh`, `apktool`), issues network requests to Firebase APIs (`identitytoolkit.googleapis.com`, `firebasestorage.googleapis.com`), and extracts/uses API keys/tokens (`API_KEY`).

Ruzzy is a coverage-guided Ruby fuzzer by Trail of Bits. Use for fuzzing pure Ruby code and Ruby C extensions.

This skill ports existing Semgrep rules to target languages and produces per-language rule and test directories. It includes explicit instructions to run local CLI commands such as `semgrep --test --config rule.yaml test-file`, which requires executing local shell/CLI tools.

High-risk skill: configures modern Python projects but instructs executing remote install scripts such as `curl -LsSf https://astral.sh/uv/install.sh | sh` and PowerShell `irm https://astral.sh/uv/install.ps1 | iex`. It also includes networked examples (`response = requests.get("https://api.example.com/data")`) and uses credentials (`uv publish --token $TOKEN`, `UV_PROJECT_ENVIRONMENT`).

This skill detects fail-open insecure defaults and scans code and configs for hardcoded secrets, weak crypto, permissive CORS, and debug/default credentials. It instructs searching `**/config/`, `**/auth/`, `**/database/` and env files and permits use of `Bash`/`Grep` for discovery, which enables credential access and shell execution.

This skill guides authoring, testing, and deployment of YARA-X detection rules with examples, templates, and supporting scripts. It instructs local command execution (`brew install yara-x`, `yr check`, `uv run atom_analyzer.py`) and recommends uploading/testing with external services (`https://www.virustotal.com/gui/hunting`, `github.com/apps/virustotal-yara-ci`).

Diagnose and fix Claude in Chrome MCP extension connectivity issues. Use when mcp__claude-in-chrome__* tools fail, return "Browser extension is not connected", or behave erratically.

This skill runs external LLM CLIs (`codex exec`, `gemini -p ... --yolo`) to review diffs and optional project files. It executes shell commands and sends repository diffs and `CLAUDE.md`/`AGENTS.md` to external services, creating remote network activity and local file access.

This skill generates devcontainer configuration and helper scripts (`.devcontainer/`, `Dockerfile`, `install.sh`) for a project. It downloads-and-executes remote installers (`https://claude.ai/install.sh` / `curl ... | bash`), requests `--cap-add=NET_ADMIN`/`--cap-add=NET_RAW`, and sets Claude `bypassPermissions` in `~/.claude/settings.json`.

Debug guide for the Buttercup CRS that collects diagnostic data and provides commands to triage Kubernetes/Redis issues. The skill instructs running shell diagnostics (`kubectl`, `kubectl exec`, `redis-cli`, `bash scripts/diagnose.sh`) which execute commands in-cluster and connect to `redis-master:6379`.

Safely analyzes and cleans up local git branches and worktrees by categorizing them as merged, squash-merged, superseded, or active work.

This skill guides use of the GitHub CLI (`gh`) to browse, clone, and manage repositories, PRs, issues, releases, and Actions. It includes shell commands like `gh repo clone ...` and `mkdir -p ...`, uses the user's authenticated token (`gh` automatic auth), and calls GitHub endpoints such as `api.github.com`.