[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-74039":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":23,"hasPages":23,"topics":25,"createdAt":10,"pushedAt":10,"updatedAt":27,"readmeContent":28,"aiSummary":29,"trendingCount":16,"starSnapshotCount":16,"syncStatus":30,"lastSyncTime":31,"discoverSource":32},74039,"skills","trailofbits\u002Fskills","trailofbits","Trail of Bits Claude Code skills for security research, vulnerability detection, and audit workflows","",null,"Python",5645,493,64,22,0,68,148,519,204,39.08,"Creative Commons Attribution Share Alike 4.0 International",false,"main",[26],"agent-skills","2026-06-12 02:03:21","# Trail of Bits Skills Marketplace\n\nA Claude Code plugin marketplace from Trail of Bits providing skills to enhance AI-assisted security analysis, testing, and development workflows.\n\n> Also see: [claude-code-config](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fclaude-code-config) · [skills-curated](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills-curated) · [claude-code-devcontainer](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fclaude-code-devcontainer) · [dropkit](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fdropkit)\n\n## Installation\n\n### Claude Code Marketplace\n\n```\n\u002Fplugin marketplace add trailofbits\u002Fskills\n```\n\n### Browse and Install Plugins\n\n```\n\u002Fplugin menu\n```\n\n### Codex\n\nCodex-native skill discovery is supported via the sidecar `.codex\u002Fskills\u002F` tree in this repository.\n\nInstall with:\n\n```sh\ngit clone 
https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills.git ~\u002F.codex\u002Ftrailofbits-skills\n~\u002F.codex\u002Ftrailofbits-skills\u002F.codex\u002Fscripts\u002Finstall-for-codex.sh\n```\n\nSee [`.codex\u002FINSTALL.md`](.codex\u002FINSTALL.md) for additional details.\n\n### Local Development\n\nTo add the marketplace locally (e.g., for testing or development), navigate to the **parent directory** of this repository:\n\n```\ncd \u002Fpath\u002Fto\u002Fparent  # e.g., if repo is at ~\u002Fprojects\u002Fskills, be in ~\u002Fprojects\n\u002Fplugins marketplace add .\u002Fskills\n```\n\n## Available Plugins\n\n### Smart Contract Security\n\n| Plugin | Description |\n|--------|-------------|\n| [building-secure-contracts](plugins\u002Fbuilding-secure-contracts\u002F) | Smart contract security toolkit with vulnerability scanners for 6 blockchains |\n| [entry-point-analyzer](plugins\u002Fentry-point-analyzer\u002F) | Identify state-changing entry points in smart contracts for security auditing |\n\n### Code Auditing\n\n| Plugin | Description |\n|--------|-------------|\n| [agentic-actions-auditor](plugins\u002Fagentic-actions-auditor\u002F) | Audit GitHub Actions workflows for AI agent security vulnerabilities |\n| [audit-context-building](plugins\u002Faudit-context-building\u002F) | Build deep architectural context through ultra-granular code analysis |\n| [burpsuite-project-parser](plugins\u002Fburpsuite-project-parser\u002F) | Search and extract data from Burp Suite project files |\n| [c-review](plugins\u002Fc-review\u002F) | Comprehensive C\u002FC++ security review with clustered parallel workers and SARIF output |\n| [differential-review](plugins\u002Fdifferential-review\u002F) | Security-focused differential review of code changes with git history analysis |\n| [dimensional-analysis](plugins\u002Fdimensional-analysis\u002F) | Annotate codebases with dimensional analysis comments to detect unit mismatches and formula bugs |\n| 
[fp-check](plugins\u002Ffp-check\u002F) | Systematic false positive verification for security bug analysis with mandatory gate reviews |\n| [insecure-defaults](plugins\u002Finsecure-defaults\u002F) | Detect insecure default configurations, hardcoded credentials, and fail-open security patterns |\n| [semgrep-rule-creator](plugins\u002Fsemgrep-rule-creator\u002F) | Create and refine Semgrep rules for custom vulnerability detection |\n| [semgrep-rule-variant-creator](plugins\u002Fsemgrep-rule-variant-creator\u002F) | Port existing Semgrep rules to new target languages with test-driven validation |\n| [sharp-edges](plugins\u002Fsharp-edges\u002F) | Identify error-prone APIs, dangerous configurations, and footgun designs |\n| [static-analysis](plugins\u002Fstatic-analysis\u002F) | Static analysis toolkit with CodeQL, Semgrep, and SARIF parsing |\n| [supply-chain-risk-auditor](plugins\u002Fsupply-chain-risk-auditor\u002F) | Audit supply-chain threat landscape of project dependencies |\n| [testing-handbook-skills](plugins\u002Ftesting-handbook-skills\u002F) | Skills from the [Testing Handbook](https:\u002F\u002Fappsec.guide): fuzzers, static analysis, sanitizers, coverage |\n| [trailmark](plugins\u002Ftrailmark\u002F) | Code graph analysis, Mermaid diagrams, mutation testing triage, and protocol verification |\n| [variant-analysis](plugins\u002Fvariant-analysis\u002F) | Find similar vulnerabilities across codebases using pattern-based analysis |\n\n### Malware Analysis\n\n| Plugin | Description |\n|--------|-------------|\n| [yara-authoring](plugins\u002Fyara-authoring\u002F) | YARA detection rule authoring with linting, atom analysis, and best practices |\n\n### Verification\n\n| Plugin | Description |\n|--------|-------------|\n| [constant-time-analysis](plugins\u002Fconstant-time-analysis\u002F) | Detect compiler-induced timing side-channels in cryptographic code |\n| [mutation-testing](plugins\u002Fmutation-testing\u002F) | Configure mewt\u002Fmuton mutation testing 
campaigns — scope targets, tune timeouts, optimize long runs |\n| [property-based-testing](plugins\u002Fproperty-based-testing\u002F) | Property-based testing guidance for multiple languages and smart contracts |\n| [spec-to-code-compliance](plugins\u002Fspec-to-code-compliance\u002F) | Specification-to-code compliance checker for blockchain audits |\n| [zeroize-audit](plugins\u002Fzeroize-audit\u002F) | Detect missing or compiler-eliminated zeroization of secrets in C\u002FC++ and Rust |\n\n### Reverse Engineering\n\n| Plugin | Description |\n|--------|-------------|\n| [dwarf-expert](plugins\u002Fdwarf-expert\u002F) | Interact with and understand the DWARF debugging format |\n\n### Mobile Security\n\n| Plugin | Description |\n|--------|-------------|\n| [firebase-apk-scanner](plugins\u002Ffirebase-apk-scanner\u002F) | Scan Android APKs for Firebase security misconfigurations |\n\n### Development\n\n| Plugin | Description |\n|--------|-------------|\n| [ask-questions-if-underspecified](plugins\u002Fask-questions-if-underspecified\u002F) | Clarify requirements before implementing |\n| [devcontainer-setup](plugins\u002Fdevcontainer-setup\u002F) | Create pre-configured devcontainers with Claude Code and language-specific tooling |\n| [gh-cli](plugins\u002Fgh-cli\u002F) | Intercept GitHub URL fetches and redirect to the authenticated `gh` CLI |\n| [git-cleanup](plugins\u002Fgit-cleanup\u002F) | Safely clean up git worktrees and local branches with gated confirmation workflow |\n| [let-fate-decide](plugins\u002Flet-fate-decide\u002F) | Draw Tarot cards using cryptographic randomness to add entropy to vague planning |\n| [modern-python](plugins\u002Fmodern-python\u002F) | Modern Python tooling and best practices with uv, ruff, and pytest |\n| [seatbelt-sandboxer](plugins\u002Fseatbelt-sandboxer\u002F) | Generate minimal macOS Seatbelt sandbox configurations |\n| [second-opinion](plugins\u002Fsecond-opinion\u002F) | Run code reviews using external LLM CLIs (OpenAI Codex, 
Google Gemini) on changes, diffs, or commits. Bundles Codex's built-in MCP server. |\n| [skill-improver](plugins\u002Fskill-improver\u002F) | Iterative skill refinement loop using automated fix-review cycles |\n| [workflow-skill-design](plugins\u002Fworkflow-skill-design\u002F) | Design patterns for workflow-based Claude Code skills with review agent |\n\n### Team Management\n\n| Plugin | Description |\n|--------|-------------|\n| [culture-index](plugins\u002Fculture-index\u002F) | Interpret Culture Index survey results for individuals and teams |\n\n### Tooling\n\n| Plugin | Description |\n|--------|-------------|\n| [claude-in-chrome-troubleshooting](plugins\u002Fclaude-in-chrome-troubleshooting\u002F) | Diagnose and fix Claude in Chrome MCP extension connectivity issues |\n\n### Infrastructure\n\n| Plugin | Description |\n|--------|-------------|\n| [debug-buttercup](plugins\u002Fdebug-buttercup\u002F) | Debug [Buttercup](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fbuttercup) Kubernetes deployments |\n\n## Trophy Case\n\nBugs discovered using Trail of Bits Skills. Found something? [Let us know!](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills\u002Fissues\u002Fnew?template=trophy-case.yml)\n\nWhen reporting bugs you've found, feel free to mention:\n> Found using [Trail of Bits Skills](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills)\n\n| Skill | Bug |\n|-------|-----|\n| constant-time-analysis | [Timing side-channel in ML-DSA signing](https:\u002F\u002Fgithub.com\u002FRustCrypto\u002Fsignatures\u002Fpull\u002F1144) |\n\n## Contributing\n\nWe welcome contributions! Please see [CLAUDE.md](CLAUDE.md) for skill authoring guidelines.\n\n## License\n\nThis work is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](https:\u002F\u002Fcreativecommons.org\u002Flicenses\u002Fby-sa\u002F4.0\u002F). 
Made by [Trail of Bits](https:\u002F\u002Fwww.trailofbits.com\u002F).\n","trailofbits\u002Fskills is a Claude Code plugin marketplace provided by Trail of Bits, designed to improve security research, vulnerability detection, and audit efficiency by enhancing AI-assisted security analysis, testing, and development workflows. Its core features include a smart contract security toolkit and code auditing assistants; it is implemented in Python and supports smart contract security scanning across multiple blockchain platforms as well as security auditing of GitHub Actions workflows. It suits scenarios that require in-depth code review, smart contract security assessment, and automated security testing, such as enterprise software development and blockchain project security checks.",2,"2026-06-11 03:48:30","high_star"]