Testing Handbook Skills
Comprehensive security testing toolkit generated from the [Trail of Bits Application Security Testing Handbook](https://appsec.guide/).
Best use case
Testing Handbook Skills is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Comprehensive security testing toolkit generated from the [Trail of Bits Application Security Testing Handbook](https://appsec.guide/).
Teams using Testing Handbook Skills should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/testing-handbook-skills/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How Testing Handbook Skills Compares
| Feature / Agent | Testing Handbook Skills | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Comprehensive security testing toolkit generated from the [Trail of Bits Application Security Testing Handbook](https://appsec.guide/).
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Testing Handbook Skills Comprehensive security testing toolkit generated from the [Trail of Bits Application Security Testing Handbook](https://appsec.guide/). ## When to Use - Setting up fuzzing campaigns for C/C++, Rust, Python, or Ruby - Writing fuzzing harnesses for target functions - Analyzing code coverage to guide testing - Running sanitizers (AddressSanitizer, UBSan, MSan) to catch memory bugs - Performing constant-time testing for cryptographic code - Using Wycheproof test vectors for crypto validation ## When NOT to Use - Smart contract auditing (use security-building-secure-contracts) - Writing custom Semgrep rules (use semgrep-rule-creator) - General code review (use security-differential-review) - Vulnerability hunting without a testing plan (use audit-context-building first) ## Sub-Skills (17 total) ### Fuzzers | Fuzzer | Language | Best For | Skill Path | |--------|----------|----------|------------| | **libFuzzer** | C/C++ | LLVM-based coverage-guided fuzzing | [skills/libfuzzer/SKILL.md](skills/libfuzzer/SKILL.md) | | **AFL++** | C/C++ | Advanced mutation-based fuzzing | [skills/aflpp/SKILL.md](skills/aflpp/SKILL.md) | | **libAFL** | C/C++ | LibAFL-based custom fuzzers | [skills/libafl/SKILL.md](skills/libafl/SKILL.md) | | **cargo-fuzz** | Rust | Rust native fuzzing with libFuzzer backend | [skills/cargo-fuzz/SKILL.md](skills/cargo-fuzz/SKILL.md) | | **Atheris** | Python | Python coverage-guided fuzzing | [skills/atheris/SKILL.md](skills/atheris/SKILL.md) | | **Ruzzy** | Ruby | Ruby coverage-guided fuzzing | [skills/ruzzy/SKILL.md](skills/ruzzy/SKILL.md) | ### Techniques | Technique | Purpose | Skill Path | |-----------|---------|------------| | **Harness Writing** | Writing effective fuzzing harnesses | [skills/harness-writing/SKILL.md](skills/harness-writing/SKILL.md) | | **Coverage Analysis** | Measuring and improving code coverage | [skills/coverage-analysis/SKILL.md](skills/coverage-analysis/SKILL.md) | | **Fuzzing Dictionary** | Creating effective fuzzing dictionaries | [skills/fuzzing-dictionary/SKILL.md](skills/fuzzing-dictionary/SKILL.md) | | **Fuzzing Obstacles** | Overcoming common fuzzing barriers | [skills/fuzzing-obstacles/SKILL.md](skills/fuzzing-obstacles/SKILL.md) | | **AddressSanitizer** | Memory error detection with ASan | [skills/address-sanitizer/SKILL.md](skills/address-sanitizer/SKILL.md) | ### Static Analysis | Tool | Purpose | Skill Path | |------|---------|------------| | **Semgrep** | Fast pattern-matching security scans | [skills/semgrep/SKILL.md](skills/semgrep/SKILL.md) | | **CodeQL** | Deep semantic code analysis | [skills/codeql/SKILL.md](skills/codeql/SKILL.md) | ### Cryptographic Testing | Tool | Purpose | Skill Path | |------|---------|------------| | **Wycheproof** | Test vectors for crypto implementations | [skills/wycheproof/SKILL.md](skills/wycheproof/SKILL.md) | | **Constant-Time Testing** | Verify constant-time crypto properties | [skills/constant-time-testing/SKILL.md](skills/constant-time-testing/SKILL.md) | ### Infrastructure | Tool | Purpose | Skill Path | |------|---------|------------| | **OSS-Fuzz** | Google's continuous fuzzing service | [skills/ossfuzz/SKILL.md](skills/ossfuzz/SKILL.md) | ### Meta | Tool | Purpose | Skill Path | |------|---------|------------| | **Generator** | Generate new skills from the Testing Handbook | [skills/testing-handbook-generator/SKILL.md](skills/testing-handbook-generator/SKILL.md) | ## Workflow ### Starting a fuzzing campaign 1. **Choose a fuzzer** based on your target language (see Fuzzers table) 2. **Write a harness** using the harness-writing skill 3. **Build with sanitizers** (AddressSanitizer recommended as baseline) 4. **Create a seed corpus** with representative inputs 5. **Run the campaign** and monitor coverage 6. **Analyze coverage** to find uncovered code and improve the harness 7. **Triage crashes** and deduplicate findings ### Setting up CI/CD testing 1. **OSS-Fuzz** for open-source projects (continuous fuzzing) 2. **Semgrep + CodeQL** for static analysis in PRs 3. **Wycheproof** test vectors for crypto validation ## Quick Start by Language | Language | Fuzzer | Harness | Sanitizer | |----------|--------|---------|-----------| | C/C++ | libFuzzer or AFL++ | `LLVMFuzzerTestOneInput` | ASan + UBSan | | Rust | cargo-fuzz | `fuzz_target!` macro | Built-in sanitizers | | Python | Atheris | `atheris.FuzzedDataProvider` | N/A | | Ruby | Ruzzy | `ruzzy` harness pattern | N/A | ## Source Material Generated from the [Trail of Bits Application Security Testing Handbook](https://appsec.guide/) using the testing-handbook-generator meta-skill.
Related Skills
performing-visual-regression-testing
This skill enables Claude to execute visual regression tests using tools like Percy, Chromatic, and BackstopJS. It captures screenshots, compares them against baselines, and analyzes visual differences to identify unintended UI changes. Use this skill when the user requests visual testing, UI change verification, or regression testing for a web application or component. Trigger phrases include "visual test," "UI regression," "check visual changes," or "/visual-test".
performing-security-testing
This skill automates security vulnerability testing. It is triggered when the user requests security assessments, penetration tests, or vulnerability scans. The skill covers OWASP Top 10 vulnerabilities, SQL injection, XSS, CSRF, authentication issues, and authorization flaws. Use this skill when the user mentions "security test", "vulnerability scan", "OWASP", "SQL injection", "XSS", "CSRF", "authentication", or "authorization" in the context of application or API testing.
performance-testing
This skill enables Claude to design, execute, and analyze performance tests using the performance-test-suite plugin. It is activated when the user requests load testing, stress testing, spike testing, or endurance testing, and when discussing performance metrics such as response time, throughput, and error rates. It identifies performance bottlenecks related to CPU, memory, database, or network issues. The plugin provides comprehensive reporting, including percentiles, graphs, and recommendations.
performing-penetration-testing
This skill enables automated penetration testing of web applications. It uses the penetration-tester plugin to identify vulnerabilities, including OWASP Top 10 threats, and suggests exploitation techniques. Use this skill when the user requests a "penetration test", "pentest", "vulnerability assessment", or asks to "exploit" a web application. It provides comprehensive reporting on identified security flaws.
automating-mobile-app-testing
This skill enables automated testing of mobile applications on iOS and Android platforms using frameworks like Appium, Detox, XCUITest, and Espresso. It generates end-to-end tests, sets up page object models, and handles platform-specific elements. Use this skill when the user requests mobile app testing, test automation for iOS or Android, or needs assistance with setting up device farms and simulators. The skill is triggered by terms like "mobile testing", "appium", "detox", "xcuitest", "espresso", "android test", "ios test".
load-testing-apis
Execute comprehensive load and stress testing to validate API performance and scalability. Use when validating API performance under load. Trigger with phrases like "load test the API", "stress test API", or "benchmark API performance".
testing-load-balancers
This skill enables Claude to test load balancing strategies. It validates traffic distribution across backend servers, tests failover scenarios when servers become unavailable, verifies sticky sessions, and assesses health check functionality. Use this skill when the user asks to "test load balancer", "validate traffic distribution", "test failover", "verify sticky sessions", or "test health checks". It is specifically designed for testing load balancing configurations using the `load-balancer-tester` plugin.
managing-database-testing
This skill manages database testing by generating test data, wrapping tests in transactions, and validating database schemas. It is used to create robust and reliable database interactions. Claude uses this skill when the user requests database testing utilities, including test data generation, transaction management, schema validation, or migration testing. Trigger this skill by mentioning "database testing," "test data factories," "transaction rollback," "schema validation," or using the `/db-test` or `/dbt` commands.
backtesting-trading-strategies
Backtest crypto and traditional trading strategies against historical data. Calculates performance metrics (Sharpe, Sortino, max drawdown), generates equity curves, and optimizes strategy parameters. Use when user wants to test a trading strategy, validate signals, or compare approaches. Trigger with phrases like "backtest strategy", "test trading strategy", "historical performance", "simulate trades", "optimize parameters", or "validate signals".
api-testing-helper
Api Testing Helper - Auto-activating skill for API Development. Triggers on: api testing helper, api testing helper Part of the API Development skill category.
automating-api-testing
This skill automates API endpoint testing, including request generation, validation, and comprehensive test coverage for REST and GraphQL APIs. It is used when the user requests API testing, contract testing, or validation against OpenAPI specifications. The skill analyzes API endpoints and generates test suites covering CRUD operations, authentication flows, and security aspects. It also validates response status codes, headers, and body structure. Use this skill when the user mentions "API testing", "REST API tests", "GraphQL API tests", "contract tests", or "OpenAPI validation".
suggest-awesome-github-copilot-skills
Suggest relevant GitHub Copilot skills from the awesome-copilot repository based on current repository context and chat history, avoiding duplicates with existing skills in this repository, and identifying outdated skills that need updates.