trailofbits-security

Security-focused static analysis and code auditing skills from Trail of Bits. Includes CodeQL deep analysis, Semgrep scanning, and SARIF result processing. Use when performing security audits, running static analysis, scanning for vulnerabilities, or processing scan results.

18 stars

Best use case

trailofbits-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.


Teams using trailofbits-security should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/trailofbits-security/SKILL.md --create-dirs "https://raw.githubusercontent.com/georgekhananaev/claude-skills-vault/main/.claude/skills/trailofbits-security/SKILL.md"

This one-liner fetches only the top-level SKILL.md. That file links to three sub-skill files (codeql-SKILL.md, semgrep-SKILL.md, sarif-parsing-SKILL.md) that sit in the same directory; fetch them into the same folder or the sub-skills will not resolve. The command writes to the user-wide ~/.claude/skills directory, whereas the manual steps below use a project-local .claude/skills directory; whichever you choose, keep the sub-skill files next to the index. As with any file an agent will take instructions from, read the downloaded content before the agent loads it.

Manual Installation

  1. Download SKILL.md and the three sub-skill files it links to (codeql-SKILL.md, semgrep-SKILL.md, sarif-parsing-SKILL.md) from GitHub
  2. Place them in .claude/skills/trailofbits-security/ inside your project, with SKILL.md as the entry point
  3. Restart your AI agent; it will auto-discover the skill

How trailofbits-security Compares

| Feature | trailofbits-security | Standard Approach |
|---------|----------------------|-------------------|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |

Frequently Asked Questions

What does this skill do?

It bundles three static-analysis sub-skills from Trail of Bits: CodeQL for deep interprocedural taint and data-flow analysis, Semgrep for fast pattern-based scanning, and SARIF parsing for aggregating and deduplicating the results of both. Use it when auditing a codebase, scanning for vulnerabilities, or processing scan output.

Where can I find the source code?

The packaged copy lives in the georgekhananaev/claude-skills-vault repository on GitHub (the installation URL above points into it). The upstream source is the `static-analysis` plugin in trailofbits/skills, linked in the SKILL.md below.

SKILL.md Source

# Trail of Bits Security Skills

Security-focused static analysis and code auditing toolkit from Trail of Bits.

## Available Sub-Skills

| Skill | File | Use When |
|-------|------|----------|
| CodeQL Analysis | [codeql-SKILL.md](codeql-SKILL.md) | Deep interprocedural taint tracking, data flow analysis |
| Semgrep Scanning | [semgrep-SKILL.md](semgrep-SKILL.md) | Fast pattern-based security scanning with parallel execution |
| SARIF Parsing | [sarif-parsing-SKILL.md](sarif-parsing-SKILL.md) | Processing and aggregating static analysis results |

## When to Use

- **Security audit** of a codebase -> Start with Semgrep for speed, then CodeQL for depth
- **Quick vulnerability scan** -> Semgrep with "important only" mode
- **Deep data flow analysis** -> CodeQL with custom data extensions
- **Processing scan results** -> SARIF parsing for aggregation, deduplication, CI/CD integration

## Workflow

1. Run Semgrep for fast initial scan (pattern-based)
2. Run CodeQL for deep interprocedural analysis (data flow + taint tracking)
3. Use SARIF parsing to aggregate, deduplicate, and prioritize findings
4. Review and triage results by severity
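An added example of step 3 of this workflow, written for this page and not part of the Trail of Bits skills or the SKILL.md above: it loads SARIF 2.1.0 output from several tools, merges findings that point at the same file, line and weakness, keeps the strongest level and the set of tools that agreed, and ranks the result for triage. The two SARIF documents are constructed inline; their rule ids, tags and `security-severity` values are illustrative stand-ins, not real rule metadata.

```python
"""Aggregate, deduplicate and prioritise SARIF 2.1.0 results from several tools.

Example code added for illustration; not part of the Trail of Bits skills.
The SAMPLE_* documents below are constructed inputs with made-up rule metadata.
"""
import json
import re
import sys

# SARIF result levels in descending importance. The optional "security-severity"
# rule property (0-10, CVSS-style) orders findings that share a level.
LEVEL_RANK = {"error": 3, "warning": 2, "note": 1, "none": 0}
_CWE_RE = re.compile(r"cwe-?0*(\d+)", re.IGNORECASE)  # matches "CWE-89" and "cwe-089"


def _rule_index(run):
    """Map ruleId -> rule object; rules may live in the driver or in tool extensions."""
    tool = run.get("tool", {})
    components = [tool.get("driver", {})] + tool.get("extensions", [])
    return {r["id"]: r for comp in components for r in comp.get("rules", [])}


def _cwe(rule):
    """First CWE number found in the rule's tags, or None if untagged."""
    for tag in rule.get("properties", {}).get("tags", []):
        m = _CWE_RE.search(tag)
        if m:
            return int(m.group(1))
    return None


def load_findings(sarif_docs):
    """Flatten every run of every document into one list of normalised findings."""
    findings = []
    for doc in sarif_docs:
        for run in doc.get("runs", []):
            tool_name = run["tool"]["driver"]["name"]
            rules = _rule_index(run)
            for res in run.get("results", []):
                rule = rules.get(res.get("ruleId"), {})
                # A result may omit "level"; the rule's defaultConfiguration then applies.
                level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
                loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
                findings.append({
                    "tool": tool_name,
                    "rule": res.get("ruleId", "<no-rule>"),
                    "cwe": _cwe(rule),
                    "level": level,
                    "severity": float(rule.get("properties", {}).get("security-severity", 0)),
                    "uri": loc.get("artifactLocation", {}).get("uri", "<unknown>"),
                    "line": loc.get("region", {}).get("startLine", 0),
                    "message": res.get("message", {}).get("text", ""),
                })
    return findings


def deduplicate(findings):
    """Merge findings at the same file:line that describe the same weakness.

    Two tools flagging the same CWE on the same line are one issue reported twice.
    The merged entry keeps the strongest level, the highest severity and the set of
    tools and rules that agreed. Untagged rules use their rule id as the weakness key.
    """
    merged = {}
    for f in findings:
        key = (f["uri"], f["line"], f["cwe"] if f["cwe"] is not None else f["rule"])
        if key not in merged:
            merged[key] = {**f, "tools": {f["tool"]}, "rules": {f["rule"]}}
            continue
        m = merged[key]
        m["tools"].add(f["tool"])
        m["rules"].add(f["rule"])
        if LEVEL_RANK.get(f["level"], 0) > LEVEL_RANK.get(m["level"], 0):
            m["level"] = f["level"]
        m["severity"] = max(m["severity"], f["severity"])
    return list(merged.values())


def prioritise(findings):
    """Highest level first, then security-severity, then number of agreeing tools."""
    return sorted(findings, key=lambda f: (-LEVEL_RANK.get(f["level"], 0), -f["severity"],
                                           -len(f["tools"]), f["uri"], f["line"]))


def triage(sarif_docs):
    """Full pipeline: load -> deduplicate -> prioritise."""
    return prioritise(deduplicate(load_findings(sarif_docs)))


def _loc(uri, line):
    return {"physicalLocation": {"artifactLocation": {"uri": uri}, "region": {"startLine": line}}}


# Constructed sample: a Semgrep run whose SQLi rule fires twice on the same line.
SAMPLE_SEMGREP = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "semgrep", "rules": [
    {"id": "py.sqli.string-concat", "defaultConfiguration": {"level": "error"},
     "properties": {"tags": ["CWE-89: Improper Neutralization of Special Elements in SQL"], "security-severity": "9.0"}},
    {"id": "py.secrets.hardcoded", "defaultConfiguration": {"level": "warning"},
     "properties": {"tags": ["CWE-798: Use of Hard-coded Credentials"]}}]}}, "results": [
    {"ruleId": "py.sqli.string-concat", "level": "error", "message": {"text": "SQL built from user input"}, "locations": [_loc("src/app.py", 42)]},
    {"ruleId": "py.sqli.string-concat", "level": "error", "message": {"text": "SQL built from user input"}, "locations": [_loc("src/app.py", 42)]},
    {"ruleId": "py.secrets.hardcoded", "level": "warning", "message": {"text": "Hard-coded credential"}, "locations": [_loc("src/config.py", 10)]}]}]}

# Constructed sample: a CodeQL run that keeps its rules under tool.extensions and omits result levels.
SAMPLE_CODEQL = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "CodeQL"}, "extensions": [{"name": "example-pack", "rules": [
    {"id": "ex/sql-injection", "defaultConfiguration": {"level": "error"},
     "properties": {"tags": ["security", "external/cwe/cwe-089"], "security-severity": "8.8"}},
    {"id": "ex/clear-text-logging", "defaultConfiguration": {"level": "warning"},
     "properties": {"tags": ["security", "external/cwe/cwe-312"], "security-severity": "7.5"}}]}]}, "results": [
    {"ruleId": "ex/sql-injection", "message": {"text": "Query depends on a user-provided value"}, "locations": [_loc("src/app.py", 42)]},
    {"ruleId": "ex/clear-text-logging", "message": {"text": "Sensitive data logged in clear text"}, "locations": [_loc("src/log.py", 7)]}]}]}


if __name__ == "__main__":
    # Pass real .sarif files as arguments; with none, the constructed samples are used.
    docs = [json.load(open(p)) for p in sys.argv[1:]] or [SAMPLE_SEMGREP, SAMPLE_CODEQL]
    for f in triage(docs):
        print(f"{f['level']:<8}{f['severity']:>4}  {f['uri']}:{f['line']}  {sorted(f['tools'])}  cwe={f['cwe']}")
```

On the constructed samples the two SQL-injection reports on src/app.py:42 collapse into one error-level entry credited to both tools, and the remaining two warnings are ordered by security-severity. Real inputs for the script come from `semgrep scan --config auto --sarif -o semgrep.sarif .` and `codeql database analyze <db> --format=sarif-latest --output=codeql.sarif`. The merge key deliberately includes the CWE: two different weaknesses on the same line (say, a hard-coded secret passed into an injectable query) stay separate findings.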

## Source

From [trailofbits/skills](https://github.com/trailofbits/skills) - the `static-analysis` plugin.

Related Skills

owasp-security

18
from georgekhananaev/claude-skills-vault

Use when reviewing code for security vulnerabilities, implementing authentication/authorization, handling user input, or discussing web application security. Covers OWASP Top 10:2025, ASVS 5.0, and Agentic AI security (2026).

webapp-testing

18
from georgekhananaev/claude-skills-vault

Toolkit for interacting with and testing local web applications using Playwright. Supports verifying frontend functionality, debugging UI behavior, capturing browser screenshots, and viewing browser logs.

web-quality

18
from georgekhananaev/claude-skills-vault

Web quality optimization skills based on Google Lighthouse guidelines and Core Web Vitals. Use when asked to audit web quality, optimize performance, improve accessibility, fix SEO, apply best practices, or analyze Core Web Vitals (LCP, INP, CLS).

vercel-react-native-skills

18
from georgekhananaev/claude-skills-vault

React Native and Expo best practices for building performant mobile apps. Use when building React Native components, optimizing list performance, implementing animations, or working with native modules. Triggers on tasks involving React Native, Expo, mobile performance, or native platform APIs.

upgrade-packages-js

18
from georgekhananaev/claude-skills-vault

Safely upgrade JavaScript packages with breaking change detection, migration guidance, and automated code migrations (npm/pnpm/yarn). Cross-platform with git safety branch enforcement.

uiux-toolkit

18
from georgekhananaev/claude-skills-vault

Comprehensive UX/UI evaluation meta-skill combining design theory and UX methodology. Use when conducting UI/UX audits, visual design reviews, accessibility compliance (WCAG 2.2), user flow analysis, responsive testing, interaction design evaluation, or design system audits. Evaluates using Nielsen's heuristics, Gestalt principles, typography theory, color theory, and modern methodologies (OOUX, JTBD, Cognitive Walkthrough).

ui-ux-pro-max

18
from georgekhananaev/claude-skills-vault

UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 9 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind, shadcn/ui). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient. Integrations: shadcn/ui MCP for component search and examples.

token-optimizer

18
from georgekhananaev/claude-skills-vault

Reduce token count in prompts, docs, and prose. Covers prompt compression (40-60% savings), doc formatting, TOON data serialization, and Strunk's prose clarity rules. Use when compressing prompts, optimizing docs for LLM context, or writing clear technical prose.

testing-automation-expert

18
from georgekhananaev/claude-skills-vault

Production-grade testing strategies for robust, maintainable systems. Covers unit/integration/E2E testing, contract testing, accessibility, mutation testing, and CI/CD patterns. Supports Python (pytest) and TypeScript (Jest/Vitest/Playwright).

test-levels

18
from georgekhananaev/claude-skills-vault

This skill explains the 3 test levels (Unit, Integration, E2E) using the "Building a Car" analogy and provides guidance on when to use each type. Includes project-specific Playwright examples.

terraform

18
from georgekhananaev/claude-skills-vault

Terraform infrastructure-as-code skills from HashiCorp. Covers HCL code generation with style conventions, testing with .tftest.hcl files, and module refactoring. Use when writing, reviewing, generating, or refactoring Terraform configurations, creating tests, or designing modules.

system-architect

18
from georgekhananaev/claude-skills-vault

System architecture skill for designing scalable, maintainable software systems. Covers microservices/monolith decisions, API design, DB selection, caching, security, and scalability planning.