Security skills for static analysis with CodeQL/Semgrep, code auditing, and vulnerability detection.
What it does
Generic security advice from Claude is surface-level: "validate inputs", "use parameterised queries", "don't store passwords in plaintext." Trail of Bits is one of the world's most respected security research firms — they've audited Ethereum's core contracts, Mozilla Firefox, and hundreds of other critical systems. This skill loads their actual code review methodology: CodeQL and Semgrep query patterns for systematic static analysis, the specific vulnerability classes they look for in smart contracts and systems code, and the audit documentation format they use in real engagements. Made by Trail of Bits.
Use case
Security-critical code review: smart contracts before deployment, cryptographic implementations, authentication systems, or any code where a vulnerability has significant consequences. This is institutional security research firm knowledge, not generic advice.
"Audit this smart contract using the Trail of Bits methodology."
"Write a Semgrep rule to detect this vulnerability pattern across the codebase."
"Review this authentication implementation — what would Trail of Bits flag?"
"Generate a CodeQL query to find all instances of this vulnerable pattern."
"Write a security audit finding for this vulnerability in the standard format."
Provide the code to audit and describe the security context — what it does, what assets it protects.
Claude applies the Trail of Bits review methodology: systematic analysis, not opportunistic pattern-matching.
For static analysis: Claude generates Semgrep or CodeQL rules you can run across the entire codebase.
Input
Code to audit and context about what it does and what assets it protects.
Output
Security audit findings in the Trail of Bits format: vulnerability description, severity, impact, proof of concept, and recommended remediation. Semgrep or CodeQL rules for systematic detection.
npx skillsadd trailofbits/skills/trail-of-bits-security
Requires skills.sh CLI