By emarai
Comprehensive smart contract security toolkit based on Trail of Bits' Building Secure Contracts framework. Includes vulnerability scanners for 6 blockchains and 5 development guideline assistants.
Scans Algorand smart contracts for 11 common vulnerabilities including rekeying attacks, unchecked transaction fees, missing field validations, and access control issues. Use when auditing Algorand projects (TEAL/PyTeal). (project, gitignored)
Prepare your codebase for security review using Trail of Bits' checklist. Helps set review goals, runs static analysis tools, increases test coverage, removes dead code, ensures accessibility, and generates comprehensive documentation (flowcharts, user stories, inline comments). (project, gitignored)
Scans Cairo/StarkNet smart contracts for 6 critical vulnerabilities including felt252 arithmetic overflow, L1-L2 messaging issues, address conversion problems, and signature replay. Use when auditing StarkNet projects. (project, gitignored)
Systematic code maturity assessment using Trail of Bits' 9-category framework. Analyzes codebase for arithmetic safety, auditing practices, access controls, complexity, decentralization, documentation, MEV risks, low-level code, and testing. Produces professional scorecard with evidence-based ratings and actionable recommendations. (project, gitignored)
Scans Cosmos SDK blockchains for 9 consensus-critical vulnerabilities including non-determinism, incorrect signers, ABCI panics, and rounding errors. Use when auditing Cosmos chains or CosmWasm contracts. (project, gitignored)
Own this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimOwn this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimBased on adoption, maintenance, documentation, and repository signals. Not a security audit or endorsement.
A Claude Code plugin marketplace from Trail of Bits providing skills to enhance AI-assisted security analysis, testing, and development workflows.
/plugin marketplace add trailofbits/skills
/plugin menu
To add the marketplace locally (e.g., for testing or development), navigate to the parent directory of this repository:
cd /path/to/parent # e.g., if repo is at ~/projects/skills, be in ~/projects
/plugins marketplace add ./skills
| Plugin | Description |
|---|---|
| building-secure-contracts | Smart contract security toolkit with vulnerability scanners for 6 blockchains |
| entry-point-analyzer | Identify state-changing entry points in smart contracts for security auditing |
| Plugin | Description |
|---|---|
| audit-context-building | Build deep architectural context through ultra-granular code analysis |
| burpsuite-project-parser | Search and extract data from Burp Suite project files |
| differential-review | Security-focused differential review of code changes with git history analysis |
| insecure-defaults | Detect insecure default configurations, hardcoded credentials, and fail-open security patterns |
| semgrep-rule-creator | Create and refine Semgrep rules for custom vulnerability detection |
| semgrep-rule-variant-creator | Port existing Semgrep rules to new target languages with test-driven validation |
| sharp-edges | Identify error-prone APIs, dangerous configurations, and footgun designs |
| static-analysis | Static analysis toolkit with CodeQL, Semgrep, and SARIF parsing |
| testing-handbook-skills | Skills from the Testing Handbook: fuzzers, static analysis, sanitizers, coverage |
| variant-analysis | Find similar vulnerabilities across codebases using pattern-based analysis |
| Plugin | Description |
|---|---|
| constant-time-analysis | Detect compiler-induced timing side-channels in cryptographic code |
| property-based-testing | Property-based testing guidance for multiple languages and smart contracts |
| spec-to-code-compliance | Specification-to-code compliance checker for blockchain audits |
| Plugin | Description |
|---|---|
| fix-review | Verify fix commits address audit findings without introducing bugs |
| Plugin | Description |
|---|---|
| dwarf-expert | Interact with and understand the DWARF debugging format |
| Plugin | Description |
|---|---|
| firebase-apk-scanner | Scan Android APKs for Firebase security misconfigurations |
| Plugin | Description |
|---|---|
| ask-questions-if-underspecified | Clarify requirements before implementing |
| modern-python | Modern Python tooling and best practices with uv, ruff, and pytest |
| Plugin | Description |
|---|---|
| culture-index | Interpret Culture Index survey results for individuals and teams |
| Plugin | Description |
|---|---|
| claude-in-chrome-troubleshooting | Diagnose and fix Claude in Chrome MCP extension connectivity issues |
Bugs discovered using Trail of Bits Skills. Found something? Let us know!
When reporting bugs you've found, feel free to mention:
Found using Trail of Bits Skills
| Skill | Bug |
|---|---|
| constant-time-analysis | Timing side-channel in ML-DSA signing |
We welcome contributions! Please see CLAUDE.md for skill authoring guidelines.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Trail of Bits is a security research and consulting firm.
npx claudepluginhub emarai/skills --plugin building-secure-contractsSecurity-focused differential review of code changes with git history analysis and blast radius estimation
Property-based testing guidance for multiple languages and smart contracts
Detect compiler-induced timing side-channels in cryptographic code
Build deep architectural context through ultra-granular code analysis before vulnerability hunting
Verifies that code changes address security audit findings without introducing bugs
Comprehensive skill pack with 66 specialized skills for full-stack developers: 12 language experts (Python, TypeScript, Go, Rust, C++, Swift, Kotlin, C#, PHP, Java, SQL, JavaScript), 10 backend frameworks, 6 frontend/mobile, plus infrastructure, DevOps, security, and testing. Features progressive disclosure architecture for 50% faster loading.
Design fluency for frontend development. 1 skill with 23 commands (/impeccable polish, /impeccable audit, /impeccable critique, etc.) and curated anti-pattern detection.
Harness-native ECC operator layer - 67 agents, 278 skills, 94 legacy command shims, reusable hooks, rules, selective install profiles, and production-ready workflows for Claude Code, Codex, OpenCode, Cursor, and related agent harnesses
Lazy senior dev mode. Forces the simplest, shortest solution that actually works: YAGNI, stdlib first, no unrequested abstractions.
Behavioral guidelines to reduce common LLM coding mistakes, derived from Andrej Karpathy's observations on LLM coding pitfalls
Develop, test, build, and deploy Godot 4.x games with Claude Code. Includes GdUnit4 testing, web/desktop exports, CI/CD pipelines, and deployment to Vercel/GitHub Pages/itch.io.