constant-time-analysis

Trail of Bits Skills Marketplace

A Claude Code plugin marketplace from Trail of Bits providing skills to enhance AI-assisted security analysis, testing, and development workflows.

Also see: claude-code-config · skills-curated · claude-code-devcontainer · dropkit

Installation

Claude Code Marketplace

/plugin marketplace add trailofbits/skills

Browse and Install Plugins

/plugin menu

Codex

Codex-native skill discovery is supported via the sidecar .codex/skills/ tree in this repository.

Install with:

git clone https://github.com/trailofbits/skills.git ~/.codex/trailofbits-skills
~/.codex/trailofbits-skills/.codex/scripts/install-for-codex.sh

See .codex/INSTALL.md for additional details.

Local Development

To add the marketplace locally (e.g., for testing or development), navigate to the parent directory of this repository:

cd /path/to/parent  # e.g., if repo is at ~/projects/skills, be in ~/projects
/plugins marketplace add ./skills

Available Plugins

Smart Contract Security

Plugin	Description
building-secure-contracts	Smart contract security toolkit with vulnerability scanners for 6 blockchains
entry-point-analyzer	Identify state-changing entry points in smart contracts for security auditing

Code Auditing

Plugin	Description
agentic-actions-auditor	Audit GitHub Actions workflows for AI agent security vulnerabilities
audit-context-building	Build deep architectural context through ultra-granular code analysis
burpsuite-project-parser	Search and extract data from Burp Suite project files
differential-review	Security-focused differential review of code changes with git history analysis
dimensional-analysis	Annotate codebases with dimensional analysis comments to detect unit mismatches and formula bugs
fp-check	Systematic false positive verification for security bug analysis with mandatory gate reviews
insecure-defaults	Detect insecure default configurations, hardcoded credentials, and fail-open security patterns
semgrep-rule-creator	Create and refine Semgrep rules for custom vulnerability detection
semgrep-rule-variant-creator	Port existing Semgrep rules to new target languages with test-driven validation
sharp-edges	Identify error-prone APIs, dangerous configurations, and footgun designs
static-analysis	Static analysis toolkit with CodeQL, Semgrep, and SARIF parsing
supply-chain-risk-auditor	Audit supply-chain threat landscape of project dependencies
testing-handbook-skills	Skills from the Testing Handbook: fuzzers, static analysis, sanitizers, coverage
trailmark	Code graph analysis, Mermaid diagrams, mutation testing triage, and protocol verification
variant-analysis	Find similar vulnerabilities across codebases using pattern-based analysis

Malware Analysis

Plugin	Description
yara-authoring	YARA detection rule authoring with linting, atom analysis, and best practices

Verification

Plugin	Description
constant-time-analysis	Detect compiler-induced timing side-channels in cryptographic code
mutation-testing	Configure mewt/muton mutation testing campaigns — scope targets, tune timeouts, optimize long runs
property-based-testing	Property-based testing guidance for multiple languages and smart contracts
spec-to-code-compliance	Specification-to-code compliance checker for blockchain audits
zeroize-audit	Detect missing or compiler-eliminated zeroization of secrets in C/C++ and Rust

Reverse Engineering

Plugin	Description
dwarf-expert	Interact with and understand the DWARF debugging format

Mobile Security