From fold
Security audit skill — two-track architecture: Track A (tool-based: static analysis → decide) and Track B (AI-based: context → review → decide). Wraps Trail of Bits plugins for language-agnostic security auditing. Commands: /security-audit static, /security-audit context, /security-audit review, /security-audit diff, /security-audit variants, /security-audit decide, /security-audit finding, /security-audit entry-points, /security-audit compliance, /security-audit cycle
npx claudepluginhub roderik/fold --plugin foldThis skill is limited to using the following tools:
Security audit commands wrapping Trail of Bits plugins with project-specific context. Language and framework agnostic — works on any codebase.
Guides Next.js Cache Components and Partial Prerendering (PPR): 'use cache' directives, cacheLife(), cacheTag(), revalidateTag() for caching, invalidation, static/dynamic optimization. Auto-activates on cacheComponents: true.
Guides building MCP servers enabling LLMs to interact with external services via tools. Covers best practices, TypeScript/Node (MCP SDK), Python (FastMCP).
Share bugs, ideas, or general feedback.
Security audit commands wrapping Trail of Bits plugins with project-specific context. Language and framework agnostic — works on any codebase.
References (loaded by commands that need them):
references/finding-analysis.md — Finding Analysis shared procedure (FP gate, confidence scoring, classification)references/fix-now-procedure.md — Fix-Now shared procedure (eligibility, implementation, verification)Two independent tracks. They never call each other.
Track A (tool-based) Track B (AI-based)
───────────────────── ──────────────────
/security-audit static /security-audit context --scope <path>
→ Run static analysis tools → Build architectural context
→ Classify, dedup, assign scope → Map trust boundaries
→ Report findings
/security-audit entry-points --scope /security-audit review --scope <path>
→ Map attack surface → Full security review
→ Identify ungated entry points → Guidelines + sharp edges + patterns
→ Report findings with confidence
/security-audit decide
──────────────────────
→ Assess each finding
→ FP gate (3 checks)
→ Present recommendation to human
→ Register human's decision
/security-audit diff /security-audit variants --pattern <type>
→ Security diff review → Hunt similar vulnerabilities
→ Current branch vs base → Cross-codebase pattern search
/security-audit compliance --spec <reference>
→ Verify spec-to-code compliance
All tracks converge on /security-audit decide for assessment and human decision.
static/review creates finding →
decide assesses (read code, FP gate, confidence score) →
presents recommendation → human decides →
confirmed → fix (code changed, tests added)
false-positive → document and dismiss
accepted-risk → document rationale
fix-planned → track for later
staticRun static analysis tools on the codebase and report findings.
Usage: /security-audit static [--scope <path>]
Trail of Bits skill: static-analysis
Workflow:
--scope provided, limit analysis to that directory. Otherwise, analyze the full project.Skill({ skill: "static-analysis" }) scoped to the project/path.## Static Analysis Report
### Tools Run
| Tool | Version | Rules | Findings |
|------|---------|-------|----------|
### Critical Findings
| ID | Tool | File:Line | Rule | Description |
|----|------|-----------|------|-------------|
### High Findings
...
### Summary
- Total: N findings (X critical, Y high, Z medium)
- Files analyzed: N
- Deduplicated: N findings merged
entry-pointsMap the attack surface by identifying all externally reachable entry points.
Usage: /security-audit entry-points --scope <path>
Trail of Bits skill: entry-point-analyzer
Workflow:
--scope to determine which code to analyze.Skill({ skill: "entry-point-analyzer" }) scoped to the path.## Entry Points: <scope>
### Ungated (No Auth Required) — HIGH PRIORITY
| File | Function/Route | Input Sources | Risk |
|------|---------------|---------------|------|
### Authenticated
| File | Function/Route | Auth Method | Input Sources |
|------|---------------|-------------|---------------|
### Authorized (Role-Gated)
| File | Function/Route | Required Role | Input Sources |
|------|---------------|---------------|---------------|
### Summary
- Total entry points: N
- Ungated: N (priority review)
- Input validation coverage: N%
contextBuild deep architectural analysis context for a scope before vulnerability hunting.
Usage: /security-audit context --scope <path>
Trail of Bits skill: audit-context-building
Workflow:
--scope to determine analysis target.Skill({ skill: "audit-context-building" }) scoped to the path.## Audit Context: <scope>
### Architecture
- Dependency graph (internal + external)
- Data flow diagram
- Trust boundaries
### Trust Boundaries
- Authentication boundaries
- Authorization layers
- External service boundaries
- User input processing boundaries
### Data Flow
- Sensitive data paths (credentials, PII, tokens)
- State mutation paths
- External API interactions
### Attack Surface Summary
- External inputs: <list>
- Privileged operations: <list>
- Cryptographic operations: <list>
- File/network I/O: <list>
reviewFull security review combining guidelines, sharp edges, and pattern analysis.
Usage: /security-audit review --scope <path>
Trail of Bits skills: sharp-edges, audit-context-building
Workflow:
--scope to determine review target.context workflow internally to understand architecture.Skill({ skill: "sharp-edges" }) — identify dangerous APIs, footgun patterns, and common misuse.
b. Cross-reference with project-specific patterns:
references/finding-analysis.md): read source → trace data flow → FP gate (3 checks) → "Do Not Report" filters → confidence scoring → classification. Only findings with confidence >= 75 get fix recommendations.## Security Review: <scope>
### Critical Findings
| ID | Confidence | File:Line | Issue | Recommendation |
|----|------------|-----------|-------|----------------|
### High Findings
...
### Low-Confidence (below 60 — human review needed)
| ID | Confidence | File:Line | Issue | Why Low-Confidence |
|----|------------|-----------|-------|--------------------|
### Informational
...
diffSecurity-focused review of current branch changes.
Usage: /security-audit diff [--base <branch>]
Trail of Bits skill: differential-review
Workflow:
main (or master). Override with --base.git diff <base>...HEADSkill({ skill: "differential-review" }) with the diff and security context.## Differential Security Review
### Changed Files (security-relevant)
| File | Relevance | Change Summary |
|------|-----------|----------------|
### Security-Relevant Changes
| Severity | File:Line | Change | Risk | Recommendation |
|----------|-----------|--------|------|----------------|
### Dependency Changes
| Package | Old | New | Advisory Check |
|---------|-----|-----|----------------|
### Blast Radius
- Files changed: N (M security-relevant)
- New entry points: N
- Removed guards: N
variantsHunt for similar vulnerabilities across the codebase based on a known pattern.
Usage: /security-audit variants --pattern <type>
Trail of Bits skill: variant-analysis
Pattern types:
injection — SQL, command, path traversal, XSS, template injectionauth-bypass — Missing or incorrect authentication/authorization checksrace-condition — TOCTOU, double-spend, concurrent modificationcrypto-misuse — Weak algorithms, hardcoded keys, timing attacksinput-validation — Unchecked parameters, type confusion, overflowresource-exhaustion — Unbounded loops, memory allocation, file handlesinfo-leak — Sensitive data in logs, errors, responses, headersdeserialization — Untrusted deserialization, prototype pollutionWorkflow:
--pattern <type>.Skill({ skill: "variant-analysis" }) with:
--scope if provided)## Variant Analysis: <pattern-type>
### Known Pattern
<description of the vulnerability pattern being hunted>
### Instances Found
| ID | File:Line | Function | Confidence | Description |
|----|-----------|----------|------------|-------------|
### False Positives (reviewed and dismissed)
| File:Line | Function | Why Dismissed |
|-----------|----------|---------------|
### Recommendations
- <actionable recommendation per instance>
complianceVerify specification-to-code compliance.
Usage: /security-audit compliance --spec <reference>
Trail of Bits skill: spec-to-code-compliance
The --spec argument can be:
Workflow:
--spec to load the specification reference.Skill({ skill: "spec-to-code-compliance" }) with the spec and implementation.## Compliance Report: <spec-name>
### Specification Coverage
| Requirement | Implementation | Status | Notes |
|-------------|---------------|--------|-------|
### Deviations
| Requirement | Expected | Actual | Severity | Justification Needed |
|-------------|----------|--------|----------|---------------------|
### Extensions (beyond spec)
| Extension | Implementation | Deviation Risk |
|-----------|---------------|----------------|
decideAssess findings and register human decisions. Convergence point for all tracks.
Usage:
/security-audit decide — interactive: present each finding, ask for decision/security-audit decide --finding "<description>" — assess a specific findingTrail of Bits skills: sharp-edges (for assessment)
Decision types: confirmed, false-positive, accepted-risk, fix-planned, fix-now, wont-fix
Workflow:
Collect all unresolved findings from the current session or a previous audit report.
For each finding, execute the Finding Analysis shared procedure (see references/finding-analysis.md): read source → trace data flow → cross-reference project context → invoke sharp-edges → FP gate (3 checks) → "Do Not Report" filters → confidence scoring → classification.
Present assessment to the human. Always present the full analysis and wait for the human to decide. Never apply fixes before the human chooses fix-now.
If classification is confirmed AND the fix meets Fix-Now eligibility criteria (see references/fix-now-procedure.md), include a Proposed Fix section describing exactly what code changes would be made.
## Assessment: Finding #N
**File:** <file:line>
**Severity:** <severity>
**Confidence:** <score>/100
**Classification:** <confirmed|likely-fp|needs-context>
### Analysis
<key observations, data flow, FP gate results (1-2 sentences each)>
<source code observations with file:line references>
<confidence deductions with reasoning>
### Proposed Fix (if fix-now eligible)
**Eligible:** Yes | No (<reason>)
**Files:** <file paths that would be changed>
**Changes:** <description of what would be changed>
### Recommendation
**Suggested decision:** `<decision-type>`
**Rationale:** <why>
AskUserQuestion. Options must include the recommended decision (marked recommended) plus alternatives. If fix-now eligible, fix-now must be listed.fix-now → execute the Fix-Now Procedure (see references/fix-now-procedure.md): implement fix, run tests, report resultfix-planned → note for future workfalse-positive / wont-fix → document rationaleaccepted-risk → document rationale and risk acceptanceBatch mode (/security-audit decide with multiple findings): process in batches of 10 to prevent context exhaustion. Sort by severity (highest first). For each batch:
findingLog a single finding from manual code review. The agent reads the source, analyzes it, and reports it.
Usage: /security-audit finding
Workflow:
Gather the finding description via AskUserQuestion:
Run Finding Analysis (see references/finding-analysis.md): read source → FP gate → confidence scoring → classification.
Report the finding with full analysis context:
## Finding Created
**Title:** <title>
**Severity:** <severity>
**Confidence:** <score>/100
**Classification:** <confirmed|false-positive|by-design|needs-human-review>
### Analysis Summary
<FP gate results, confidence deductions, cross-references>
Next step: run `/security-audit decide` to register a decision on this finding.
cycleRun a full audit cycle. Orchestrates all commands into a comprehensive security audit.
Usage:
/security-audit cycle [--scope <path>] — full cycle/security-audit cycle --deep [--scope <path>] — full cycle with adversarial reasoning passWorkflow:
Phase 0 — Context loading.
Phase 1 — Automated analysis (sequential — findings inform each other):
/security-audit entry-points --scope <path>
/security-audit context --scope <path>
/security-audit static --scope <path>
/security-audit review --scope <path>
Phase 1.5 — Adversarial reasoning (--deep only). Spawn a separate agent that:
### Adversarial Reasoning FindingsThis phase catches logic bugs and economic exploits that structured scanning misses. Deliberately unstructured — the agent reasons freely.
Phase 2 — Cross-cutting analysis.
a. If the project implements a specification, run /security-audit compliance --spec <reference>
b. For each confirmed finding pattern from Phase 1, run /security-audit variants --pattern <type> to find similar vulnerabilities elsewhere
Phase 3 — Summary report.
## Audit Cycle: Complete
### Findings by Severity
| Severity | Count | Actionable (≥75 confidence) | Low-Confidence |
|----------|-------|----------------------------|----------------|
### Phase Results
| Phase | Command | Findings | Duration |
|-------|---------|----------|----------|
### Adversarial Findings (--deep only)
| ID | File:Line | Issue | Confidence |
|----|-----------|-------|------------|
### Next Steps
- Run `/security-audit decide` to assess and register decisions for all findings
- High-confidence findings: <list with file:line>
- Needs human review: <list with file:line>
--scope should understand the surrounding architecture, not just the scoped files.static, review, finding, or cycle goes through the full procedure in references/finding-analysis.md — FP gate, "Do Not Report" filters, confidence scoring, classification.false-positive without fix recommendations.low-confidence for human review. They do NOT get fix recommendations.decide presents recommendations and proposed fixes. Only fix-now (chosen by human) triggers the Fix-Now Procedure. The agent never applies fixes preemptively.static, finding) and Track B (cycle, review, diff, variants) are independent finding-creation tracks. /security-audit decide is the shared convergence point.--scope is provided, pass only the relevant files to the skill. Include dependencies for compilation/type-checking context but don't audit them.