From trailmark
Builds and queries multi-language source code graphs for security analysis. Includes pre-analysis passes for blast radius, taint propagation, privilege boundaries, and entry point enumeration. Use when analyzing call paths, mapping attack surface, finding complexity hotspots, enumerating entry points, tracing taint propagation, measuring blast radius, or building a code graph for audit prioritization. Prefer `trailmark.parse.detect_languages()` or `--language auto` when the target language is unknown or polyglot.
How this skill is triggered — by the user, by Claude, or both
Slash command
/trailmark:trailmarkThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Parses source code into a directed graph of functions, classes, calls, and
Parses source code into a directed graph of functions, classes, calls, and semantic metadata for security analysis.
diagramming-code skill or draw by hand)| Rationalization | Why It's Wrong | Required Action |
|---|---|---|
| "I'll just read the source files manually" | Manual reading misses call paths, blast radius, and taint data | Install trailmark and use the API |
| "Pre-analysis isn't needed for a quick query" | Blast radius, taint, and privilege data are only available after preanalysis() | Always run engine.preanalysis() before handing off to other skills |
| "The graph is too large, I'll sample" | Sampling misses cross-module attack paths | Build the full graph; use subgraph queries to focus |
| "Uncertain edges don't matter" | Dynamic dispatch is where type confusion bugs hide | Account for uncertain edges in security claims |
| "Single-language analysis is enough" | Polyglot repos have FFI boundaries where bugs cluster | Use the correct --language flag per component |
| "Complexity hotspots are the only thing worth checking" | Low-complexity functions on tainted paths are high-value targets | Combine complexity with taint and blast radius data |
MANDATORY: If uv run trailmark fails (command not found, import error,
ModuleNotFoundError), install trailmark before doing anything else:
uv pip install trailmark
DO NOT fall back to "manual verification", "manual analysis", or reading source files by hand as a substitute for running trailmark. The tool must be installed and used programmatically. If installation fails, report the error to the user instead of silently switching to manual code reading.
# Auto-detect and merge every supported language under the tree
uv run trailmark analyze --language auto --summary {targetDir}
# Explicit languages (single language or comma-separated list)
uv run trailmark analyze --language rust {targetDir}
uv run trailmark analyze --language python,rust {targetDir}
# Complexity hotspots
uv run trailmark analyze --language auto --complexity 10 {targetDir}
from trailmark.parse import detect_languages, supported_languages
from trailmark.query.api import QueryEngine
# Ask the installed Trailmark build what it supports
supported_languages()
detect_languages("{targetDir}")
# Prefer auto for unknown or polyglot trees; use explicit lists when needed
engine = QueryEngine.from_directory("{targetDir}", language="auto")
engine = QueryEngine.from_directory("{targetDir}", language="python,rust")
engine.callers_of("function_name")
engine.callees_of("function_name")
engine.paths_between("entry_func", "db_query")
engine.complexity_hotspots(threshold=10)
engine.attack_surface()
engine.summary()
engine.to_json()
# Run pre-analysis (blast radius, entrypoints, privilege
# boundaries, taint propagation)
result = engine.preanalysis()
# Query subgraphs created by pre-analysis
engine.subgraph_names()
engine.subgraph("tainted")
engine.subgraph("high_blast_radius")
engine.subgraph("privilege_boundary")
engine.subgraph("entrypoint_reachable")
# Add LLM-inferred annotations
from trailmark.models import AnnotationKind
engine.annotate("function_name", AnnotationKind.ASSUMPTION,
"input is URL-encoded", source="llm")
# Query annotations (including pre-analysis results)
engine.annotations_of("function_name")
engine.annotations_of("function_name",
kind=AnnotationKind.BLAST_RADIUS)
engine.annotations_of("function_name",
kind=AnnotationKind.TAINT_PROPAGATION)
Always run engine.preanalysis() before handing off to genotoxic or
diagramming-code skills. Pre-analysis enriches the graph with four passes:
Results are stored as annotations and named subgraphs on the graph.
For detailed documentation, see references/preanalysis-passes.md.
Do not hardcode a stale language table in downstream workflows. Ask the installed Trailmark build what it supports:
from trailmark.parse import detect_languages, supported_languages
supported_languages()
detect_languages("{targetDir}")
CLI patterns:
# Auto-detect and merge
uv run trailmark analyze --language auto {targetDir}
# Explicit list for a known polyglot target
uv run trailmark analyze --language python,rust {targetDir}
Node kinds: function, method, class, module, struct,
interface, trait, enum, namespace, contract, library,
template
Edge kinds: calls, inherits, implements, contains, imports
Edge confidence: certain (direct call, self.method()), inferred
(attribute access on non-self object), uncertain (dynamic dispatch)
assumption, precondition, postcondition, invariant,
blast_radius, privilege_boundary, taint_propagation, finding,
audit_note (last two set by augment_sarif / augment_weaudit)Declared contract vs. effective input domain: Trailmark separates what a function declares it accepts from what can actually reach it via call paths. Mismatches are where vulnerabilities hide:
Edge confidence: Dynamic dispatch produces uncertain edges. Account for
confidence when making security claims.
Subgraphs: Named collections of node IDs produced by pre-analysis.
Query with engine.subgraph("name"). Available after engine.preanalysis().
See references/query-patterns.md for common security analysis patterns.
See references/preanalysis-passes.md for pre-analysis pass documentation.
npx claudepluginhub sandbox-open-tools/skills --plugin trailmark2plugins reuse this skill
First indexed Jul 18, 2026
Guides completion of development work by verifying tests, detecting environment, and presenting structured options for merge, PR, or cleanup.
Enforces test-driven development: write failing test first, then minimal code to pass. Use when implementing features or bugfixes.
Guides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.