Trail of Bits Security Skills
Comprehensive security analysis toolkit with 12+ specialized skills for code auditing, vulnerability detection, smart contract analysis, cryptographic review, and reverse engineering. Built by Trail of Bits, one of the most respected security research firms in the industry.
Description
A collection of security-focused skills that transform Claude Code into a specialized security auditor. Each skill targets a specific domain of security analysis, from web application vulnerabilities to smart contract exploits.
Instructions
Each skill file should be saved individually. Use the appropriate skill by invoking its slash command during a security review session.
Available Skills
1. Code Audit (/security-audit)
Performs comprehensive security review of source code, identifying OWASP Top 10 vulnerabilities, injection flaws, authentication weaknesses, and insecure configurations.
2. Vulnerability Scanner (/vuln-scan)
Scans dependencies for known CVEs using package manifests (package.json, requirements.txt, Cargo.toml). Cross-references with NVD and GitHub Advisory databases.
3. Smart Contract Audit (/contract-audit)
Analyzes Solidity/Vyper contracts for reentrancy, integer overflow, access control, and gas optimization issues. References common attack patterns from SWC Registry.
4. Cryptographic Review (/crypto-review)
Reviews cryptographic implementations for weak algorithms, improper key management, insufficient entropy, and timing side-channels.
5. API Security (/api-security)
Audits REST/GraphQL APIs for authentication bypass, authorization flaws, rate limiting gaps, injection points, and data exposure.
6. Binary Analysis (/binary-analysis)
Analyzes compiled binaries for exploit primitives, memory corruption vulnerabilities, and reverse engineering insights.
7. Supply Chain (/supply-chain)
Evaluates dependency trees for supply chain risks, typosquatting, maintainer compromises, and excessive permissions.
8. Threat Model (/threat-model)
Generates STRIDE-based threat models for system architectures, identifying attack surfaces and recommending mitigations.
Rules
- Always report findings with severity levels (Critical, High, Medium, Low, Info)
- Include CWE identifiers for each vulnerability class
- Provide specific remediation steps, not just descriptions
- Never auto-fix security issues without explicit approval
- Flag false positives clearly and explain reasoning
- Reference OWASP, CWE, and NIST standards where applicable
Examples
Running a Code Audit
> /security-audit src/auth/
## Security Audit Results: src/auth/
### CRITICAL: SQL Injection in login handler
- **File**: src/auth/login.ts:42
- **CWE**: CWE-89
- **Finding**: User input directly interpolated into SQL query
- **Fix**: Use parameterized queries
### HIGH: Weak password hashing
- **File**: src/auth/password.ts:15
- **CWE**: CWE-916
- **Finding**: Using MD5 for password hashing
- **Fix**: Migrate to bcrypt/argon2
Threat Modeling
> /threat-model --architecture microservices --diagram arch.png
## STRIDE Threat Model
| Threat | Component | Risk | Mitigation |
|--------|-----------|------|------------|
| Spoofing | API Gateway | High | Implement mTLS between services |
| Tampering | Message Queue | Medium | Sign messages with HMAC |
Reviews
No reviews yet. Be the first to review this template!
Similar Templates
Full-Stack Code Reviewer
Comprehensive code review skill that checks for security vulnerabilities, performance issues, accessibility, and best practices across frontend and backend code.
Test Suite Generator
Generates comprehensive test suites with unit tests, integration tests, and edge cases. Supports Jest, Vitest, Pytest, and Go testing.
Pro Architecture Workspace
Battle-tested skill for architectural, decision, making, framework. Includes structured workflows, validation checks, and reusable patterns for development.