trailofbits-security
# Trail of Bits Security Skills
Security-focused static analysis and code auditing toolkit from Trail of Bits.
## Available Sub-Skills
| Skill | File | Use When |
|---|---|---|
| CodeQL Analysis | codeql-SKILL.md | Deep interprocedural taint tracking, data flow analysis |
| Semgrep Scanning | semgrep-SKILL.md | Fast pattern-based security scanning with parallel execution |
| SARIF Parsing | sarif-parsing-SKILL.md | Processing and aggregating static analysis results |
## When to Use
- Security audit of a codebase -> Start with Semgrep for speed, then CodeQL for depth
- Quick vulnerability scan -> Semgrep with "important only" mode
- Deep data flow analysis -> CodeQL with custom data extensions
- Processing scan results -> SARIF parsing for aggregation, deduplication, CI/CD integration
## Workflow
- Run Semgrep first for a fast, pattern-based initial scan; write the results as SARIF (`--sarif`) so the later steps can consume them
- Run CodeQL for deep interprocedural analysis (data flow and taint tracking); emit SARIF here too (`--format=sarif-latest`)
- Use SARIF parsing to aggregate both result sets, deduplicate repeated findings, and prioritize them
- Review and triage the merged results by severity, highest first
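The aggregation step of the workflow above, as an added example (this is not code from trailofbits/skills or from either scanner). It reads SARIF 2.1.0 logs of the shape Semgrep and CodeQL produce, resolves each result's level from the rule metadata when the result omits it, drops exact duplicates, groups the survivors by file and line so a location flagged by both tools becomes one entry, and sorts by severity with multi-tool corroboration as a tie-breaker. The two SARIF documents embedded below are constructed samples; their rule IDs, paths and messages are illustrative.

```python
"""Merge, deduplicate and prioritize SARIF results from several scanners."""
import json

# SARIF result levels, lowest number = highest priority.
LEVEL_RANK = {"error": 0, "warning": 1, "note": 2, "none": 3}

# Constructed sample standing in for `semgrep --sarif` output (not real scanner output).
SEMGREP_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Semgrep", "rules": [
            {"id": "python.sqli", "defaultConfiguration": {"level": "error"}},
            {"id": "python.weak-hash", "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            {"ruleId": "python.sqli", "level": "error",
             "message": {"text": "SQL built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"}, "region": {"startLine": 42}}}]},
            # Same finding reported a second time with a "./" path, as overlapping rulesets do.
            {"ruleId": "python.sqli", "level": "error",
             "message": {"text": "SQL built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "./src/db.py"}, "region": {"startLine": 42}}}]},
            {"ruleId": "python.weak-hash",  # no level: falls back to the rule default
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/auth.py"}, "region": {"startLine": 10}}}]},
        ]}]})

# Constructed sample standing in for `codeql database analyze --format=sarif-latest` output.
CODEQL_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL", "rules": [
            {"id": "py/sql-injection", "defaultConfiguration": {"level": "error"}},
            {"id": "py/clear-text-logging", "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            {"ruleId": "py/sql-injection",
             "message": {"text": "This query depends on a user-provided value."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"}, "region": {"startLine": 42}}}]},
            {"ruleId": "py/clear-text-logging", "level": "note",  # result level overrides rule default
             "message": {"text": "Sensitive data logged in clear text."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/auth.py"}, "region": {"startLine": 55}}}]},
        ]}]})


def iter_results(sarif_text):
    """Yield one flat dict per SARIF result, with the level resolved from the
    rule's defaultConfiguration when the result itself carries none."""
    doc = json.loads(sarif_text)
    for run in doc.get("runs", []):
        driver = run["tool"]["driver"]
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res["ruleId"], {})
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            phys = res["locations"][0]["physicalLocation"]
            uri = phys["artifactLocation"]["uri"]
            yield {
                "tool": driver["name"],
                "rule": res["ruleId"],
                "level": level,
                "file": uri[2:] if uri.startswith("./") else uri,  # "./src/x" and "src/x" are the same file
                "line": phys["region"]["startLine"],
                "message": res["message"]["text"],
            }


def aggregate(*sarif_texts):
    """Drop exact duplicates (same tool, rule, file, line), then group the rest by
    location so one line flagged by several tools becomes a single entry."""
    seen, by_location = set(), {}
    for text in sarif_texts:
        for r in iter_results(text):
            key = (r["tool"], r["rule"], r["file"], r["line"])
            if key in seen:
                continue
            seen.add(key)
            entry = by_location.setdefault(
                (r["file"], r["line"]),
                {"file": r["file"], "line": r["line"], "level": "none", "findings": []})
            entry["findings"].append(r)
            if LEVEL_RANK.get(r["level"], 1) < LEVEL_RANK[entry["level"]]:
                entry["level"] = r["level"]  # an entry takes the most severe level among its findings
    return prioritize(list(by_location.values()))


def prioritize(entries):
    """Most severe first; within a level, locations corroborated by more tools first."""
    return sorted(entries, key=lambda e: (
        LEVEL_RANK.get(e["level"], 1),
        -len({f["tool"] for f in e["findings"]}),
        e["file"], e["line"]))


def gate(entries, fail_on="error"):
    """CI gate: True when any entry is at or above the fail_on level."""
    return any(LEVEL_RANK.get(e["level"], 1) <= LEVEL_RANK[fail_on] for e in entries)


if __name__ == "__main__":
    merged = aggregate(SEMGREP_SARIF, CODEQL_SARIF)
    for e in merged:
        tools = ", ".join(sorted({f["tool"] for f in e["findings"]}))
        print(f"[{e['level']:7}] {e['file']}:{e['line']}  ({tools})")
    raise SystemExit(1 if gate(merged) else 0)
```

Deduplicating by rule ID only works within one tool, since Semgrep and CodeQL name equivalent checks differently; grouping by location is what lets the triager see both reports for the same line together, and the tool-count tie-breaker pushes those corroborated findings to the top of the queue.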
## Source
From trailofbits/skills - the static-analysis plugin.