trailofbits/skills
These skills were imported into SkillJury from the public skills ecosystem.
fix-review
by trailofbits/skills
Differential analysis to verify commits address security findings without introducing bugs.
debug-buttercup
by trailofbits/skills
All pods run in namespace crs. Key services:
designing-workflow-skills
by trailofbits/skills
Build workflow-based skills that execute reliably by following structural patterns, not prose.
supply-chain-risk-auditor
by trailofbits/skills
Activates when the user says "audit this project's dependencies".
skill-improver
by trailofbits/skills
Iteratively improve a Claude Code skill using the skill-reviewer agent until it meets quality standards.
agentic-actions-auditor
by trailofbits/skills
Static security analysis guidance for GitHub Actions workflows that invoke AI coding agents. This skill teaches you how to discover workflow files locally or from remote GitHub repositories, identify AI action steps, follow cross-file references to composite actions and reusable workflows that may contain hidden AI...
let-fate-decide
by trailofbits/skills
When the path forward is unclear, let the cards speak.
seatbelt-sandboxer
by trailofbits/skills
Generate minimally-permissioned allowlist-based Seatbelt sandbox configurations for applications.
zeroize-audit
by trailofbits/skills
Detect missing zeroization of sensitive data in source code and identify zeroization that is removed or weakened by compiler optimizations (e.g., dead-store elimination), with mandatory LLVM IR/asm evidence. Capabilities include:
using-gh-cli
by trailofbits/skills
Always use gh instead of curl, wget, or WebFetch for GitHub URLs. The gh CLI uses the user's authenticated token automatically, so it:
fp-check
by trailofbits/skills
If you catch yourself thinking any of these, STOP.
ask-questions-if-underspecified
by trailofbits/skills
Use this skill when a request has multiple plausible interpretations or key details (objective, scope, constraints, environment, or safety) are unclear.
differential-review
by trailofbits/skills
Security-focused code review for PRs, commits, and diffs.
semgrep
by trailofbits/skills
Run a Semgrep scan with automatic language detection, parallel execution via Task subagents, and merged SARIF output.