Security
51 skills in this category
affaan-m
Passed
Security Review
A comprehensive security review skill that provides checklists and code examples for secure coding practices. It covers secrets management, input validation, SQL injection prevention, XSS/CSRF protection, authentication, rate limiting, cloud IAM, logging, CI/CD pipeline security, and disaster recovery. This is purely educational documentation with no executable code.
Security, Best Practices, Checklist, +3
35232.2k
wshobson
Passed
stride-analysis-patterns
Applies the STRIDE methodology (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to systematically identify security threats. Provides templates for threat model documents, Python code examples for building automated analysis tools, and guidance for conducting threat modeling sessions.
Security, Threat Modeling, Stride, +3
51327.0k
wshobson
Passed
pci-compliance
This skill provides comprehensive guidance for implementing PCI DSS (Payment Card Industry Data Security Standard) compliance. It covers the 12 core requirements, tokenization strategies using payment processors like Stripe, encryption for data at rest and in transit, access control patterns, and audit logging best practices for secure payment processing.
Pci Dss, Payment Security, Compliance, +3
87527.0k
wshobson
Passed
sast-configuration
This skill guides the setup and configuration of Static Application Security Testing (SAST) tools including Semgrep, SonarQube, and CodeQL. It helps developers integrate security scanning into CI/CD pipelines, create custom security rules, and establish quality gates for vulnerability detection across multiple programming languages.
Sast, Security Scanning, Devsecops, +3
31927.0k
wshobson
Passed
solidity-security
A comprehensive guide to smart contract security for Solidity developers. Covers critical vulnerabilities like reentrancy, integer overflow, and access control issues, along with secure coding patterns, gas optimization techniques, and testing strategies for blockchain applications.
Solidity, Smart Contracts, Blockchain, +3
57427.0k
wshobson
Passed
Anti Reversing Techniques
A comprehensive security research reference skill that documents anti-reversing techniques, binary analysis patterns, memory forensics with Volatility, and protocol reverse engineering. Designed for authorized security professionals conducting malware analysis, incident response, firmware security audits, and CTF competitions.
Reverse Engineering, Malware Analysis, Memory Forensics, +3
9827.0k
wshobson
Passed
Attack Tree Construction
This skill provides comprehensive security threat modeling capabilities using the STRIDE methodology. It helps security professionals build attack trees to visualize threat paths, map threats to security controls, extract security requirements from threat models, and configure SAST tools for automated vulnerability detection.
Threat Modeling, Stride, Security Analysis, +3
33927.0k
trailofbits
Passed
Semgrep
A comprehensive guide for using Semgrep, a fast static analysis tool for finding bugs and security vulnerabilities. Covers installation, custom rule writing, CI/CD integration with GitHub Actions, and best practices for security scanning without sharing code with third parties.
Security, Static Analysis, Code Scanning, +3
1412.1k
trailofbits
Passed
Codeql
CodeQL is a powerful static analysis framework that queries code as a database for security vulnerabilities and code patterns. This skill provides comprehensive documentation on creating CodeQL databases, writing custom queries, integrating with CI/CD pipelines, and using the framework for interprocedural control flow and data flow analysis across C/C++, Go, Java, JavaScript, Python, and other supported languages.
Security, Static Analysis, Codeql, +3
862.1k
trailofbits
Passed
Variant Analysis
A variant analysis skill that helps security researchers find similar vulnerabilities across a codebase after discovering an initial bug. It provides a structured methodology for pattern-based searching, ready-to-use Semgrep rule templates for multiple languages (Python, JavaScript, Java, Go, C++), and documentation templates for tracking findings.
Security, Variant Analysis, Semgrep, +3
492.1k
trailofbits
Passed
Wycheproof
Wycheproof is a documentation skill that teaches developers how to validate cryptographic implementations using test vectors. It covers testing workflows for AES-GCM, ECDSA, ECDH, RSA, and other algorithms, with examples in Python and JavaScript.
Cryptography, Testing, Security, +2
1062.1k
trailofbits
Passed
Testing Handbook Generator
This skill automates the creation of Claude Code skills from the Trail of Bits Testing Handbook (appsec.guide). It analyzes handbook content for security testing tools (static analysis, fuzzers), techniques (sanitizers, coverage), and domains (cryptography, web security), then generates properly structured skills using templates. The generator includes a two-pass system for content and cross-references, automated validation, and self-improvement workflows.
Security Testing, Skill Generator, Fuzzing, +3
742.1k
trailofbits
Passed
Ruzzy
Ruzzy is a reference skill that teaches how to use Trail of Bits' coverage-guided Ruby fuzzer. It provides installation instructions, harness writing patterns, and sanitizer configuration for finding memory corruption bugs in Ruby code and C extensions.
Fuzzing, Ruby, Security Testing, +3
582.1k
trailofbits
Passed
Ossfuzz
OSS-Fuzz is a technique skill that guides users through setting up continuous fuzzing for open source projects using Google's free distributed infrastructure. It covers project enrollment, running harnesses locally with the helper.py CLI, coverage analysis, and integrating with multiple fuzzing engines including libFuzzer, AFL++, and Atheris for Python projects.
Fuzzing, Security Testing, Oss Fuzz, +3
12512.1k
trailofbits
Passed
Libfuzzer
A comprehensive reference guide for libFuzzer, the LLVM-integrated coverage-guided fuzzer for C/C++ projects. Covers harness writing, compilation, corpus management, sanitizer integration, and running fuzzing campaigns with practical examples and troubleshooting tips.
Fuzzing, Security Testing, C Cpp, +3
592.1k
trailofbits
Passed
Libafl
LibAFL is a comprehensive guide for using the modular LibAFL fuzzing library. It covers installation, writing fuzz harnesses, building custom fuzzers in Rust, and running fuzzing campaigns with features like multi-core support, dictionary fuzzing, and crash deduplication.
Fuzzing, Security Testing, Rust, +3
592.1k
trailofbits
Passed
Harness Writing
A comprehensive guide for writing effective fuzzing harnesses in C++, Rust, and Go. Covers harness patterns, input structuring with FuzzedDataProvider, tool-specific guidance for libFuzzer, AFL++, cargo-fuzz, and go-fuzz, plus troubleshooting tips.
Fuzzing, Security Testing, Harness Writing, +3
4022.1k
trailofbits
Passed
Fuzzing Obstacles
This skill teaches developers techniques for modifying source code to overcome common fuzzing obstacles. It covers conditional compilation patterns in C/C++ and Rust to bypass checksums, deterministic PRNG seeding, and validation checks during fuzzing builds while preserving production behavior.
Fuzzing, Security Testing, C Cpp, +3
592.1k
trailofbits
Passed
Fuzzing Dictionary
This skill provides comprehensive guidance on creating fuzzing dictionaries - specialized files containing domain-specific tokens that help fuzzers discover bugs in parsers, protocols, and file format handlers. It covers dictionary format syntax, generation methods from various sources (LLM, headers, binaries), and integration with popular fuzzers like libFuzzer, AFL++, and cargo-fuzz.
Fuzzing, Security Testing, Dictionary, +3
992.1k
trailofbits
Passed
Coverage Analysis
A comprehensive guide to code coverage analysis during fuzzing. It explains how to instrument code with LLVM or GCC coverage flags, generate coverage reports, and interpret results to improve fuzzing harness effectiveness and identify hard-to-reach code paths.
Fuzzing, Coverage, Security Testing, +3
662.1k
trailofbits
Passed
Constant Time Testing
A comprehensive guide for auditing cryptographic code for timing side-channel vulnerabilities. It covers constant-time testing theory, common vulnerability patterns like secret-dependent branches and cache-timing attacks, and provides practical workflows using tools like dudect for statistical analysis and timecop for dynamic tracing.
Cryptography, Security Testing, Timing Attacks, +3
492.1k
trailofbits
Passed
Atheris
Atheris is a comprehensive reference skill for Python fuzzing using Google's Atheris library. It provides installation guides, harness writing patterns, Docker configurations, corpus management strategies, and AddressSanitizer integration for detecting memory corruption in Python code and C extensions.
Fuzzing, Python, Security Testing, +3
5762.1k
trailofbits
Passed
Aflpp
AFL++ is a documentation skill that teaches how to use the AFL++ fuzzer for finding bugs in C/C++ code. It covers installation, harness writing, compilation, multi-core fuzzing campaigns, sanitizer integration, and coverage analysis with practical examples.
Fuzzing, Security Testing, C Cpp, +3
2362.1k
trailofbits
Passed
Address Sanitizer
This skill provides comprehensive documentation on AddressSanitizer (ASan), a memory error detection tool used during software testing and fuzzing. It covers compilation flags, configuration options, integration with popular fuzzing tools (libFuzzer, AFL++, cargo-fuzz, honggfuzz), and troubleshooting guidance.
Security Testing, Fuzzing, Memory Safety, +3
4922.1k
trailofbits
Passed
Spec To Code Compliance
Guides blockchain auditors through verifying that smart contract code implements exactly what specification documents describe. Uses a 6-phase methodology with intermediate representations to systematically compare whitepapers and design docs against actual code implementation, identifying gaps, mismatches, and undocumented behavior.
Blockchain, Smart Contracts, Security Audit, +3
4692.1k
trailofbits
Passed
Sarif Parsing
A comprehensive skill for parsing and analyzing SARIF (Static Analysis Results Interchange Format) files from security scanning tools. It provides ready-to-use jq queries, Python helper functions for extracting findings, and best practices for aggregating, deduplicating, and integrating SARIF data into CI/CD pipelines.
Sarif, Security, Static Analysis, +3
822.1k
trailofbits
Passed
Sharp Edges
Sharp Edges is a security analysis skill that identifies error-prone APIs, dangerous configurations, and footgun designs that enable developer mistakes. It provides comprehensive reference documentation covering cryptographic API pitfalls, configuration security patterns, authentication footguns, and language-specific sharp edges across 11 programming languages.
Security, Api Design, Code Review, +3
842.1k
trailofbits
Passed
Semgrep Rule Variant Creator
This skill helps security engineers port existing Semgrep rules to new programming languages. It provides a structured 4-phase workflow including applicability analysis, test-first development, rule creation, and validation. The skill includes detailed guidance for translating patterns between languages and ensuring rules are properly tested.
Semgrep, Security, Static Analysis, +3
2892.1k
trailofbits
Passed
Semgrep Rule Creator
This skill guides users through creating production-quality Semgrep rules for detecting security vulnerabilities and bug patterns. It follows a test-first approach: write test cases, analyze AST structure, write the rule, and iterate until all tests pass. Supports both taint mode for data flow analysis and pattern matching for syntactic detection.
Semgrep, Security Scanning, Static Analysis, +3
542.1k
trailofbits
Passed
Entry Point Analyzer
Entry Point Analyzer is a security auditing skill for smart contracts. It systematically identifies all state-changing entry points (externally callable functions that modify state) in smart contract codebases across Solidity, Vyper, Solana, Move, TON, and CosmWasm. The skill classifies each entry point by access control level and generates structured audit reports to guide security analysis.
Smart Contracts, Security Audit, Solidity, +3
702.1k