Agents
Why Implexa
Pricing
Resources
Install
Sign in
Sign up
back to leaderboard
TR
@trailofbits
contributor on implexa, with 75 skills ranked by
SkillRank
across 1 source.
trailofbits on github
publishes to skills.sh
skills, ranked by SkillRank
score
source
skill
8.2
skills.sh
sharp-edges
sharp-edges identifies api and configuration designs that enable developer misuse by analyzing algorithm selection footguns, dangerous defaults, type confusion, and silent failures. applies systematic threat modeling across three adversary personas.
7.9
skills.sh
substrate-vulnerability-scanner
substrate-vulnerability-scanner systematically detects 7 critical vulnerability patterns in Substrate/FRAME pallets including arithmetic overflow, panic dos, weight miscalculation, and origin validation failures. targets auditors reviewing custom runtime code before chain launch.
7.8
skills.sh
sarif-parsing
sarif-parsing provides comprehensive strategies for extracting, aggregating, and deduplicating static analysis findings using jq, python libraries, and fingerprinting techniques. covers path normalization, schema validation, and ci/cd integration patterns.
7.8
skills.sh
solana-vulnerability-scanner
solana-vulnerability-scanner audits native and anchor solana programs for 6 critical vulnerability patterns including arbitrary cpi, improper pda validation, missing signer and ownership checks, sysvar spoofing, and instruction introspection flaws. includes detection patterns, remediation code, and testing strategies.
7.6
skills.sh
semgrep-rule-variant-creator
semgrep-rule-variant-creator ports existing semgrep rules to new languages through mandatory applicability analysis, test-first validation, ast-aware rule translation, and per-language independent cycles. enforces strict test passage before output.
7.3
skills.sh
codeql
codeql performs interprocedural security vulnerability scanning across eight languages using data flow analysis, database quality checks, and custom query suites to avoid silent result filtering.
7.2
skills.sh
audit-context-building
audit-context-building establishes a structured, line-by-line code analysis discipline for building stable architectural understanding before vulnerability discovery, using first-principles reasoning and explicit invariant tracking across function and module boundaries.
7.2
skills.sh
supply-chain-risk-auditor
supply-chain-risk-auditor evaluates project dependencies against six specific risk criteria (single maintainer, unmaintained status, low popularity, high-risk features, past cves, absent security contact) and generates a structured report with flagged dependencies and suggested alternatives.
7.2
skills.sh
harness-writing
harness-writing covers fuzzing harness design across c/c++, rust, go, and python with entry point patterns, input parsing strategies, and tool-specific implementations for libfuzzer, afl++, cargo-fuzz, and go-fuzz.
7.2
skills.sh
semgrep
semgrep runs parallel static analysis with automatic language detection, pro cross-file taint tracking fallback to oss mode, and merged sarif output. requires explicit user approval before execution.
7.1
skills.sh
fp-check
fp-check systematically verifies suspected security bugs through structured claim analysis, data flow tracing, and evidence-based verdicts. covers standard and deep verification paths with explicit rejection criteria and false positive pattern detection.
6.8
skills.sh
token-integration-analyzer
token-integration-analyzer systematically identifies token security risks across erc20/erc721 implementations and integrations using trail of bits methodology, detects 24+ non-standard token behaviors, and delivers prioritized remediation guidance with defensive transfer patterns.
6.3
skills.sh
ton-vulnerability-scanner
ton-vulnerability-scanner identifies three security patterns in ton smart contracts (integer-as-boolean misuse, fake jetton handlers, unsafe gas forwarding). detects funC code via file extensions and project structure, then surfaces vulnerable code with pocs and fix recommendations.
6.2
skills.sh
testing-handbook-generator
meta-skill for generating security testing skills from the trail of bits handbook via two-pass content generation and cross-reference population, with detailed phase workflows and template application rules.
6.2
skills.sh
property-based-testing
property-based-testing guides developers to apply generative test strategies across serialization, parsing, validation, smart contracts and mathematical code. detection triggers identify high-value candidates for stronger coverage than example tests.
6.2
skills.sh
guidelines-advisor
guidelines-advisor audits smart contract codebases against trail of bits security practices, generating documentation, architecture analysis, and prioritized remediation across 11 assessment areas with file-level specificity.
5.9
skills.sh
agentic-actions-auditor
agentic-actions-auditor provides conceptual framing for auditing github actions workflows that invoke ai coding agents, but omits concrete procedural steps and concrete examples of detected vulnerabilities.
5.7
skills.sh
dwarf-expert
dwarf-expert covers the dwarf debug format standard (v3-v5) including file parsing, standard questions, and code interaction. scope is deliberately bounded away from compilers, runtime debugging, and reverse engineering tools.
5.5
skills.sh
secure-workflow-guide
secure-workflow-guide covers smart contract security through slither scanning, architectural diagram generation, property documentation, and manual review guidance aligned with trail of bits' methodology.
5.3
skills.sh
second-opinion
second-opinion delegates code review to external llm cli tools (openai codex or google gemini) on git diffs and uncommitted changes. useful for cross-model validation and specific review angles before pr submission.
5.2
skills.sh
fuzzing-obstacles
fuzzing-obstacles documents conditional compilation patterns to disable checksums, global state dependencies, and validation barriers in code under test, enabling deeper fuzzer coverage without altering production builds.
5.1
skills.sh
trailmark
trailmark builds directed graphs of source code structure (functions, classes, calls, metadata) for security analysis, audit prep, and attack surface mapping across multiple languages.
5.1
skills.sh
firebase-apk-scanner
firebase-apk-scanner extracts firebase configuration from decompiled android apks and tests realtime databases, firestore, storage, and cloud functions for unauthenticated access, with fallback curl procedures for failed automated scans.
5.1
skills.sh
code-maturity-assessor
code-maturity-assessor applies trail of bits' 9-category framework to evaluate blockchain codebases, mapping security posture against arithmetic safety, auditing, access controls, and other engineering dimensions. output is a scored maturity card with improvement roadmap.
4.9
skills.sh
mutation-testing
mutation-testing provides trigger patterns and scope bounds for configuring mewt/muton campaigns across multiple languages, but lacks substantive procedural steps, failure handling, or concrete workflow examples.
4.9
skills.sh
insecure-defaults
insecure-defaults identifies configuration vulnerabilities where applications default to weak or missing secrets rather than failing safely. detects fail-open patterns in env variable handling and hardcoded credentials across audit and deployment contexts.
4.9
skills.sh
aflpp
aflpp enables multi-core fuzzing campaigns for c/c++ codebases using diverse mutation strategies, positioned as a mature alternative to libfuzzer for throughput-constrained projects.
4.8
skills.sh
cosmos-vulnerability-scanner
cosmos-vulnerability-scanner audits cosmos sdk modules and cosmwasm contracts against consensus-critical failures (chain halts, fund loss, state divergence). supports go and rust with parallel specialised agents and structured remediation output.
4.8
skills.sh
gh-cli
gh-cli redirects github-bound workflows from curl/fetch to authenticated gh command patterns. covers repos, prs, issues, and releases but lacks implementation detail.
4.2
skills.sh
entry-point-analyzer
entry-point-analyzer documents a workflow for identifying state-changing external functions in smart contracts during security audits. the skill lacks actionable steps, specific detection methods, or guidance on edge cases like proxy patterns or delegatecall risks.
4.2
skills.sh
ossfuzz
ossfuzz documents the infrastructure and configuration needed for continuous fuzzing enrollment, covering base images, harness building, and project metadata, but lacks actionable enrollment procedures.
4.1
skills.sh
graph-evolution
graph-evolution builds code graphs at two snapshots and surfaces structural diffs, capturing security-relevant changes like attack paths and taint shifts that text diffs miss.
3.9
skills.sh
let-fate-decide
let-fate-decide uses tarot card draws to introduce structured randomness into ambiguous planning decisions. interprets spreads via the 12 houses of the zodiac framework but lacks automation integration and decision-mapping logic.
3.8
skills.sh
dimensional-analysis
dimensional-analysis provides a workflow controller for unit and dimension tracking across numeric codebases, delegating annotation and validation to subagents. intended for defi, financial, and scientific code audits where unit mismatches cause bugs.
3.8
skills.sh
diagramming-code
diagramming-code converts code graph metadata into mermaid diagrams. claude selects diagram types and parameters while delegating syntax generation to a pre-made script. five use cases documented, none explicitly excluded.
3.5
skills.sh
c-review
c-review orchestrates multi-agent security analysis of c/c++ code for memory corruption and platform vulnerabilities via worker subagents and deduplication/false-positive filtering, but lacks concrete step-by-step procedure and decision logic.
3.3
skills.sh
address-sanitizer
address-sanitizer documents memory error detection via compile-time instrumentation and shadow memory tracking, but lacks actionable procedure, trigger conditions, and failure mode coverage.
2.9
skills.sh
atheris
atheris is a coverage-guided fuzzer for python code and c extensions, providing memory corruption detection via integrated AddressSanitizer support, but lacks actionable setup and execution guidance.
2.8
skills.sh
ruzzy
ruzzy is a coverage-guided fuzzer for ruby built on libfuzzer, supporting pure ruby code and c extensions with sanitizer integration for memory corruption detection.
—
skills.sh
vector-forge
Mutation-driven test vector generation. Finds implementations of a cryptographic algorithm or protocol, runs mutation testing to identify escaped mutants, then…
—
skills.sh
genotoxic
Graph-informed mutation testing triage. Parses codebases with Trailmark, runs mutation testing and necessist, then uses survived mutants, unnecessary test…
—
skills.sh
mermaid-to-proverif
Translates Mermaid sequenceDiagrams describing cryptographic protocols into ProVerif formal verification models (.pv files). Use when generating a ProVerif…
—
skills.sh
trailmark-structural
Runs full Trailmark structural analysis on Trailmark 0.2.x by building a graph, running `preanalysis()`, and reporting hotspots, taint, blast radius, privilege…
—
skills.sh
trailmark-summary
Runs a Trailmark summary analysis on a codebase. Returns auto-detected languages, entry point count, and dependency list. Use when vivisect or galvanize needs…
—
skills.sh
audit-augmentation
Augments Trailmark code graphs with external audit findings from SARIF static analysis results and weAudit annotation files. Maps findings to graph nodes by…
—
skills.sh
crypto-protocol-diagram
Extracts protocol message flow from source code, RFCs, academic papers, pseudocode, informal prose, ProVerif (.pv), or Tamarin (.spthy) models and generates…
—
skills.sh
claude-in-chrome-troubleshooting
Diagnose and fix Claude in Chrome MCP extension connectivity issues. Use when mcp__claude-in-chrome__* tools fail, return "Browser extension is not connected",…
—
skills.sh
seatbelt-sandboxer
Generates minimal macOS Seatbelt sandbox configurations. Use when sandboxing, isolating, or restricting macOS applications with allowlist-based profiles.
—
skills.sh
zeroize-audit
Detects missing zeroization of sensitive data in source code and identifies zeroization removed by compiler optimizations, with assembly-level analysis, and…
—
skills.sh
designing-workflow-skills
Guides the design and structuring of workflow-based Claude Code skills with multi-step phases, decision trees, subagent delegation, and progressive disclosure.…
—
skills.sh
debug-buttercup
Debugs the Buttercup CRS (Cyber Reasoning System) running on Kubernetes. Use when diagnosing pod crashes, restart loops, Redis failures, resource pressure,…
—
skills.sh
skill-improver
Iteratively reviews and fixes Claude Code skill quality issues until they meet standards. Runs automated fix-review cycles using the skill-reviewer agent. Use…
—
skills.sh
git-cleanup
Safely analyzes and cleans up local git branches and worktrees by categorizing them as merged, squash-merged, superseded, or active work.
—
skills.sh
burpsuite-project-parser
Searches and explores Burp Suite project files (.burp) from the command line. Use when searching response headers or bodies with regex patterns, extracting…
—
skills.sh
yara-rule-authoring
Guides authoring of high-quality YARA-X detection rules for malware identification. Use when writing, reviewing, or optimizing YARA rules. Covers naming…
—
skills.sh
devcontainer-setup
Creates devcontainers with Claude Code, language-specific tooling (Python/Node/Rust/Go), and persistent volumes. Use when adding devcontainer support to a…
—
skills.sh
libafl
LibAFL is a modular fuzzing library for building custom fuzzers. Use for advanced fuzzing needs, custom mutators, or non-standard fuzzing targets.
—
skills.sh
wycheproof
Wycheproof provides test vectors for validating cryptographic implementations. Use when testing crypto code for known attacks and edge cases.
—
skills.sh
interpreting-culture-index
Interprets Culture Index (CI) surveys, behavioral profiles, and personality assessment data. Supports individual profile interpretation, team composition…
—
skills.sh
cairo-vulnerability-scanner
Scans Cairo/StarkNet smart contracts for 6 critical vulnerabilities including felt252 arithmetic overflow, L1-L2 messaging issues, address conversion problems,…
—
skills.sh
libfuzzer
Coverage-guided fuzzer built into LLVM for C/C++ projects. Use for fuzzing C/C++ code that can be compiled with Clang.
—
skills.sh
constant-time-testing
Constant-time testing detects timing side channels in cryptographic code. Use when auditing crypto implementations for timing vulnerabilities.
—
skills.sh
algorand-vulnerability-scanner
Scans Algorand smart contracts for 11 common vulnerabilities including rekeying attacks, unchecked transaction fees, missing field validations, and access…
—
skills.sh
fuzzing-dictionary
Fuzzing dictionaries guide fuzzers with domain-specific tokens. Use when fuzzing parsers, protocols, or format-specific code.
—
skills.sh
cargo-fuzz
cargo-fuzz is the de facto fuzzing tool for Rust projects using Cargo. Use for fuzzing Rust code with libFuzzer backend.
—
skills.sh
constant-time-analysis
Detects timing side-channel vulnerabilities in cryptographic code. Use when implementing or reviewing crypto code, encountering division on secrets,…
—
skills.sh
coverage-analysis
Coverage analysis measures code exercised during fuzzing. Use when assessing harness effectiveness or identifying fuzzing blockers.
—
skills.sh
audit-prep-assistant
Prepares codebases for security review using Trail of Bits' checklist. Helps set review goals, runs static analysis tools, increases test coverage, removes…
—
skills.sh
semgrep-rule-creator
Creates custom Semgrep rules for detecting security vulnerabilities, bug patterns, and code patterns. Use when writing Semgrep rules or building custom static…
—
skills.sh
spec-to-code-compliance
Verifies code implements exactly what documentation specifies for blockchain audits. Use when comparing code against whitepapers, finding gaps between specs…
—
skills.sh
variant-analysis
Find similar vulnerabilities and bugs across codebases using pattern-based analysis. Use when hunting bug variants, building CodeQL/Semgrep queries, analyzing…
—
skills.sh
differential-review
Performs security-focused differential review of code changes (PRs, commits, diffs). Adapts analysis depth to codebase size, uses git history for context,…
—
skills.sh
modern-python
Configures Python projects with modern tooling (uv, ruff, ty). Use when creating projects, writing standalone scripts, or migrating from pip/Poetry/mypy/black.
—
skills.sh
ask-questions-if-underspecified
Clarify requirements before implementing. Use when serious doubts arise.
—
skills.sh
fix-review
>