trailofbits
@trailofbits Organization
Public Skills
token-integration-analyzer
by trailofbits
Token integration and implementation analyzer based on Trail of Bits' token integration checklist. Analyzes token implementations for ERC20/ERC721 conformity, checks for 20+ weird token patterns, assesses contract composition and owner privileges, performs on-chain scarcity analysis, and evaluates how protocols handle non-standard tokens. Context-aware for both token implementations and token integrations.
ton-vulnerability-scanner
by trailofbits
Scans TON (The Open Network) smart contracts for 3 critical vulnerabilities including integer-as-boolean misuse, fake Jetton contracts, and forward TON without gas checks. Use when auditing FunC contracts.
guidelines-advisor
by trailofbits
Smart contract development advisor based on Trail of Bits' best practices. Analyzes codebase to generate documentation/specifications, review architecture, check upgradeability patterns, assess implementation quality, identify pitfalls, review dependencies, and evaluate testing. Provides actionable recommendations.
constant-time-analysis
by trailofbits
Detects timing side-channel vulnerabilities in cryptographic code. Use when implementing or reviewing crypto code, encountering division on secrets, secret-dependent branches, or constant-time programming questions in C, C++, Go, Rust, Swift, Java, Kotlin, C#, PHP, JavaScript, TypeScript, Python, or Ruby.
spec-to-code-compliance
by trailofbits
Verifies code implements exactly what documentation specifies for blockchain audits. Use when comparing code against whitepapers, finding gaps between specs and implementation, or performing compliance checks for protocol implementations.
algorand-vulnerability-scanner
by trailofbits
Scans Algorand smart contracts for 11 common vulnerabilities including rekeying attacks, unchecked transaction fees, missing field validations, and access control issues. Use when auditing Algorand projects (TEAL/PyTeal).
address-sanitizer
by trailofbits
AddressSanitizer detects memory errors during fuzzing. Use when fuzzing C/C++ code to find buffer overflows and use-after-free bugs.
sharp-edges
by trailofbits
Identifies error-prone APIs, dangerous configurations, and footgun designs that enable security mistakes. Use when reviewing API designs, configuration schemas, cryptographic library ergonomics, or evaluating whether code follows 'secure by default' and 'pit of success' principles. Triggers: footgun, misuse-resistant, secure defaults, API usability, dangerous configuration.
second-opinion
by trailofbits
Runs external LLM code reviews (OpenAI Codex or Google Gemini CLI) on uncommitted changes, branch diffs, or specific commits. Use when the user asks for a second opinion, external review, codex review, gemini review, or mentions /second-opinion.
burpsuite-project-parser
by trailofbits
Searches and explores Burp Suite project files (.burp) from the command line. Use when searching response headers or bodies with regex patterns, extracting security audit findings, dumping proxy history or site map data, or analyzing HTTP traffic captured in a Burp project.
gh-cli
by trailofbits
Enforces authenticated gh CLI workflows over unauthenticated curl/WebFetch patterns. Use when working with GitHub URLs, API access, pull requests, or issues.
ffuf-web-fuzzing
by trailofbits
Expert guidance for ffuf web fuzzing during authorized penetration testing. Covers directory discovery, subdomain enumeration, parameter fuzzing, authenticated fuzzing with raw requests, auto-calibration, and result analysis. Use when running ffuf scans, analyzing ffuf output, or building fuzzing strategies for web targets.
x-research
by trailofbits
Searches X/Twitter for real-time perspectives, dev discussions, product feedback, breaking news, and expert opinions using the X API v2. Provides search with engagement sorting, user profiles, thread fetching, watchlists, and result caching. Use when: (1) user says "x research", "search x for", "search twitter for", "what are people saying about", "what's twitter saying", "check x for", "x search", (2) user needs recent X discourse on a topic (library releases, API changes, product launches, industry events), (3) user wants to find what devs/experts/community thinks about a topic. NOT for: posting tweets or account management.
openai-security-ownership-map
by trailofbits
Analyze git repositories to build a security ownership topology (people-to-file), compute
openai-screenshot
by trailofbits
Use when the user explicitly asks for a desktop or system screenshot (full screen, specific
openai-security-best-practices
by trailofbits
Perform language and framework specific security best-practice reviews and suggest improvements.
openai-spreadsheet
by trailofbits
Use when tasks involve creating, editing, analyzing, or formatting spreadsheets (.xlsx,
ghidra-headless
by trailofbits
Reverse engineers binaries using Ghidra's headless analyzer. Use when decompiling executables, extracting functions, strings, symbols, or analyzing call graphs from compiled binaries without the Ghidra GUI.
openai-gh-fix-ci
by trailofbits
Use when a user asks to debug or fix failing GitHub PR checks that run in GitHub Actions;
openai-jupyter-notebook
by trailofbits
Use when the user asks to create, scaffold, or edit Jupyter notebooks (.ipynb) for experiments,
openai-security-threat-model
by trailofbits
Repository-grounded threat modeling that enumerates trust boundaries, assets, attacker capabilities,
openai-cloudflare-deploy
by trailofbits
Deploy applications and infrastructure to Cloudflare using Workers, Pages, and related platform
humanizer
by trailofbits
Remove signs of AI-generated writing from text. Use when editing or reviewing text to make it sound more natural and human-written. Based on Wikipedia's comprehensive "Signs of AI writing" guide. Detects and fixes patterns including: inflated symbolism, promotional language, superficial -ing analyses, vague attributions, em dash overuse, rule of three, AI vocabulary words, negative parallelisms, and excessive conjunctive phrases.
30c5c8d (Update humanizer plugin to upstream v2.2.0)
planning-with-files
by trailofbits
Implements file-based planning for complex multi-step tasks. Creates task_plan.md, findings.md, and progress.md as persistent working memory. Use when starting tasks requiring >5 tool calls, multi-phase projects, research, or any work where losing track of goals and progress would be costly.
wooyun-legacy
by trailofbits
Provides web vulnerability testing methodology distilled from 88,636 real-world cases from the WooYun vulnerability database (2010-2016). Use when performing penetration testing, security audits, code reviews for security flaws, or vulnerability research. Covers SQL injection, XSS, command execution, file upload, path traversal, unauthorized access, information disclosure, and business logic flaws.
skill-extractor
by trailofbits
Extracts reusable skills from work sessions. Use when: (1) a non-obvious problem was solved worth preserving, (2) a pattern was discovered that would help future sessions, (3) a workaround or debugging technique needs documentation. Manual invocation only via /skill-extractor command - no automatic triggers or hooks.
security-awareness
by trailofbits
Teaches agents to recognize and avoid security threats during normal activity. Covers phishing detection, credential protection, domain verification, and social engineering defense. Use when building or operating agents that access email, credential vaults, web browsers, or sensitive data.
react-pdf
by trailofbits
Generates PDF documents using the React-PDF library (@react-pdf/renderer) with TypeScript and JSX.
scv-scan
by trailofbits
Audits Solidity codebases for smart contract vulnerabilities using a four-phase workflow (cheatsheet loading, codebase sweep, deep validation, reporting) covering 36 vulnerability classes. Use when auditing Solidity contracts for security issues, performing smart contract vulnerability scans, or reviewing Solidity code for common exploit patterns.
last30days
by trailofbits
Researches a topic from the last 30 days on Reddit, X, and the web. Surfaces real community discussions with engagement metrics and synthesizes findings into actionable insights. Use when the user wants to know what people are saying about a topic right now.
openai-doc
by trailofbits
Use when the task involves reading, creating, or editing .docx documents, especially when
openai-gh-address-comments
by trailofbits
Help address review/issue comments on the open GitHub PR for the current branch using gh
openai-netlify-deploy
by trailofbits
Deploy web projects to Netlify using the Netlify CLI (npx netlify). Use when the user asks
openai-pdf
by trailofbits
Use when tasks involve reading, creating, or reviewing PDF files where rendering and layout
openai-yeet
by trailofbits
Use only when the user explicitly asks to stage, commit, push, and open a GitHub pull request
openai-sentry
by trailofbits
Use when the user asks to inspect Sentry issues or events, summarize recent production errors,
openai-develop-web-game
by trailofbits
Use when the agent is building or iterating on a web game (HTML/JS) and needs a reliable
openai-playwright
by trailofbits
Use when the task requires automating a real browser from the terminal (navigation, form