/ الدليل / الملعب / Trail of Bits Skills
← كل الخوادم ↗ GitHub
● مجتمع trailofbits ⚡ فوري

Trail of Bits Skills

بواسطة trailofbits · trailofbits/skills

Trail of Bits' Claude Code skills for security code review, vulnerability detection, and defensive audit workflows.

The security firm Trail of Bits packaged their internal code-review playbooks as Claude Code skills. Coverage includes common-weakness detection across languages, crypto mistake catching, input-validation review, and IaC misconfig checks. CC-BY-SA-4.0 — free to use and adapt.

▶ شاهد العرض 📦 التثبيت 💡 حالات الاستخدام

لماذا تستخدمه

الميزات الأساسية

عرض مباشر

كيف يبدو في الممارسة

جاهز

التثبيت

اختر العميل

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "trailofbits-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/trailofbits/skills",
        "~/.claude/skills/skills"
      ],
      "_inferred": true
    }
  }
}

افتح Claude Desktop → Settings → Developer → Edit Config. أعد التشغيل بعد الحفظ.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "trailofbits-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/trailofbits/skills",
        "~/.claude/skills/skills"
      ],
      "_inferred": true
    }
  }
}

يستخدم Cursor نفس مخطط mcpServers مثل Claude Desktop. إعدادات المشروع أولى من الإعدادات العامة.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "trailofbits-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/trailofbits/skills",
        "~/.claude/skills/skills"
      ],
      "_inferred": true
    }
  }
}

انقر على أيقونة MCP Servers في شريط Cline الجانبي، ثم "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "trailofbits-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/trailofbits/skills",
        "~/.claude/skills/skills"
      ],
      "_inferred": true
    }
  }
}

نفس الصيغة مثل Claude Desktop. أعد تشغيل Windsurf لتطبيق التغييرات.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "trailofbits-skill",
      "command": "git",
      "args": [
        "clone",
        "https://github.com/trailofbits/skills",
        "~/.claude/skills/skills"
      ]
    }
  ]
}

يستخدم Continue مصفوفة من كائنات الخادم بدلاً من خريطة.

~/.config/zed/settings.json
{
  "context_servers": {
    "trailofbits-skill": {
      "command": {
        "path": "git",
        "args": [
          "clone",
          "https://github.com/trailofbits/skills",
          "~/.claude/skills/skills"
        ]
      }
    }
  }
}

أضف إلى context_servers. يعيد Zed التحميل تلقائيًا عند الحفظ.

claude mcp add trailofbits-skill -- git clone https://github.com/trailofbits/skills ~/.claude/skills/skills

أمر من سطر واحد. تحقق باستخدام claude mcp list. احذف باستخدام claude mcp remove.

حالات الاستخدام

استخدامات عملية: Trail of Bits Skills

Add a security-review pass to every PR

👤 Teams without a dedicated security engineer ⏱ ~30 min intermediate

متى تستخدمه: Your PRs currently go straight from code-review to merge — no security eyes.

المتطلبات الأساسية
  • Skills installed — git clone https://github.com/trailofbits/skills ~/.claude/skills/trailofbits
الخطوات
  1. Scope the diff
    Use trailofbits/pr-review skill on the current PR. List files the skill thinks are security-relevant with reasons.✓ تم النسخ
    → Concrete file-by-file relevance reasons
  2. Deep review
    For each flagged file, run the appropriate domain skill (crypto, input-validation, auth). Report findings with severity.✓ تم النسخ
    → Severity-ranked list with code refs
  3. Summary for reviewer
    Write a 5-bullet PR comment summarizing the findings, non-scary but precise.✓ تم النسخ
    → Reviewer-friendly summary with exact line citations

النتيجة: A security review comment on every PR that catches real issues without drowning you in false positives.

المزالق
  • Skill flags style issues as security — Calibrate by prompting: "focus on exploitable issues only"
اجمعها مع: github · filesystem

Audit cryptographic code paths in a service

👤 Devs maintaining auth/encryption code ⏱ ~90 min advanced

متى تستخدمه: You have a JWT/HMAC/encryption layer and want someone smart to double-check.

الخطوات
  1. Find crypto
    Use trailofbits/crypto-review. Scan /src for files that touch crypto APIs. Report them.✓ تم النسخ
    → Crypto call-site inventory
  2. Audit each
    For each site: what algorithm? Key management? Nonce reuse risk? IV handling? Cite source.✓ تم النسخ
    → Per-site audit with code refs
  3. Remediation plan
    For any medium+ finding, draft a remediation — concrete code change, not "consider using ...".✓ تم النسخ
    → Applicable diffs, not vague advice

النتيجة: A crypto audit report with concrete fixes, from a baseline of common mistakes ToB has seen in real engagements.

المزالق
  • Not a substitute for a real audit — Use for self-review; hire professionals before launch of high-value surfaces
اجمعها مع: github

التركيبات

اجمعها مع خوادم MCP أخرى لتحقيق نتائج x10

trailofbits-skill + github

Post findings as a PR review comment

Post the review as a PR comment — severities as labels.✓ تم النسخ
trailofbits-skill + filesystem

Scan the whole repo offline

Run the full security sweep across /src and write report to /audit/report.md.✓ تم النسخ

الأدوات

ما يوفره هذا الـ MCP

الأداةالمدخلاتمتى تستدعيهاالتكلفة
scope_review diff|path Before deep dive 0
crypto_review path Crypto code specifically 0
input_validation_review path API/boundary code 0
iac_review path Terraform / CloudFormation / K8s manifests 0

التكلفة والحدود

تكلفة التشغيل

حصة API
N/A
الرموز لكل استدعاء
Review is reading-heavy; budget proportional to diff size
التكلفة المالية
Free (CC-BY-SA)
نصيحة
Scope first — don't run deep skills on irrelevant files

الأمان

الصلاحيات والأسرار ونطاق الأثر

الحد الأدنى من الصلاحيات: filesystem-read
تخزين بيانات الاعتماد: None
نقل البيانات الخارجي: None from skill; reviewed code is in your LLM context
لا تمنح أبدًا: write access unless auto-remediating

استكشاف الأخطاء

الأخطاء الشائعة وحلولها

Skill flags safe code as vulnerable

Ask for rationale; if weak, dismiss with reason. Calibration improves over sessions.

Misses obvious bugs

The skill codifies Trail of Bits' patterns — if your stack is unusual (e.g. niche Rust crate), it may miss. Add custom patterns.

Outputs too long to review

Constrain: "top 5 highest-severity findings only"

البدائل

Trail of Bits Skills مقابل البدائل

البديلمتى تستخدمهاالمقايضة
Semgrep rulesYou want static analysis in CI, not interactive reviewNarrower pattern set; no LLM reasoning
CodeQLYou want deep dataflow analysisMuch more setup; not a skill

المزيد

الموارد

📖 اقرأ ملف README الرسمي على GitHub

🐙 تصفح القضايا المفتوحة

🔍 تصفح أكثر من 400 خادم MCP و Skills