Trail of Bits Skills MCP — 사용 사례, 설치 & 라이브 데모

Name: Trail of Bits Skills MCP Server
Author: trailofbits

왜 쓰나요

핵심 기능

Written by a security firm, not a hobbyist — patterns reflect real incidents
Covers C/C++, Rust, Solidity, Python, Go, TypeScript
Defensive-only: audit/review flows, not offensive tooling
Modular — pull individual skills without adopting the whole bundle
CC-BY-SA-4.0 licensed, attribution required

라이브 데모

실제 사용 모습

준비됨

설치

클라이언트 선택

~/Library/Application Support/Claude/claude_desktop_config.json · Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "trailofbits-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/trailofbits/skills",
        "~/.claude/skills/skills"
      ],
      "_inferred": true
    }
  }
}

Claude Desktop → Settings → Developer → Edit Config 열기. 저장 후 앱 재시작.

~/.cursor/mcp.json · .cursor/mcp.json

{
  "mcpServers": {
    "trailofbits-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/trailofbits/skills",
        "~/.claude/skills/skills"
      ],
      "_inferred": true
    }
  }
}

Cursor는 Claude Desktop과 동일한 mcpServers 스키마 사용. 프로젝트 설정이 전역보다 우선.

VS Code → Cline → MCP Servers → Edit

{
  "mcpServers": {
    "trailofbits-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/trailofbits/skills",
        "~/.claude/skills/skills"
      ],
      "_inferred": true
    }
  }
}

Cline 사이드바의 MCP Servers 아이콘 클릭 후 "Edit Configuration" 선택.

~/.codeium/windsurf/mcp_config.json

{
  "mcpServers": {
    "trailofbits-skill": {
      "command": "git",
      "args": [
        "clone",
        "https://github.com/trailofbits/skills",
        "~/.claude/skills/skills"
      ],
      "_inferred": true
    }
  }
}

Claude Desktop과 같은 형식. Windsurf 재시작 후 적용.

~/.continue/config.json

{
  "mcpServers": [
    {
      "name": "trailofbits-skill",
      "command": "git",
      "args": [
        "clone",
        "https://github.com/trailofbits/skills",
        "~/.claude/skills/skills"
      ]
    }
  ]
}

Continue는 맵이 아닌 서버 오브젝트 배열 사용.

~/.config/zed/settings.json

{
  "context_servers": {
    "trailofbits-skill": {
      "command": {
        "path": "git",
        "args": [
          "clone",
          "https://github.com/trailofbits/skills",
          "~/.claude/skills/skills"
        ]
      }
    }
  }
}

context_servers에 추가. 저장 시 Zed가 핫 리로드.

claude mcp add trailofbits-skill -- git clone https://github.com/trailofbits/skills ~/.claude/skills/skills

한 줄 명령. claude mcp list로 확인, claude mcp remove로 제거.

사용 사례

실전 활용법: Trail of Bits Skills

Add a security-review pass to every PR

👤 Teams without a dedicated security engineer ⏱ ~30 min intermediate

언제 쓸까: Your PRs currently go straight from code-review to merge — no security eyes.

사전 조건

Skills installed — git clone https://github.com/trailofbits/skills ~/.claude/skills/trailofbits

흐름

Scope the diff

Use trailofbits/pr-review skill on the current PR. List files the skill thinks are security-relevant with reasons.✓ 복사됨

→ Concrete file-by-file relevance reasons
Deep review

For each flagged file, run the appropriate domain skill (crypto, input-validation, auth). Report findings with severity.✓ 복사됨

→ Severity-ranked list with code refs
Summary for reviewer

Write a 5-bullet PR comment summarizing the findings, non-scary but precise.✓ 복사됨

→ Reviewer-friendly summary with exact line citations

결과: A security review comment on every PR that catches real issues without drowning you in false positives.

함정

Skill flags style issues as security — Calibrate by prompting: "focus on exploitable issues only"

함께 쓰기: github · filesystem

Audit cryptographic code paths in a service

👤 Devs maintaining auth/encryption code ⏱ ~90 min advanced

언제 쓸까: You have a JWT/HMAC/encryption layer and want someone smart to double-check.

흐름

Find crypto

Use trailofbits/crypto-review. Scan /src for files that touch crypto APIs. Report them.✓ 복사됨

→ Crypto call-site inventory
Audit each

For each site: what algorithm? Key management? Nonce reuse risk? IV handling? Cite source.✓ 복사됨

→ Per-site audit with code refs
Remediation plan

For any medium+ finding, draft a remediation — concrete code change, not "consider using ...".✓ 복사됨

→ Applicable diffs, not vague advice

결과: A crypto audit report with concrete fixes, from a baseline of common mistakes ToB has seen in real engagements.

함정

Not a substitute for a real audit — Use for self-review; hire professionals before launch of high-value surfaces

함께 쓰기: github

조합

다른 MCP와 조합해 10배 효율

trailofbits-skill + github

Post findings as a PR review comment

Post the review as a PR comment — severities as labels.✓ 복사됨

trailofbits-skill + filesystem

Scan the whole repo offline

Run the full security sweep across /src and write report to /audit/report.md.✓ 복사됨

도구

이 MCP가 노출하는 것

도구	입력	언제 호출
scope_review	diff\|path	Before deep dive
crypto_review	path	Crypto code specifically
input_validation_review	path	API/boundary code
iac_review	path	Terraform / CloudFormation / K8s manifests

비용 및 제한

운영 비용

API 쿼터: N/A
호출당 토큰: Review is reading-heavy; budget proportional to diff size
금액: Free (CC-BY-SA)
팁: Scope first — don't run deep skills on irrelevant files

보안

권한, 시크릿, 파급범위

최소 스코프: filesystem-read

자격 증명 저장: None

데이터 외부 송신: None from skill; reviewed code is in your LLM context

절대 부여 금지: write access unless auto-remediating

Not a replacement for a formal security audit — use it to catch the obvious before paying for experts

문제 해결

자주 발생하는 오류와 해결

Skill flags safe code as vulnerable

Ask for rationale; if weak, dismiss with reason. Calibration improves over sessions.

Misses obvious bugs

The skill codifies Trail of Bits' patterns — if your stack is unusual (e.g. niche Rust crate), it may miss. Add custom patterns.

Outputs too long to review

Constrain: "top 5 highest-severity findings only"

대안

Trail of Bits Skills 다른 것과 비교

대안	언제 쓰나	단점/장점
Semgrep rules	You want static analysis in CI, not interactive review	Narrower pattern set; no LLM reasoning
CodeQL	You want deep dataflow analysis	Much more setup; not a skill

Trail of Bits Skills