# Trail of Bits Skills — Security Plugin Marketplace

> Add Trail of Bits’ marketplace to run security code reviews, static analysis, and supply-chain checks via repeatable Claude Code plugins.

## Install

Save the content below to `.claude/skills/` or append to your `CLAUDE.md`:

## Quick Use

1. Install:

   ```bash
   /plugin marketplace add trailofbits/skills
   ```

2. Run:

   ```bash
   /plugin menu
   ```

3. Verify:
   - Install one plugin and confirm the skill triggers on a small test repo (e.g., flags insecure defaults).

---

## Intro

Add Trail of Bits’ marketplace to run security code reviews, static analysis, and supply-chain checks via repeatable Claude Code plugins.

- **Best for:** security-minded teams who want consistent audit checklists and tool-assisted workflows in Claude Code
- **Works with:** Claude Code marketplace + plugin install flow; includes many plugins across security workflows (per repo docs)
- **Setup time:** 9 minutes

### Quantitative Notes

- GitHub stars + forks (verified): see Source & Thanks
- Setup time ~9 minutes (marketplace add + install one plugin)
- Marketplace provides many security plugins (repo docs)

---

## Practical Notes

Use this marketplace to standardize security work: the same checks, the same outputs, every time. In practice, set a rule that every risky change must pass at least one plugin run, and store the outputs as artifacts. Because skills can be powerful, always review which tools they invoke and which files they read and write.

**Safety note:** Install only trusted plugins and pin versions when possible; treat plugins as code in your threat model.

### FAQ

**Q: Is it open source?**
A: Yes. The repo is public; the license is CC-BY-SA-4.0 (verified in Source & Thanks).

**Q: Do I have to install everything?**
A: No. Add the marketplace, then install only the plugins you need.

**Q: Where should I start?**
A: Pick one narrow plugin (e.g., insecure defaults) and run it on a small codebase first.

---

## Source & Thanks

> GitHub: https://github.com/trailofbits/skills
> Owner avatar: https://avatars.githubusercontent.com/u/2314423?v=4
> License (SPDX): CC-BY-SA-4.0
> GitHub stars (verified via `api.github.com/repos/trailofbits/skills`): 5,117
> GitHub forks (verified via `api.github.com/repos/trailofbits/skills`): 447

---

Source: https://tokrepo.com/en/workflows/trail-of-bits-skills-security-plugin-marketplace
Author: Skill Factory