This guide will walk you through installing the marketplace, browsing available plugins, and using your first skill.

Step 1: Add the Marketplace

Run this command in Claude Code to add the Trail of Bits Skills marketplace:
/plugin marketplace add trailofbits/skills
You should see a confirmation that the marketplace was added successfully.

Step 2: Browse Available Plugins

Open the plugin menu to see all available plugins:
/plugin menu
You’ll see 35 plugins organized by category:
  • Smart Contract Security - Vulnerability scanners for 6 blockchains
  • Code Auditing - Static analysis, differential review, variant analysis
  • Malware Analysis - YARA rule authoring
  • Verification - Property-based testing, constant-time analysis
  • Development - Modern Python, devcontainers, GitHub CLI integration
  • And more…

Step 3: Install Your First Plugin

Let’s start with a versatile plugin that’s useful for many workflows. We’ll install the static-analysis plugin, which provides CodeQL, Semgrep, and SARIF parsing capabilities.
1. Install the Plugin

/plugin install trailofbits/skills/plugins/static-analysis
2. Verify Installation

The plugin should now be active. You can verify by checking the plugin menu again or by trying to use one of its skills.
3. Use a Skill

Try using the Semgrep skill to scan for security issues:
Use the semgrep skill to scan this codebase for OWASP Top 10 vulnerabilities
Claude will now have access to specialized knowledge about running Semgrep scans, including which rulesets to use and how to interpret results.
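Interpreting Semgrep results means reading its SARIF output: which rule fired, at what severity, where, and which OWASP category the rule is tagged with. The following added example (not code from the static-analysis plugin or from Trail of Bits) flattens a SARIF document and filters to OWASP-tagged findings; the embedded SARIF excerpt, rule ids and tags are constructed sample data.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 excerpt in the shape Semgrep emits (sample data,
# not real scan output); rule ids and tags are illustrative placeholders.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Semgrep", "rules": [
            {"id": "python.lang.security.audit.sqli", "properties": {"tags": ["OWASP-A03:2021"]}},
            {"id": "python.lang.best-practice.print", "properties": {"tags": []}},
        ]}},
        "results": [
            {"ruleId": "python.lang.security.audit.sqli", "level": "error",
             "message": {"text": "SQL built with string formatting"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "python.lang.best-practice.print", "level": "note",
             "message": {"text": "print() in library code"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"},
                                                 "region": {"startLine": 7}}}]},
        ],
    }],
})

def load_findings(sarif_text):
    """Flatten a SARIF document into one dict per result, joining rule tags from the driver."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        tags_by_rule = {r["id"]: r.get("properties", {}).get("tags", []) for r in rules}
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId", "?"),
                "level": res.get("level", "warning"),  # SARIF default level is "warning"
                "tags": tags_by_rule.get(res.get("ruleId"), []),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings

def owasp_findings(findings):
    """Keep only results whose rule carries an OWASP tag (what Step 3 asks Claude for)."""
    return [f for f in findings if any(t.upper().startswith("OWASP") for t in f["tags"])]

def count_by_level(findings):
    """Severity histogram, useful for a quick triage summary."""
    return Counter(f["level"] for f in findings)
```

Run `python -m json.tool` on a real `semgrep --sarif` output first if you want to see the full schema these accessors rely on.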

Example Workflows by Use Case

Choose a workflow based on what you’re trying to accomplish:
1. Install Building Secure Contracts

/plugin install trailofbits/skills/plugins/building-secure-contracts
2. Run Platform-Specific Scanner

For Solidity contracts:
Use the secure-workflow-guide skill to run comprehensive security checks on my Solidity contracts
3. Check for Vulnerabilities

Use the appropriate vulnerability scanner for my codebase to detect platform-specific issues

Understanding Plugin Components

Plugins can include multiple types of components:

Skills

Knowledge and guidance that Claude can invoke when needed. Skills provide specialized expertise without requiring explicit commands. Example: The constant-time-analysis skill teaches Claude how to detect timing side-channels in cryptographic code.

Commands

Slash commands you run explicitly to trigger specific workflows. Example: /diff-review runs security-focused differential review of code changes.

Agents

Autonomous agents that perform specialized tasks with restricted tool access. Example: The semgrep-scanner agent executes parallel Semgrep scans for a language category.

Hooks

Event hooks that intercept and modify behavior automatically. Example: The gh-cli hook intercepts GitHub URL fetches and redirects to the authenticated gh CLI.

Recommended Starting Points

Based on your role, here are recommended starting points:

  1. static-analysis - CodeQL, Semgrep, SARIF parsing
  2. building-secure-contracts - Smart contract security toolkit
  3. differential-review - Security-focused code change analysis
  4. variant-analysis - Find similar vulnerabilities across codebases
  5. fp-check - False positive verification with gate reviews

  1. building-secure-contracts - Comprehensive security toolkit for 6 blockchains
  2. entry-point-analyzer - Identify state-changing entry points
  3. property-based-testing - Property-based testing for smart contracts
  4. spec-to-code-compliance - Specification compliance checking

  1. yara-authoring - YARA rule authoring with linting and analysis
  2. constant-time-analysis - Timing side-channel detection
  3. zeroize-audit - Detect missing secret zeroization
  4. firebase-apk-scanner - Firebase security misconfiguration scanning
  5. supply-chain-risk-auditor - Supply chain threat landscape analysis

  1. modern-python - Modern Python tooling (uv, ruff, pytest)
  2. gh-cli - GitHub CLI integration
  3. devcontainer-setup - Pre-configured development containers
  4. git-cleanup - Safely clean up branches and worktrees
  5. second-opinion - Code reviews using external LLMs

Tips for Success

Start small - Install one or two plugins that match your immediate needs. You can always add more later.
Read plugin READMEs - Each plugin has documentation explaining its skills, commands, and example workflows.
Combine plugins - Many plugins work well together. For example, use static-analysis to find issues, then variant-analysis to find similar patterns.
Check the Trophy Case - See real vulnerabilities found using these skills for inspiration.

Common Commands Reference

Command - Description
/plugin marketplace add trailofbits/skills - Add the Trail of Bits marketplace
/plugin menu - Browse available plugins
/plugin install <plugin-path> - Install a specific plugin
/plugin list - List installed plugins

What’s Next?

Explore All Plugins

Browse the complete catalog of 35 plugins with detailed descriptions

Core Concepts

Learn about plugins, skills, commands, and agents

Trophy Case

See real vulnerabilities discovered using Trail of Bits Skills

Contributing

Learn how to author your own skills and contribute to the marketplace

Need Help?
