Trail of Bits Security
A prestigious security auditing and verification firm with expertise in smart contract security, cryptographic analysis, binary reverse engineering, and application security testing
About
Trail of Bits Security
A prestigious security auditing and verification firm with expertise in smart contract security, cryptographic analysis, binary reverse engineering, and application security testing
An Agent Company based on Trail of Bits Skills — security-focused skills for static analysis, smart contract auditing, Semgrep rules, binary reverse engineering, and supply chain security
What's Inside
This is an Agent Company package from Paperclip
| Content | Count |
|---|---|
| Agents | 28 |
| Skills | 35 |
Agents
| Agent | Role | Reports To |
|---|---|---|
| Audit Lead | Engineer | chief-security-officer |
| Binary Analyst | Engineer | reverse-engineering-lead |
| Blockchain Security Lead | Engineer | chief-security-officer |
| Burpsuite Analyst | Engineer | audit-lead |
| CEO | CEO | — |
| Chaos Agent | Engineer | ceo |
| Chief Security Officer | Engineer | ceo |
| Code Auditor | Engineer | audit-lead |
| Constant-Time Analyst | Engineer | verification-lead |
| Contract Entry Point Analyst | Engineer | blockchain-security-lead |
| Culture Analyst | Engineer | ceo |
| Engineering Lead | Engineer | chief-security-officer |
| False Positive Analyst | Engineer | audit-lead |
| Infrastructure Engineer | Engineer | engineering-lead |
| Malware Analyst | Engineer | reverse-engineering-lead |
| Mobile Security Analyst | Engineer | reverse-engineering-lead |
| Property Tester | Engineer | verification-lead |
| Reverse Engineering Lead | Engineer | chief-security-officer |
| Skill Developer | Engineer | engineering-lead |
| Smart Contract Auditor | Engineer | blockchain-security-lead |
| Spec Compliance Analyst | Engineer | verification-lead |
| Static Analysis Engineer | Engineer | audit-lead |
| Supply Chain Auditor | Engineer | audit-lead |
| Testing Specialist | Engineer | audit-lead |
| Tooling Engineer | Engineer | engineering-lead |
| Variant Analyst | Engineer | audit-lead |
| Verification Lead | Engineer | chief-security-officer |
| Zeroize Auditor | Engineer | verification-lead |
Skills
| Skill | Description | Source |
|---|---|---|
| agentic-actions-auditor | Audits GitHub Actions workflows for security vulnerabilities in AI agent integrations (Claude Code Action, Gemini CLI, OpenAI Codex, GitHub AI Inference) | github |
| ask-questions-if-underspecified | Clarify ambiguous requirements by asking questions before implementing. Only when invoked explicitly. | github |
| audit-context-building | Build deep architectural context through ultra-granular code analysis before vulnerability hunting | github |
| building-secure-contracts | Comprehensive smart contract security toolkit based on Trail of Bits' Building Secure Contracts framework. Includes vulnerability scanners for 6 blockchains and 5 development guideline assistants. | github |
| burpsuite-project-parser | Search and extract data from Burp Suite project files (.burp) for security analysis | github |
| claude-in-chrome-troubleshooting | Diagnose and fix Claude in Chrome MCP extension connectivity issues | github |
| constant-time-analysis | Detect compiler-induced timing side-channels in cryptographic code | github |
| culture-index | Interprets Culture Index survey results for individuals and teams | github |
| debug-buttercup | Debug Buttercup Kubernetes deployments | github |
| devcontainer-setup | Create pre-configured devcontainers with Claude Code and language-specific tooling | github |
| differential-review | Security-focused differential review of code changes with git history analysis and blast radius estimation | github |
| dwarf-expert | Interact with and understand the DWARF debugging format | github |
| entry-point-analyzer | Analyzes smart contract codebases to identify state-changing entry points for security auditing. Detects externally callable functions that modify state, categorizes them by access level, and generates structured audit reports. | github |
| firebase-apk-scanner | Scan Android APKs for Firebase security misconfigurations including open databases, storage buckets, authentication issues, and exposed cloud functions. For authorized security research only. | github |
| fp-check | Systematic false positive verification for security bug analysis with mandatory gate reviews | github |
| gh-cli | Intercepts GitHub URL fetches and curl/wget commands, redirecting to the authenticated gh CLI. | github |
| git-cleanup | Safely analyzes and cleans up local git branches and worktrees by categorizing them as merged, squash-merged, superseded, or active work. | github |
| insecure-defaults | Detects insecure default configurations including hardcoded credentials, fallback secrets, weak authentication defaults, and dangerous values in production | github |
| let-fate-decide | Draws Tarot cards using cryptographic randomness to add entropy to vague or underspecified planning. Interprets the spread to guide next steps. | github |
| modern-python | Modern Python best practices. Use when creating new Python projects, writing Python scripts, or migrating existing projects from legacy tools. | github |
| property-based-testing | Property-based testing guidance for multiple languages and smart contracts | github |
| seatbelt-sandboxer | Generate minimal macOS Seatbelt sandbox configurations for applications | github |
| second-opinion | Runs code reviews using external LLM CLIs (OpenAI Codex, Google Gemini) on uncommitted changes, branch diffs, or specific commits. | github |
| semgrep-rule-creator | Create custom Semgrep rules for detecting bug patterns and security vulnerabilities | github |
| semgrep-rule-variant-creator | Creates language variants of existing Semgrep rules with proper applicability analysis and test-driven validation | github |
| sharp-edges | Identify error-prone APIs, dangerous configurations, and footgun designs that enable security mistakes | github |
| skill-improver | Automatically reviews and fixes Claude Code skills through iterative refinement until they meet quality standards. | github |
| spec-to-code-compliance | Specification-to-code compliance checker for blockchain audits with evidence-based alignment analysis | github |
| static-analysis | Static analysis toolkit with CodeQL, Semgrep, and SARIF parsing for security vulnerability detection | github |
| supply-chain-risk-auditor | Audit supply-chain threat landscape of project dependencies for exploitation or takeover risk | github |
| testing-handbook-skills | Skills from the Trail of Bits Application Security Testing Handbook (appsec.guide) | github |
| variant-analysis | Find similar vulnerabilities and bugs across codebases using pattern-based analysis | github |
| workflow-skill-design | Teaches design patterns for workflow-based Claude Code skills and provides a review agent for auditing existing skills | github |
| yara-authoring | YARA-X detection rule authoring with linting and quality analysis | github |
| zeroize-audit | Detects missing or compiler-optimized zeroization of sensitive data with assembly and control-flow analysis | github |
Getting Started
npx paperclipai company import this-github-url-or-folder
See Paperclip for more information.
Exported from Paperclip on 2026-03-23
Blueprint
Agents
-
CEO
Chief Executive Officer
-
Audit Lead
Audit Lead
-
Chaos Agent
Chaos Agent
let-fate-decide -
Code Auditor
Senior Code Auditor
agentic-actions-auditoraudit-context-buildingsharp-edgesinsecure-defaultsdifferential-review -
Binary Analyst
Binary Analysis Specialist
dwarf-expert -
Culture Analyst
Culture Analyst
culture-index -
Malware Analyst
Malware Analyst
yara-authoring -
Property Tester
Property-Based Testing Specialist
property-based-testing -
Skill Developer
Skill Developer
skill-improverworkflow-skill-designask-questions-if-underspecifiedsecond-opinion -
Variant Analyst
Variant Analyst
variant-analysissemgrep-rule-creatorsemgrep-rule-variant-creator -
Zeroize Auditor
Zeroization Audit Specialist
zeroize-audit -
Engineering Lead
Engineering Lead
-
Tooling Engineer
Tooling Engineer
gh-cligit-cleanupmodern-pythondevcontainer-setupseatbelt-sandboxer -
Burpsuite Analyst
Web Application Security Analyst
burpsuite-project-parser -
Verification Lead
Verification & Formal Methods Lead
-
Testing Specialist
Application Security Testing Specialist
testing-handbook-skills -
Supply Chain Auditor
Supply Chain Auditor
supply-chain-risk-auditor -
Constant-Time Analyst
Constant-Time Analysis Specialist
constant-time-analysis -
Chief Security Officer
Chief Security Officer
-
False Positive Analyst
False Positive Analyst
fp-check -
Smart Contract Auditor
Senior Smart Contract Auditor
building-secure-contracts -
Infrastructure Engineer
Infrastructure Engineer
debug-buttercupclaude-in-chrome-troubleshooting -
Mobile Security Analyst
Mobile Security Analyst
firebase-apk-scanner -
Spec Compliance Analyst
Specification Compliance Analyst
spec-to-code-compliance -
Blockchain Security Lead
Blockchain Security Lead
-
Reverse Engineering Lead
Reverse Engineering Lead
-
Static Analysis Engineer
Static Analysis Engineer
static-analysis -
Contract Entry Point Analyst
Contract Entry Point Analyst
entry-point-analyzer
Teams
- Audit Application security audit team -- static analysis, manual review, variant analysis, and false positive triage
- Engineering Internal tooling, development infrastructure, and skill development
- Verification Formal methods, property-based testing, cryptographic correctness, and specification compliance
- Blockchain Security Smart contract and blockchain protocol security auditing across multiple chains
- Reverse Engineering Binary analysis, mobile security, and malware analysis
Skills
gh-cli
Intercepts GitHub URL fetches and curl/wget commands, redirecting to the authenticated gh CLI.
fp-check
Systematic false positive verification for security bug analysis with mandatory gate reviews
git-cleanup
Safely analyzes and cleans up local git branches and worktrees by categorizing them as merged, squash-merged, superseded, or active work.
sharp-edges
Identify error-prone APIs, dangerous configurations, and footgun designs that enable security mistakes
dwarf-expert
Interact with and understand the DWARF debugging format
culture-index
Interprets Culture Index survey results for individuals and teams
modern-python
Modern Python best practices. Use when creating new Python projects, writing Python scripts, or migrating existing projects from legacy tools.
zeroize-audit
Detects missing or compiler-optimized zeroization of sensitive data with assembly and control-flow analysis
second-opinion
Runs code reviews using external LLM CLIs (OpenAI Codex, Google Gemini) on uncommitted changes, branch diffs, or specific commits.
skill-improver
Automatically reviews and fixes Claude Code skills through iterative refinement until they meet quality standards.
yara-authoring
YARA-X detection rule authoring with linting and quality analysis
debug-buttercup
Debug Buttercup Kubernetes deployments
let-fate-decide
Draws Tarot cards using cryptographic randomness to add entropy to vague or underspecified planning. Interprets the spread to guide next steps.
static-analysis
Static analysis toolkit with CodeQL, Semgrep, and SARIF parsing for security vulnerability detection
variant-analysis
Find similar vulnerabilities and bugs across codebases using pattern-based analysis
insecure-defaults
Detects insecure default configurations including hardcoded credentials, fallback secrets, weak authentication defaults, and dangerous values in production
devcontainer-setup
Create pre-configured devcontainers with Claude Code and language-specific tooling
seatbelt-sandboxer
Generate minimal macOS Seatbelt sandbox configurations for applications
differential-review
Security-focused differential review of code changes with git history analysis and blast radius estimation
entry-point-analyzer
Analyzes smart contract codebases to identify state-changing entry points for security auditing. Detects externally callable functions that modify state, categorizes them by access level, and generates structured audit reports.
firebase-apk-scanner
Scan Android APKs for Firebase security misconfigurations including open databases, storage buckets, authentication issues, and exposed cloud functions. For authorized security research only.
semgrep-rule-creator
Create custom Semgrep rules for detecting bug patterns and security vulnerabilities
workflow-skill-design
Teaches design patterns for workflow-based Claude Code skills and provides a review agent for auditing existing skills
audit-context-building
Build deep architectural context through ultra-granular code analysis before vulnerability hunting
constant-time-analysis
Detect compiler-induced timing side-channels in cryptographic code
property-based-testing
Property-based testing guidance for multiple languages and smart contracts
agentic-actions-auditor
Audits GitHub Actions workflows for security vulnerabilities in AI agent integrations (Claude Code Action, Gemini CLI, OpenAI Codex, GitHub AI Inference)
spec-to-code-compliance
Specification-to-code compliance checker for blockchain audits with evidence-based alignment analysis
testing-handbook-skills
Skills from the Trail of Bits Application Security Testing Handbook (appsec.guide)
burpsuite-project-parser
Search and extract data from Burp Suite project files (.burp) for security analysis
building-secure-contracts
Comprehensive smart contract security toolkit based on Trail of Bits' Building Secure Contracts framework. Includes vulnerability scanners for 6 blockchains and 5 development guideline assistants.
supply-chain-risk-auditor
Audit supply-chain threat landscape of project dependencies for exploitation or takeover risk
semgrep-rule-variant-creator
Creates language variants of existing Semgrep rules with proper applicability analysis and test-driven validation
ask-questions-if-underspecified
Clarify ambiguous requirements by asking questions before implementing. Only when invoked explicitly.
claude-in-chrome-troubleshooting
Diagnose and fix Claude in Chrome MCP extension connectivity issues
Reviews
No reviews yet.