gh-cli
Intercepts GitHub URL fetches and curl/wget commands, redirecting to the authenticated gh CLI.
Summary
This skill intercepts GitHub URL fetches and curl/wget commands, automatically redirecting them to the authenticated gh CLI for secure, efficient GitHub interactions.
- It streamlines workflows by using your existing GitHub credentials, avoiding manual token management or raw API calls.
Overview
A Claude Code plugin marketplace from Trail of Bits providing skills to enhance AI-assisted security analysis, testing, and development workflows. Codex can load this marketplace through its Claude marketplace compatibility.
Also see: claude-code-config · skills-curated · claude-code-devcontainer · dropkit
Installation
Claude Code Marketplace
/plugin marketplace add trailofbits/skillsBrowse and Install Plugins
/plugin menuCodex
Codex supports Claude plugin marketplaces directly, so this repository does not need Codex-specific sidecar metadata.
Install the marketplace with:
codex plugin marketplace add trailofbits/skills
codex plugin list
codex plugin add <plugin-name>@trailofbitsLocal Development
To add the marketplace locally (e.g., for testing or development), navigate to the parent directory of this repository:
cd /path/to/parent # e.g., if repo is at ~/projects/skills, be in ~/projects
/plugins marketplace add ./skillsAvailable Plugins
Smart Contract Security
| Plugin | Description |
|---|---|
| building-secure-contracts | Smart contract security toolkit with vulnerability scanners for 6 blockchains |
| entry-point-analyzer | Identify state-changing entry points in smart contracts for security auditing |
Code Auditing
| Plugin | Description |
|---|---|
| agentic-actions-auditor | Audit GitHub Actions workflows for AI agent security vulnerabilities |
| audit-context-building | Build deep architectural context through ultra-granular code analysis |
| burpsuite-project-parser | Search and extract data from Burp Suite project files |
| c-review | Comprehensive C/C++ security review with clustered parallel workers and SARIF output |
| differential-review | Security-focused differential review of code changes with git history analysis |
| dimensional-analysis | Annotate codebases with dimensional analysis comments to detect unit mismatches and formula bugs |
| fp-check | Systematic false positive verification for security bug analysis with mandatory gate reviews |
| insecure-defaults | Detect insecure default configurations, hardcoded credentials, and fail-open security patterns |
| semgrep-rule-creator | Create and refine Semgrep rules for custom vulnerability detection |
| semgrep-rule-variant-creator | Port existing Semgrep rules to new target languages with test-driven validation |
| sharp-edges | Identify error-prone APIs, dangerous configurations, and footgun designs |
| static-analysis | Static analysis toolkit with CodeQL, Semgrep, and SARIF parsing |
| supply-chain-risk-auditor | Audit supply-chain threat landscape of project dependencies |
| testing-handbook-skills | Skills from the Testing Handbook: fuzzers, static analysis, sanitizers, coverage |
| trailmark | Code graph analysis, Mermaid diagrams, mutation testing triage, and protocol verification |
| variant-analysis | Find similar vulnerabilities across codebases using pattern-based analysis |
Malware Analysis
| Plugin | Description |
|---|---|
| yara-authoring | YARA detection rule authoring with linting, atom analysis, and best practices |
Verification
| Plugin | Description |
|---|---|
| constant-time-analysis | Detect compiler-induced timing side-channels in cryptographic code |
| mutation-testing | Configure mewt/muton mutation testing campaigns — scope targets, tune timeouts, optimize long runs |
| property-based-testing | Property-based testing guidance for multiple languages and smart contracts |
| spec-to-code-compliance | Specification-to-code compliance checker for blockchain audits |
| zeroize-audit | Detect missing or compiler-eliminated zeroization of secrets in C/C++ and Rust |
Reverse Engineering
| Plugin | Description |
|---|---|
| dwarf-expert | Interact with and understand the DWARF debugging format |
Mobile Security
| Plugin | Description |
|---|---|
| firebase-apk-scanner | Scan Android APKs for Firebase security misconfigurations |
Development
| Plugin | Description |
|---|---|
| ask-questions-if-underspecified | Clarify requirements before implementing |
| devcontainer-setup | Create pre-configured devcontainers with Claude Code and language-specific tooling |
| gh-cli | Intercept GitHub URL fetches and redirect to the authenticated gh CLI |
| git-cleanup | Safely clean up git worktrees and local branches with gated confirmation workflow |
| let-fate-decide | Draw Tarot cards using cryptographic randomness to add entropy to vague planning |
| modern-python | Modern Python tooling and best practices with uv, ruff, and pytest |
| seatbelt-sandboxer | Generate minimal macOS Seatbelt sandbox configurations |
| second-opinion | Run code reviews using external LLM CLIs (OpenAI Codex, Google Gemini) on changes, diffs, or commits. Bundles Codex's built-in MCP server. |
| skill-improver | Iterative skill refinement loop using automated fix-review cycles |
| workflow-skill-design | Design patterns for workflow-based Claude Code skills with review agent |
Team Management
| Plugin | Description |
|---|---|
| culture-index | Interpret Culture Index survey results for individuals and teams |
Tooling
| Plugin | Description |
|---|---|
| claude-in-chrome-troubleshooting | Diagnose and fix Claude in Chrome MCP extension connectivity issues |
Infrastructure
| Plugin | Description |
|---|---|
| debug-buttercup | Debug Buttercup Kubernetes deployments |
Trophy Case
Bugs discovered using Trail of Bits Skills. Found something? Let us know!
When reporting bugs you've found, feel free to mention:
Found using Trail of Bits Skills
| Skill | Bug |
|---|---|
| constant-time-analysis | Timing side-channel in ML-DSA signing |
Contributing
We welcome contributions! Please see CLAUDE.md for skill authoring guidelines.
License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. Made by Trail of Bits.
Install & Usage
/plugin marketplace add <org/repo>Add the configuration to /plugin install gh-cli@<marketplace>
/pluginUse Cases
Usage Examples
/gh-cli fetch https://github.com/trailofbits/skills/issues/1
curl https://api.github.com/repos/trailofbits/skills/readme
wget https://github.com/trailofbits/skills/releases/latest/download/skills.tar.gz
Security Audits
Frequently Asked Questions
What is gh-cli?
This skill intercepts GitHub URL fetches and curl/wget commands, automatically redirecting them to the authenticated gh CLI for secure, efficient GitHub interactions. It streamlines workflows by using your existing GitHub credentials, avoiding manual token management or raw API calls.
How to install gh-cli?
To install gh-cli: add a marketplace (/plugin marketplace add <org/repo>), then add the config to /plugin install gh-cli@<marketplace>. Finally, /plugin in Claude Code.
What is gh-cli best for?
gh-cli is a plugin categorized under General. Created by William Tan.
What can I use gh-cli for?
gh-cli is useful for: Fetch a GitHub issue or pull request details without leaving the terminal.; Download release assets from a GitHub repository using authenticated access.; List repository contents or file metadata via the GitHub API seamlessly.; Clone a private repository using gh CLI instead of raw git commands.; Create or manage GitHub gists directly from Claude Code.; Search for code or issues across repositories with authenticated queries..