ClaudeWave
Skill · 5.7k repo stars · updated yesterday

gh-cli

This skill enforces the use of GitHub's authenticated `gh` CLI tool instead of unauthenticated methods like curl or wget when accessing GitHub repositories, pull requests, issues, and APIs. Use it when working with GitHub content to ensure proper authentication, access to private repositories, and compliance with API rate limits.

Install in Claude Code

```sh
git clone --depth 1 https://github.com/trailofbits/skills /tmp/gh-cli && cp -r /tmp/gh-cli/plugins/gh-cli/skills/gh-cli ~/.claude/skills/gh-cli
```

Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# gh-cli

## When to Use

- Working with GitHub repositories, pull requests, issues, releases, or raw file URLs.
- You need authenticated access to private repositories or higher API rate limits.
- You are about to use `curl`, `wget`, or unauthenticated web fetches against GitHub.

## When NOT to Use

- The target is not GitHub.
- Plain local git operations already solve the task.

## Guidance

Prefer the authenticated `gh` CLI over raw HTTP fetches for GitHub content. In particular:

- Prefer `gh repo view`, `gh pr view`, `gh pr list`, `gh issue view`, and `gh api` over unauthenticated `curl` or `wget`.
- Prefer cloning a repository and reading files locally over fetching `raw.githubusercontent.com` blobs directly.
- Avoid using GitHub API `/contents/` endpoints as a substitute for cloning and reading repository files.

Examples:

```sh
gh repo view owner/repo
gh pr view 123 --repo owner/repo
gh api repos/owner/repo/pulls
```
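
One way to express the guidance above as a check, added here as an example (it is not the hook in `plugins/gh-cli/hooks/`, whose contents this page does not show): a POSIX shell function that flags `curl`/`wget` commands aimed at GitHub hosts and prints a `gh` alternative. The function names `suggest_gh` and `slug` and the URL-to-command mapping are assumptions of this example; `owner/repo` values in the usage are constructed.

```shell
# Added illustration, not the hook shipped in plugins/gh-cli/hooks/.
# suggest_gh CMD: returns 1 and prints a gh-based alternative when CMD runs
# curl or wget against a GitHub host; returns 0 and prints nothing otherwise.

# Print the first two path segments ("owner/repo") of $1, without ".git".
slug() {
    o=${1%%/*}; r=${1#*/}; r=${r%%/*}
    printf '%s/%s\n' "$o" "${r%.git}"
}
suggest_gh() {
    # curl/wget as a command word: at the start, or after space ; | & (
    printf '%s\n' "$1" |
        grep -Eq '(^|[[:space:];|&(])(curl|wget)([[:space:]]|$)' || return 0
    # First http(s) URL on the command line.
    url=$(printf '%s\n' "$1" |
        grep -Eo 'https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+' | head -n 1)
    [ -n "$url" ] || return 0
    rest=${url#*://}
    host=$(printf '%s' "${rest%%/*}" | tr 'A-Z' 'a-z')
    case $rest in */*) path=${rest#*/} ;; *) path= ;; esac
    case $host in
        api.github.com)
            case $path in
                repos/*/*/contents/*)   # page guidance: clone, then read locally
                    echo "gh repo clone $(slug "${path#repos/}")" ;;
                ?*) echo "gh api $path" ;;
                *)  return 0 ;;
            esac ;;
        raw.githubusercontent.com)
            case $path in
                */?*) echo "gh repo clone $(slug "$path")" ;;
                *)    return 0 ;;
            esac ;;
        github.com|www.github.com)
            path=${path%%[?#]*}         # drop query string and fragment
            case $path in
                */*/pull/[0-9]*)
                    n=${path#*/pull/}
                    echo "gh pr view ${n%%[!0-9]*} --repo $(slug "$path")" ;;
                */*/issues/[0-9]*)
                    n=${path#*/issues/}
                    echo "gh issue view ${n%%[!0-9]*} --repo $(slug "$path")" ;;
                */?*) echo "gh repo view $(slug "$path")" ;;
                *)    return 0 ;;
            esac ;;
        *) return 0 ;;
    esac
    return 1
}
```

Calling `suggest_gh 'curl -L https://github.com/owner/repo/pull/123'` prints `gh pr view 123 --repo owner/repo` and returns 1, while a `git clone` of the same repository or a `curl` to a non-GitHub host returns 0.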

For the hook implementation, see:
- `plugins/gh-cli/README.md`
- `plugins/gh-cli/hooks/`

agentic-actions-auditor (Skill)

Audits GitHub Actions workflows for security vulnerabilities in AI agent integrations including Claude Code Action, Gemini CLI, OpenAI Codex, and GitHub AI Inference. Detects attack vectors where attacker-controlled input reaches AI agents running in CI/CD pipelines, including env var intermediary patterns, direct expression injection, dangerous sandbox configurations, and wildcard user allowlists. Use when reviewing workflow files that invoke AI coding agents, auditing CI/CD pipeline security for prompt injection risks, or evaluating agentic action configurations.

ask-questions-if-underspecified (Skill)

Clarify requirements before implementing. Use when serious doubts arise.

audit-context-building (Skill)

Enables ultra-granular, line-by-line code analysis to build deep architectural context before vulnerability or bug finding.

algorand-vulnerability-scanner (Skill)

Scans Algorand smart contracts for 11 common vulnerabilities including rekeying attacks, unchecked transaction fees, missing field validations, and access control issues. Use when auditing Algorand projects (TEAL/PyTeal).

audit-prep-assistant (Skill)

Prepares codebases for security review using Trail of Bits' checklist. Helps set review goals, runs static analysis tools, increases test coverage, removes dead code, ensures accessibility, and generates documentation (flowcharts, user stories, inline comments).

cairo-vulnerability-scanner (Skill)

Scans Cairo/StarkNet smart contracts for 6 critical vulnerabilities including felt252 arithmetic overflow, L1-L2 messaging issues, address conversion problems, and signature replay. Use when auditing StarkNet projects.

code-maturity-assessor (Skill)

Systematic code maturity assessment using Trail of Bits' 9-category framework. Analyzes codebase for arithmetic safety, auditing practices, access controls, complexity, decentralization, documentation, MEV risks, low-level code, and testing. Produces professional scorecard with evidence-based ratings and actionable recommendations.

cosmos-vulnerability-scanner (Skill)

Scans Cosmos SDK blockchain modules and CosmWasm contracts for consensus-critical vulnerabilities — chain halts, fund loss, state divergence. 25 core + 16 IBC + 10 EVM + 3 CosmWasm patterns. Use when auditing custom x/ modules, reviewing IBC integrations, or assessing pre-launch chain security. Updated for SDK v0.53.x.