Trailmark
Skill AktivBuilds and queries multi-language source code graphs for security analysis. Includes pre-analysis passes for blast radius, taint propagation, privilege boundaries, and entry point enumeration. Use when analyzing call paths, mapping attack surface, finding complexity hotspots, enumerating entry points, tracing taint propagation, measuring blast radius, or building a code graph for audit prioritization. Prefer `trailmark.parse.detect_languages()` or `--language auto` when the target language is unknown or polyglot.
To enable in-depth security analysis of source code by building detailed call graphs and identifying critical security-related code constructs.
Funktionen
- Builds multi-language source code graphs
- Performs pre-analysis for security insights
- Enables querying of call paths and attack surfaces
- Identifies complexity hotspots and entry points
- Supports programmatic API and CLI usage
Anwendungsfälle
- Analyzing call paths from user input to sensitive functions
- Finding complexity hotspots for audit prioritization
- Identifying attack surface and entry points in codebases
- Preparing code for security reviews or audits
Nicht-Ziele
- Single-file script analysis where graphs add no value
- Runtime behavior analysis (it is static)
- Architecture diagrams not derived from code
- Mutation testing triage (though it can be used by other tools)
Trust
- warning:Issues AttentionIn the last 90 days, 13 issues were opened and 4 were closed, indicating a low closure rate (approximately 24%) and a significant number of open issues.
Installation
Zuerst Marketplace hinzufügen
/plugin marketplace add trailofbits/skills/plugin install trailmark@trailofbitsQualitätspunktzahl
Vertrauenssignale
Ähnliche Erweiterungen
Semgrep Rule Creator
100Creates custom Semgrep rules for detecting security vulnerabilities, bug patterns, and code patterns. Use when writing Semgrep rules or building custom static analysis detections.
Metal
100Extract the conceptual essence of a repository as skills, agents, and teams — the project's roles, procedures, and coordination patterns expressed as agentskills.io-standard definitions. Reads an arbitrary codebase and produces generalized definitions that capture WHAT the project does and WHO operates it, without replicating HOW it does it. Use when onboarding to a new codebase and wanting to understand its conceptual architecture, when bootstrapping an agentic system from an existing project, when studying a project's organizational DNA for cross-pollination, or when creating a skill/agent/team library inspired by a reference implementation.
Lean Ctx
100Context Runtime für KI-Agenten — 59 MCP-Tools, 10 Lesemodi, über 95 Shell-Muster, Tree-sitter AST für 18 Sprachen. Komprimiert LLM-Kontext um bis zu 99%. Verwenden Sie es beim Lesen von Dateien, Ausführen von Shell-Befehlen, Suchen von Code oder Erkunden von Verzeichnissen. Automatische Installation, falls nicht vorhanden.
Pathfinder
100Ordnet eine Codebasis in Feature-gruppierte Flussdiagramme ein, identifiziert doppelte Belange über Features hinweg und schlägt eine einheitliche Architektur vor. Wird verwendet, wenn nach "dem idealen Pfad" gefragt wird, duplizierte Systeme vereinheitlicht oder die Architektur vor einem Refactoring auditiert werden soll. Gibt ein vorgeschlagenes einheitliches Flussdiagramm sowie Prompts zum Erstellen eines Plans pro System aus.
Codacy Audit
100Codacy Cloud workflow for this repository -- run Codacy's analyzers locally before `git push` (mirrors what Codacy CI runs), and fetch/cluster Codacy issues for any PR via the v3 API. Use when the user mentions Codacy, "codacy analysis", `codacy-analysis-cli`, "codacy issues on PR", "fix codacy CI", "codacy markdownlint findings", or any Codacy gate failing on a netdata-org PR. Ships scripts analyze-local.sh (docker/binary runner for codacy-analysis-cli) and pr-issues.sh (paginated v3 issue fetch + group-by tool/pattern/severity/file). Token-safe -- CODACY_TOKEN never reaches assistant-visible stdout. Read-only by design in the current SOW; write actions (mark FP, mark fixed) are deferred.
Domain Extract
100Extract domain knowledge from existing project sources and generate domain rules. Also handles vault sync and domain listing.