
Static analysis toolkit with CodeQL, Semgrep, and SARIF parsing for security vulnerability detection. Use when running static analysis scans, writing custom detection rules, or processing analysis results.

Source: https://skillshub.wtf/elizaOS/eliza/static-analysis (SKILL.md, static-analysis)

Static Analysis

Comprehensive static analysis toolkit for security vulnerability detection, based on the Trail of Bits Application Security Testing Handbook.

When to Use

  • Running security scans on codebases (any language)
  • Writing custom CodeQL queries or Semgrep rules
  • Processing and triaging SARIF output files from analysis tools
  • Setting up static analysis in CI/CD pipelines
  • Comparing and aggregating results from multiple tools

When NOT to Use

  • Writing Semgrep rules from scratch (use semgrep-rule-creator skill instead)
  • Dynamic analysis or fuzzing (use testing-handbook-skills)
  • Smart contract auditing (use security-building-secure-contracts)

Sub-Skills

| Tool | Purpose | Best For | Skill Path |
| --- | --- | --- | --- |
| CodeQL | Semantic code analysis with database queries | Deep data flow tracking, taint analysis, cross-function analysis | skills/codeql/SKILL.md |
| Semgrep | Fast pattern-matching static analysis | Quick scans, custom rules, CI integration, lightweight checks | skills/semgrep/SKILL.md |
| SARIF Parsing | Parse and process SARIF result files | Aggregating results, CI/CD integration, multi-tool triage | skills/sarif-parsing/SKILL.md |

Tool Selection Guide

| Scenario | Recommended Tool |
| --- | --- |
| Quick security scan | Semgrep |
| Deep vulnerability analysis | CodeQL |
| Data flow / taint tracking | CodeQL (best) or Semgrep taint mode |
| Custom pattern detection | Semgrep (simpler) or CodeQL (more powerful) |
| CI/CD integration | Semgrep (fastest) + CodeQL (thorough) |
| Processing scan results | SARIF Parsing |
| Non-building codebase | Semgrep (works on incomplete code) |

Quick Start

Semgrep (fast scan)

# Install
pip install semgrep

# Run with recommended rulesets
semgrep --config=auto .

# Run specific ruleset
semgrep --config=p/security-audit .

CodeQL (deep analysis)

# Create database
codeql database create mydb --language=python --source-root=.

# Run security queries
codeql database analyze mydb codeql/python-queries:codeql-suites/python-security-extended.qls --format=sarif-latest --output=results.sarif

SARIF Processing

# Parse results with jq
jq '.runs[].results[] | {ruleId, message: .message.text, location: .locations[0].physicalLocation.artifactLocation.uri}' results.sarif

Workflow

  1. Quick scan with Semgrep for fast results
  2. Deep analysis with CodeQL for thorough coverage
  3. Aggregate results using SARIF parsing
  4. Triage findings by severity and exploitability
  5. Custom rules for project-specific patterns
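Steps 3 and 4 of this workflow (and the SARIF Processing section above) carried out in Python, as an added example that is not part of this skill's own code: it flattens a multi-run SARIF file into findings, merges hits that Semgrep and CodeQL report at the same file and line, and orders them by severity. The SARIF document is constructed for the example, and the level-to-score fallback mapping is an assumption.

```python
import json
from collections import defaultdict

# Fallback score per SARIF level for rules lacking a CodeQL-style "security-severity" (assumed mapping).
LEVEL_SCORE = {"error": 7.0, "warning": 4.0, "note": 1.0, "none": 0.0}

def parse_sarif(text):
    """Flatten every result of every run into one dict per finding."""
    findings = []
    for run in json.loads(text)["runs"]:
        driver = run["tool"]["driver"]
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            # Per SARIF, result.level overrides rule.defaultConfiguration.level; "warning" is the spec default
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            score = float(rule.get("properties", {}).get("security-severity", LEVEL_SCORE.get(level, 4.0)))
            loc = res["locations"][0]["physicalLocation"]
            findings.append({"tool": driver["name"], "rule": res["ruleId"], "level": level,
                             "score": score, "file": loc["artifactLocation"]["uri"],
                             "line": loc.get("region", {}).get("startLine"),
                             "message": res["message"]["text"]})
    return findings

def triage(findings):
    """Merge findings at the same file:line across tools; sort by score, highest first."""
    by_loc = defaultdict(list)
    for f in findings:
        by_loc[(f["file"], f["line"])].append(f)
    rows = [{"file": k[0], "line": k[1], "score": max(f["score"] for f in g),
             "tools": sorted({f["tool"] for f in g}), "rules": sorted({f["rule"] for f in g})}
            for k, g in by_loc.items()]
    return sorted(rows, key=lambda r: (-r["score"], r["file"], r["line"] or 0))

# Constructed sample with one Semgrep run and one CodeQL run (not real scan output).
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "Semgrep", "rules": [
        {"id": "exec-detected", "defaultConfiguration": {"level": "warning"}}]}},
     "results": [{"ruleId": "exec-detected", "message": {"text": "exec() call"},
                  "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/views.py"},
                                                      "region": {"startLine": 42}}}]}]},
    {"tool": {"driver": {"name": "CodeQL", "rules": [
        {"id": "py/code-injection", "properties": {"security-severity": "9.3"}},
        {"id": "py/unused-import", "defaultConfiguration": {"level": "note"}}]}},
     "results": [{"ruleId": "py/code-injection", "level": "error", "message": {"text": "Code injection"},
                  "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/views.py"},
                                                      "region": {"startLine": 42}}}]},
                 {"ruleId": "py/unused-import", "message": {"text": "Unused import"},
                  "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"},
                                                      "region": {"startLine": 3}}}]}]}]})
```

On real output, run `triage(parse_sarif(open("results.sarif").read()))` against the file produced by the CodeQL command above; the top rows are the locations both tools agree on or that carry the highest CodeQL severity.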

Related Skills

  • semgrep-rule-creator - Dedicated skill for writing production-quality Semgrep rules
  • variant-analysis - Find similar vulnerabilities using CodeQL/Semgrep patterns
  • security-differential-review - Security-focused code review using static analysis findings

Repository: elizaOS/eliza (by elizaOS). GitHub stars: 17.8K. First seen: Mar 17, 2026.