> browse/registry

> ruzzy

Ruzzy is a coverage-guided Ruby fuzzer by Trail of Bits. Use for fuzzing pure Ruby code and Ruby C extensions.

> address-sanitizer

AddressSanitizer detects memory errors during fuzzing. Use when fuzzing C/C++ code to find buffer overflows and use-after-free bugs.

> ossfuzz

The agent uses OSS-Fuzz, Google's free distributed continuous fuzzing platform, to build, run, and manage fuzzing infrastructure for open-source projects. It configures project enrollment files (project.yaml, Dockerfile, build.sh), builds fuzzers locally with helper.py, runs harnesses with AddressSanitizer and other sanitizers, generates coverage reports, and troubleshoots build failures. The agent applies this technique when setting up continuous fuzzing for C/C++, Rust, Python (Atheris), or Go

> testing-handbook-skills

Application security testing toolkit from the Trail of Bits Testing Handbook. Helps the agent set up fuzzing campaigns, write fuzz harnesses, run coverage-guided fuzzers (libFuzzer, AFL++, cargo-fuzz, Atheris, Ruzzy), and triage crashes. Covers memory-safety sanitizers (AddressSanitizer, UBSan, MSan), static analysis with Semgrep and CodeQL, cryptographic validation using Wycheproof test vectors, and constant-time verification. Use when testing C, C++, Rust, Python, or Ruby code for vulnerabilit

> secure-workflow-guide

Guides through Trail of Bits' 5-step secure development workflow. Runs Slither scans, checks special features (upgradeability/ERC conformance/token integration), generates visual security diagrams, helps document security properties for fuzzing/verification, and reviews manual security areas.

> libfuzzer

Coverage-guided fuzzer built into LLVM for C/C++ projects. Use for fuzzing C/C++ code that can be compiled with Clang.

> libafl

The agent uses LibAFL, a modular Rust fuzzing library, to build custom fuzzers with fine-grained control over observers, feedback mechanisms, mutators, schedulers, and executors. It supports drop-in libFuzzer replacement mode via libFuzzer.a, fully custom fuzzer construction with InProcessExecutor and coverage-guided feedback, multi-core fuzzing with Launcher, crash deduplication via BacktraceObserver, and dictionary-based token mutations. The agent applies LibAFL when standard fuzzers like libF

> fuzzing-obstacles

The agent patches the system under test (SUT) to overcome common fuzzing obstacles using conditional compilation. It bypasses checksum and hash verification, replaces non-deterministic PRNG seeding with fixed seeds, skips complex multi-stage validation, and provides safe default values to prevent false positives. The agent uses FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION in C/C++ and cfg!(fuzzing) in Rust to ensure patches apply only during fuzzing builds. It applies this technique when coverage re

> fuzzing-dictionary

The agent creates and manages fuzzing dictionaries containing domain-specific tokens, magic bytes, protocol keywords, and format-specific strings to guide mutation-based fuzzers past early validation checks. It generates dictionary entries from header files, binary strings, man pages, and LLM prompts, and passes them to libFuzzer via -dict=, AFL++ via -x, or cargo-fuzz. The agent applies this technique when fuzzing parsers (JSON, XML, config files), protocol handlers (HTTP, DNS), file format pro

> coverage-analysis

The agent uses coverage analysis to measure which code paths, branches, and functions are exercised during fuzzing campaigns. It generates LLVM and GCC coverage reports, identifies uncovered code blocks, detects magic value checks that block fuzzer progress, and tracks coverage trends over time. The agent applies this technique when assessing harness effectiveness, diagnosing coverage plateaus, comparing differential coverage between campaigns, or integrating coverage instrumentation into CMake

> cargo-fuzz

cargo-fuzz is the primary fuzzing tool for Rust projects built with Cargo. It enables developers to set up fuzz testing, write fuzz harnesses, and run fuzzing campaigns using the libFuzzer backend. Covers installation, harness writing, structure-aware fuzzing with the arbitrary crate, sanitizer integration including AddressSanitizer, coverage analysis, seed corpus management, and troubleshooting common issues. Useful when a developer needs to fuzz Rust code, find memory bugs, test parsers, or im

> atheris

Atheris is a coverage-guided Python fuzzing framework built on libFuzzer for finding bugs, crashes, and security vulnerabilities in pure Python code and Python C extensions. It provides AddressSanitizer integration for detecting memory corruption, buffer overflows, and use-after-free errors. Assists with writing fuzz harnesses, configuring sanitizers, managing corpora, running fuzzing campaigns, and setting up Docker-based fuzzing environments. Covers instrumentation of Python imports, parallel

> aflpp

AFL++ is a fork of AFL with better fuzzing performance and advanced features. Use for multi-core fuzzing of C/C++ projects.

> harness-writing

The agent writes and improves fuzzing harnesses — the entrypoint functions that receive random data from fuzzers and route it to the system under test (SUT). It implements LLVMFuzzerTestOneInput for C/C++ with libFuzzer and AFL++ persistent mode, fuzz_target! macros for Rust with cargo-fuzz and the arbitrary crate, and go-fuzz Fuzz functions for Go. The agent structures inputs using FuzzedDataProvider, applies interleaved fuzzing patterns for multi-operation targets, handles input size validatio

> fast-check

Find edge-case bugs with property-based testing using fast-check — generate thousands of random inputs automatically. Use when someone asks to "find edge cases", "fast-check", "property-based testing", "fuzz testing in TypeScript", "generate random test data", "QuickCheck for JavaScript", or "test with random inputs". Covers property definitions, arbitraries, shrinking, model-based testing, and integration with Vitest/Jest.

> solidity-testing

[AUTO-INVOKE] MUST be invoked BEFORE writing or modifying any test files (*.t.sol). Covers test structure, naming conventions, coverage requirements, fuzz testing, and Foundry cheatcodes. Trigger: any task involving creating, editing, or running Solidity tests.

> schemathesis

Automatically test APIs by generating test cases from OpenAPI/GraphQL schemas. Use when tasks involve API fuzzing, finding edge cases in REST or GraphQL APIs, testing schema compliance, generating property-based tests from API specs, finding crashes and 500 errors, or validating API contracts. Schemathesis generates thousands of test cases from your schema and finds bugs that manual testing misses.

> burp-suite

Test web application security with Burp Suite. Use when a user asks to intercept HTTP traffic, test for web vulnerabilities, fuzz API endpoints, analyze authentication flows, or perform manual web application pentesting.

> ffuf

Discover hidden content, directories, subdomains, and API endpoints with ffuf — the fastest web fuzzer. Use when someone asks to "find hidden directories", "fuzz URLs", "discover API endpoints", "subdomain enumeration", "content discovery", "ffuf", "brute force paths", or "find hidden files on a website". Covers directory fuzzing, parameter fuzzing, subdomain discovery, virtual host enumeration, and recursive scanning.

> foundry

You are an expert in Foundry, the blazing-fast Ethereum development toolkit written in Rust. You help developers write, test, deploy, and debug Solidity smart contracts using Forge (testing), Cast (CLI interactions), Anvil (local node), and Chisel (Solidity REPL) — with native Solidity testing (no JavaScript), fuzz testing, gas optimization, and fork testing against mainnet state.