> browse/registry

> api-fuzzing-bug-bounty

Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.

> cargo-fuzz

cargo-fuzz is the primary fuzzing tool for Rust projects built with Cargo. It enables developers to set up fuzz testing, write fuzz harnesses, and run fuzzing campaigns using the libFuzzer backend. Covers installation, harness writing, structure-aware fuzzing with the arbitrary crate, sanitizer integration including AddressSanitizer, coverage analysis, seed corpus management, and troubleshooting common issues. Useful when a developer needs to fuzz Rust code, find memory bugs, test parsers, or im

> atheris

Atheris is a coverage-guided Python fuzzing framework built on libFuzzer for finding bugs, crashes, and security vulnerabilities in pure Python code and Python C extensions. It provides AddressSanitizer integration for detecting memory corruption, buffer overflows, and use-after-free errors. Assists with writing fuzz harnesses, configuring sanitizers, managing corpora, running fuzzing campaigns, and setting up Docker-based fuzzing environments. Covers instrumentation of Python imports, parallel

> harness-writing

The agent writes and improves fuzzing harnesses — the entrypoint functions that receive random data from fuzzers and route it to the system under test (SUT). It implements LLVMFuzzerTestOneInput for C/C++ with libFuzzer and AFL++ persistent mode, fuzz_target! macros for Rust with cargo-fuzz and the arbitrary crate, and go-fuzz Fuzz functions for Go. The agent structures inputs using FuzzedDataProvider, applies interleaved fuzzing patterns for multi-operation targets, handles input size validatio

> testing-handbook-skills

Application security testing toolkit from the Trail of Bits Testing Handbook. Helps the agent set up fuzzing campaigns, write fuzz harnesses, run coverage-guided fuzzers (libFuzzer, AFL++, cargo-fuzz, Atheris, Ruzzy), and triage crashes. Covers memory-safety sanitizers (AddressSanitizer, UBSan, MSan), static analysis with Semgrep and CodeQL, cryptographic validation using Wycheproof test vectors, and constant-time verification. Use when testing C, C++, Rust, Python, or Ruby code for vulnerabilit

> coverage-analysis

The agent uses coverage analysis to measure which code paths, branches, and functions are exercised during fuzzing campaigns. It generates LLVM and GCC coverage reports, identifies uncovered code blocks, detects magic value checks that block fuzzer progress, and tracks coverage trends over time. The agent applies this technique when assessing harness effectiveness, diagnosing coverage plateaus, comparing differential coverage between campaigns, or integrating coverage instrumentation into CMake

> fuzzing-obstacles

The agent patches the system under test (SUT) to overcome common fuzzing obstacles using conditional compilation. It bypasses checksum and hash verification, replaces non-deterministic PRNG seeding with fixed seeds, skips complex multi-stage validation, and provides safe default values to prevent false positives. The agent uses FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION in C/C++ and cfg!(fuzzing) in Rust to ensure patches apply only during fuzzing builds. It applies this technique when coverage re

> fuzzing-dictionary

The agent creates and manages fuzzing dictionaries containing domain-specific tokens, magic bytes, protocol keywords, and format-specific strings to guide mutation-based fuzzers past early validation checks. It generates dictionary entries from header files, binary strings, man pages, and LLM prompts, and passes them to libFuzzer via -dict=, AFL++ via -x, or cargo-fuzz. The agent applies this technique when fuzzing parsers (JSON, XML, config files), protocol handlers (HTTP, DNS), file format pro

> libafl

The agent uses LibAFL, a modular Rust fuzzing library, to build custom fuzzers with fine-grained control over observers, feedback mechanisms, mutators, schedulers, and executors. It supports drop-in libFuzzer replacement mode via libFuzzer.a, fully custom fuzzer construction with InProcessExecutor and coverage-guided feedback, multi-core fuzzing with Launcher, crash deduplication via BacktraceObserver, and dictionary-based token mutations. The agent applies LibAFL when standard fuzzers like libF

> ossfuzz

The agent uses OSS-Fuzz, Google's free distributed continuous fuzzing platform, to build, run, and manage fuzzing infrastructure for open-source projects. It configures project enrollment files (project.yaml, Dockerfile, build.sh), builds fuzzers locally with helper.py, runs harnesses with AddressSanitizer and other sanitizers, generates coverage reports, and troubleshoots build failures. The agent applies this technique when setting up continuous fuzzing for C/C++, Rust, Python (Atheris), or Go

> offensive-fuzzing

offensive-fuzzing skill from SnailSploit/Claude-Red

> offensive-fuzzing-course

offensive-fuzzing-course skill from SnailSploit/Claude-Red

> ffuf

Discover hidden content, directories, subdomains, and API endpoints with ffuf — the fastest web fuzzer. Use when someone asks to "find hidden directories", "fuzz URLs", "discover API endpoints", "subdomain enumeration", "content discovery", "ffuf", "brute force paths", or "find hidden files on a website". Covers directory fuzzing, parameter fuzzing, subdomain discovery, virtual host enumeration, and recursive scanning.

> schemathesis

Automatically test APIs by generating test cases from OpenAPI/GraphQL schemas. Use when tasks involve API fuzzing, finding edge cases in REST or GraphQL APIs, testing schema compliance, generating property-based tests from API specs, finding crashes and 500 errors, or validating API contracts. Schemathesis generates thousands of test cases from your schema and finds bugs that manual testing misses.

> aflpp

AFL++ is a fork of AFL with better fuzzing performance and advanced features. Use for multi-core fuzzing of C/C++ projects.

> libfuzzer

Coverage-guided fuzzer built into LLVM for C/C++ projects. Use for fuzzing C/C++ code that can be compiled with Clang.

> ruzzy

Ruzzy is a coverage-guided Ruby fuzzer by Trail of Bits. Use for fuzzing pure Ruby code and Ruby C extensions.

> secure-workflow-guide

Guides through Trail of Bits' 5-step secure development workflow. Runs Slither scans, checks special features (upgradeability/ERC conformance/token integration), generates visual security diagrams, helps document security properties for fuzzing/verification, and reviews manual security areas.

> debug-buttercup

Debugs the Buttercup CRS (Cyber Reasoning System) running on Kubernetes. Use when diagnosing pod crashes, restart loops, Redis failures, resource pressure, disk saturation, DinD issues, or any service misbehavior in the crs namespace. Covers triage, log analysis, queue inspection, and common failure patterns for: redis, fuzzer-bot, coverage-bot, seed-gen, patcher, build-bot, scheduler, task-server, task-downloader, program-model, litellm, dind, tracer-bot, merger-bot, competition-api, pov-reprod

> address-sanitizer

AddressSanitizer detects memory errors during fuzzing. Use when fuzzing C/C++ code to find buffer overflows and use-after-free bugs.