skills-curated by trailofbits

A curated marketplace for secure AI code plugins

Created 1 month ago
267 stars

Top 96.1% on SourcePulse

1 Expert Loves This Project
Project Summary

Curated Claude Code plugins from Trail of Bits offer a secure and quality-assured marketplace, addressing the risks of malicious or poorly written AI agent extensions. By providing a rigorously vetted collection of plugins, this repository benefits developers and users seeking reliable tools, mitigating the security vulnerabilities inherent in unreviewed plugin ecosystems.

How It Works

This project functions as a curated marketplace for Claude Code plugins, emphasizing a robust vetting process. Plugins are added either by integrating entire reviewed marketplaces or as individual skills submitted via pull requests, each undergoing a line-by-line code review by Trail of Bits engineers. This approach establishes a centralized, human-verified quality and safety gate for the AI plugin ecosystem, a novel approach to the risks of unreviewed plugins.

Quick Start & Requirements

Installation involves adding the marketplace to a compatible plugin manager:

    /plugin marketplace add trailofbits/skills-curated

Specific prerequisites beyond a functional Claude Code environment are not detailed in the README.

Highlighted Details

  • Features plugins categorized under Development, Security, Research, Writing, and converted OpenAI skills.
  • Includes notable security plugins like ffuf-web-fuzzing, ghidra-headless, and scv-scan, alongside research tools like last30days and x-research.
  • All plugins undergo code review by Trail of Bits staff, ensuring a baseline of quality and safety.
  • Supports integration with various approved marketplaces, including official Anthropic and OpenAI collections.

Maintenance & Community

Code reviews are conducted by Trail of Bits staff. The README does not specify community channels (e.g., Discord, Slack), roadmap links, or notable external contributors or sponsorships.

Licensing & Compatibility

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0). As a copyleft license, derivative works must be shared under the same terms, which may impose restrictions on integration into proprietary closed-source systems.

Limitations & Caveats

The curated list focuses exclusively on Claude Code plugins. The depth of dynamic security testing or runtime analysis beyond code review is not specified. Some plugins are converted from external sources (e.g., OpenAI), and their original dependencies or limitations may persist.

Health Check

  • Last Commit: 2 weeks ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 18
  • Issues (30d): 0
  • Star History: 261 stars in the last 30 days
