Agent skill

trailmark-structural

Runs full trailmark structural analysis with all pre-analysis passes (blast radius, taint propagation, privilege boundaries, complexity hotspots). Use when vivisect needs detailed structural data for a target. Triggers: structural analysis, blast radius, taint analysis, complexity hotspots.

View SKILL.md on GitHub Repository
Stars 4,181
Forks 369

Install this agent skill to your Project

npx add-skill https://github.com/trailofbits/skills/tree/main/plugins/trailmark/skills/trailmark-structural

SKILL.md

Trailmark Structural Analysis

Runs trailmark analyze with all four pre-analysis passes.

When to Use

  • Vivisect Phase 1 needs full structural data (hotspots, taint, blast radius, privilege boundaries)
  • Detailed pre-analysis passes for a specific target scope
  • Generating complexity and taint data for audit prioritization

When NOT to Use

  • Quick overview only (use trailmark-summary instead)
  • Ad-hoc code graph queries (use the main trailmark skill directly)
  • Target is a single small file where structural analysis adds no value

Rationalizations to Reject

Rationalization Why It's Wrong Required Action
"Summary analysis is enough" Summary skips taint, blast radius, and privilege boundary data Run full structural analysis when detailed data is needed
"One pass is sufficient" Passes cross-reference each other — taint without blast radius misses critical nodes Run all four passes
"Tool isn't installed, I'll analyze manually" Manual analysis misses what tooling catches Report "trailmark is not installed" and return
"Empty pass output means the pass failed" Some passes produce no data for some codebases (e.g., no privilege boundaries) Return full output regardless

Usage

The target directory is passed via the args parameter.

Execution

Step 1: Check that trailmark is available.

bash
trailmark analyze --help 2>/dev/null || \
  uv run trailmark analyze --help 2>/dev/null

If neither command works, report "trailmark is not installed" and return. Do NOT run pip install, uv pip install, git clone, or any install command. The user must install trailmark themselves.

Step 2: Detect the primary language.

bash
find {args} -type f \( -name '*.rs' -o -name '*.py' \
  -o -name '*.go' -o -name '*.js' -o -name '*.jsx' \
  -o -name '*.ts' -o -name '*.tsx' -o -name '*.sol' \
  -o -name '*.c' -o -name '*.h' -o -name '*.cpp' \
  -o -name '*.hpp' -o -name '*.hh' -o -name '*.cc' \
  -o -name '*.cxx' -o -name '*.hxx' \
  -o -name '*.rb' -o -name '*.php' -o -name '*.cs' \
  -o -name '*.java' -o -name '*.hs' -o -name '*.erl' \
  -o -name '*.cairo' -o -name '*.circom' \) 2>/dev/null | \
  sed 's/.*\.//' | sort | uniq -c | sort -rn | head -5

Map the most common extension to a language flag:

  • .rs -> --language rust
  • .py -> (no flag, Python is default)
  • .go -> --language go
  • .js/.jsx -> --language javascript
  • .ts/.tsx -> --language typescript
  • .sol -> --language solidity
  • .c/.h -> --language c
  • .cpp/.hpp/.hh/.cc/.cxx/.hxx -> --language cpp
  • .rb -> --language ruby
  • .php -> --language php
  • .cs -> --language c_sharp
  • .java -> --language java
  • .hs -> --language haskell
  • .erl -> --language erlang
  • .cairo -> --language cairo
  • .circom -> --language circom

Step 3: Run the full structural analysis.

bash
trailmark analyze \
  --passes blast_radius,taint,privilege_boundary,complexity \
  {language_flag} {args} 2>&1 || \
uv run trailmark analyze \
  --passes blast_radius,taint,privilege_boundary,complexity \
  {language_flag} {args} 2>&1

Step 4: Verify the output.

The output should include:

  • Hotspot scores (complexity data)
  • Tainted node list (taint propagation data)
  • Blast radius data
  • Privilege boundary information

Some passes may produce no data for some codebases (this is normal). Return the full output regardless.

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

trailofbits/skills

gh-cli

Enforces authenticated gh CLI workflows over unauthenticated curl/WebFetch patterns. Use when working with GitHub URLs, API access, pull requests, or issues.

4,181 369
Explore
trailofbits/skills

supply-chain-risk-auditor

Identifies dependencies at heightened risk of exploitation or takeover. Use when assessing supply chain attack surface, evaluating dependency health, or scoping security engagements.

4,181 369
Explore
trailofbits/skills

zeroize-audit

Detects missing zeroization of sensitive data in source code and identifies zeroization removed by compiler optimizations, with assembly-level analysis, and control-flow verification. Use for auditing C/C++/Rust code handling secrets, keys, passwords, or other sensitive data.

4,181 369
Explore
trailofbits/skills

sharp-edges

Identifies error-prone APIs, dangerous configurations, and footgun designs that enable security mistakes. Use when reviewing API designs, configuration schemas, cryptographic library ergonomics, or evaluating whether code follows 'secure by default' and 'pit of success' principles. Triggers: footgun, misuse-resistant, secure defaults, API usability, dangerous configuration.

4,181 369
Explore
trailofbits/skills

insecure-defaults

Detects fail-open insecure defaults (hardcoded secrets, weak auth, permissive security) that allow apps to run insecurely in production. Use when auditing security, reviewing config management, or analyzing environment variable handling.

4,181 369
Explore
trailofbits/skills

dwarf-expert

Provides expertise for analyzing DWARF debug files and understanding the DWARF debug format/standard (v3-v5). Triggers when understanding DWARF information, interacting with DWARF files, answering DWARF-related questions, or working with code that parses DWARF data.

4,181 369
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results