sharp-edges

by trailofbits

The sharp-edges skill helps you find APIs, configs, and interfaces where the easy path leads to insecure use. Use it to review authentication flows, cryptographic wrappers, dangerous defaults, null or zero semantics, and misuse-prone design choices. It is a strong fit for sharp-edges for Security Audit work when you need concrete footguns, not generic security guesses.

Stars5k

Favorites0

Comments0

AddedMay 7, 2026

CategorySecurity Audit

Install Command

npx skills add trailofbits/skills --skill sharp-edges

Curation Score

This skill scores 85/100, which means it is a solid listing candidate for directory users who need misuse-resistance analysis for APIs, configuration, and crypto-facing interfaces. The repository gives enough workflow structure and reference depth to justify installation, though it is more analysis-oriented than task-automating and lacks an explicit install command in SKILL.md.

85/100

Strengths

Strong triggerability: the description names clear use cases and triggers such as footgun, misuse-resistant, secure defaults, API usability, and dangerous configuration.
Operationally useful workflow: the skill defines when to use it and not use it, and the agent section describes a four-phase analysis workflow with on-demand language-specific references.
Good supporting evidence: 16 reference files cover authentication, configuration, cryptographic APIs, case studies, and multiple languages, giving agents concrete patterns to consult.

Cautions

No install command is provided in SKILL.md, so users may need to infer setup or usage from the repository structure.
The skill is broad and analytical rather than narrowly scoped, so agents may still need judgment to map a specific codebase or interface to the right reference.

API Security Design Development Auth Crypto Configuration

Overview

Overview of sharp-edges skill

What sharp-edges does

The sharp-edges skill helps you spot security footguns: APIs, config options, and interface choices that make insecure use the easiest use. It is most useful when you need a sharp-edges for Security Audit lens on a library, service, or SDK and want to know whether the design itself encourages mistakes.

Who should install it

Use the sharp-edges skill if you review API design, authentication flows, cryptographic wrappers, or security-sensitive configuration. It is a strong fit for engineers, appsec reviewers, and AI agents that need to judge whether an interface is misuse-resistant rather than merely functional.

Why it differs from a normal prompt

A generic prompt often asks “is this secure?” and returns shallow findings. sharp-edges is aimed at the harder question: does the easy path lead to insecure outcomes? That makes it better for finding dangerous defaults, ambiguous zero values, algorithm selection problems, and APIs that invite silent misuse.

How to Use sharp-edges skill

Install and load it correctly

Use the repository install flow, then run the skill in the context of the target codebase:
npx skills add trailofbits/skills --skill sharp-edges

For best results, pair the skill with the component you are evaluating, not the whole monorepo by default. The skill is strongest when you give it a specific API, config file, package, or authentication surface.

Give the skill the right input

A good sharp-edges usage prompt names the surface, the threat, and the decision you want made. For example:

“Review this login API for misuse-resistant design and footguns.”
“Assess whether this config schema has dangerous zero/null semantics.”
“Evaluate this crypto wrapper for algorithm-selection and downgrade risks.”
“Use sharp-edges to identify insecure defaults before we ship this SDK.”

Include the actual interface, sample configs, and any “safe by default” expectations. If you only say “analyze security,” the result will be less precise.

Read these files first

Start with SKILL.md, then inspect the references/ files that match your stack and surface area. The most useful first reads are usually:

references/config-patterns.md
references/crypto-apis.md
references/auth-patterns.md
one language-specific file such as references/lang-python.md or references/lang-javascript.md
references/case-studies.md for real misuse patterns

These references help you translate a vague concern into concrete checks instead of guessing.

Workflow that produces better findings

A practical sharp-edges guide workflow is:

Identify the security decision the interface exposes.
Look for defaults, sentinel values, and “skip” behavior.
Test whether untrusted input can choose algorithms, modes, or trust boundaries.
Check whether the safe path is simpler than the unsafe one.
Validate whether the design prevents misuse or merely documents it.

If you are using the sharp-edges skill on your own prompt, explicitly ask for footguns, unsafe defaults, and boundary cases. That nudges the analysis toward design-level risk instead of implementation bugs.

sharp-edges skill FAQ

Is sharp-edges only for code reviews?

No. It is also useful for reviewing API proposals, SDK ergonomics, config schemas, and security-sensitive product settings. The best fit is any place where a user can accidentally choose an insecure option.

When should I not use it?

Do not use sharp-edges for ordinary implementation bugs, general business logic mistakes, or performance tuning. Those need different review methods. This skill is about design-level misuse risk, not every security issue.

Is it beginner-friendly?

Yes, if you can describe the interface you are reviewing and what “safe” should mean. Beginners get the best value when they provide a concrete file, endpoint, or config block instead of a broad request.

Does it replace a security audit?

No. It supports a Security Audit by finding footguns and insecure defaults, but it does not replace threat modeling, code review, or exploit validation. Use it early to catch design mistakes before they spread.

How to Improve sharp-edges skill

Provide the interface, not just the goal

The sharp-edges skill improves when you include the exact surface under review. Better input looks like:

“Review AuthConfig in config.ts for null/zero semantics and insecure defaults.”
“Assess whether this JWT verification wrapper allows algorithm confusion.”
“Check whether this password reset API is misuse-resistant for callers.”

That is better than “find problems,” because the analysis can focus on the sharp edges that matter.

Tell it what counts as unsafe

State your security expectations up front: no algorithm downgrades, no silent fallback, no zero meaning “disable protection,” no caller-controlled trust decisions. This makes the sharp-edges skill compare the design against a clear safety bar.

Expect the first pass to surface design issues

The first output often identifies obvious footguns: ambiguous flags, dangerous defaults, missing validation, or API shapes that invite insecure use. Improve the next pass by asking for one of these:

“List the highest-risk misuse paths first.”
“Show which calls are safe by default and which require extra care.”
“Map each finding to the exact input or option that makes it dangerous.”

Iterate with real examples

The fastest way to sharpen results is to provide real call sites, sample configs, or API docs. If a finding is about sharp-edges for Security Audit, ask the model to test the risky path with concrete values like null, 0, empty strings, or user-selected algorithms. That usually reveals whether the edge is theoretical or actually exploitable.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

solana-vulnerability-scanner

by trailofbits

solana-vulnerability-scanner is a focused Solana security audit skill for native Rust and Anchor programs. It helps review CPI logic, PDA validation, signer and ownership checks, and sysvar spoofing to catch six critical Solana-specific vulnerabilities before deployment.

Security Audit

Favorites 0GitHub 4.9k

security-review

by affaan-m

Use the security-review skill to review auth, user input, secrets, APIs, payments, uploads, and other sensitive flows. It provides a practical security-review guide with clear pass/fail checks, risky-pattern examples, and a focused process for catching common issues before release.

Security Audit

Favorites 0GitHub 156.3k

django-security

by affaan-m

django-security is a practical guide for hardening Django apps with authentication, authorization, CSRF, XSS, SQL injection prevention, secure cookies, and production settings. It helps developers and reviewers run a focused Security Audit, quickly spot risky config, and apply concrete fixes before deployment.

Security Audit

Favorites 0GitHub 156.1k

ossfuzz

by trailofbits

Learn the ossfuzz skill for continuous fuzzing setup, project enrollment, harness planning, and build workflow review. This guide helps security engineers and maintainers assess readiness, spot build blockers, and prepare a practical path from source tree to OSS-Fuzz or private fuzzing infrastructure.

Security Audit

Favorites 0GitHub 5k

codeql

by trailofbits

The codeql skill helps you run CodeQL with fewer blind spots during a security audit. It focuses on database quality, suite selection, data extensions, and SARIF review so you can use codeql usage more reliably across supported languages. Use it for repeatable codeql guide steps when analyzing real repositories.

Security Audit

Favorites 0GitHub 5k

semgrep-rule-creator

by trailofbits

semgrep-rule-creator creates production-quality Semgrep rules for security vulnerabilities, bug patterns, taint-flow detections, and coding standards. Use the semgrep-rule-creator skill for Security Audit work when you need precise rules, test cases, and validation instead of a generic draft.

Security Audit

Favorites 0GitHub 5k

insecure-defaults

by trailofbits

The insecure-defaults skill helps spot fail-open configuration patterns that let software run with unsafe settings instead of stopping. Use it for a Security Audit of production code, deployment configs, and secret-handling logic to catch weak auth, hardcoded secrets, and permissive defaults.

Security Audit

Favorites 0GitHub 5k

constant-time-analysis

by trailofbits

constant-time-analysis is a security-audit skill for finding timing side-channel risks in cryptographic code before they become exploitable bugs. Use it to review secret-dependent math, branches, comparisons, and compiled output when checking C, C++, Go, Rust, Swift, Java, Kotlin, PHP, JavaScript, TypeScript, Python, or Ruby.

Security Audit

Favorites 0GitHub 5k

secure-workflow-guide

by trailofbits

secure-workflow-guide guides a 5-step Solidity security workflow: Slither triage, feature-specific checks, visual inspection, security-property notes, and manual review. It is built for smart contract teams, auditors, and builders who want a repeatable secure-workflow-guide guide before deployment or release.

Security Audit

Favorites 0GitHub 4.9k

algorand-vulnerability-scanner

by trailofbits

algorand-vulnerability-scanner is a security-audit skill for Algorand TEAL and PyTeal. It helps find 11 common issues, including rekeying attacks, fee validation gaps, field checks, and access control flaws. Use the algorand-vulnerability-scanner skill for a practical first-pass review before a manual audit.

Security Audit

Favorites 0GitHub 4.9k

supabase-postgres-best-practices

by supabase

supabase-postgres-best-practices is a Supabase Postgres optimization skill for query tuning, indexing, schema design, RLS performance, locking, and connection management.

Database Engineering

Favorites 0GitHub 1.7k

entra-agent-id

by microsoft

entra-agent-id is a Microsoft Entra Agent ID preview skill for backend development teams building OAuth2-capable AI agent identities with Graph beta. It covers blueprint setup, blueprint principals, agent identities, permissions, sponsors, workload identity federation, and sidecar-based auth. Use it to understand entra-agent-id install, usage, and rollout constraints.

Backend Development

Favorites 0GitHub 0

token-integration-analyzer

by trailofbits

token-integration-analyzer is a security-review skill for token implementations and token integrations. It checks ERC20/ERC721 conformity, weird token patterns, owner privileges, scarcity, and non-standard token handling for Security Audit workflows. Use the token-integration-analyzer guide to reduce guesswork and assess compatibility risk.

Security Audit

Favorites 0GitHub 4.9k

cosmos-vulnerability-scanner

by trailofbits

cosmos-vulnerability-scanner finds consensus-critical bugs in Cosmos SDK modules, CosmWasm contracts, IBC integrations, and Cosmos EVM stacks. Use this cosmos-vulnerability-scanner guide for security audit workflows, chain-halt risks, fund-loss paths, and pre-launch reviews.

Security Audit

Favorites 0GitHub 4.9k

ruzzy

by trailofbits

ruzzy is a coverage-guided Ruby fuzzing skill for testing pure Ruby code and Ruby C extensions. Use the ruzzy guide to set up a supported Linux environment, verify sanitizer wiring, and build practical fuzzing workflows for Security Audit work.

Security Audit

Favorites 0GitHub 5k

libfuzzer

by trailofbits

libfuzzer is a coverage-guided fuzzer for C/C++ projects compiled with Clang. This libfuzzer skill helps you install, understand, and use the workflow for harnessing targets, running sanitizers, and starting a practical security audit with minimal setup.

Security Audit

Favorites 0GitHub 5k