wycheproof

by trailofbits

The wycheproof skill helps validate cryptographic implementations with Wycheproof test vectors, focusing on known attacks, edge cases, and pass/fail decisions for Security Audit workflows. Use it to inspect AES-GCM, ECDSA, ECDH, RSA, and related primitives with less guesswork than a generic crypto prompt.

Stars0

Favorites0

Comments0

AddedMay 7, 2026

CategorySecurity Audit

Install Command

npx skills add trailofbits/skills --skill wycheproof

Curation Score

This skill scores 78/100, which means it is a solid listing candidate for directory users. The repository provides enough real workflow content to help an agent recognize when to use Wycheproof and apply it to crypto-testing tasks with less guesswork than a generic prompt, though it lacks some adoption aids like an install command or supporting files.

78/100

Strengths

Clear trigger and scope for cryptographic validation: the frontmatter says to use it for testing crypto code for known attacks and edge cases.
Substantial operational content: the body is large and structured with many headings, workflow sections, and code fences, giving an agent enough material to follow.
Concrete domain value: it explains key concepts like test vectors, test groups, and result flags, which improves agent leverage for implementation testing.

Cautions

No install command or companion scripts/resources, so users may need to wire invocation and execution steps themselves.
The description is concise and support-file sparse, so some environment-specific setup and integration details may still require manual interpretation.

Testing Crypto Cryptography Security Validation Google

Overview

Overview of wycheproof skill

What wycheproof is for

The wycheproof skill helps you use Wycheproof test vectors to validate cryptographic implementations against known edge cases and attack patterns. It is best for a Security Audit workflow when you need to check whether a library, service, or product accepts the right inputs, rejects the wrong ones, and fails safely on ambiguous cases.

Who should install it

Install the wycheproof skill if you audit crypto code, maintain a security-sensitive application, or need a repeatable way to test primitives like AES-GCM, ECDSA, ECDH, or RSA. It is especially useful when a quick prompt is not enough because the failure mode is subtle: the code may “work” on happy-path examples while still being vulnerable.

What makes it different

Wycheproof is not a general crypto tutorial. The value of the wycheproof skill is that it focuses on known-bad inputs, structured test groups, and pass/fail/acceptable outcomes. That makes it more useful than a generic “test my crypto” prompt when you need decision-quality results for a review or fix.

How to Use wycheproof skill

Install and inspect the skill

Use the wycheproof install flow from your skills manager, then open SKILL.md first. In this repo, SKILL.md is the only support file, so there is no separate script or rules layer to learn. That means your main job is to extract the workflow, test categories, and constraints from the skill body itself.

Turn a rough goal into a useful prompt

The wycheproof usage works best when you provide the crypto primitive, implementation language, and testing goal up front. A weak request is: “Check my crypto code.” A stronger request is: “Use the wycheproof skill to test our Java ECDSA verifier against malformed signatures and boundary cases; report which vectors should pass, fail, or be treated as acceptable by our policy.”

Start with the right inputs

For best results, include:

the algorithm or protocol
the language or library
what counts as success in your environment
whether you want regression testing, audit support, or triage of a failing case
any constraints such as FIPS mode, legacy compatibility, or platform limits

These details matter because wycheproof output changes depending on whether you are validating strict rejection, compatibility behavior, or a known exception list.

Read the workflow in order

A practical wycheproof guide should be read as: background, key concepts, when to use, then the testing workflow sections. If you are using it for a Security Audit, pay special attention to how the skill distinguishes valid vectors from invalid or acceptable ones, because that classification is the main thing that prevents false conclusions.

wycheproof skill FAQ

Is wycheproof only for security audits?

No. The wycheproof skill is valuable for audits, but it is also useful during implementation and regression testing. If you ship cryptography, this skill helps you catch issues before they become audit findings.

Do I need to be a crypto expert first?

No, but you do need enough context to name the primitive and describe the expected behavior. If you cannot say whether a vector should pass, fail, or be accepted under a compatibility rule, the output will be less actionable.

How is this different from a normal prompt?

A normal prompt may produce a generic checklist. The wycheproof skill is better when you need structured test-vector reasoning and edge-case coverage. It reduces guesswork by anchoring the task to known attack patterns instead of broad advice.

When should I not use it?

Do not use wycheproof if you are trying to design a crypto protocol from scratch or explain cryptography at a high level. It is for validation and testing, not for theoretical teaching or product architecture.

How to Improve wycheproof skill

Give the skill the exact crypto target

The biggest quality boost comes from naming the primitive, implementation, and failure mode. For example, “RSA-PSS verifier in Python cryptography, failing on certain salt lengths” is far better than “my signature code is broken.” The more exact the target, the easier it is to map to the right Wycheproof vectors.

State your acceptance policy early

One common failure mode in wycheproof work is mixing security correctness with product compatibility. Say whether you want strict rejection of invalid vectors, compatibility with legacy inputs, or a documented allowlist. That distinction changes the result and prevents noisy back-and-forth after the first pass.

Iterate on the vector class, not just the bug

If the first output finds a failure, refine the next request by asking for adjacent cases: nearby key sizes, malformed encodings, truncated inputs, or boundary values from the same test group. That is usually more useful than asking for a broad rerun, because Wycheproof’s strength is coverage of families of edge cases.

Use the output to drive regression tests

After you confirm a finding, convert the failing case into a permanent test in your own suite. The wycheproof skill is most valuable when it produces a durable security audit trail: which vector failed, why it failed, and what condition should be enforced on future releases.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

solana-vulnerability-scanner

by trailofbits

solana-vulnerability-scanner is a focused Solana security audit skill for native Rust and Anchor programs. It helps review CPI logic, PDA validation, signer and ownership checks, and sysvar spoofing to catch six critical Solana-specific vulnerabilities before deployment.

Security Audit

Favorites 0GitHub 4.9k

sharp-edges

by trailofbits

The sharp-edges skill helps you find APIs, configs, and interfaces where the easy path leads to insecure use. Use it to review authentication flows, cryptographic wrappers, dangerous defaults, null or zero semantics, and misuse-prone design choices. It is a strong fit for sharp-edges for Security Audit work when you need concrete footguns, not generic security guesses.

Security Audit

Favorites 0GitHub 5k

security-review

by affaan-m

Use the security-review skill to review auth, user input, secrets, APIs, payments, uploads, and other sensitive flows. It provides a practical security-review guide with clear pass/fail checks, risky-pattern examples, and a focused process for catching common issues before release.

Security Audit

Favorites 0GitHub 156.3k

django-security

by affaan-m

django-security is a practical guide for hardening Django apps with authentication, authorization, CSRF, XSS, SQL injection prevention, secure cookies, and production settings. It helps developers and reviewers run a focused Security Audit, quickly spot risky config, and apply concrete fixes before deployment.

Security Audit

Favorites 0GitHub 156.1k

ossfuzz

by trailofbits

Learn the ossfuzz skill for continuous fuzzing setup, project enrollment, harness planning, and build workflow review. This guide helps security engineers and maintainers assess readiness, spot build blockers, and prepare a practical path from source tree to OSS-Fuzz or private fuzzing infrastructure.

Security Audit

Favorites 0GitHub 5k

codeql

by trailofbits

The codeql skill helps you run CodeQL with fewer blind spots during a security audit. It focuses on database quality, suite selection, data extensions, and SARIF review so you can use codeql usage more reliably across supported languages. Use it for repeatable codeql guide steps when analyzing real repositories.

Security Audit

Favorites 0GitHub 5k

semgrep-rule-creator

by trailofbits

semgrep-rule-creator creates production-quality Semgrep rules for security vulnerabilities, bug patterns, taint-flow detections, and coding standards. Use the semgrep-rule-creator skill for Security Audit work when you need precise rules, test cases, and validation instead of a generic draft.

Security Audit

Favorites 0GitHub 5k

insecure-defaults

by trailofbits

The insecure-defaults skill helps spot fail-open configuration patterns that let software run with unsafe settings instead of stopping. Use it for a Security Audit of production code, deployment configs, and secret-handling logic to catch weak auth, hardcoded secrets, and permissive defaults.

Security Audit

Favorites 0GitHub 5k

constant-time-analysis

by trailofbits

constant-time-analysis is a security-audit skill for finding timing side-channel risks in cryptographic code before they become exploitable bugs. Use it to review secret-dependent math, branches, comparisons, and compiled output when checking C, C++, Go, Rust, Swift, Java, Kotlin, PHP, JavaScript, TypeScript, Python, or Ruby.

Security Audit

Favorites 0GitHub 5k

secure-workflow-guide

by trailofbits

secure-workflow-guide guides a 5-step Solidity security workflow: Slither triage, feature-specific checks, visual inspection, security-property notes, and manual review. It is built for smart contract teams, auditors, and builders who want a repeatable secure-workflow-guide guide before deployment or release.

Security Audit

Favorites 0GitHub 4.9k

algorand-vulnerability-scanner

by trailofbits

algorand-vulnerability-scanner is a security-audit skill for Algorand TEAL and PyTeal. It helps find 11 common issues, including rekeying attacks, fee validation gaps, field checks, and access control flaws. Use the algorand-vulnerability-scanner skill for a practical first-pass review before a manual audit.

Security Audit

Favorites 0GitHub 4.9k

supabase-postgres-best-practices

by supabase

supabase-postgres-best-practices is a Supabase Postgres optimization skill for query tuning, indexing, schema design, RLS performance, locking, and connection management.

Database Engineering

Favorites 0GitHub 1.7k

entra-agent-id

by microsoft

entra-agent-id is a Microsoft Entra Agent ID preview skill for backend development teams building OAuth2-capable AI agent identities with Graph beta. It covers blueprint setup, blueprint principals, agent identities, permissions, sponsors, workload identity federation, and sidecar-based auth. Use it to understand entra-agent-id install, usage, and rollout constraints.

Backend Development

Favorites 0GitHub 0

token-integration-analyzer

by trailofbits

token-integration-analyzer is a security-review skill for token implementations and token integrations. It checks ERC20/ERC721 conformity, weird token patterns, owner privileges, scarcity, and non-standard token handling for Security Audit workflows. Use the token-integration-analyzer guide to reduce guesswork and assess compatibility risk.

Security Audit

Favorites 0GitHub 4.9k

cosmos-vulnerability-scanner

by trailofbits

cosmos-vulnerability-scanner finds consensus-critical bugs in Cosmos SDK modules, CosmWasm contracts, IBC integrations, and Cosmos EVM stacks. Use this cosmos-vulnerability-scanner guide for security audit workflows, chain-halt risks, fund-loss paths, and pre-launch reviews.

Security Audit

Favorites 0GitHub 4.9k

ruzzy

by trailofbits

ruzzy is a coverage-guided Ruby fuzzing skill for testing pure Ruby code and Ruby C extensions. Use the ruzzy guide to set up a supported Linux environment, verify sanitizer wiring, and build practical fuzzing workflows for Security Audit work.

Security Audit

Favorites 0GitHub 5k