zeroize-audit
Detects missing and compiler-optimized-away zeroization of sensitive data in C/C++/Rust source code with assembly and IR-level proof.
- Identifies 11 finding categories including missing zeroization, partial wipes, compiler optimizations that eliminate cleanup, stack retention, and control-flow gaps in error paths
- Requires valid build context (compile_commands.json for C/C++ or Cargo.toml for Rust) and produces structured JSON findings plus markdown reports with evidence cross-references
- Generates bespoke proof-of-concept programs for each finding, validates them at compile and runtime, and verifies they actually demonstrate the claimed vulnerability
- Supports optional semantic analysis via Serena MCP for symbol resolution and data-flow tracking; downgrades findings gracefully when MCP is unavailable
- Runs 11 specialized agents across 8 phases with persistent working directories, enabling parallel execution and recovery after context compression
zeroize-audit — Claude Skill
When to Use
- Auditing cryptographic implementations (keys, seeds, nonces, secrets)
- Reviewing authentication systems (passwords, tokens, session data)
- Analyzing code that handles PII or sensitive credentials
- Verifying secure cleanup in security-critical codebases
- Investigating memory safety of sensitive data handling
When NOT to Use
- General code review without security focus
- Performance optimization (unless related to secure wiping)
- Refactoring tasks not related to sensitive data
- Code without identifiable secrets or sensitive values
Purpose
Detect missing zeroization of sensitive data in source code and identify zeroization that is removed or weakened by compiler optimizations (e.g., dead-store elimination), with mandatory LLVM IR/asm evidence. Capabilities include:
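The dead-store-elimination case described above, as an added worked example in C (this is not code from the zeroize-audit skill or the trailofbits/skills repository): the naive wipe pattern an optimizer may delete, a wipe through a volatile function pointer that survives optimization, a volatile byte loop as an alternative, and a partial-wipe bug of the kind the audit also reports. The function names (`naive_wipe`, `secure_wipe`, `secure_wipe_volatile`, `key_lifecycle`, `partial_wipe_demo`) and the 32-byte "key" are this example's own constructions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the skill's code): the dead-store-elimination (DSE)
 * pattern the audit looks for, and wipes that survive optimization. */

/* NAIVE: the pattern DSE removes. After memset() the buffer is never read
 * again, so an optimizing compiler (-O2) may legally delete the store and
 * leave the secret in the dead stack frame. Inspect with `cc -O2 -S`: the
 * memset call or its inlined stores are typically absent from the output. */
void naive_wipe(unsigned char *buf, size_t len) {
    memset(buf, 0, len);
}

/* HARDENED: call memset through a volatile function pointer. The compiler
 * cannot assume which function runs, so it cannot prove the stores are dead
 * and must keep the call. Platform primitives such as explicit_bzero() or
 * memset_s() are preferable where available; this is the portable fallback. */
static void *(*const volatile memset_fn)(void *, int, size_t) = memset;

void secure_wipe(void *buf, size_t len) {
    memset_fn(buf, 0, len);
}

/* Alternative: byte-wise stores through a volatile pointer are likewise not
 * removable; slower, but needs no function pointer. */
void secure_wipe_volatile(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte of buf is zero, else 0. */
int is_all_zero(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Models a key-handling routine: fills a constructed 32-byte "key", uses it,
 * wipes it, and reports whether the wipe left zeros behind. Reading the buffer
 * back makes the stores live again, so this harness only shows the wipe
 * works; the DSE hazard in naive_wipe() is visible only in the compiler
 * output of code that never reads the buffer afterwards. */
int key_lifecycle(int use_volatile_loop) {
    unsigned char key[32];
    unsigned char checksum = 0;

    for (size_t i = 0; i < sizeof key; i++) {
        key[i] = (unsigned char)(i * 7 + 1);   /* constructed secret material */
    }
    for (size_t i = 0; i < sizeof key; i++) {
        checksum ^= key[i];                     /* "use" the key */
    }
    (void)checksum;

    if (use_volatile_loop) {
        secure_wipe_volatile(key, sizeof key);
    } else {
        secure_wipe(key, sizeof key);
    }
    return is_all_zero(key, sizeof key);
}

/* Partial wipe (another category the audit reports): passing sizeof(pointer)
 * instead of the buffer length wipes only 4 or 8 bytes and leaves the rest of
 * the secret intact. Returns 1 only if the buffer ends up fully zero. */
int partial_wipe_demo(void) {
    unsigned char secret[32];
    unsigned char *p = secret;
    memset(secret, 0xA5, sizeof secret);
    secure_wipe(p, sizeof p);   /* bug: sizeof p is the pointer size, not 32 */
    return is_all_zero(secret, sizeof secret);
}

int main(void) {
    printf("secure_wipe zeroed key: %d\n", key_lifecycle(0));
    printf("volatile loop zeroed key: %d\n", key_lifecycle(1));
    printf("partial wipe left buffer fully zero: %d\n", partial_wipe_demo());
    return 0;
}
```

The runtime checks confirm only that the hardened wipes clear the buffer; the evidence the audit demands for the naive pattern is the compiled output, which is why comparing `-O0` and `-O2` assembly (or LLVM IR via `-emit-llvm`) of a function that does not read the buffer after `memset` is the decisive check.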