trailofbits/mutation-testing
plugins/mutation-testing/skills/mutation-testing/SKILL.md
Configures mewt or muton mutation testing campaigns — scopes targets, tunes timeouts, and optimizes long-running runs. Use when the user mentions mewt, muton, mutation testing, or wants to configure or optimize a mutation testing campaign.
$ install --global
skillsauthnpx skillsauth add trailofbits/skills mutation-testingInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 6, 2026, 2:46 AM142.6s4 files scanned
SKILL.md
- name:
- mutation-testing
- description:
- Configures mewt or muton mutation testing campaigns — scopes targets, tunes timeouts, and optimizes long-running runs. Use when the user mentions mewt, muton, mutation testing, or wants to configure or optimize a mutation testing campaign.
- allowed-tools:
- Read Write Bash Grep
Mutation Testing — Campaign Configuration (mewt/muton)
Note: muton and mewt share identical interfaces but target different languages — mewt for general-purpose languages (Rust, Solidity, Go, TypeScript, JavaScript), muton for TON smart contracts (Tact, Tolk, FunC). All examples use
mewtcommands, but they work exactly the same withmuton. File names change accordingly:mewt.toml→muton.toml,mewt.sqlite→muton.sqlite.
When to Use
Use this skill when the user:
- Mentions "mewt", "muton", or "mutation testing"
- Needs to configure or optimize a mutation testing campaign
- Wants to run
mewt runand needs help getting set up first
When NOT to Use
Do not use this skill when the user:
- Wants to analyze or report on completed campaign results
- Asks about tests or coverage without mentioning mutation testing
Quick Start
Load workflows/configuration.md — a 5-phase guide from mewt init to a validated, ready-to-run campaign.
General question or unfamiliar command?
Run mewt --help or mewt <subcommand> --help, then assist.
Reference Index
| File | Content | |------|---------| | workflows/configuration.md | 5-phase guide: init, scope, optimize, validate, run | | references/optimization-strategies.md | Per-file targeting, two-phase campaigns, mutation type filtering |
Essential Commands
# Initialize and mutate
mewt init # Create mewt.toml and mewt.sqlite
mewt mutate [paths] # Generate mutants without running tests
mewt run [paths] # Run the full campaign
# Inspect configuration and scope
mewt print config # View effective configuration
mewt print targets # Table of all targeted files
mewt print mutations --language [lang] # Available mutation types
mewt status # Mutant count and per-file breakdown
# Investigate specific mutants
mewt print mutants --target [path] # All mutants for a file
mewt print mutants --severity high # Filter by severity
mewt print mutant --id [id] # View mutated code diff
mewt test --ids [ids] # Re-test specific mutants
What Results Mean
- Caught/TestFail: Tests detected the mutation (good)
- Uncaught: Mutation survived — indicates untested logic
- Timeout: Tests took too long, inconclusive
- Skipped: A more severe mutant already failed on the same line
Related Skills
trailofbits/semgrep-rule-creator
development
VerifiedTrustedCommunity
Creates custom Semgrep rules for detecting security vulnerabilities, bug patterns, and code patterns. Use when writing Semgrep rules or building custom static analysis detections.
5,647SKILL.mdUpdated Apr 26, 2026
trailofbits/second-opinion
tools
VerifiedTrustedCommunity
Runs external LLM code reviews (OpenAI Codex or Google Gemini CLI) on uncommitted changes, branch diffs, or specific commits. Use when the user asks for a second opinion, external review, codex review, gemini review, or mentions /second-opinion.
5,647SKILL.mdUpdated Apr 26, 2026
trailofbits/gh-cli
tools
VerifiedTrustedCommunity
Enforces authenticated gh CLI workflows over unauthenticated curl/WebFetch patterns. Use when working with GitHub URLs, API access, pull requests, or issues.
5,570SKILL.mdUpdated Jun 6, 2026
trailofbits/chrome-mcp-troubleshooting
tools
VerifiedTrustedCommunity
Diagnose and fix Claude in Chrome MCP extension connectivity issues. Use when mcp__claude-in-chrome__* tools fail, return "Browser extension is not connected", or behave erratically.
5,570SKILL.mdUpdated Jun 6, 2026