Cosmos Vulnerability Scanner

Spawns parallel Cosmos SDK / CosmWasm scanners for chain-halt and fund-loss bugs across 54 documented patterns.

Tested · Works

Test report

Verdict
Tested · Works
Score
9.2/10
Tested
Jul 14, 2026
Environment
Claude Code 2.x (agent harness)
Upstream re-checked
Jul 18, 2026 · 840a45d

Fed it a synthetic Cosmos rewards module with a map-iteration bug and an unvalidated msg_server payout; the skill's own pattern docs caught both plus a third bug a generic review missed (panic-on-error in EndBlock), each tagged with the exact fund-loss-vs-chain-halt severity class from the reference file. The claimed pattern counts (25 core / 16 IBC / 10 EVM / 3 CosmWasm) check out exactly against the scanner-role table in the SKILL.md itself.

Scored on four weighted criteria — install, triggering, output vs. baseline, docs. How scoring works

  • Installs cleanly 5/5
  • Triggers reliably 5/5
  • Output vs. baseline 8/10
  • Docs & honesty 5/5

What Cosmos Vulnerability Scanner does

Runs a structured multi-agent security scan of Cosmos SDK modules and CosmWasm contracts, checking code against 54 documented vulnerability patterns (non-determinism, ABCI panics, signer mismatches, IBC, EVM, CosmWasm) and writing one markdown finding per bug to an output directory. Triggers when auditing custom x/ modules, reviewing IBC integrations, or doing pre-launch chain security review, and explicitly declines pure-Solidity or non-consensus-critical work.

How to install Cosmos Vulnerability Scanner

git clone https://github.com/trailofbits/skills
cd skills
mkdir -p ~/.claude/skills
cp -r plugins/building-secure-contracts/skills/cosmos-vulnerability-scanner ~/.claude/skills/cosmos-vulnerability-scanner

Skills live in ~/.claude/skills/ (global) or .claude/skills/ (per-project). Restart Claude Code after installing.

Commands — how to trigger Cosmos Vulnerability Scanner

  • /cosmos-vulnerability-scanner Spawns parallel Cosmos SDK / CosmWasm scanners for chain-halt and fund-loss bugs across 54 documented patterns.

It also activates on plain-language prompts like these:

  • Audit my Cosmos SDK module for vulnerabilities
  • Scan this ABCI handler for chain-halt panics
  • Check my Cosmos module for unauthenticated payouts

Frequently asked questions

Is the Cosmos Vulnerability Scanner skill free?
Yes. The skill itself is free from trailofbits/skills. SkillProof publishes the install command and an independent test verdict at no cost.
Does Cosmos Vulnerability Scanner work with Claude Code?
We tested it with Claude Code 2.x (agent harness) on Jul 14, 2026. Verdict: Tested · Works. Fed it a synthetic Cosmos rewards module with a map-iteration bug and an unvalidated msg_server payout; the skill's own pattern docs caught both plus a third bug a generic review missed (panic-on-error in EndBlock), each tagged with the exact fund-loss-vs-chain-halt severity class from the reference file. The claimed pattern counts (25 core / 16 IBC / 10 EVM / 3 CosmWasm) check out exactly against the scanner-role table in the SKILL.md itself.
What is the Cosmos Vulnerability Scanner SkillProof Score?
9.2/10 — installs cleanly 5/5, triggers reliably 5/5, output vs. baseline 8/10, docs & honesty 5/5.
How do I install Cosmos Vulnerability Scanner?
Copy the install command from this page, run it in your terminal, and restart Claude Code. Skills live in ~/.claude/skills/ (global) or .claude/skills/ inside a project.
Can I use Cosmos Vulnerability Scanner with Cursor, Copilot, Gemini CLI, Codex or other AI tools?
The SKILL.md format is native to Claude (Claude Code, Desktop, claude.ai). The instructions inside adapt to other assistants: Cursor rules, GitHub Copilot instructions, Windsurf rules, Custom GPTs, AGENTS.md for OpenAI Codex, and GEMINI.md for Google Gemini CLI — our conversion guides cover each, and the free converter on the tools page does the wrapping for you.