Cosmos Vulnerability Scanner
Spawns parallel Cosmos SDK / CosmWasm scanners for chain-halt and fund-loss bugs across 54 documented patterns.
Test report
- Verdict
- Tested · Works
- Score
- Tested
- Jul 14, 2026
- Environment
- Claude Code 2.x (agent harness)
- Upstream re-checked
- Jul 18, 2026 · 840a45d
Fed it a synthetic Cosmos rewards module with a map-iteration bug and an unvalidated msg_server payout; the skill's own pattern docs caught both plus a third bug a generic review missed (panic-on-error in EndBlock), each tagged with the exact fund-loss-vs-chain-halt severity class from the reference file. The claimed pattern counts (25 core / 16 IBC / 10 EVM / 3 CosmWasm) check out exactly against the scanner-role table in the SKILL.md itself.
Scored on four weighted criteria — install, triggering, output vs. baseline, docs. How scoring works
- Installs cleanly 5/5
- Triggers reliably 5/5
- Output vs. baseline 8/10
- Docs & honesty 5/5
What Cosmos Vulnerability Scanner does
Runs a structured multi-agent security scan of Cosmos SDK modules and CosmWasm contracts, checking code against 54 documented vulnerability patterns (non-determinism, ABCI panics, signer mismatches, IBC, EVM, CosmWasm) and writing one markdown finding per bug to an output directory. Triggers when auditing custom x/ modules, reviewing IBC integrations, or doing pre-launch chain security review, and explicitly declines pure-Solidity or non-consensus-critical work.
How to install Cosmos Vulnerability Scanner
git clone https://github.com/trailofbits/skills
cd skills
mkdir -p ~/.claude/skills
cp -r plugins/building-secure-contracts/skills/cosmos-vulnerability-scanner ~/.claude/skills/cosmos-vulnerability-scanner
Skills live in ~/.claude/skills/ (global) or .claude/skills/
(per-project). Restart Claude Code after installing.
Commands — how to trigger Cosmos Vulnerability Scanner
-
/cosmos-vulnerability-scannerSpawns parallel Cosmos SDK / CosmWasm scanners for chain-halt and fund-loss bugs across 54 documented patterns.
It also activates on plain-language prompts like these:
-
Audit my Cosmos SDK module for vulnerabilities -
Scan this ABCI handler for chain-halt panics -
Check my Cosmos module for unauthenticated payouts
Frequently asked questions
- Is the Cosmos Vulnerability Scanner skill free?
- Yes. The skill itself is free from trailofbits/skills. SkillProof publishes the install command and an independent test verdict at no cost.
- Does Cosmos Vulnerability Scanner work with Claude Code?
- We tested it with Claude Code 2.x (agent harness) on Jul 14, 2026. Verdict: Tested · Works. Fed it a synthetic Cosmos rewards module with a map-iteration bug and an unvalidated msg_server payout; the skill's own pattern docs caught both plus a third bug a generic review missed (panic-on-error in EndBlock), each tagged with the exact fund-loss-vs-chain-halt severity class from the reference file. The claimed pattern counts (25 core / 16 IBC / 10 EVM / 3 CosmWasm) check out exactly against the scanner-role table in the SKILL.md itself.
- What is the Cosmos Vulnerability Scanner SkillProof Score?
- 9.2/10 — installs cleanly 5/5, triggers reliably 5/5, output vs. baseline 8/10, docs & honesty 5/5.
- How do I install Cosmos Vulnerability Scanner?
- Copy the install command from this page, run it in your terminal, and restart Claude Code. Skills live in ~/.claude/skills/ (global) or .claude/skills/ inside a project.
- Can I use Cosmos Vulnerability Scanner with Cursor, Copilot, Gemini CLI, Codex or other AI tools?
- The SKILL.md format is native to Claude (Claude Code, Desktop, claude.ai). The instructions inside adapt to other assistants: Cursor rules, GitHub Copilot instructions, Windsurf rules, Custom GPTs, AGENTS.md for OpenAI Codex, and GEMINI.md for Google Gemini CLI — our conversion guides cover each, and the free converter on the tools page does the wrapping for you.