main skill saves findings

GrosQuildu · GrosQuildu · commit d197f7939c69 · 2026-03-19T09:46:20.000+01:00
diff --git a/plugins/building-secure-contracts/skills/cosmos-vulnerability-scanner/SKILL.md b/plugins/building-secure-contracts/skills/cosmos-vulnerability-scanner/SKILL.md
@@ -7,9 +7,9 @@ description: "Scans Cosmos SDK blockchain modules and CosmWasm contracts for con
 
 ## Purpose
 
-Scan Cosmos SDK modules and CosmWasm contracts for vulnerabilities that cause chain halts, consensus failures, or fund loss. Spawns parallel scanning agents — each specializing in a vulnerability category — that write findings as individual markdown files to an output directory.
+Scan Cosmos SDK modules and CosmWasm contracts for vulnerabilities that cause chain halts, consensus failures, or fund loss. Spawns parallel scanning agents — each specializing in a vulnerability category — that return findings to the main skill, which then writes them as individual markdown files to an output directory.
 
-**Output directory**: defaults to `.bughunt_cosmos/`. If the user specifies a different directory in their prompt, use that instead and pass it to all subagents.
+**Output directory**: defaults to `.bughunt_cosmos/`. If the user specifies a different directory in their prompt, use that instead.
 
 ## When to Use
 
@@ -40,10 +40,10 @@ Scan Cosmos SDK modules and CosmWasm contracts for vulnerabilities that cause ch
 
 **Entry**: Target codebase path provided by user. Codebase contains Go source (e.g., `x/` modules, `go.mod`) or Rust contracts with `cosmwasm_std`.
 
-Run a **synchronous subagent** (Agent tool, `subagent_type: general-purpose`) with the full contents of [DISCOVERY.md](resources/DISCOVERY.md) as its prompt. The agent must:
+Run a **synchronous subagent** (Agent tool) with the full contents of [DISCOVERY.md](resources/DISCOVERY.md) as its prompt. The agent must:
 
 1. Follow the Discovery workflow to explore the target codebase
-2. Write a `CLAUDE.md` at the target repo root with the technical inventory and threat model
+2. Return the full CLAUDE.md content (the technical inventory and threat model) in its response
 3. Return a structured summary with exactly these fields:
 
 ```
@@ -54,13 +54,13 @@ IBC_GO_VERSION: <version from go.mod, or "n/a">
 CUSTOM_MODULES: <comma-separated list of x/* modules>
 ```
 
-Save the returned values and the path to the written CLAUDE.md — these feed into Phase 2.
+After the subagent returns, **you** (the main skill) Write the CLAUDE.md to the target repo root. Save its path and the discovery values — these feed into Phase 2.
 
-**Exit**: CLAUDE.md written. PLATFORM, IBC_ENABLED, SDK_VERSION, IBC_GO_VERSION, and CUSTOM_MODULES captured.
+**Exit**: CLAUDE.md written by main skill. PLATFORM, IBC_ENABLED, SDK_VERSION, IBC_GO_VERSION, and CUSTOM_MODULES captured.
 
 ### Phase 2: Parallel Vulnerability Scan
 
-Spawn scanning agents **in a single message** for maximum parallelism. Use the Agent Prompt Template below, filling in the reference file for each agent.
+Spawn scanning agents **in a single message** for maximum parallelism. Use the Agent Prompt Template below, filling in the reference file for each agent. Subagents only need read access (Grep, Glob, Read) — they return findings in their response and the main skill writes the files.
 
 **Always spawn these 3 agents:**
 
@@ -78,11 +78,9 @@ Spawn scanning agents **in a single message** for maximum parallelism. Use the A
 | `ibc-scanner` | IBC_ENABLED is `true` | `IBC_VULNERABILITY_PATTERNS.md` |
 | `cosmwasm-scanner` | PLATFORM includes `wasm` | `COSMWASM_VULNERABILITY_PATTERNS.md` |
 
-All scanning agents use `subagent_type: general-purpose` (need Write for finding files).
-
 #### Agent Prompt Template
 
-Construct each agent's prompt by replacing `{REFERENCE_FILE_PATH}` with the full path to the reference file (under `{baseDir}/resources/`), `{CLAUDE_MD_PATH}` with the path to the CLAUDE.md written in Phase 1, and `{OUTPUT_DIR}` with the output directory (default `.bughunt_cosmos`):
+Construct each agent's prompt by replacing `{REFERENCE_FILE_PATH}` with the full path to the reference file (under `{baseDir}/resources/`) and `{CLAUDE_MD_PATH}` with the path to the CLAUDE.md written in Phase 1:
 
 ~~~
 Perform a very thorough security scan of a Cosmos SDK codebase for specific vulnerability patterns.
@@ -116,13 +114,16 @@ SEVERITY:
 - Medium (DoS): unbounded pagination, tx replay, missing validation, governance spam, rate limiting, circuit breaker bypass, storage key collisions
 - Low (logic): rounding errors, stub handlers, event override, module ordering
 
-OUTPUT — WRITING FINDINGS TO FILES:
-For each finding, Write a markdown file to `{OUTPUT_DIR}/` using this naming convention:
-  `{OUTPUT_DIR}/{SEVERITY}-s{SECTION_NUM}-{kebab-description}.md`
-Examples: `{OUTPUT_DIR}/CRITICAL-s05-signer-mismatch-x-dex.md`, `{OUTPUT_DIR}/HIGH-s01-map-iteration-x-rewards-endblock.md`
+OUTPUT — RETURN FORMAT:
+Do NOT write any files. Return ALL findings and the summary in your response.
+
+For each pattern, return one of:
+  §NUM PATTERN_NAME: Not applicable — [one-line reason]
+  §NUM PATTERN_NAME: FINDING (followed by the finding block below)
 
-Each finding file must follow this template:
+For each finding, include the full content using this template:
 
+FINDING_FILE: {SEVERITY}-s{SECTION_NUM}-{kebab-description}.md
 ## [SEVERITY] Title
 **Location**: `file:line`
 **Description**: What the bug is and why it matters
@@ -131,23 +132,24 @@ Each finding file must follow this template:
 **Recommendation**: How to fix
 **References**: [links to relevant advisories or building-secure-contracts]
 
-OUTPUT — RETURN VALUE:
-Return ONLY a summary table — one line per pattern. Do NOT include finding details in your response.
-Format:
-  §NUM PATTERN_NAME: {OUTPUT_DIR}/FILENAME.md
-  §NUM PATTERN_NAME: Not applicable — [one-line reason]
-If a pattern has multiple findings, use one line per finding.
-
 You MUST report on ALL patterns in the reference file — do not skip any.
 ~~~
 
 **Exit**: All scanning agents returned. Each reported on every pattern in their reference file.
 
-### Phase 3: Verify Completeness
+### Phase 3: Write Findings
+
+After all scanning agents return, write finding files to the output directory (default `.bughunt_cosmos/`):
+
+1. Parse each agent's response for `FINDING_FILE:` blocks
+2. For each finding, Write the content to `{OUTPUT_DIR}/{filename}` using the filename from `FINDING_FILE:`
+3. Create the output directory first if it doesn't exist
+
+### Phase 4: Verify Completeness
 
-After all scanning agents return, verify every pattern was assessed:
+After writing all findings, verify every pattern was assessed:
 
-1. Collect the summary tables returned by each agent
+1. Collect the summary lines (§NUM entries) returned by each agent
 2. Check pattern counts against expected totals:
    - `core-scanner`: 8 patterns (§1-9, excluding §8 legacy-only)
    - `state-scanner`: 13 patterns (§11-23)
