Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

apegurus/authorization-txorigin

Name: authorization-txorigin
Author: apegurus

skills/vulnerability-patterns/authorization-txorigin/SKILL.md

npx skillsauth add apegurus/solidity-argus authorization-txorigin

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Authorization Through tx.origin

Preconditions

Contract uses tx.origin for authorization or access control checks (e.g., require(tx.origin == owner))
A legitimate owner/admin may interact with untrusted external contracts

Vulnerable Pattern

contract Wallet {
    address public owner;

    function transferTo(address to, uint256 amount) external {
        // tx.origin is the EOA that initiated the entire tx chain
        // If owner calls MaliciousContract, which calls Wallet.transferTo,
        // tx.origin is still the owner — check passes
        require(tx.origin == owner, "not owner");
        payable(to).transfer(amount);
    }
}

contract Attacker {
    Wallet wallet;
    // Owner calls this (e.g., via a phishing link)
    fallback() external {
        // tx.origin == owner because owner initiated the tx
        wallet.transferTo(address(this), address(wallet).balance);
    }
}

Detection Heuristics

Search for all instances of tx.origin in the codebase
If tx.origin is used in a require, if, or comparison for authorization purposes, flag it
Check if tx.origin is compared against privileged addresses (owner, admin, etc.)
Note: tx.origin == msg.sender used to verify EOA status is a different pattern (see asserting-contract-from-code-size) — still flag it but for different reasons (breaks with account abstraction)

False Positives

tx.origin used only for logging or analytics, not for authorization
tx.origin used in combination with msg.sender checks where msg.sender is the primary authorization mechanism

Remediation

Replace tx.origin with msg.sender for all authorization checks
msg.sender reflects the immediate caller, not the transaction originator

function transferTo(address to, uint256 amount) external {
    require(msg.sender == owner, "not owner"); // Immediate caller check
    payable(to).transfer(amount);
}

apegurus/authorization-txorigin

skills/vulnerability-patterns/authorization-txorigin/SKILL.md

Contract uses tx.origin for authorization or access control checks (e.g., require(tx.origin == owner))

testing

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus authorization-txorigin

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:26 AM223.3s1 file scanned

SKILL.md

name:: authorization-txorigin
description:: tx.origin usage in authorization logic is phishing-prone
pattern_category:: access-control
- regex:: tx\.origin
severity:: High
confidence:: High
swc:: SWC-115

Authorization Through tx.origin

Preconditions

Contract uses tx.origin for authorization or access control checks (e.g., require(tx.origin == owner))
A legitimate owner/admin may interact with untrusted external contracts

Vulnerable Pattern

contract Wallet {
    address public owner;

    function transferTo(address to, uint256 amount) external {
        // tx.origin is the EOA that initiated the entire tx chain
        // If owner calls MaliciousContract, which calls Wallet.transferTo,
        // tx.origin is still the owner — check passes
        require(tx.origin == owner, "not owner");
        payable(to).transfer(amount);
    }
}

contract Attacker {
    Wallet wallet;
    // Owner calls this (e.g., via a phishing link)
    fallback() external {
        // tx.origin == owner because owner initiated the tx
        wallet.transferTo(address(this), address(wallet).balance);
    }
}

Detection Heuristics

Search for all instances of tx.origin in the codebase
If tx.origin is used in a require, if, or comparison for authorization purposes, flag it
Check if tx.origin is compared against privileged addresses (owner, admin, etc.)
Note: tx.origin == msg.sender used to verify EOA status is a different pattern (see asserting-contract-from-code-size) — still flag it but for different reasons (breaks with account abstraction)

False Positives

tx.origin used only for logging or analytics, not for authorization
tx.origin used in combination with msg.sender checks where msg.sender is the primary authorization mechanism

Remediation

Replace tx.origin with msg.sender for all authorization checks
msg.sender reflects the immediate caller, not the transaction originator

function transferTo(address to, uint256 amount) external {
    require(msg.sender == owner, "not owner"); // Immediate caller check
    payable(to).transfer(amount);
}

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/vulnerability-patterns/authorization-txorigin ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT