Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

plamentsv/consensus-tx-identity-invariants

Name: consensus-tx-identity-invariants
Author: plamentsv

agents/skills/injectable/l1/consensus-tx-identity-invariants/SKILL.md

npx skillsauth add plamentsv/plamen consensus-tx-identity-invariants

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Injectable Skill: Consensus Tx Identity Invariants

L1 trigger: CONSENSUS flag AND (txid, tx_hash, nonce, sequence, signature, message_id detected across modules) Inject Into: depth-consensus-invariant, depth-state-trace Language: Go and Rust Finding prefix: [TXI-N]

1. Identity Definition

Determine what uniquely identifies a transaction in each layer:

explicit nonce / sequence
hash of body
hash of signed payload
envelope ID distinct from execution payload ID

Tag: [TX-ID:DEFINITION]

2. Replay Protection

For every submission path, ask what value changes to prevent replay and whether it is monotonic, chain-bound, and sender-bound. Flag replay surfaces on the same chain, across forks, or across layers.

Write the answer as a table:

| Tx Type | Replay-unique field | Sender-bound? | Chain-bound? | Expiry / bound | |---|---|---|---|---|

Tag: [TX-ID:REPLAY]

Mandatory enumeration:

List every signed transaction/message type, not only system transactions: user transactions, system transactions, commitments, block-level commitments, gossip messages, admin/config messages, and any wrapper/envelope format.
For each type, identify the replay guard: nonce, sequence, anchor, recent-block hash, expiry, chain ID, domain separator, or explicit consumed marker.
If no per-sender or per-message replay guard exists, emit a finding. Do not accept "outer EVM signature has chain_id" as sufficient unless the inner payload identity and all consensus effects are also covered by that exact signature domain.
Check same-chain replay, cross-fork replay, cross-layer replay, and re-inclusion after reorg separately.

3. ID / Signature Binding

Verify that the provided ID equals the hash of the signed content and that the signature covers the exact bytes later used for execution or persistence.

Questions:

Is the ID recomputed by the verifier, or trusted from peer input?
Does the signature sign the same bytes the ID is derived from?
If the ID and signature are derived from different byte domains, can the content change while one of them stays stable?

Mandatory binding table:

| Object | Claimed ID field | Recomputed from | Signature covers | Persistence key | Mismatch possible? | |---|---|---|---|---|---|

Apply it to blocks, transactions, commitments, and any included commitment list. If a block/tx/commitment ID is accepted from peer input without recomputing it from the signed bytes, emit a finding.

Tag: [TX-ID:BINDING]

4. Cross-Layer Consistency

Trace the transaction through admission, mempool, consensus inclusion, execution, and indexing. All layers must agree on nonce / chain identifier / sender identity / canonical ID.

If a wrapper transaction carries an inner transaction or message, verify the wrapper ID is tied to the inner payload identity instead of being an unrelated field.

Tag: [TX-ID:CROSS-LAYER]

plamentsv/consensus-tx-identity-invariants

agents/skills/injectable/l1/consensus-tx-identity-invariants/SKILL.md

L1 trigger - audits replay protection, transaction identity binding, and cross-layer uniqueness.

225 stars

testing

Updated May 14, 2026

$ install --global

skillsauth

npx skillsauth add plamentsv/plamen consensus-tx-identity-invariants

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 14, 2026, 5:35 AM167.1s1 file scanned

SKILL.md

name:: consensus-tx-identity-invariants
description:: L1 trigger - audits replay protection, transaction identity binding, and cross-layer uniqueness.

Injectable Skill: Consensus Tx Identity Invariants

L1 trigger: CONSENSUS flag AND (txid, tx_hash, nonce, sequence, signature, message_id detected across modules) Inject Into: depth-consensus-invariant, depth-state-trace Language: Go and Rust Finding prefix: [TXI-N]

1. Identity Definition

Determine what uniquely identifies a transaction in each layer:

explicit nonce / sequence
hash of body
hash of signed payload
envelope ID distinct from execution payload ID

Tag: [TX-ID:DEFINITION]

2. Replay Protection

For every submission path, ask what value changes to prevent replay and whether it is monotonic, chain-bound, and sender-bound. Flag replay surfaces on the same chain, across forks, or across layers.

Write the answer as a table:

| Tx Type | Replay-unique field | Sender-bound? | Chain-bound? | Expiry / bound | |---|---|---|---|---|

Tag: [TX-ID:REPLAY]

Mandatory enumeration:

List every signed transaction/message type, not only system transactions: user transactions, system transactions, commitments, block-level commitments, gossip messages, admin/config messages, and any wrapper/envelope format.
For each type, identify the replay guard: nonce, sequence, anchor, recent-block hash, expiry, chain ID, domain separator, or explicit consumed marker.
If no per-sender or per-message replay guard exists, emit a finding. Do not accept "outer EVM signature has chain_id" as sufficient unless the inner payload identity and all consensus effects are also covered by that exact signature domain.
Check same-chain replay, cross-fork replay, cross-layer replay, and re-inclusion after reorg separately.

3. ID / Signature Binding

Verify that the provided ID equals the hash of the signed content and that the signature covers the exact bytes later used for execution or persistence.

Questions:

Is the ID recomputed by the verifier, or trusted from peer input?
Does the signature sign the same bytes the ID is derived from?
If the ID and signature are derived from different byte domains, can the content change while one of them stays stable?

Mandatory binding table:

| Object | Claimed ID field | Recomputed from | Signature covers | Persistence key | Mismatch possible? | |---|---|---|---|---|---|

Apply it to blocks, transactions, commitments, and any included commitment list. If a block/tx/commitment ID is accepted from peer input without recomputing it from the signed bytes, emit a finding.

Tag: [TX-ID:BINDING]

4. Cross-Layer Consistency

Trace the transaction through admission, mempool, consensus inclusion, execution, and indexing. All layers must agree on nonce / chain identifier / sender identity / canonical ID.

If a wrapper transaction carries an inner transaction or message, verify the wrapper ID is tied to the inner payload identity instead of being an unrelated field.

Tag: [TX-ID:CROSS-LAYER]

Related Skills

plamentsv/audit-prep

development

VerifiedTrustedCommunity

Prepare Solidity projects for a security audit — test coverage, test quality, NatSpec docs, code hygiene, dependency health, best-practice enforcement, deployment readiness, and project documentation checks. Generates a scored Audit Readiness Report and optionally runs static analysis. Trigger on: "prepare for audit", "audit readiness", "pre-audit check", "audit prep", "NatSpec check", or any request to review a Solidity codebase before a security review.

225SKILL.mdUpdated May 14, 2026

plamentsv/plamen

development

VerifiedTrustedCommunity

Launch the Plamen deterministic Web3 security audit pipeline

225SKILL.mdUpdated May 14, 2026

plamentsv/plamen-wizard

development

VerifiedTrustedCommunity

Run the Plamen smart-contract audit wizard in Codex

225SKILL.mdUpdated May 14, 2026

plamentsv/plamen-wizard

plamentsv/plamen-l1

testing

VerifiedTrustedCommunity

Launch the Plamen deterministic L1 infrastructure audit pipeline

225SKILL.mdUpdated May 14, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/plamentsv/plamen.git

# Copy into Claude Code skills folder (global)
cp -r plamen/agents/skills/injectable/l1/consensus-tx-identity-invariants ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

plamentsv/plamen

225 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT