← Back to Skills Marketplace
solomonneas

Bug Hunt

by Solomon Neas · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
49
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install bug-hunt
Description
Use when asked to find bugs, hunt for correctness issues, sweep a codebase for defects, or verify a repo behaves as intended. Not for style or architecture r...
README (SKILL.md)

bug-hunt

A correctness sweep that only reports bugs it failed to refute. Finders generate candidates; verifiers try to kill them; survivors make the report. The single biggest failure mode of agent bug-hunting is plausible-but-wrong findings, so verification is not optional.

Read-only. Finding bugs and fixing them are separate engagements.

Lenses

Sweep with each lens. With parallel subagents available, one finder per lens; otherwise sequential passes.

Lens Hunting for
Logic Inverted conditions, off-by-one, wrong operator, unreachable branches, broken invariants
Error handling Swallowed exceptions, missing error paths, errors that corrupt state before propagating, misleading messages
Edge cases Empty/nil/zero inputs, unicode, huge inputs, boundary values, first/last iteration
Concurrency Races, missing locks, shared mutable state, TOCTOU, async ordering assumptions
API misuse Contract violations against libraries and the project's own interfaces, ignored return values, resource leaks, lifecycle errors

Focus finders on code that is reachable and load-bearing: entry points, hot paths, recently changed files (git log --since is a good prior). A bug in dead code is info, not a finding.

Verification (mandatory)

Every candidate gets an adversarial pass before it may appear in the report. The verifier's job is to REFUTE the finding, default skeptical:

  1. Read the actual code path end to end, including callers and guards the finder may have missed.
  2. Trace a concrete input that triggers the bug. No trigger, no bug.
  3. Check whether a test, type system, or runtime check already prevents it.
  4. Verdict: confirmed (with the triggering scenario), refuted (drop silently), or unverifiable (report downgraded one severity, marked (unverified)).

When tests can be run safely (no external dependencies, sandboxed), a failing reproduction test is the gold standard for confirmation and should be included in the finding as a sketch, not committed.

Report contract

Same spine as line-check so findings compose. Severity: critical (data loss, corruption, security-adjacent) / high (wrong results on common inputs, crashes) / medium (wrong on edge cases) / low (latent, needs unlikely conditions) / info. Effort is the fix cost: S / M / L.

# bug-hunt report: \x3Crepo> (\x3Cdate>)

## Verdict
Paragraph: overall correctness posture, the scariest confirmed bug.

## Scorecard
| Lens | Score (0-5) | Summary |

## Findings
### [SEVERITY] Short imperative title
- **Lens:** which lens found it
- **Where:** file:line
- **What:** the defect, concretely
- **Trigger:** the concrete input or sequence that hits it
- **Why it matters:** consequence
- **Fix:** specific action
- **Effort:** S / M / L

## Backlog
Numbered, leverage-sorted: `N. [SEVERITY/EFFORT] title (lens)`

## Not checked
Lenses or areas skipped and why; candidates that were refuted (count only).

Common mistakes

  • Reporting finder output without verification. Half of plausible candidates die under a skeptical read.
  • "This could be a problem if..." findings with no trigger. A bug without a triggering input is a hypothesis.
  • Treating style issues as bugs. Wrong formatting never corrupted data.
  • Stopping at the first confirmed bug in a file. Bugs cluster; finish the file.
Usage Guidance
Install only if you want an agent to perform read-only bug-hunting over a repository. It may inspect broad areas of the codebase and suggest safe test runs, but the artifact does not ask to modify files, use credentials, or send data elsewhere.
Capability Assessment
Purpose & Capability
The stated purpose is defect finding, and the instructions are limited to reviewing code paths, checking tests or guards, and producing a structured bug report.
Instruction Scope
The skill explicitly says bug finding and fixing are separate, requires verification before reporting, and only suggests running tests when safe and sandboxed.
Install Mechanism
The artifact contains a single non-executable SKILL.md file with matching metadata; no scripts, package installs, hooks, or runtime payloads are present.
Credentials
Reading repository code and recent git history is proportionate for a user-requested correctness sweep; no unrelated data access, network use, or credential handling is requested.
Persistence & Privilege
No persistence, privilege escalation, background workers, credential/session use, file mutation, or external data transfer is instructed.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install bug-hunt
  3. After installation, invoke the skill by name or use /bug-hunt
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release – bug-hunt 1.0.0 - Provides a structured, adversarial methodology for defect finding in codebases. - Uses multiple "lenses" (logic, error handling, edge cases, concurrency, API misuse) to guide comprehensive bug sweeps. - Mandates that every potential bug is verified before reporting; only confirmed or unrefuted issues reach the report. - Delivers findings in a standardized markdown spine, including severity, effort, and reproduction details. - Clearly outlines common mistakes and enforces a strict separation between bug finding and fixing.
Metadata
Slug bug-hunt
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Bug Hunt?

Use when asked to find bugs, hunt for correctness issues, sweep a codebase for defects, or verify a repo behaves as intended. Not for style or architecture r... It is an AI Agent Skill for Claude Code / OpenClaw, with 49 downloads so far.

How do I install Bug Hunt?

Run "/install bug-hunt" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Bug Hunt free?

Yes, Bug Hunt is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Bug Hunt support?

Bug Hunt is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Bug Hunt?

It is built and maintained by Solomon Neas (@solomonneas); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments