
find-bugs

by wu-uk · GitHub ↗ · v0.1.0 · MIT-0
cross-platform ⚠ suspicious
71 downloads · 0 stars · 0 active installs · 1 version
Install in OpenClaw: /install fix-erlang-ssh-cve-find-bugs
Description
Find bugs, security vulnerabilities, and code quality issues in local branch changes. Use when asked to review changes, find bugs, security review, or audit...
README (SKILL.md)

Find Bugs

Review changes on this branch for bugs, security vulnerabilities, and code quality issues.

Phase 1: Complete Input Gathering

  1. Get the FULL diff: git diff master...HEAD
  2. If output is truncated, read each changed file individually until you have seen every changed line
  3. List all files modified in this branch before proceeding

Phase 2: Attack Surface Mapping

For each changed file, identify and list:

  • All user inputs (request params, headers, body, URL components)
  • All database queries
  • All authentication/authorization checks
  • All session/state operations
  • All external calls
  • All cryptographic operations

Phase 3: Security Checklist (check EVERY item for EVERY file)

  • Injection: SQL, command, template, header injection
  • XSS: All outputs in templates properly escaped?
  • Authentication: Auth checks on all protected operations?
  • Authorization/IDOR: Access control verified, not just auth?
  • CSRF: State-changing operations protected?
  • Race conditions: TOCTOU in any read-then-write patterns?
  • Session: Fixation, expiration, secure flags?
  • Cryptography: Secure random, proper algorithms, no secrets in logs?
  • Information disclosure: Error messages, logs, timing attacks?
  • DoS: Unbounded operations, missing rate limits, resource exhaustion?
  • Business logic: Edge cases, state machine violations, numeric overflow?

Phase 4: Verification

For each potential issue:

  • Check if it's already handled elsewhere in the changed code
  • Search for existing tests covering the scenario
  • Read surrounding context to verify the issue is real

Phase 5: Pre-Conclusion Audit

Before finalizing, you MUST:

  1. List every file you reviewed and confirm you read it completely
  2. List every checklist item and note whether you found issues or confirmed it's clean
  3. List any areas you could NOT fully verify and why
  4. Only then provide your final findings

Output Format

Prioritize: security vulnerabilities > bugs > code quality

Skip: stylistic/formatting issues

For each issue:

  • File:Line - Brief description
  • Severity: Critical/High/Medium/Low
  • Problem: What's wrong
  • Evidence: Why this is real (not already fixed, no existing test, etc.)
  • Fix: Concrete suggestion
  • References: OWASP, RFCs, or other standards if applicable

If you find nothing significant, say so - don't invent issues.

Do not make changes - just report findings. I'll decide what to address.
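As an added illustration (not part of the skill or of this listing), a small Python helper that mechanises a first pass of Phases 1 and 2 for the agent: it parses the unified diff that git diff <base>...HEAD produces, tracks new-file line numbers, flags added lines that touch the Phase 2 attack-surface categories, and renders them in the File:Line shape of the Output Format. The diff and the category regexes below are constructed for this example; hits are candidates for the Phase 4 verification step, not confirmed findings.

```python
import re

# Constructed sample of `git diff <base>...HEAD` output (not from any real repository).
SAMPLE_DIFF = """\
--- a/app/users.py
+++ b/app/users.py
@@ -10,2 +10,5 @@ def get_user(request):
-    uid = int(request.args["id"])
-    return db.execute("SELECT * FROM users WHERE id = ?", (uid,))
+    uid = request.args.get("id")
+    query = "SELECT * FROM users WHERE id = %s" % uid
+    return db.execute(query)
+def reset_token():
+    return random.randint(0, 999999)
"""

# Phase 2 categories mapped to heuristic regexes (illustrative, not exhaustive).
SURFACE = {
    "user input": re.compile(r"request\.(args|form|headers|json|cookies)"),
    "database query": re.compile(r"\bexecute(many)?\s*\(|\b(SELECT|INSERT|UPDATE|DELETE)\b"),
    "cryptographic operation": re.compile(r"\brandom\.\w+\(|hashlib\.(md5|sha1)\b"),
    "external call": re.compile(r"\b(requests|urllib|subprocess|os\.system)\b"),
}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def map_attack_surface(diff):
    """Return (path, new_line_no, category, text) for every added line that matches
    a SURFACE category; line numbers are tracked on the '+' (new-file) side."""
    findings, path, lineno = [], None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):  # new-file header "+++ b/path"
            path = raw[4:].removeprefix("b/")
            continue
        m = HUNK.match(raw)
        if m:  # hunk header resets the counter to the new-file start line
            lineno = int(m.group(1))
            continue
        if raw.startswith("-"):  # removed line or "--- a/path" header: no new-file line
            continue
        if raw.startswith("+"):  # added line: the only kind we flag
            text = raw[1:].strip()
            for category, rx in SURFACE.items():
                if rx.search(text):
                    findings.append((path, lineno, category, text))
        lineno += 1  # context and added lines both occupy a new-file line
    return findings

def format_findings(findings):
    """Render hits in the README's 'File:Line - Brief description' shape."""
    return [f"{p}:{n} - {cat}: {text}" for p, n, cat, text in findings]
```

The base branch is left to the caller, which also sidesteps the 'master' vs 'main' assumption noted in the Usage Guidance.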

Usage Guidance
This skill looks like a reasonable local code-review checklist, but fix the metadata mismatch before trusting it: declare 'git' as a required binary (or update instructions to handle missing git). Be aware the instructions will read every changed file in the branch — repositories often contain sensitive data (API keys, private certs, large logs). Only run this skill on repositories you trust and avoid running it in environments where reading the repo could expose secrets to the agent's outputs. Also consider updating the SKILL.md to (1) handle repos where the default branch is 'main' or another name, (2) allow the user to confirm the base branch or provide it explicitly, and (3) clarify how to handle very large diffs (paging, limits) to avoid inadvertent data exfiltration. If you want higher assurance, request the author to add explicit required-binaries metadata and a short note describing that the skill reads local files only and does not transmit data externally.
Capability Analysis
Type: OpenClaw Skill
Name: fix-erlang-ssh-cve-find-bugs
Version: 0.1.0
The skill bundle provides a structured framework for an AI agent to perform security audits and bug hunting on local git branches. It uses standard git commands (git diff) and follows established security review practices (OWASP-aligned checklist) without any evidence of malicious intent, data exfiltration, or unauthorized execution.
Capability Assessment
Purpose & Capability
The skill's stated purpose (review local branch changes) matches the SKILL.md instructions, which require running git commands and reading repository files. However, the registry metadata lists no required binaries while the instructions explicitly call 'git diff' and rely on git being available. That mismatch is incoherent: a code-review skill legitimately needs git or an equivalent VCS tool declared.
Instruction Scope
SKILL.md gives a detailed, concrete review procedure (get full diff, read every changed file, map attack surface, run a checklist, verify, and report). It does not instruct contacting external endpoints or accessing unrelated system files. Two points to note: (1) it assumes the base branch is named 'master' (many repos use 'main' or other names), and (2) it explicitly tells the agent to read every changed file — which is expected for a repo review but could surface secrets or sensitive data if present in the repo. The instructions are otherwise appropriately scoped to code-review tasks.
Install Mechanism
There is no install spec and no code files; this is instruction-only, which is low risk for install-time arbitrary code. Nothing is written to disk by the skill itself.
Credentials
The skill declares no environment variables, no credentials, and no config paths. The SKILL.md also does not request secrets or external credentials. This is proportionate for a local code-review helper.
Persistence & Privilege
The skill is not force-enabled (always: false) and does not request persistent/high-privilege settings. Autonomous invocation is allowed (platform default) but that alone is not flagged. The skill does not request to modify other skills or system-wide settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install fix-erlang-ssh-cve-find-bugs
  3. After installation, invoke the skill by name or use /fix-erlang-ssh-cve-find-bugs
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Bulk publish from all-task-skills-dedup
Metadata
Slug fix-erlang-ssh-cve-find-bugs
Version 0.1.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is find-bugs?

Find bugs, security vulnerabilities, and code quality issues in local branch changes. Use when asked to review changes, find bugs, security review, or audit... It is an AI Agent Skill for Claude Code / OpenClaw, with 71 downloads so far.

How do I install find-bugs?

Run "/install fix-erlang-ssh-cve-find-bugs" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is find-bugs free?

Yes, find-bugs is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does find-bugs support?

find-bugs is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created find-bugs?

It is built and maintained by wu-uk (@wu-uk); the current version is v0.1.0.
