wu-uk

find-bugs

Author: wu-uk · GitHub · v0.1.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 71
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install fix-erlang-ssh-cve-find-bugs
Description
Find bugs, security vulnerabilities, and code quality issues in local branch changes. Use when asked to review changes, find bugs, security review, or audit...
Usage (SKILL.md)

Find Bugs

Review changes on this branch for bugs, security vulnerabilities, and code quality issues.

Phase 1: Complete Input Gathering

  1. Get the FULL diff: git diff master...HEAD
  2. If output is truncated, read each changed file individually until you have seen every changed line
  3. List all files modified in this branch before proceeding

Phase 2: Attack Surface Mapping

For each changed file, identify and list:

  • All user inputs (request params, headers, body, URL components)
  • All database queries
  • All authentication/authorization checks
  • All session/state operations
  • All external calls
  • All cryptographic operations

Phase 3: Security Checklist (check EVERY item for EVERY file)

  • Injection: SQL, command, template, header injection
  • XSS: All outputs in templates properly escaped?
  • Authentication: Auth checks on all protected operations?
  • Authorization/IDOR: Access control verified, not just auth?
  • CSRF: State-changing operations protected?
  • Race conditions: TOCTOU in any read-then-write patterns?
  • Session: Fixation, expiration, secure flags?
  • Cryptography: Secure random, proper algorithms, no secrets in logs?
  • Information disclosure: Error messages, logs, timing attacks?
  • DoS: Unbounded operations, missing rate limits, resource exhaustion?
  • Business logic: Edge cases, state machine violations, numeric overflow?

Phase 4: Verification

For each potential issue:

  • Check if it's already handled elsewhere in the changed code
  • Search for existing tests covering the scenario
  • Read surrounding context to verify the issue is real

Phase 5: Pre-Conclusion Audit

Before finalizing, you MUST:

  1. List every file you reviewed and confirm you read it completely
  2. List every checklist item and note whether you found issues or confirmed it's clean
  3. List any areas you could NOT fully verify and why
  4. Only then provide your final findings

Output Format

Prioritize: security vulnerabilities > bugs > code quality

Skip: stylistic/formatting issues

For each issue:

  • File:Line - Brief description
  • Severity: Critical/High/Medium/Low
  • Problem: What's wrong
  • Evidence: Why this is real (not already fixed, no existing test, etc.)
  • Fix: Concrete suggestion
  • References: OWASP, RFCs, or other standards if applicable

If you find nothing significant, say so - don't invent issues.

Do not make changes - just report findings. I'll decide what to address.

Safe-use recommendations
This skill looks like a reasonable local code-review checklist, but fix the metadata mismatch before trusting it: declare 'git' as a required binary (or update instructions to handle missing git). Be aware the instructions will read every changed file in the branch — repositories often contain sensitive data (API keys, private certs, large logs). Only run this skill on repositories you trust and avoid running it in environments where reading the repo could expose secrets to the agent's outputs. Also consider updating the SKILL.md to (1) handle repos where the default branch is 'main' or another name, (2) allow the user to confirm the base branch or provide it explicitly, and (3) clarify how to handle very large diffs (paging, limits) to avoid inadvertent data exfiltration. If you want higher assurance, request the author to add explicit required-binaries metadata and a short note describing that the skill reads local files only and does not transmit data externally.
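As an added example (not code from the skill or its author), the following POSIX shell script implements Phase 1 of the SKILL.md with the two mitigations suggested above: it resolves the base branch instead of assuming 'master', and screens changed paths that commonly hold secret material before their diffs are printed. It assumes git is on PATH and that it runs inside the repository under review; the path patterns are a constructed starting list, not an authoritative one.

```shell
#!/bin/sh
# Added example, not part of the skill: Phase 1 input gathering with the
# base-branch detection and secret-path screening recommended in the review.
# Assumes git is on PATH and the script runs inside the repository under review.

# Print the base branch: an explicit argument wins, then origin/HEAD,
# then a local 'main' or 'master'. Fails (exit 1) if none is found.
resolve_base() {
  if [ -n "$1" ]; then printf '%s\n' "$1"; return 0; fi
  ref=$(git symbolic-ref -q --short refs/remotes/origin/HEAD 2>/dev/null) &&
    { printf '%s\n' "${ref#origin/}"; return 0; }
  for cand in main master; do
    git show-ref -q --verify "refs/heads/$cand" 2>/dev/null &&
      { printf '%s\n' "$cand"; return 0; }
  done
  return 1
}

# Name-based screen for files that commonly hold secret material; the
# patterns are a constructed starting list, extend them for your repository.
classify_path() {
  case "$1" in
    *.pem|*.key|*.p12|*.pfx|*.jks|*.keystore) echo sensitive ;;
    .env|*/.env|.env.*|*/.env.*|*id_rsa*|*id_ed25519*) echo sensitive ;;
    *credentials*|*secret*|*.log) echo sensitive ;;
    *) echo ok ;;
  esac
}

# List every changed file with a READ/SKIP verdict, print the diff of the
# non-flagged files only, then report the total line count so truncation shows.
review_inputs() {
  base=$(resolve_base "$1") || {
    echo "cannot determine base branch; pass it explicitly" >&2; return 1; }
  echo "# base: $base  head: $(git rev-parse --abbrev-ref HEAD)"
  git diff --name-only "$base...HEAD" | while IFS= read -r f; do
    if [ "$(classify_path "$f")" = sensitive ]; then
      echo "SKIP  $f  (possible secret material, review manually)"
    else
      echo "READ  $f"
      git diff "$base...HEAD" -- "$f"
    fi
  done
  echo "# total diff lines (all files): $(git diff "$base...HEAD" | wc -l)"
}

# Run only when invoked as: sh review-inputs.sh --run [base-branch]
if [ "${1:-}" = "--run" ]; then shift; review_inputs "$@"; fi
```

Files marked SKIP are still listed, so the reviewer can decide whether to read them by hand rather than hand their contents to the agent.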
Functional analysis
Type: OpenClaw Skill
Name: fix-erlang-ssh-cve-find-bugs
Version: 0.1.0
The skill bundle provides a structured framework for an AI agent to perform security audits and bug hunting on local git branches. It uses standard git commands (git diff) and follows established security review practices (OWASP-aligned checklist) without any evidence of malicious intent, data exfiltration, or unauthorized execution.
Capability assessment
Purpose & Capability
The skill's stated purpose (review local branch changes) matches the SKILL.md instructions, which require running git commands and reading repository files. However, the registry metadata lists no required binaries while the instructions explicitly call 'git diff' and rely on git being available. That mismatch is incoherent: a code-review skill legitimately needs git or an equivalent VCS tool declared.
Instruction Scope
SKILL.md gives a detailed, concrete review procedure (get full diff, read every changed file, map attack surface, run a checklist, verify, and report). It does not instruct contacting external endpoints or accessing unrelated system files. Two points to note: (1) it assumes the base branch is named 'master' (many repos use 'main' or other names), and (2) it explicitly tells the agent to read every changed file — which is expected for a repo review but could surface secrets or sensitive data if present in the repo. The instructions are otherwise appropriately scoped to code-review tasks.
Install Mechanism
There is no install spec and no code files; this is instruction-only, which is low risk for install-time arbitrary code. Nothing is written to disk by the skill itself.
Credentials
The skill declares no environment variables, no credentials, and no config paths. The SKILL.md also does not request secrets or external credentials. This is proportionate for a local code-review helper.
Persistence & Privilege
The skill is not force-enabled (always: false) and does not request persistent/high-privilege settings. Autonomous invocation is allowed (platform default) but that alone is not flagged. The skill does not request to modify other skills or system-wide settings.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Type the install command in the chat box: /install fix-erlang-ssh-cve-find-bugs
  3. After installation, invoke the Skill directly by name or trigger it with /fix-erlang-ssh-cve-find-bugs
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v0.1.0
Bulk publish from all-task-skills-dedup
Metadata
Slug fix-erlang-ssh-cve-find-bugs
Version 0.1.0
License MIT-0
Total installs 0
Current installs 0
Versions 1
FAQ

What is find-bugs?

Find bugs, security vulnerabilities, and code quality issues in local branch changes. Use when asked to review changes, find bugs, security review, or audit... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 71 downloads to date.

How do I install find-bugs?

Run the command "/install fix-erlang-ssh-cve-find-bugs" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is find-bugs free?

Yes, find-bugs is completely free and released under the MIT-0 license; you can download, install and use it freely.

Which platforms does find-bugs support?

find-bugs is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed find-bugs?

Developed and maintained by wu-uk (@wu-uk); the current version is v0.1.0.
