find-bugs
Find bugs, security vulnerabilities, and code quality issues in local branch changes. Use when asked to review changes, find bugs, security review, or audit code on the current branch.
Best use case
find-bugs is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Find bugs, security vulnerabilities, and code quality issues in local branch changes. Use when asked to review changes, find bugs, security review, or audit code on the current branch.
Teams using find-bugs should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/find-bugs/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How find-bugs Compares
| Feature / Agent | find-bugs | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Find bugs, security vulnerabilities, and code quality issues in local branch changes. Use when asked to review changes, find bugs, security review, or audit code on the current branch.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Find Bugs Review changes on this branch for bugs, security vulnerabilities, and code quality issues. ## Phase 1: Complete Input Gathering 1. Get the FULL diff: `git diff master...HEAD` 2. If output is truncated, read each changed file individually until you have seen every changed line 3. List all files modified in this branch before proceeding ## Phase 2: Attack Surface Mapping For each changed file, identify and list: * All user inputs (request params, headers, body, URL components) * All database queries * All authentication/authorization checks * All session/state operations * All external calls * All cryptographic operations ## Phase 3: Security Checklist (check EVERY item for EVERY file) * [ ] **Injection**: SQL, command, template, header injection * [ ] **XSS**: All outputs in templates properly escaped? * [ ] **Authentication**: Auth checks on all protected operations? * [ ] **Authorization/IDOR**: Access control verified, not just auth? * [ ] **CSRF**: State-changing operations protected? * [ ] **Race conditions**: TOCTOU in any read-then-write patterns? * [ ] **Session**: Fixation, expiration, secure flags? * [ ] **Cryptography**: Secure random, proper algorithms, no secrets in logs? * [ ] **Information disclosure**: Error messages, logs, timing attacks? * [ ] **DoS**: Unbounded operations, missing rate limits, resource exhaustion? * [ ] **Business logic**: Edge cases, state machine violations, numeric overflow? ## Phase 4: Verification For each potential issue: * Check if it's already handled elsewhere in the changed code * Search for existing tests covering the scenario * Read surrounding context to verify the issue is real ## Phase 5: Pre-Conclusion Audit Before finalizing, you MUST: 1. List every file you reviewed and confirm you read it completely 2. List every checklist item and note whether you found issues or confirmed it's clean 3. List any areas you could NOT fully verify and why 4. Only then provide your final findings ## Output Format **Prioritize**: security vulnerabilities > bugs > code quality **Skip**: stylistic/formatting issues For each issue: * **File:Line** - Brief description * **Severity**: Critical/High/Medium/Low * **Problem**: What's wrong * **Evidence**: Why this is real (not already fixed, no existing test, etc.) * **Fix**: Concrete suggestion * **References**: OWASP, RFCs, or other standards if applicable If you find nothing significant, say so - don't invent issues. Do not make changes - just report findings. I'll decide what to address.
Related Skills
finding-security-misconfigurations
This skill enables Claude to identify potential security misconfigurations in various systems and configurations. It leverages the security-misconfiguration-finder plugin to analyze infrastructure-as-code, application configurations, and system settings, pinpointing common vulnerabilities and compliance issues. Use this skill when the user asks to "find security misconfigurations", "check for security vulnerabilities in my configuration", "audit security settings", or requests a security assessment of a specific system or file. This skill will assist in identifying and remediating potential security weaknesses.
path-traversal-finder
Path Traversal Finder - Auto-activating skill for Security Fundamentals. Triggers on: path traversal finder, path traversal finder Part of the Security Fundamentals skill category.
hardcoded-credential-finder
Hardcoded Credential Finder - Auto-activating skill for Security Fundamentals. Triggers on: hardcoded credential finder, hardcoded credential finder Part of the Security Fundamentals skill category.
finding-arbitrage-opportunities
Detect profitable arbitrage opportunities across CEX, DEX, and cross-chain markets in real-time. Use when scanning for price spreads, finding arbitrage paths, comparing exchange prices, or analyzing triangular arbitrage opportunities. Trigger with phrases like "find arbitrage", "scan for arb", "price spread", "exchange arbitrage", "triangular arb", "DEX price difference", or "cross-exchange opportunity".
recipe-find-large-files
Identify large Google Drive files consuming storage quota.
recipe-find-free-time
Query Google Calendar free/busy status for multiple users to find a meeting slot.
sponsor-finder
Find which of a GitHub repository's dependencies are sponsorable via GitHub Sponsors. Uses deps.dev API for dependency resolution across npm, PyPI, Cargo, Go, RubyGems, Maven, and NuGet. Checks npm funding metadata, FUNDING.yml files, and web search. Verifies every link. Shows direct and transitive dependencies with OSSF Scorecard health data. Invoke with /sponsor followed by a GitHub owner/repo (e.g. "/sponsor expressjs/express").
llm-icon-finder
Finding and accessing AI/LLM model brand icons from lobe-icons library. Use when users need icon URLs, want to download brand logos for AI models/providers/applications (Claude, GPT, Gemini, etc.), or request icons in SVG/PNG/WEBP formats.
claude-code-history-files-finder
Finds and recovers content from Claude Code session history files. This skill should be used when searching for deleted files, tracking changes across sessions, analyzing conversation history, or recovering code from previous Claude interactions. Triggers include mentions of "session history", "recover deleted", "find in history", "previous conversation", or ".claude/projects".
find-skills
Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express interest in extending capabilities. This skill should be used when the user is looking for functionality that might exist as an installable skill.
finding-shelter
寻找庇护所 - 帮助Stella在盖亚星球度过第一个夜晚,寻找或建造安全的临时住所
ffind
Advanced file finder with type detection and filesystem extraction for analyzing firmware and extracting embedded filesystems. Use when you need to analyze firmware files, identify file types, or extract ext2/3/4 or F2FS filesystems.