find-bugs
Find bugs, security vulnerabilities, and code quality issues in local branch changes. Use when asked to review changes, find bugs, security review, or audit code on the current branch.
About this skill
This skill empowers an AI agent to perform a comprehensive code review of changes made on the current local branch. It systematically analyzes Git diffs to detect common software defects, potential security flaws (such as those arising from improper user input handling), and general code quality concerns. By automating this initial review phase, developers can receive immediate, actionable feedback on their code, leading to more robust, secure, and maintainable codebases before manual review or integration. The skill goes beyond simple static analysis by guiding the agent to specifically map 'attack surfaces' and identify all user inputs within the changed files for a more targeted security assessment.
Best use case
Pre-commit code review; identifying potential security vulnerabilities in newly introduced or modified code; enhancing code quality before merging a feature branch; automating initial code audit processes; providing immediate feedback to developers on their local changes.
Find bugs, security vulnerabilities, and code quality issues in local branch changes. Use when asked to review changes, find bugs, security review, or audit code on the current branch.
A detailed report listing identified bugs, potential security vulnerabilities (e.g., specific injection points, insecure data handling, hardcoded secrets), and code quality issues within the local branch's changes. The report should ideally include file paths, line numbers, and a brief explanation of each finding, guiding the user towards remediation.
Practical example
Example input
Can you review my recent changes on this branch for any bugs or security issues? I'm about to open a pull request.
Example output
Review of `feature/new-user-auth` branch complete. I've identified the following potential issues: - **File**: `src/main/java/com/example/auth/UserService.java` (lines 78-82) - **Issue**: Potential SQL injection vulnerability in `findByUsername` method. The `username` parameter is directly concatenated into the SQL query without proper sanitization or prepared statements. Recommend using `PreparedStatement`. - **File**: `src/main/resources/application.properties` (line 15) - **Issue**: Hardcoded JWT secret found: `super_secret_key_123`. This should be stored securely, ideally in an environment variable or a secrets management service. - **File**: `src/test/java/com/example/auth/AuthServiceTest.java` (lines 30-35) - **Issue**: Missing test case for password reset functionality with invalid tokens. Ensure edge cases are covered. - **Code Quality**: `src/main/java/com/example/utils/SecurityUtil.java` (lines 40-45) - **Issue**: Duplicate code block for password hashing found. Consider refactoring into a shared, reusable utility method. Please review these findings and address them before merging. Let me know if you'd like a more detailed explanation of any point.
When to use this skill
- When a user asks for a code review of recent changes; when asked to 'find bugs', 'perform a security review', or 'audit code' on the current branch; prior to merging a feature branch into a main development line; during a security assessment of new or modified code segments.
When not to use this skill
- When the user wants to review the entire codebase, not just changes on the current branch; when the task involves automatically fixing bugs rather than identifying them; when the code is not locally accessible or is on a remote branch without a local diff; for real-time runtime analysis, debugging, or performance profiling.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/find-bugs/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How find-bugs Compares
| Feature / Agent | find-bugs | Standard Approach |
|---|---|---|
| Platform Support | Claude | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | easy | N/A |
Frequently Asked Questions
What does this skill do?
Find bugs, security vulnerabilities, and code quality issues in local branch changes. Use when asked to review changes, find bugs, security review, or audit code on the current branch.
Which AI agents support this skill?
This skill is designed for Claude.
How difficult is it to install?
The installation complexity is rated as easy. You can find the installation instructions above.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Find Bugs Review changes on this branch for bugs, security vulnerabilities, and code quality issues. ## When to Use - You need a review focused on bugs, security issues, or risky code changes. - The task involves auditing the current branch diff rather than implementing new behavior. - You want a structured review process with checklist-driven verification against changed files. ## Phase 1: Complete Input Gathering 1. Get the FULL diff: `git diff $(gh repo view --json defaultBranchRef --jq '.defaultBranchRef.name')...HEAD` 2. If output is truncated, read each changed file individually until you have seen every changed line 3. List all files modified in this branch before proceeding ## Phase 2: Attack Surface Mapping For each changed file, identify and list: * All user inputs (request params, headers, body, URL components) * All database queries * All authentication/authorization checks * All session/state operations * All external calls * All cryptographic operations ## Phase 3: Security Checklist (check EVERY item for EVERY file) * [ ] **Injection**: SQL, command, template, header injection * [ ] **XSS**: All outputs in templates properly escaped? * [ ] **Authentication**: Auth checks on all protected operations? * [ ] **Authorization/IDOR**: Access control verified, not just auth? * [ ] **CSRF**: State-changing operations protected? * [ ] **Race conditions**: TOCTOU in any read-then-write patterns? * [ ] **Session**: Fixation, expiration, secure flags? * [ ] **Cryptography**: Secure random, proper algorithms, no secrets in logs? * [ ] **Information disclosure**: Error messages, logs, timing attacks? * [ ] **DoS**: Unbounded operations, missing rate limits, resource exhaustion? * [ ] **Business logic**: Edge cases, state machine violations, numeric overflow? ## Phase 4: Verification For each potential issue: * Check if it's already handled elsewhere in the changed code * Search for existing tests covering the scenario * Read surrounding context to verify the issue is real ## Phase 5: Pre-Conclusion Audit Before finalizing, you MUST: 1. List every file you reviewed and confirm you read it completely 2. List every checklist item and note whether you found issues or confirmed it's clean 3. List any areas you could NOT fully verify and why 4. Only then provide your final findings ## Output Format **Prioritize**: security vulnerabilities > bugs > code quality **Skip**: stylistic/formatting issues For each issue: * **File:Line** - Brief description * **Severity**: Critical/High/Medium/Low * **Problem**: What's wrong * **Evidence**: Why this is real (not already fixed, no existing test, etc.) * **Fix**: Concrete suggestion * **References**: OWASP, RFCs, or other standards if applicable If you find nothing significant, say so - don't invent issues. Do not make changes - just report findings. I'll decide what to address.
Related Skills
error-debugging-multi-agent-review
Use when working with error debugging multi agent review
code-review-excellence
Transform code reviews from gatekeeping to knowledge sharing through constructive feedback, systematic analysis, and collaborative improvement.
nft-standards
Master ERC-721 and ERC-1155 NFT standards, metadata best practices, and advanced NFT features.
nextjs-app-router-patterns
Comprehensive patterns for Next.js 14+ App Router architecture, Server Components, and modern full-stack React development.
new-rails-project
Create a new Rails project
networkx
NetworkX is a Python package for creating, manipulating, and analyzing complex networks and graphs.
network-engineer
Expert network engineer specializing in modern cloud networking, security architectures, and performance optimization.
nestjs-expert
You are an expert in Nest.js with deep knowledge of enterprise-grade Node.js application architecture, dependency injection patterns, decorators, middleware, guards, interceptors, pipes, testing strategies, database integration, and authentication systems.
nerdzao-elite
Senior Elite Software Engineer (15+) and Senior Product Designer. Full workflow with planning, architecture, TDD, clean code, and pixel-perfect UX validation.
nerdzao-elite-gemini-high
Modo Elite Coder + UX Pixel-Perfect otimizado especificamente para Gemini 3.1 Pro High. Workflow completo com foco em qualidade máxima e eficiência de tokens.
native-data-fetching
Use when implementing or debugging ANY network request, API call, or data fetching. Covers fetch API, React Query, SWR, error handling, caching, offline support, and Expo Router data loaders (useLoaderData).
n8n-workflow-patterns
Proven architectural patterns for building n8n workflows.