find-bugs

Perform automated security audits, bug detection, and code quality assessments on local branch diffs using a structured, checklist-driven verification process.

Introduction

The find-bugs skill provides an expert-level, systematic workflow for auditing code changes before they are merged. Designed for AI coding agents such as Claude Code, Cursor, and Gemini CLI, this tool forces a rigorous examination of local branch diffs to identify high-risk security vulnerabilities, critical software bugs, and significant code quality issues. It is ideal for developers and security engineers who require a structured second pair of eyes to verify that new code does not introduce regressions or security holes in sensitive areas like authentication, authorization, or database operations.

  • Performs a complete recursive scan of Git diffs between the current branch and the default branch to ensure no changed line is overlooked.

  • Executes an attack surface mapping phase to identify sensitive inputs, database queries, authentication checks, session state transitions, and cryptographic operations.

  • Implements a comprehensive, multi-point security checklist covering SQL injection, XSS, CSRF, race conditions (TOCTOU), information disclosure, and business logic flaws.

  • Conducts a pre-conclusion audit requiring explicit confirmation of all reviewed files and verification status for every checklist item.

  • Generates prioritized, actionable reports ranked by severity (Critical/High/Medium/Low) with clear Problem, Evidence, Fix, and Reference sections for each finding.

  • Use this tool when you need to audit sensitive code changes or review PRs focused on security and reliability.

  • The agent expects access to git history and the local file system; ensure the environment has the necessary read permissions.

  • Prioritizes security and functional bugs over stylistic or formatting preferences to maintain high signal-to-noise output.

  • Does not perform automated code refactoring or patches; it provides analysis and recommendations for the developer to review and implement.

  • If the diff output is truncated, the agent is instructed to read individual files until the full scope of changes is understood.

  • Integrates with standard development workflows to verify the existence of tests or existing countermeasures before flagging a potential issue as a genuine vulnerability.
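As an added illustration of the attack-surface mapping phase (example code, not part of the find-bugs skill or its repository): a small Python routine that walks the added lines of a unified diff and groups them per file by the sensitive areas listed above, then orders files for review. The diff text and the category regexes are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of `git diff <default-branch>...HEAD` output (not from
# any real repository) so the example runs offline.
SAMPLE_DIFF = """\
diff --git a/app/auth.py b/app/auth.py
--- a/app/auth.py
+++ b/app/auth.py
@@ -10,6 +10,9 @@ def login(request):
+    user = request.POST.get("username")
+    cursor.execute("SELECT * FROM users WHERE name = '%s'" % user)
+    session["user_id"] = row.id
diff --git a/app/crypto.py b/app/crypto.py
--- a/app/crypto.py
+++ b/app/crypto.py
@@ -1,3 +1,4 @@
+digest = hashlib.md5(password.encode()).hexdigest()
"""

# Sensitive areas from the mapping phase above; the regexes that mark an
# added line as touching one are this example's assumption, not the skill's.
SURFACE_PATTERNS = {
    "input": re.compile(r"request\.(GET|POST|args|form|json)"),
    "database": re.compile(r"\.execute\(|\b(SELECT|INSERT|UPDATE|DELETE)\b"),
    "session": re.compile(r"\bsession\["),
    "crypto": re.compile(r"hashlib\.|\b(md5|sha1)\b"),
}

def parse_added_lines(diff_text):
    """Yield (path, text) for every added line in a unified diff."""
    path = None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")  # new-side file name
        elif raw.startswith("+"):
            yield path, raw[1:]

def map_attack_surface(diff_text):
    """Group added lines by file and by the sensitive area they touch."""
    surface = defaultdict(lambda: defaultdict(list))
    for path, line in parse_added_lines(diff_text):
        for category, pattern in SURFACE_PATTERNS.items():
            if pattern.search(line):
                surface[path][category].append(line.strip())
    return {p: dict(cats) for p, cats in surface.items()}

def rank_files(surface):
    """Review order: files touching more sensitive areas come first."""
    return sorted(surface, key=lambda p: -len(surface[p]))
```

Files that touch no listed area (documentation, formatting-only changes) drop out of the map entirely, which is what keeps the review focused on the bullets above.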

Repository Stats

  • Stars: 35,781

  • Forks: 5,869

  • Open Issues: 0

  • Language: Python

  • Default Branch: main

  • Last Synced: Apr 30, 2026, 10:04 AM