ClawHub Security flagged this skill as suspicious. Review the scan results before using.
find-bugs
v0.1.0
Find bugs, security vulnerabilities, and code quality issues in local branch changes. Use when asked to review changes, find bugs, security review, or audit...
Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for wu-uk/fix-erlang-ssh-cve-find-bugs.
Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "find-bugs" (wu-uk/fix-erlang-ssh-cve-find-bugs) from ClawHub.
Skill page: https://clawhub.ai/wu-uk/fix-erlang-ssh-cve-find-bugs
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.
Command Line
CLI Commands
Use the direct CLI path if you want to install manually and keep every step visible.
The skill's stated purpose (review local branch changes) matches the SKILL.md instructions, which require running git commands and reading repository files. However, the registry metadata lists no required binaries while the instructions explicitly call 'git diff' and rely on git being available. That mismatch is incoherent: a code-review skill legitimately needs git or an equivalent VCS tool declared.
ℹ
Instruction Scope
SKILL.md gives a detailed, concrete review procedure (get full diff, read every changed file, map attack surface, run a checklist, verify, and report). It does not instruct contacting external endpoints or accessing unrelated system files. Two points to note: (1) it assumes the base branch is named 'master' (many repos use 'main' or other names), and (2) it explicitly tells the agent to read every changed file — which is expected for a repo review but could surface secrets or sensitive data if present in the repo. The instructions are otherwise appropriately scoped to code-review tasks.
✓
Install Mechanism
There is no install spec and no code files; this is instruction-only, which is low risk for install-time arbitrary code. Nothing is written to disk by the skill itself.
✓
Credentials
The skill declares no environment variables, no credentials, and no config paths. The SKILL.md also does not request secrets or external credentials. This is proportionate for a local code-review helper.
✓
Persistence & Privilege
The skill is not force-enabled (always: false) and does not request persistent/high-privilege settings. Autonomous invocation is allowed (platform default) but that alone is not flagged. The skill does not request to modify other skills or system-wide settings.
What to consider before installing
This skill looks like a reasonable local code-review checklist, but fix the metadata mismatch before trusting it: declare 'git' as a required binary (or update instructions to handle missing git). Be aware the instructions will read every changed file in the branch — repositories often contain sensitive data (API keys, private certs, large logs). Only run this skill on repositories you trust and avoid running it in environments where reading the repo could expose secrets to the agent's outputs. Also consider updating the SKILL.md to (1) handle repos where the default branch is 'main' or another name, (2) allow the user to confirm the base branch or provide it explicitly, and (3) clarify how to handle very large diffs (paging, limits) to avoid inadvertent data exfiltration. If you want higher assurance, request the author to add explicit required-binaries metadata and a short note describing that the skill reads local files only and does not transmit data externally.
Like a lobster shell, security has layers — review code before you run it.
latestvk972bq4qyhdvtk5fay1mw4tzcd84w8kh
64downloads
0stars
1versions
Updated 1w ago
v0.1.0
MIT-0
Find Bugs
Review changes on this branch for bugs, security vulnerabilities, and code quality issues.
Phase 1: Complete Input Gathering
Get the FULL diff: git diff master...HEAD
If output is truncated, read each changed file individually until you have seen every changed line
List all files modified in this branch before proceeding
Phase 2: Attack Surface Mapping
For each changed file, identify and list:
All user inputs (request params, headers, body, URL components)
All database queries
All authentication/authorization checks
All session/state operations
All external calls
All cryptographic operations
Phase 3: Security Checklist (check EVERY item for EVERY file)
