Bug Hunter — Adversarial Bug Finding

Trust Score 84/100

Run an adversarial, sequential-first pipeline (Recon → Hunter → Skeptic → Referee) to find, verify, and optionally auto-fix runtime bugs and security issues acr

triggers:bug huntbug-hunterscan projectsecurity reviewpr security reviewauto-fix

GitHub SKILL.md

What it does

Bug Hunter provides a multi-phase adversarial pipeline for finding and validating bugs in codebases. It maps the project (Recon), runs deep scanning passes (Hunter), challenges findings (Skeptic), and confirms real issues (Referee). When enabled, it can create safe branch-based fixes with checkpointed commits and verification. The skill supports multiple modes (single-file, small, parallel-hybrid, extended, scaled, large-codebase loop) and is built to handle both small PR reviews and large monorepos with resume state.

When to use it

Use Bug Hunter for security audits, regression checks, code reviews focused on runtime behavior, or whenever you need an automated adversarial scan. Trigger phrases include requests to scan a project, review a PR, run a security review, or automatically fix eligible issues. It is suitable for CI gating, pre-merge checks, and scheduled security sweeps.

What's included

Scripts: orchestration and triage scripts are referenced in the skill (triage, run orchestration, dep-scan, render-report) though not bundled in the SKILL.md body.
References: none bundled in the fetched SKILL.md.
Instructions: comprehensive operational guidance on modes, flags, triage, orchestration backends, experiment-loop integration, and JSON/markdown reporting conventions.

Compatible agents

Designed for multi-agent pipelines and CLI-style agent backends (Claude Code, Codex/CLI agents, Cursor, local-sequential agents). Works in automated CI or interactive review contexts.

Audit Summary

Bug-hunter is a comprehensive adversarial bug-hunting pipeline with 19 scripts implementing a Recon→Hunter→Skeptic→Referee flow with fix and experiment loops. Scripts are well-structured Node.js modules with schema validation, state management, and lock handling. The .cjs scripts couldn't be run standalone by the auditor (they require module imports and CLI arguments), and the single .sh script failed because the test-fixture directory doesn't exist in the audit sandbox. Security is solid: shell commands use spawnSync with argv arrays, a shellQuote helper exists, and the one bash -c usage is explicitly documented as user-controlled. Network calls only go to context7.com API (documentation lookup). Minor concern: prepublish-guard.cjs uses execSync with template literal interpolation for version strings (low risk — only interpolates package.json version).

Watch Out

18 of 19 scripts are .cjs Node.js modules that require module imports and proper CLI arguments — they can't be run in isolation easily
experiment-loop.cjs intentionally uses bash -c for user-provided benchmark commands (documented, acceptable)
prepublish-guard.cjs uses execSync with template literal version interpolation (low risk)
context7-api.cjs and doc-lookup.cjs make HTTPS calls to context7.com (documentation API, expected)
Scripts reference each other via require() — they form a cohesive system, not standalone tools

Missing Dependencies

node (for .cjs scripts)

Notes

High-quality skill with impressive scope. 19 scripts covering state management, code indexing, dependency scanning, triage, PR scoping, fix locking, experiment loops, report rendering, schema validation, and more. Well-documented SKILL.md with clear phases, flags, and workflows. The only shell injection vector (bash -c in experiment-loop) is explicitly documented as user-controlled. No hardcoded credentials, no exfiltration, no auto-update, no destructive rm commands. The .cjs scripts are architecturally sound with proper error handling and input validation.

Information

Repository: bug-hunter
Stars: 120
Installs: 0

Trust Score

Overall84

Security82

Code Quality83

Architecture88

Usefulness91

Related Skills

TradeOS

Natural-language driven CEX trading and portfolio management for agents: API key vaulting, multi-exchange orders, DCA, arbitrage scanning, alerts and security r

Spring Boot Migration

Guided, phased migration for existing Spring Boot apps to Boot 4 / Java 25 (including Modulith 2 and Testcontainers 2), with scanners and reference guides.

Java 25 & Spring Boot 4 Code Reviewer

Run focused, evidence-based code reviews for Java 25 and Spring Boot 4 projects — migration risks, architecture boundaries, null-safety (JSpecify), security, an

ArcKit — French Public Procurement (fr-marche-public)

Generates French public procurement (Dossier de Consultation des Entreprises) drafts aligned with the Code de la Commande Publique, UGAP frameworks, and DINUM d

Speak Security Basics

Security best practices for integrating Speak: API key management, audio data privacy, student data protection, and COPPA/FERPA compliance for production deploy

Replit — Advanced Troubleshooting

Step-by-step diagnostics and debugging techniques for deep Replit issues: Nix build failures, container crash loops, memory leaks, and platform vs app isolation

Vercel Common Errors

Diagnose and fix common Vercel build, serverless runtime, and edge/routing errors with step-by-step checks and fixes.

Vitepress Config Creator

Generates and validates VitePress configuration for documentation sites, following best-practices for docs automation.

Back to Skills