Menü
Use this skill when scanning source code for bugs, anti-patterns, code smells, or quality issues in a WrongStack project. Triggers: user says "bug", "bug hunt", "scan for issues", "find problems", "anti-pattern", "code smell", "static analysis".
| name | bug-hunter |
| description | Use this skill when scanning source code for bugs, anti-patterns, code smells, or quality issues in a WrongStack project. Triggers: user says "bug", "bug hunt", "scan for issues", "find problems", "anti-pattern", "code smell", "static analysis". |
| version | 1.1.0 |
Scans code for bugs and code smells. Outputs a prioritized hit list with file:line references.
Grep/read across target files to surface bugs, anti-patterns, and quality issues. Classifies by severity (critical/high/medium/low) and reports with file:line + fix suggestion.
file:line in every finding — no line reference = can't be fixed.node_modules — waste of time, false positives.1. Scope: Accept file/dir globs or explicit paths
2. Scan: grep/read across target files
3. Classify: Categorize by type and severity
4. Rank: Sort: critical > high > medium > low
5. Report: Markdown with fix suggestions
| Level | Meaning | Action |
|---|---|---|
| Critical | Security breach, data loss, crash | Fix immediately |
| High | Logic bug, race condition, memory leak | Fix before release |
| Medium | Error handling gap, type unsafety | Fix soon |
| Low | Style, minor code smell | Consider fixing |
// ✅ FIXED — use textContent instead of innerHTML
element.textContent = userInput;
// ✅ FIXED — parameterized query
db.query("SELECT * FROM users WHERE id = $1", [userId]);
// ✅ FIXED — proper await with catch
await fetchData().catch(err => console.error(err));
// ✅ FIXED — execFile with args array
execFile('echo', [userInput], { signal: AbortSignal.timeout(5000) });
// ❌ CRITICAL — hardcoded API key
const apiKey = "sk-abc123xyz789...";
// ❌ HIGH — innerHTML XSS
element.innerHTML = userInput;
// ❌ HIGH — unhandled promise (then without catch)
fetchData().then(processData);
// ❌ HIGH — shell injection
exec(`echo ${userInput}`);
// ❌ HIGH — unsafe any
const data: any = response.json();
| Pattern | Regex hint | Severity |
|---|---|---|
| Uncaught promise | \.then\( without .catch | high |
| Event listener leak | on( without off/removeListener | high |
| Hardcoded secret | [A-Za-z0-9/+=]{40} in config or code | critical |
| unsafe any | : any\b or as any | medium |
| innerHTML assignment | innerHTML\s*= | high |
| Missing await | await not used on async call | high |
| Unhandled rejection | process.on('unhandledRejection' | medium |
| SQL concatenation | "SELECT * FROM " + table | critical |
| Shell injection | exec(\cmd ${input}`)` | critical |
node_modules — waste of time, false positives## Bug Hunt Report — <scope>
### Critical (must fix)
1. [SHELL-INJ] `tools/shell.ts:42` — template literal in exec()
`exec(\`echo ${userInput}\`)` → use execFile with args array
2. [SECRET] `lib/config.ts:8` — API key hardcoded
### High
3. [MEMORY] `tools/pool.ts:89` — event listener never removed
4. [TYPE] `core/agent.ts:103` — unsafe `any` cast
### Summary
| Severity | Count |
|----------|-------|
| Critical | 2 |
| High | 4 |
| Medium | 7 |
| Low | 3 |
Total: 16 findings in 12 files
security-scanner — for hardcoded secrets and injection vectorsrefactor-planner — for fixing findings across multiple filestypescript-strict — for type-safety related findingsUse this skill when choosing, installing, or recommending packages, libraries, frameworks, or tooling — any decision that involves a version number or a technology name. This skill enforces latest-version verification, blocks dead/obsolete choices, and intervenes when the LLM hallucinates version numbers or suggests 5+ year-old technology. Triggers: user says "install", "package", "dependency", "upgrade", "latest version", "add package", "npm install", "pnpm add", "what version", "which library", "tech stack", "choose framework".
Use this skill when a task would benefit from parallel execution across multiple AI agents, or when orchestrating leader/worker patterns in WrongStack. Triggers: user says "fan out", "parallel", "delegate", "subagent", "fleet", "coordinator".
Use this skill when designing, reviewing, or refactoring REST APIs in WrongStack. Triggers: user says "API", "endpoint", "REST", "request", "response", "JSON", "HTTP", "status code", "pagination", "query params", "request body".
Use this skill when analyzing WrongStack session logs, event streams, or system traces to surface patterns, anomalies, or operational insights. Triggers: user says "audit", "session analysis", "log analysis", "usage patterns".
Use this skill when building, containerizing, or deploying WrongStack with Docker. Triggers: user says "docker", "container", "dockerfile", "image", "docker-compose", "deploy", "containerize", "registry", "multi-stage", "distroless".
Use this skill when proposing, reviewing, or troubleshooting git commits, branches, pull requests, or merge strategies in a WrongStack project session. Triggers: user mentions "commit", "branch", "PR", "merge", "rebase", "stash", "diff".