{ "schemaVersion": "1.0", "item": { "slug": "bug-audit", "name": "Bug Audit", "source": "tencent", "type": "skill", "category": "数据分析", "sourceUrl": "https://clawhub.ai/abczsl520/bug-audit", "canonicalUrl": "https://clawhub.ai/abczsl520/bug-audit", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/bug-audit", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=bug-audit", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "README.md", "SKILL.md", "references/modules.md", "references/pitfalls.md", "references/redblue.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-23T16:43:11.935Z", "expiresAt": "2026-04-30T16:43:11.935Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard", "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/bug-audit" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/bug-audit", "agentPageUrl": "https://openagent3.xyz/skills/bug-audit/agent", "manifestUrl": "https://openagent3.xyz/skills/bug-audit/agent.json", "briefUrl": "https://openagent3.xyz/skills/bug-audit/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Bug Audit — Dissect, Then Verify", "body": "Do NOT run a generic checklist. Instead: read the code, extract every auditable entity, then exhaustively question each one." }, { "title": "Phase 1: Dissect (10-15 min)", "body": "Read all project files. Build 7 tables. These tables ARE the audit — everything found here gets verified in Phase 2." }, { "title": "Table 1: API Endpoints", "body": "For every route in server-side code:\n\n| # | Method | Path | Auth? | Params validated? | Precondition | Returns | Attack vector |\n\nFor each endpoint, ask:\n\nCan I call this without authentication?\nCan I pass 0, negative, NaN, huge numbers, arrays, objects?\nCan I skip a prerequisite API and call this directly?\nWhat happens if I call this 100 times per second?\nDoes the response leak sensitive data (openid, internal IDs, full user objects)?" }, { "title": "Table 2: State Machines", "body": "For every boolean/enum state variable (isGameOver, battleState, Game.running, phase, mode...):\n\n| # | Variable | Set by | Read by | Init value | Reset when? | Can it leak across lifecycles? |\n\nFor each variable, ask:\n\nIf the game/session ends, does this get reset?\nIf I start a new round immediately, will stale state from the previous round affect it?\nAre there race conditions between setters?" }, { "title": "Table 3: Timers", "body": "For every setTimeout/setInterval:\n\n| # | Type | Delay | Created in | Cleared in | What if lifecycle ends before it fires? |\n\nFor each timer, ask:\n\nIs the handle stored for cleanup?\nIf the game ends / user disconnects / page navigates, does this still fire?\nIf it fires after cleanup, does it reference destroyed objects?" }, { "title": "Table 4: Numeric Values", "body": "For every user-influenceable number (cost, score, damage, lootValue, kills, quantity...):\n\n| # | Name | Source (client/server/config) | Validated? | Min | Max | What if 0? | What if negative? |\n\nFor each value, ask:\n\nIs the server-side cap realistic? (kills cap 200 but max enemies is 50?)\nCan the client send a value the server trusts without verification?\nFloat precision issues? (accumulated math → 290402.0000000001)" }, { "title": "Table 5: Data Flows (Critical!)", "body": "For every pair of related APIs (buy→use, start→complete, pay→deliver, login→action):\n\n| # | Step 1 API | Step 2 API | Token/link between them? | Can skip Step 1? | Can replay Step 1? |\n\nThis is where the biggest bugs hide. For each flow, ask:\n\nCan I call Step 2 without ever calling Step 1? (raid-result without buy)\nCan I call Step 1 once but Step 2 many times? (buy once, submit results 10 times)\nIs there a one-time token linking them? If not, this is a critical vulnerability.\nCan I call Step 1 with cost=0 then Step 2 with high reward?" }, { "title": "Table 6: Resource Ledger", "body": "For every in-game resource (coins, gems, items, XP, energy...):\n\n| # | Resource | All INFLOWS (APIs/events that add) | All OUTFLOWS (APIs/events that subtract) | Daily limits? | Can any inflow be infinite? |\n\nFor each resource, ask:\n\nIs there any inflow without a corresponding cost? (free coins from quest with no cooldown)\nCan any outflow go negative? (sell item → coins, but what if coins overflow?)\nAre items in safe-box excluded from ALL outflows? (trade, sell, merge, fuse, gift)\nIs there a loop? (buy item A → sell for more than cost → repeat)" }, { "title": "Table 7: Concurrency Hotspots (TOCTOU)", "body": "For every operation that reads-then-writes shared state (balance check→deduct, stock check→reserve, coupon check→redeem):\n\n| # | Operation | Read step | Write step | Atomic? | What if 2 requests hit simultaneously? |\n\nThis catches race conditions that single-request testing misses. For each operation, ask:\n\nIs the read-then-write atomic? (SQL UPDATE x=x-1 WHERE x>=1 is atomic; SELECT then UPDATE is NOT)\nCan two concurrent requests both pass the check and both execute the write? (double-spend)\nIs there a mutex/lock/transaction? If using SQLite, is WAL mode enabled for concurrent reads?\nFor multi-step flows: can request A be between steps while request B starts the same flow?" }, { "title": "Phase 2: Verify (main audit)", "body": "Go through every row in every table. For each row, determine:\n\n🔴 Critical: exploitable security hole, data loss, crash\n🟡 Medium: logic error, inconsistency, performance issue\n🟢 Minor: code quality, edge case, UX issue\n✅ OK: verified correct\n\nOutput format:\n\nBug N: [🔴/🟡/🟢] Brief description\n- Row: Table X, #Y\n- Cause: ...\n- Fix: ...\n- File: ...\n\nDo NOT stop when you run out of \"inspiration\". You stop when every row in every table has been verified ✅ or flagged 🔴/🟡/🟢. This is exhaustive, not heuristic." }, { "title": "Phase 3: Red Team / Blue Team", "body": "After verifying all tables, switch to adversarial mode. Read references/redblue.md for the full playbook." }, { "title": "Structure", "body": "The playbook has 4 parts:\n\nUniversal Chains (5) — apply to ALL projects: Auth Bypass, Injection, Rate Abuse, Data Leakage, Concurrency/Race Conditions\nType-Specific Chains — pick sections matching the project:\n\n🎮 Game: Skip-Pay-Collect, Economic Loop, State Manipulation, Anti-Cheat Bypass\n📊 Data Tool: Data Access Control, Data Integrity, Scheduled Task Abuse\n🔌 API Service: Key/Token Abuse, Upstream Dependency, Response Manipulation\n🤖 Bot: Message Injection, Bot State Abuse\n🔧 WeChat: OAuth & Identity, WebView Compatibility, H5 Hybrid\n📈 Platform: Cross-Service Trust, Multi-Tenant Isolation\n\n\nBlue Team Defense — for each finding, verify 4 layers: Prevention → Detection → Containment → Recovery\nExecution Guide — step-by-step for the auditor" }, { "title": "How to Run", "body": "From Phase 1 dissection, identify project type(s) — a project can match multiple types\nRun ALL 5 Universal Chains\nRun type-specific chains matching the project\nFor each 🔴 finding: verify all 4 Blue Team layers\nFor each 🟡 finding: verify Layer 1 (Prevention) at minimum" }, { "title": "Phase 4: Supplement", "body": "After red/blue team, run generic checks as a final safety net. Read references/modules.md and pick sections matching the project:\n\n🔒 Security (S1-S3): CORS, XSS, SQLi, brute force — if project has users\n🔐 Crypto (C1): Hardcoded secrets, weak hashing, plaintext storage, insecure random — all projects\n📊 Data (D1-D3): Timezone, atomic ops, float precision — if project has DB\n⚡ Performance (P1-P2): Memory leaks, hot paths — if project is large/realtime\n🎮 Game (G1-G4): State guards, rendering, config — if project is a game\n🔧 WeChat (W1-W3): ES6 compat, CDN, debugging — if runs in WeChat WebView\n🔌 API (A1-A3): Interface standards, rate limiting — if project is an API service\n🤖 Bot (B1): Timeout, dedup, sensitive words — if project is a bot\n🚀 Deploy (R1-R2): PM2, nginx, SSL, SDK overwrite — all projects\n🧪 Error Handling (E1-E2): Network errors, server errors, graceful degradation — all projects\n📱 UX Robustness (U1-U2): Error states, edge case UX — all projects with UI\n📦 Supply Chain (SC1): npm audit, dependency vulnerabilities, lockfile integrity — all Node.js projects\n📝 Logging (L1): Security event logging, audit trail completeness — all projects with users" }, { "title": "Phase 5: Regression + Verify", "body": "Check that fixes didn't introduce new bugs\nAfter modular split: verify cross-file variable/function reachability\nLive smoke test: homepage 200, key APIs return JSON, login works, core feature functional" }, { "title": "Phase 6: Archive", "body": "Update project docs with: date, tables built, bugs found/fixed, key pitfalls for next audit." }, { "title": "Key Principles", "body": "Tables first, checking second. Building the tables IS the hard work. Once you have them, verification is mechanical.\nExhaustive, not heuristic. Don't stop when you \"feel done.\" Stop when every row is verified.\nThink like an attacker. For every API: \"How would I exploit this?\" For every value: \"What if I send garbage?\"\nData flows are where critical bugs hide. The link (or lack thereof) between related APIs is the #1 source of exploitable vulnerabilities.\nGeneric checklists are supplements, not the main event. They catch known patterns; the tables catch project-specific logic bugs." }, { "title": "Reference Files", "body": "references/modules.md — Generic audit modules (Security, Crypto, Data, Performance, Game, WeChat, API, Bot, Deploy, Error Handling, UX, Supply Chain, Logging) for Phase 4 supplementary checks.\nreferences/redblue.md — Red team attack chains (universal + 6 project types) and blue team defense verification playbook for Phase 3.\nreferences/pitfalls.md — Real-world pitfall lookup table from 200+ bugs, plus WeChat WebView remote debugging techniques." } ], "body": "Bug Audit — Dissect, Then Verify\n\nDo NOT run a generic checklist. Instead: read the code, extract every auditable entity, then exhaustively question each one.\n\nPhase 1: Dissect (10-15 min)\n\nRead all project files. Build 7 tables. These tables ARE the audit — everything found here gets verified in Phase 2.\n\nTable 1: API Endpoints\n\nFor every route in server-side code:\n\n| # | Method | Path | Auth? | Params validated? | Precondition | Returns | Attack vector |\n\n\nFor each endpoint, ask:\n\nCan I call this without authentication?\nCan I pass 0, negative, NaN, huge numbers, arrays, objects?\nCan I skip a prerequisite API and call this directly?\nWhat happens if I call this 100 times per second?\nDoes the response leak sensitive data (openid, internal IDs, full user objects)?\nTable 2: State Machines\n\nFor every boolean/enum state variable (isGameOver, battleState, Game.running, phase, mode...):\n\n| # | Variable | Set by | Read by | Init value | Reset when? | Can it leak across lifecycles? |\n\n\nFor each variable, ask:\n\nIf the game/session ends, does this get reset?\nIf I start a new round immediately, will stale state from the previous round affect it?\nAre there race conditions between setters?\nTable 3: Timers\n\nFor every setTimeout/setInterval:\n\n| # | Type | Delay | Created in | Cleared in | What if lifecycle ends before it fires? |\n\n\nFor each timer, ask:\n\nIs the handle stored for cleanup?\nIf the game ends / user disconnects / page navigates, does this still fire?\nIf it fires after cleanup, does it reference destroyed objects?\nTable 4: Numeric Values\n\nFor every user-influenceable number (cost, score, damage, lootValue, kills, quantity...):\n\n| # | Name | Source (client/server/config) | Validated? | Min | Max | What if 0? | What if negative? |\n\n\nFor each value, ask:\n\nIs the server-side cap realistic? (kills cap 200 but max enemies is 50?)\nCan the client send a value the server trusts without verification?\nFloat precision issues? (accumulated math → 290402.0000000001)\nTable 5: Data Flows (Critical!)\n\nFor every pair of related APIs (buy→use, start→complete, pay→deliver, login→action):\n\n| # | Step 1 API | Step 2 API | Token/link between them? | Can skip Step 1? | Can replay Step 1? |\n\n\nThis is where the biggest bugs hide. For each flow, ask:\n\nCan I call Step 2 without ever calling Step 1? (raid-result without buy)\nCan I call Step 1 once but Step 2 many times? (buy once, submit results 10 times)\nIs there a one-time token linking them? If not, this is a critical vulnerability.\nCan I call Step 1 with cost=0 then Step 2 with high reward?\nTable 6: Resource Ledger\n\nFor every in-game resource (coins, gems, items, XP, energy...):\n\n| # | Resource | All INFLOWS (APIs/events that add) | All OUTFLOWS (APIs/events that subtract) | Daily limits? | Can any inflow be infinite? |\n\n\nFor each resource, ask:\n\nIs there any inflow without a corresponding cost? (free coins from quest with no cooldown)\nCan any outflow go negative? (sell item → coins, but what if coins overflow?)\nAre items in safe-box excluded from ALL outflows? (trade, sell, merge, fuse, gift)\nIs there a loop? (buy item A → sell for more than cost → repeat)\nTable 7: Concurrency Hotspots (TOCTOU)\n\nFor every operation that reads-then-writes shared state (balance check→deduct, stock check→reserve, coupon check→redeem):\n\n| # | Operation | Read step | Write step | Atomic? | What if 2 requests hit simultaneously? |\n\n\nThis catches race conditions that single-request testing misses. For each operation, ask:\n\nIs the read-then-write atomic? (SQL UPDATE x=x-1 WHERE x>=1 is atomic; SELECT then UPDATE is NOT)\nCan two concurrent requests both pass the check and both execute the write? (double-spend)\nIs there a mutex/lock/transaction? If using SQLite, is WAL mode enabled for concurrent reads?\nFor multi-step flows: can request A be between steps while request B starts the same flow?\nPhase 2: Verify (main audit)\n\nGo through every row in every table. For each row, determine:\n\n🔴 Critical: exploitable security hole, data loss, crash\n🟡 Medium: logic error, inconsistency, performance issue\n🟢 Minor: code quality, edge case, UX issue\n✅ OK: verified correct\n\nOutput format:\n\nBug N: [🔴/🟡/🟢] Brief description\n- Row: Table X, #Y\n- Cause: ...\n- Fix: ...\n- File: ...\n\n\nDo NOT stop when you run out of \"inspiration\". You stop when every row in every table has been verified ✅ or flagged 🔴/🟡/🟢. This is exhaustive, not heuristic.\n\nPhase 3: Red Team / Blue Team\n\nAfter verifying all tables, switch to adversarial mode. Read references/redblue.md for the full playbook.\n\nStructure\n\nThe playbook has 4 parts:\n\nUniversal Chains (5) — apply to ALL projects: Auth Bypass, Injection, Rate Abuse, Data Leakage, Concurrency/Race Conditions\nType-Specific Chains — pick sections matching the project:\n🎮 Game: Skip-Pay-Collect, Economic Loop, State Manipulation, Anti-Cheat Bypass\n📊 Data Tool: Data Access Control, Data Integrity, Scheduled Task Abuse\n🔌 API Service: Key/Token Abuse, Upstream Dependency, Response Manipulation\n🤖 Bot: Message Injection, Bot State Abuse\n🔧 WeChat: OAuth & Identity, WebView Compatibility, H5 Hybrid\n📈 Platform: Cross-Service Trust, Multi-Tenant Isolation\nBlue Team Defense — for each finding, verify 4 layers: Prevention → Detection → Containment → Recovery\nExecution Guide — step-by-step for the auditor\nHow to Run\nFrom Phase 1 dissection, identify project type(s) — a project can match multiple types\nRun ALL 5 Universal Chains\nRun type-specific chains matching the project\nFor each 🔴 finding: verify all 4 Blue Team layers\nFor each 🟡 finding: verify Layer 1 (Prevention) at minimum\nPhase 4: Supplement\n\nAfter red/blue team, run generic checks as a final safety net. Read references/modules.md and pick sections matching the project:\n\n🔒 Security (S1-S3): CORS, XSS, SQLi, brute force — if project has users\n🔐 Crypto (C1): Hardcoded secrets, weak hashing, plaintext storage, insecure random — all projects\n📊 Data (D1-D3): Timezone, atomic ops, float precision — if project has DB\n⚡ Performance (P1-P2): Memory leaks, hot paths — if project is large/realtime\n🎮 Game (G1-G4): State guards, rendering, config — if project is a game\n🔧 WeChat (W1-W3): ES6 compat, CDN, debugging — if runs in WeChat WebView\n🔌 API (A1-A3): Interface standards, rate limiting — if project is an API service\n🤖 Bot (B1): Timeout, dedup, sensitive words — if project is a bot\n🚀 Deploy (R1-R2): PM2, nginx, SSL, SDK overwrite — all projects\n🧪 Error Handling (E1-E2): Network errors, server errors, graceful degradation — all projects\n📱 UX Robustness (U1-U2): Error states, edge case UX — all projects with UI\n📦 Supply Chain (SC1): npm audit, dependency vulnerabilities, lockfile integrity — all Node.js projects\n📝 Logging (L1): Security event logging, audit trail completeness — all projects with users\nPhase 5: Regression + Verify\nCheck that fixes didn't introduce new bugs\nAfter modular split: verify cross-file variable/function reachability\nLive smoke test: homepage 200, key APIs return JSON, login works, core feature functional\nPhase 6: Archive\n\nUpdate project docs with: date, tables built, bugs found/fixed, key pitfalls for next audit.\n\nKey Principles\nTables first, checking second. Building the tables IS the hard work. Once you have them, verification is mechanical.\nExhaustive, not heuristic. Don't stop when you \"feel done.\" Stop when every row is verified.\nThink like an attacker. For every API: \"How would I exploit this?\" For every value: \"What if I send garbage?\"\nData flows are where critical bugs hide. The link (or lack thereof) between related APIs is the #1 source of exploitable vulnerabilities.\nGeneric checklists are supplements, not the main event. They catch known patterns; the tables catch project-specific logic bugs.\nReference Files\nreferences/modules.md — Generic audit modules (Security, Crypto, Data, Performance, Game, WeChat, API, Bot, Deploy, Error Handling, UX, Supply Chain, Logging) for Phase 4 supplementary checks.\nreferences/redblue.md — Red team attack chains (universal + 6 project types) and blue team defense verification playbook for Phase 3.\nreferences/pitfalls.md — Real-world pitfall lookup table from 200+ bugs, plus WeChat WebView remote debugging techniques." }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/abczsl520/bug-audit", "publisherUrl": "https://clawhub.ai/abczsl520/bug-audit", "owner": "abczsl520", "version": "1.1.0", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/bug-audit", "downloadUrl": "https://openagent3.xyz/downloads/bug-audit", "agentUrl": "https://openagent3.xyz/skills/bug-audit/agent", "manifestUrl": "https://openagent3.xyz/skills/bug-audit/agent.json", "briefUrl": "https://openagent3.xyz/skills/bug-audit/agent.md" } }