Bug Audit
by @abczsl520
Comprehensive bug audit for Node.js web projects. Activate when user asks to audit, review, check bugs, find vulnerabilities, or do security/quality review o...
clawhub install bug-audit๐ About This Skill
name: bug-audit description: Comprehensive bug audit for Node.js web projects. Activate when user asks to audit, review, check bugs, find vulnerabilities, or do security/quality review on a project. Works by dissecting the project's actual code to build project-specific check matrices, then exhaustively verifying each item โ not by running a generic checklist. Supports games, data tools, WeChat apps, API services, bots, and dashboards.
Bug Audit โ Dissect, Then Verify
Do NOT run a generic checklist. Instead: read the code, extract every auditable entity, then exhaustively question each one.
Phase 1: Dissect (10-15 min)
Read all project files. Build 7 tables. These tables ARE the audit โ everything found here gets verified in Phase 2.
Table 1: API Endpoints
For every route in server-side code:
| # | Method | Path | Auth? | Params validated? | Precondition | Returns | Attack vector |
For each endpoint, ask:
Table 2: State Machines
For every boolean/enum state variable (isGameOver, battleState, Game.running, phase, mode...):
| # | Variable | Set by | Read by | Init value | Reset when? | Can it leak across lifecycles? |
For each variable, ask:
Table 3: Timers
For every setTimeout/setInterval:
| # | Type | Delay | Created in | Cleared in | What if lifecycle ends before it fires? |
For each timer, ask:
Table 4: Numeric Values
For every user-influenceable number (cost, score, damage, lootValue, kills, quantity...):
| # | Name | Source (client/server/config) | Validated? | Min | Max | What if 0? | What if negative? |
For each value, ask:
Table 5: Data Flows (Critical!)
For every pair of related APIs (buyโuse, startโcomplete, payโdeliver, loginโaction):
| # | Step 1 API | Step 2 API | Token/link between them? | Can skip Step 1? | Can replay Step 1? |
This is where the biggest bugs hide. For each flow, ask:
Table 6: Resource Ledger
For every in-game resource (coins, gems, items, XP, energy...):
| # | Resource | All INFLOWS (APIs/events that add) | All OUTFLOWS (APIs/events that subtract) | Daily limits? | Can any inflow be infinite? |
For each resource, ask:
Table 7: Concurrency Hotspots (TOCTOU)
For every operation that reads-then-writes shared state (balance checkโdeduct, stock checkโreserve, coupon checkโredeem):
| # | Operation | Read step | Write step | Atomic? | What if 2 requests hit simultaneously? |
This catches race conditions that single-request testing misses. For each operation, ask:
UPDATE x=x-1 WHERE x>=1 is atomic; SELECT then UPDATE is NOT)Phase 2: Verify (main audit)
Go through every row in every table. For each row, determine:
Output format:
Bug N: [๐ด/๐ก/๐ข] Brief description
Row: Table X, #Y
Cause: ...
Fix: ...
File: ...
Do NOT stop when you run out of "inspiration". You stop when every row in every table has been verified โ or flagged ๐ด/๐ก/๐ข. This is exhaustive, not heuristic.
Phase 3: Red Team / Blue Team
After verifying all tables, switch to adversarial mode. Read references/redblue.md for the full playbook.
Structure
The playbook has 4 parts: 1. Universal Chains (5) โ apply to ALL projects: Auth Bypass, Injection, Rate Abuse, Data Leakage, Concurrency/Race Conditions 2. Type-Specific Chains โ pick sections matching the project: - ๐ฎ Game: Skip-Pay-Collect, Economic Loop, State Manipulation, Anti-Cheat Bypass - ๐ Data Tool: Data Access Control, Data Integrity, Scheduled Task Abuse - ๐ API Service: Key/Token Abuse, Upstream Dependency, Response Manipulation - ๐ค Bot: Message Injection, Bot State Abuse - ๐ง WeChat: OAuth & Identity, WebView Compatibility, H5 Hybrid - ๐ Platform: Cross-Service Trust, Multi-Tenant Isolation 3. Blue Team Defense โ for each finding, verify 4 layers: Prevention โ Detection โ Containment โ Recovery 4. Execution Guide โ step-by-step for the auditorHow to Run
1. From Phase 1 dissection, identify project type(s) โ a project can match multiple types 2. Run ALL 5 Universal Chains 3. Run type-specific chains matching the project 4. For each ๐ด finding: verify all 4 Blue Team layers 5. For each ๐ก finding: verify Layer 1 (Prevention) at minimumPhase 4: Supplement
After red/blue team, run generic checks as a final safety net. Read references/modules.md and pick sections matching the project:
Phase 5: Regression + Verify
Phase 6: Archive
Update project docs with: date, tables built, bugs found/fixed, key pitfalls for next audit.
Key Principles
1. Tables first, checking second. Building the tables IS the hard work. Once you have them, verification is mechanical. 2. Exhaustive, not heuristic. Don't stop when you "feel done." Stop when every row is verified. 3. Think like an attacker. For every API: "How would I exploit this?" For every value: "What if I send garbage?" 4. Data flows are where critical bugs hide. The link (or lack thereof) between related APIs is the #1 source of exploitable vulnerabilities. 5. Generic checklists are supplements, not the main event. They catch known patterns; the tables catch project-specific logic bugs.
Reference Files
references/modules.md โ Generic audit modules (Security, Crypto, Data, Performance, Game, WeChat, API, Bot, Deploy, Error Handling, UX, Supply Chain, Logging) for Phase 4 supplementary checks.references/redblue.md โ Red team attack chains (universal + 6 project types) and blue team defense verification playbook for Phase 3.references/pitfalls.md โ Real-world pitfall lookup table from 200+ bugs, plus WeChat WebView remote debugging techniques.