# Bug Hunter — Adversarial AI Code Review + Auto-Fix

> Bug Hunter is an adversarial code review skill that runs Hunter/Skeptic/Referee agents, reports confirmed issues, and supports canary-style auto-fixes.

## Install

Save the content below to `.claude/skills/` or append to your `CLAUDE.md`:

## Quick Use

1. Install (skill manager):

```bash
npx skills add codexstar69/bug-hunter
```

2. Or install the CLI:

```bash
npm install -g @codexstar/bug-hunter
bug-hunter install
bug-hunter doctor
```

3. Run (examples from the README; these are slash commands typed into your coding agent, not shell commands):

```bash
/bug-hunter --scan-only src/
/bug-hunter --pr-security
```

## Intro

Bug Hunter is an open-source adversarial code review skill. A Hunter agent proposes bugs, a Skeptic agent tries to rebut them, and a Referee agent decides which findings survive, so only confirmed issues are reported and the false-positive rate is lower than a single-pass AI review. Confirmed issues can then be auto-fixed, with a canary-style rollback strategy for the applied patches.

- **Best for:** teams that want fewer false positives in AI reviews and a safer auto-fix pipeline with verification steps
- **Works with:** Node.js (the README shows a Node >=18 badge), AI coding agents that can read files and run shell commands, optional CLI install
- **Setup time:** 10–20 minutes

## Practical Notes

- The README describes a multi-stage pipeline and claims the triage stage runs in under 2 seconds and uses zero AI tokens; both are the project's own figures.
- The README header badges show Node.js >=18 and 113 tests passing.

## How to Use Adversarial Review Effectively

Adversarial review is only worth the tokens when findings can be reproduced and verified. Suggested workflow:

1. Run `--scan-only` first to get a report and decide what is worth fixing.
2. Use PR scope mode (`--pr`, `--pr-security`) so you do not spend time on files the change did not touch.
3. If you enable auto-fix, keep it gated: start with `--dry-run` or `--plan-only` (both are documented in the README), and in high-risk repos require human approval for each fix. A finding with no reproduction and no verification step should never be auto-applied, because there is nothing to confirm the patch worked or the canary rollback was not needed.

## What “Good Output” Looks Like

- A bug report includes evidence (the exact location in code), impact, and a minimal reproduction or proof of concept.
- For security findings, look for STRIDE/CWE references and CVSS scoring (the README claims these are produced). Check that the CWE id and score are consistent with the described impact rather than taking them at face value.
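The gating rules from the workflow above (scan first, restrict to PR scope, auto-fix only with approval and verification) and the "good output" checklist can be encoded as a small policy that runs over a findings report before anything is patched. The following Node.js script is an added example, not Bug Hunter's own code: the page does not document the tool's real report format, so the finding fields (`file`, `line`, `impact`, `repro`, `cwe`, `cvss`, `severity`, `fix`, `verify`), the decision names and the sample findings are all constructed for this illustration.

```javascript
// Added example, not Bug Hunter's own code. Encodes the gating rules from the
// workflow above: a finding is accepted only with a code location, an impact
// statement and a reproduction; security findings also need a CWE id and a
// CVSS score; a fix is auto-fix-eligible only inside PR scope, with a
// verification command, and at or below a severity ceiling. The finding shape
// below is an assumption, not the tool's real report format.

const CWE_ID = /^CWE-\d+$/;
const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

// Return the evidence problems for one finding (empty array = acceptable).
function validateFinding(f) {
  const problems = [];
  if (typeof f.file !== 'string' || !Number.isInteger(f.line) || f.line < 1) {
    problems.push('no code location');
  }
  if (!f.impact) problems.push('no impact statement');
  if (!f.repro) problems.push('no reproduction or proof of concept');
  if (f.category === 'security') {
    if (!CWE_ID.test(f.cwe ?? '')) problems.push('missing or malformed CWE id');
    if (typeof f.cvss !== 'number' || f.cvss < 0 || f.cvss > 10) {
      problems.push('CVSS score must be a number in 0..10');
    }
  }
  return problems;
}

// Decide per finding: 'rejected' (not enough evidence, or outside PR scope),
// 'needs-human' (confirmed, but not safe to patch automatically), or
// 'auto-fix-eligible' (has a fix, a verification command, and low severity).
function gateFindings(findings, { changedFiles = null, maxAutoFixSeverity = 'medium' } = {}) {
  const inScope = changedFiles ? new Set(changedFiles) : null;
  const ceiling = SEVERITY_RANK[maxAutoFixSeverity] ?? -1;
  return findings.map((f) => {
    const reasons = validateFinding(f);
    // PR-scope mode (--pr / --pr-security): ignore files the change did not touch.
    if (inScope && !inScope.has(f.file)) reasons.push('outside PR scope');
    if (reasons.length > 0) return { id: f.id, decision: 'rejected', reasons };

    const rank = SEVERITY_RANK[f.severity];
    if (rank === undefined) reasons.push(`unknown severity "${f.severity}"`);
    else if (rank > ceiling) reasons.push(`severity ${f.severity} above auto-fix ceiling ${maxAutoFixSeverity}`);
    if (!f.fix) reasons.push('no proposed fix');
    if (!f.verify) reasons.push('no verification command to run after the fix');
    return { id: f.id, decision: reasons.length ? 'needs-human' : 'auto-fix-eligible', reasons };
  });
}

// Constructed sample report for a PR that touched three files (not real output).
const SAMPLE_FINDINGS = [
  { id: 'F1', category: 'security', file: 'src/auth.js', line: 42, severity: 'high',
    cwe: 'CWE-89', cvss: 8.1, impact: 'Attacker-controlled input reaches an SQL string',
    repro: 'curl -d "user=\' OR 1=1--" http://localhost:3000/login',
    fix: 'use a parameterised query', verify: 'npm test -- auth' },
  { id: 'F2', category: 'runtime', file: 'src/cache.js', line: 17, severity: 'low',
    impact: 'Stale entry served after its TTL', repro: 'node test/cache-ttl.js',
    fix: 'compare against Date.now(), not insertion time', verify: 'npm test -- cache' },
  // Malformed CWE id and no reproduction: should be rejected, not patched.
  { id: 'F3', category: 'security', file: 'src/upload.js', line: 90, severity: 'medium',
    cwe: 'CWE89', cvss: 5.0, impact: 'Path traversal through the upload file name' },
  // Complete finding, but in a file the PR did not touch.
  { id: 'F4', category: 'runtime', file: 'src/legacy.js', line: 5, severity: 'low',
    impact: 'Unhandled promise rejection', repro: 'node test/legacy.js',
    fix: 'add a catch handler', verify: 'npm test' },
];
const SAMPLE_CHANGED_FILES = ['src/auth.js', 'src/cache.js', 'src/upload.js'];

function demo() {
  return gateFindings(SAMPLE_FINDINGS, { changedFiles: SAMPLE_CHANGED_FILES, maxAutoFixSeverity: 'medium' });
}

for (const d of demo()) console.log(d.id, d.decision, d.reasons.join('; '));
```

Run it with `node gate.js`. F1 is confirmed but lands in `needs-human` because its severity is above the ceiling; F2 is the only finding the pipeline may patch without a reviewer; F3 and F4 are rejected before any fix is considered, which is the point of doing this triage before `--dry-run` or a live run rather than after.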
### FAQ

**Q: Is this only for security?**

A: No. The README lists runtime behavioural bugs (logic, concurrency, error handling) as well as security scanning.

**Q: Can it run without Node?**

A: The README says Node.js 18+ is recommended, and the CLI route (`npm install -g @codexstar/bug-hunter`) is the part that needs it. The skill-file route (`.claude/skills/` or `CLAUDE.md`) is driven by your coding agent, so check that agent's own requirements and pick the install method that matches your environment.

**Q: How do I reduce risk with auto-fix?**

A: Start with scan-only, then plan-only or dry-run to preview what would change, and require approval before any patch is applied in repositories that matter.

## Source & Thanks

> Source: https://github.com/codexstar69/bug-hunter
> License: MIT
> GitHub stars: 368 · forks: 46

---

Source: https://tokrepo.com/en/workflows/bug-hunter-adversarial-ai-code-review-auto-fix
Author: Agent Toolkit