MCPxelMCPxel
Co-Pilot
Updated a month ago

fix-review

Ttrailofbits
1.8k
trailofbits/skills/plugins/fix-review
82
Agent Score

💡 Summary

This plugin verifies code changes against security audit findings to ensure fixes are effective and do not introduce new bugs.

🎯 Target Audience

Security auditorsSoftware developersQuality assurance engineersDevOps teamsProject managers

🤖 AI Roast:Powerful, but the setup might scare off the impatient.

Security AnalysisMedium Risk

Risk: Medium. Review: shell/CLI command execution; outbound network access (SSRF, data egress); filesystem read/write scope and path traversal. Run with least privilege and audit before enabling in production.

Differential Testing Plugin

Verify that code changes address security audit findings without introducing bugs.

Overview

This plugin provides tools for reviewing fix branches against security audit reports. It analyzes commit ranges to:

  1. Verify finding remediation - Check that each audit finding has been properly addressed
  2. Detect bug introduction - Identify potential bugs or security regressions in the fix commits
  3. Generate verification reports - Create detailed reports documenting finding status and concerns

Components

Skill: fix-review

Domain knowledge for differential analysis and finding verification.

Triggers on:

  • "verify these commits fix the audit findings"
  • "check if TOB-XXX was addressed"
  • "review the fix branch"
  • "validate remediation commits"

Command: /fix-review

Explicit invocation for fix verification.

/fix-review <source-commit> <target-commit(s)> [--report <path-or-url>]

Examples:

# Basic usage: compare two commits
/fix-review abc123 def456

# With audit report
/fix-review main fix-branch --report ./audit-report.pdf

# Multiple target commits
/fix-review v1.0.0 commit1 commit2 --report https://example.com/report.md

# Google Drive report
/fix-review baseline fixes --report https://drive.google.com/file/d/XXX/view

Features

Report Format Support

  • PDF - Read directly (Claude native support)
  • Markdown - Read directly
  • JSON - Parsed as structured data
  • HTML - Text extraction

Finding Format Support

  • Trail of Bits - TOB-CLIENT-N format with header tables
  • Generic - Numbered findings, severity sections
  • JSON - Structured findings array

Google Drive Integration

If a Google Drive URL is provided and direct access fails:

  1. Checks for gdrive CLI tool
  2. If available, downloads the file automatically
  3. If not, provides instructions for manual download

Output

Generates FIX_REVIEW_REPORT.md containing:

  • Executive summary
  • Finding status table (FIXED, PARTIALLY_FIXED, NOT_ADDRESSED, CANNOT_DETERMINE)
  • Bug introduction concerns
  • Per-commit analysis
  • Recommendations

Also provides a conversation summary with key findings.

Bug Detection

Analyzes commits for security anti-patterns:

| Pattern | Risk | |---------|------| | Validation removed | Input bypass | | Access control weakened | Privilege escalation | | Error handling reduced | Silent failures | | External call reordering | Reentrancy | | Integer operations changed | Overflow/underflow |

Integration

Works alongside other Trail of Bits skills:

  • differential-review - For initial security review of changes
  • issue-writer - To format findings into formal reports
  • audit-context-building - For deep context on complex fixes

Installation

This plugin is part of the Trail of Bits skills marketplace. Enable it in Claude Code settings.

Prerequisites

  • Git repository with commit history
  • Optional: gdrive CLI for Google Drive integration 
    brew install gdrive  # macOS
gdrive about         # Configure authentication

License

CC-BY-SA-4.0

5-Dim Analysis
Clarity9/10
Novelty7/10
Utility8/10
Completeness9/10
Maintainability8/10
Pros & Cons

Pros

  • Thorough verification of security fixes
  • Generates detailed reports
  • Supports multiple finding formats
  • Integrates with other tools

Cons

  • Requires Git commit history
  • Complex setup for Google Drive integration
  • May have a learning curve for new users
  • Dependency on external tools like gdrive

Related Skills

constant-time-analysis

A
toolCode Lib
88/ 100

“It's a Swiss Army knife for finding timing leaks, but you'll need a PhD in compiler toolchains to set up all the language backends.”

View Analysis

prowler

A
toolCode Lib
86/ 100

“It's a Swiss Army knife for cloud security, but you'll need a PhD in YAML to configure all its moving parts.”

View Analysis

ethereum-wingman

A
toolCo-Pilot
84/ 100

“Powerful, but the setup might scare off the impatient.”

View Analysis

Disclaimer: This content is sourced from GitHub open source projects for display and rating purposes only.

Copyright belongs to the original author trailofbits.