{"id":"f00b9f8d-8613-4dda-b495-712d35e344ed","shortId":"RfXGju","kind":"skill","title":"variant-analysis","tagline":"Find similar vulnerabilities and bugs across codebases using pattern-based analysis. Use when hunting bug variants, building CodeQL/Semgrep queries, analyzing security vulnerabilities, or performing systematic code audits after finding an initial issue.","description":"# Variant Analysis\n\nYou are a variant analysis expert. Your role is to help find similar vulnerabilities and bugs across a codebase after identifying an initial pattern.\n\n## When to Use\nUse this skill when:\n- A vulnerability has been found and you need to search for similar instances\n- Building or refining CodeQL/Semgrep queries for security patterns\n- Performing systematic code audits after an initial issue discovery\n- Hunting for bug variants across a codebase\n- Analyzing how a single root cause manifests in different code paths\n\n## When NOT to Use\n\nDo NOT use this skill for:\n- Initial vulnerability discovery (use audit-context-building or domain-specific audits instead)\n- General code review without a known pattern to search for\n- Writing fix recommendations (use issue-writer instead)\n- Understanding unfamiliar code (use audit-context-building for deep comprehension first)\n\n## The Five-Step Process\n\n### Step 1: Understand the Original Issue\n\nBefore searching, deeply understand the known bug:\n- **What is the root cause?** Not the symptom, but WHY it's vulnerable\n- **What conditions are required?** Control flow, data flow, state\n- **What makes it exploitable?** User control, missing validation, etc.\n\n### Step 2: Create an Exact Match\n\nStart with a pattern that matches ONLY the known instance:\n```bash\nrg -n \"exact_vulnerable_code_here\"\n```\nVerify: Does it match exactly ONE location (the original)?\n\n### Step 3: Identify Abstraction Points\n\n| Element | Keep Specific | Can Abstract |\n|---------|---------------|--------------|\n| Function name | If 
unique to bug | If pattern applies to family |\n| Variable names | Never | Always use metavariables |\n| Literal values | If value matters | If any value triggers bug |\n| Arguments | If position matters | Use `...` wildcards |\n\n### Step 4: Iteratively Generalize\n\n**Change ONE element at a time:**\n1. Run the pattern\n2. Review ALL new matches\n3. Classify: true positive or false positive?\n4. If FP rate acceptable, generalize next element\n5. If FP rate too high, revert and try different abstraction\n\n**Stop when false positive rate exceeds ~50%**\n\n### Step 5: Analyze and Triage Results\n\nFor each match, document:\n- **Location**: File, line, function\n- **Confidence**: High/Medium/Low\n- **Exploitability**: Reachable? Controllable inputs?\n- **Priority**: Based on impact and exploitability\n\nFor deeper strategic guidance, see METHODOLOGY.md.\n\n## Tool Selection\n\n| Scenario | Tool | Why |\n|----------|------|-----|\n| Quick surface search | ripgrep | Fast, zero setup |\n| Simple pattern matching | Semgrep | Easy syntax, no build needed |\n| Data flow tracking | Semgrep taint / CodeQL | Follows values across functions |\n| Cross-function analysis | CodeQL | Best interprocedural analysis |\n| Non-building code | Semgrep | Works on incomplete code |\n\n## Key Principles\n\n1. **Root cause first**: Understand WHY before searching for WHERE\n2. **Start specific**: First pattern should match exactly the known bug\n3. **One change at a time**: Generalize incrementally, verify after each change\n4. **Know when to stop**: 50%+ FP rate means you've gone too generic\n5. **Search everywhere**: Always search the ENTIRE codebase, not just the module where the bug was found\n6. **Expand vulnerability classes**: One root cause often has multiple manifestations\n\n## Critical Pitfalls to Avoid\n\nThese common mistakes cause analysts to miss real vulnerabilities:\n\n### 1. 
Narrow Search Scope\n\nSearching only the module where the original bug was found misses variants in other locations.\n\n**Example:** Bug found in `api/handlers/` → only searching that directory → missing variant in `utils/auth.py`\n\n**Mitigation:** Always run searches against the entire codebase root directory.\n\n### 2. Pattern Too Specific\n\nUsing only the exact attribute/function from the original bug misses variants using related constructs.\n\n**Example:** Bug uses `isAuthenticated` check → only searching for that exact term → missing bugs using related properties like `isActive`, `isAdmin`, `isVerified`\n\n**Mitigation:** Enumerate ALL semantically related attributes/functions for the bug class.\n\n### 3. Single Vulnerability Class\n\nFocusing on only one manifestation of the root cause misses other ways the same logic error appears.\n\n**Example:** Original bug is \"return allow when condition is false\" → only searching that pattern → missing:\n- Null equality bypasses (`null == null` evaluates to true)\n- Documentation/code mismatches (function does opposite of what docs claim)\n- Inverted conditional logic (wrong branch taken)\n\n**Mitigation:** List all possible manifestations of the root cause before searching.\n\n### 4. 
Missing Edge Cases\n\nTesting patterns only with \"normal\" scenarios misses vulnerabilities triggered by edge cases.\n\n**Example:** Testing auth checks only with valid users → missing bypass when `userId = null` matches `resourceOwnerId = null`\n\n**Mitigation:** Test with: unauthenticated users, null/undefined values, empty collections, and boundary conditions.\n\n## Resources\n\nReady-to-use templates in `resources/`:\n\n**CodeQL** (`resources/codeql/`):\n- `python.ql`, `javascript.ql`, `java.ql`, `go.ql`, `cpp.ql`\n\n**Semgrep** (`resources/semgrep/`):\n- `python.yaml`, `javascript.yaml`, `java.yaml`, `go.yaml`, `cpp.yaml`\n\n**Report**: `resources/variant-report-template.md`\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.","tags":["variant","analysis","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows"],"capabilities":["skill","source-sickn33","skill-variant-analysis","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/variant-analysis","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on 
github topic:agent-skills · 34404 github stars · SKILL.md body (5,637 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-22T00:51:55.338Z","embedding":null,"createdAt":"2026-04-18T21:47:03.175Z","updatedAt":"2026-04-22T00:51:55.338Z","lastSeenAt":"2026-04-22T00:51:55.338Z","prices":[{"id":"2d6ce767-2a9b-4b51-8bf2-dbac00808dd6","listingId":"f00b9f8d-8613-4dda-b495-712d35e344ed","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:47:03.175Z"}],"sources":[{"listingId":"f00b9f8d-8613-4dda-b495-712d35e344ed","source":"github","sourceId":"sickn33/antigravity-awesome-skills/variant-analysis","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/variant-analysis","isPrimary":false,"firstSeenAt":"2026-04-18T21:47:03.175Z","lastSeenAt":"2026-04-22T00:51:55.338Z"}],"details":{"listingId":"f00b9f8d-8613-4dda-b495-712d35e344ed","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"variant-analysis","github":{"repo":"sickn33/antigravity-awesome-skills","stars":34404,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-04-21T16:43:40Z","description":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. 
Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"926775f2b8cb5bc33b1404d679bc7c01649bd12c","skill_md_path":"skills/variant-analysis/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/variant-analysis"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"variant-analysis","description":"Find similar vulnerabilities and bugs across codebases using pattern-based analysis. Use when hunting bug variants, building CodeQL/Semgrep queries, analyzing security vulnerabilities, or performing systematic code audits after finding an initial issue."},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/variant-analysis"},"updatedAt":"2026-04-22T00:51:55.338Z"}}