avoiding-false-positives

Avoiding False Positives

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "avoiding-false-positives" with this command: npx skills add bitwarden/ai-plugins/bitwarden-ai-plugins-avoiding-false-positives

Avoiding False Positives

Before Flagging Anything

MUST verify ALL three:

  • Can you trace the execution path showing incorrect behavior?

  • Is this handled elsewhere (error boundaries, middleware, validators)?

  • Are you certain about framework behavior, API contracts, and language semantics?

If you cannot confidently answer all three, DO NOT create the finding.

Patterns to Recognize (DO NOT flag)

  • Intentional simplicity - Not every function needs error handling if caller handles it

  • Framework conventions - React hooks, dependency injection, ORM patterns have specific rules

  • Test code - Different standards apply (hardcoded values, no error handling often OK)

  • Generated code - Migrations, API clients, proto files (only review if hand-edited)

  • Copied patterns - If code matches existing patterns in codebase, consistency > "better" approach

When uncertain about a pattern, search the codebase for similar examples before flagging.

Codebase Conventions

Before suggesting changes:

  • Check existing patterns - How does this codebase handle similar cases?

  • Respect established conventions - Even if non-standard, consistency > perfection

  • Don't flag convention violations unless they cause bugs or security issues

Examples:

  • Codebase uses any types extensively → Don't flag individual uses

  • Codebase has no error handling in services → Don't flag one missing try-catch

  • Consistency matters more than isolated improvements

Common False Positives to Avoid

Do NOT flag when handled elsewhere or guaranteed by framework:

  • Null checks: Language/framework ensures non-null, or prior validation occurred

  • Error handling: Error boundaries exist, function designed to throw, or caller handles

  • Race conditions: Framework synchronizes (React state, DB transactions), or operations idempotent

  • Performance: Data bounded (<100 items), runs once at startup, no profiling evidence

  • Security: Framework sanitizes (parameterized queries, JSX escaping), or API layer validates

When uncertain, assume the developer knows something you don't.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

General

implementing-dapper-queries

No summary provided by upstream source.

Repository SourceNeeds Review
-14
bitwarden
General

retrospecting

No summary provided by upstream source.

Repository SourceNeeds Review
-12
bitwarden
General

implementing-ef-core

No summary provided by upstream source.

Repository SourceNeeds Review
-11
bitwarden