
Angus Bounty Hunter

by Chipp11 · GitHub · v1.0.0
cross-platform · ⚠ suspicious
620 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw: /install angus-bounty-hunter
Description
Automated smart contract bug bounty hunting. Scans Immunefi/Code4rena targets with Slither static analysis, triages findings with local LLMs, and generates P...
README (SKILL.md)

Bounty Hunter

Automated smart contract vulnerability scanner for bug bounty programs. Uses free tools (Slither + local LLMs) for the heavy lifting, saves expensive models for PoC writing.

Requirements

  • slither-analyzer (pip): Static analysis
  • solc-select (pip): Solidity compiler management
  • Node.js: For script execution
  • Optional: Ollama with any code model for local triage

Quick Start

# Scan a repo
bash scripts/scan.sh <github-repo-url> [src-dir]

# Triage findings (uses local LLM if available, otherwise prints raw)
bash scripts/triage.sh <scan-output.json>

# Generate PoC template for a finding
bash scripts/poc-template.sh <finding-id> <contract-address>

Workflow

  1. Target Selection — Check Immunefi/Code4rena for active programs
  2. Clone & Scan — scan.sh clones the repo, installs solc, runs Slither
  3. Triage — triage.sh filters HIGH/MEDIUM findings, removes known false positives
  4. Deep Dive — Only read code that Slither flagged (save your tokens)
  5. PoC — Use poc-template.sh to generate Foundry test scaffolding
  6. Submit — Write up finding on Immunefi/Code4rena

Target Selection Criteria

Before scanning, check:

  • Scope last updated within 30 days (fresh code = more bugs)
  • Past payouts > $50K (they actually pay)
  • GitHub repo in scope (not just deployed addresses)
  • Solidity-based (Slither only works with Solidity)

Anti-Patterns

  • Don't read entire codebases manually — let Slither scan first
  • Don't spend > 1 hour on a target without a concrete lead
  • Don't submit known issues (check past reports first)
  • Don't ignore test coverage — untested code is where bugs hide
Usage Guidance
What to consider before installing/using:

  • The tool is mostly a wrapper around Slither + local triage scripts, but it does not automate enumerating Immunefi/Code4rena programs — you must supply a repo URL. The SKILL.md mentions a PoC generator (poc-template.sh) that is not included.
  • The scan script runs npm install and pip install inside target repositories. Those commands can run arbitrary code from the repo or its dependencies (npm lifecycle scripts, pip install hooks). Only run scans in isolated environments (ephemeral VM, container, sandbox) and avoid running on repos you don't trust.
  • Verify or remove the npm/pip install steps if you want a safer, dependency-free analysis flow (or vendor/inspect requirements first).
  • The triage step contacts a local Ollama endpoint (127.0.0.1). That is local only (not remote), but ensure your local LLM service is secure and not exposing data inadvertently.
  • Check and possibly change default WORK_DIR (defaults to /tmp/bounty-scans) and OUTPUT_DIR to locations you control; review outputs before sharing.
  • If you need true automation against Immunefi/Code4rena, expect to add authenticated API interactions or scraping logic — this bundle does not perform that.

If you want higher assurance, request a version that omits automatic package installs, includes the missing PoC script, and documents exact network calls and file writes; otherwise treat this as a useful but operationally risky helper and run it only in isolated sandboxes.
Capability Analysis
Type: OpenClaw Skill
Name: angus-bounty-hunter
Version: 1.0.0

The skill bundle is classified as suspicious due to multiple critical shell injection vulnerabilities in `scripts/scan.sh` and `scripts/triage.sh`. Unsanitized user inputs (`REPO_URL`, `SRC_DIR`, `JSON_FILE`) are directly interpolated into shell commands (`git clone`, `grep`, `solc-select`, `python -c`, `curl -d`), allowing for arbitrary command execution (RCE) and potential path traversal. For example, `scripts/scan.sh` is vulnerable to shell injection via `REPO_URL` and `SRC_DIR`, and `scripts/triage.sh` is vulnerable to Python code injection and shell injection via `curl -d` due to unsanitized `JSON_FILE` content. These are severe vulnerabilities that could be exploited by a malicious actor, but do not show clear evidence of intentional malicious behavior by the skill author.
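The defect class described above, as an added example that is not code from the angus-bounty-hunter bundle: POSIX sh allow-list checks for REPO_URL / SRC_DIR style inputs, and a grep wrapper that passes them as separate quoted arguments after `--` instead of interpolating them into a command string (function names are assumptions; the sample files in the test are constructed).

```shell
#!/bin/sh
# Added example (not code from the angus-bounty-hunter bundle): allow-list
# checks for REPO_URL / SRC_DIR style inputs and a grep wrapper that passes
# them as quoted arguments, never by string interpolation into a command.
# Function names are assumptions.

# Reject values containing a newline; grep below would otherwise validate
# only the first line of a multi-line value.
single_line() {
  [ "$(printf '%s\n' "$1" | wc -l | tr -d ' ')" = 1 ]
}

# Accept only an https GitHub URL of the form owner/name[.git] made of
# path-safe characters; options, spaces and shell metacharacters fail.
validate_repo_url() {
  single_line "$1" || return 1
  printf '%s\n' "$1" |
    grep -Eq '^https://github\.com/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(\.git)?$'
}

# Accept only a relative sub-directory: no empty value, no absolute path,
# nothing that looks like an option, no ".." segments, safe characters only.
validate_src_dir() {
  single_line "$1" || return 1
  case "$1" in
    ''|/*|-*|*..*) return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_./-]+$'
}

# Count files under <base>/<src-dir> containing <pattern>. Every value is a
# separate quoted argument after "--", so it is never re-parsed as shell
# syntax or as a grep option (the defect the analysis describes). The same
# rule applies to the triage step: hand a JSON file to curl as
# --data-binary @"$file" and to python via argv, not via python -c "...$X".
find_flagged_files() {
  base=$1; sub=$2; pattern=$3
  validate_src_dir "$sub" || return 2
  grep -rl -- "$pattern" "$base/$sub" | wc -l | tr -d ' '
}
```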
Capability Assessment
Purpose & Capability
Description implies automated scanning of Immunefi/Code4rena targets; the included scripts do not query those services or automate target discovery — they require a user-supplied GitHub repo URL. SKILL.md references a poc-template.sh that is not present in the bundle. This mismatch between advertised automation and delivered tooling is an incoherence.
Instruction Scope
scan.sh clones arbitrary repos and runs npm install and pip3 install -r requirements.txt from within the target repo. Installing dependencies from untrusted repositories can execute arbitrary code (npm lifecycle scripts, pip install side effects). triage.sh only talks to a localhost LLM endpoint (127.0.0.1:11434), so there are no obvious remote exfiltration endpoints, but the scripts do run actions that could execute code from the target repository.
Install Mechanism
No install spec (instruction-only) and included scripts are plain shell/Python. Nothing is downloaded by the skill itself during install. Note that runtime behavior triggers package installs from scanned repositories (npm/pip), which is an operational risk but not an installer red flag.
Credentials
The skill does not request credentials or environment variables (only optional BOUNTY_WORKDIR and BOUNTY_OUTPUT). It uses local services (solc-select, slither, optional Ollama) consistent with its purpose; no unrelated secrets are required.
Persistence & Privilege
The `always` flag is false, and the skill does not attempt to persist or modify other skills or system-wide agent settings. It writes scan outputs to a working directory but does not claim elevated or permanent privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install angus-bounty-hunter
  3. After installation, invoke the skill by name or use /angus-bounty-hunter
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Slither + local LLM smart contract bug bounty scanner
Metadata
Slug angus-bounty-hunter
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Angus Bounty Hunter?

Automated smart contract bug bounty hunting. Scans Immunefi/Code4rena targets with Slither static analysis, triages findings with local LLMs, and generates P... It is an AI Agent Skill for Claude Code / OpenClaw, with 620 downloads so far.

How do I install Angus Bounty Hunter?

Run "/install angus-bounty-hunter" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Angus Bounty Hunter free?

Yes, Angus Bounty Hunter is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Angus Bounty Hunter support?

Angus Bounty Hunter is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Angus Bounty Hunter?

It is built and maintained by Chipp11 (@chipp11); the current version is v1.0.0.
