
Bounty Hunter Pro

by Lugave11 · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
496
Downloads
0
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install bounty-hunter-pro
Description
Autonomous bug bounty hunting with scope safety. Scans targets for subdomains, secrets, vulnerabilities. Uses Certificate Transparency logs, JS analysis, ent...
README (SKILL.md)

Bounty Hunter Pro

Purpose

Autonomous vulnerability scanning for authorized bug bounty programs.

⚠️ CRITICAL: Scope Safety

NEVER scan targets outside [AUTHORIZED_TARGETS]

Before any scan:

  1. Verify target is in authorized list
  2. Log the scope check
  3. Only proceed if authorized

Components

1. nightwatch.py — Scanner

  • Certificate Transparency (crt.sh) for subdomains
  • JS file analysis for secrets
  • Multi-threaded (10 workers default)
  • Outputs to findings_incremental.json

2. analyze_daemon.py — Analyzer

  • Watches findings_incremental.json
  • Entropy filtering to reduce false positives
  • Two-stage LLM analysis:
    • Fast: qwen2.5-coder:1.5b
    • Deep: glm-5:cloud
  • Outputs to live_analysis.md

3. watchdog.py — Alerter

  • Monitors for CRITICAL findings
  • Sends alerts via OpenClaw message bus

Setup

# Install tools
cd ~/workspace/bounty_hunting/tools
unzip subfinder.zip
unzip httpx.zip
unzip nuclei.zip

# Configure authorized targets
echo "example.com" > ~/workspace/bounty_hunting/authorized_targets.txt
echo "*.example.com" >> ~/workspace/bounty_hunting/authorized_targets.txt

Usage Prompt

Run bounty hunt on [TARGET]. Target must be in authorized list.

1. Verify [TARGET] is authorized
2. Run subdomain enumeration
3. Scan each subdomain for:
   - Exposed secrets in JS
   - Misconfigurations
   - Known vulnerabilities
4. Analyze findings with LLM
5. Generate report to ~/workspace/reports/security/[TARGET]/

Directory Structure

~/workspace/bounty_hunting/
├── authorized_targets.txt    # ONLY these can be scanned
├── nightwatch.py            # Main scanner
├── analyze_daemon.py        # LLM analyzer
├── watchdog.py              # Alert system
├── findings_incremental.json # Raw findings
├── live_analysis.md         # Analyzed results
└── tools/
    ├── subfinder
    ├── httpx
    └── nuclei

Output Format

Reports saved to: ~/workspace/reports/security/[TARGET]/YYYY-MM-DD.md

# Security Scan — [TARGET] — [DATE]

## Scope
- Authorized: [TARGET]
- Subdomains found: X
- Endpoints scanned: Y

## 🔴 CRITICAL
1. Finding — Severity — Location — Recommendation

## 🟠 HIGH
1. Finding — Severity — Location — Recommendation

## 🟡 MEDIUM
1. Finding — Severity — Location — Recommendation

## 🟢 INFO
1. Finding — Severity — Location — Recommendation

## Next Steps
1. [Recommended action]

Safety Guards

# ALWAYS check before scanning
def is_authorized(target):
    # Reads the relative file authorized_targets.txt from the current directory
    with open("authorized_targets.txt") as f:
        authorized = [line.strip() for line in f]
    return any(target.endswith(auth) or target == auth for auth in authorized)

# FAIL SAFE (target: the hostname the agent is about to scan, supplied by the caller)
if not is_authorized(target):
    raise ValueError(f"UNAUTHORIZED: {target} not in authorized_targets.txt")

Cron Schedule

# Daily scan at 2am (low-traffic time)
0 2 * * * cd ~/workspace/bounty_hunting && python nightwatch.py

Known Limitations

  • CPU-only (no CUDA)
  • Rate limiting may slow scans
  • Some false positives in entropy detection

Usage Guidance

Do not run or schedule this skill as-is. Before installing or executing:

  1. Verify and fix the authorization logic — ensure wildcard rules (e.g., *.example.com) are parsed correctly and the code reads the same authorized_targets file path used in setup.
  2. Require explicit, documented sources and integrity checks (URLs + checksums) for subfinder/httpx/nuclei binaries rather than unzipping unspecified zip files.
  3. Clarify LLM usage: decide whether models run locally or in the cloud; if cloud, add explicit required environment variables (API keys) and document where data (findings/JS code) will be sent.
  4. Inspect watchdog/alerter code and OpenClaw message-bus endpoints and authentication to ensure alerts cannot exfiltrate sensitive data.
  5. Only add the cron job after the above are resolved and after confirming you have explicit legal authorization to scan the listed targets.

If you want, share the actual nightwatch.py / analyze_daemon.py / watchdog.py sources so I can re-evaluate the safety guard, I/O, and external calls more precisely.
Capability Analysis
Type: OpenClaw Skill
Name: bounty-hunter-pro
Version: 1.0.0

The skill bundle describes an autonomous security scanner with high-risk capabilities, including automated network scanning and the execution of external binaries (subfinder, nuclei). A critical logic vulnerability exists in the scope-checking function within SKILL.md, where 'target.endswith(auth)' allows unauthorized scanning of any domain that shares a suffix with an authorized target (e.g., 'evil-example.com' would be permitted if 'example.com' is authorized). Furthermore, the workflow involves sending potentially sensitive vulnerability data and discovered secrets to external LLM cloud providers (glm-5:cloud) for analysis, posing a data exposure risk.
Capability Assessment
Purpose & Capability
The name/description (autonomous bug-hunting) aligns with the listed scanner/analyzer/alerter components and file layout. However, the SKILL.md references cloud LLMs (qwen2.5-coder, glm-5:cloud) and an OpenClaw message bus for alerts without declaring any credentials, endpoints, or requirements; that mismatch is unexpected for a self-contained scanner.
Instruction Scope
Instructions tell the agent to run network scans, parse JS for secrets, write findings to home-directory paths, and send alerts externally. Those actions are appropriate for a scanner, but the safety guard/code has an implementation gap: setup writes authorized patterns like "*.example.com" to ~/workspace/bounty_hunting/authorized_targets.txt while the provided is_authorized() checks the relative file "authorized_targets.txt" and uses literal endswith() matching — wildcard patterns ("*.example.com") won't match subdomains as intended. This creates a real risk the 'ALWAYS respects authorized targets' promise is broken. The SKILL.md also lacks details on where the tool zip files come from and how watchdog alerts are authenticated.
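The corrected scope check that item 1 of the Usage Guidance and the Instruction Scope note above call for, written here as an added example rather than the skill's own code. It assumes the rules file is the ~/workspace path the Setup section writes, that a `*.d` rule covers hosts strictly below d, and that the apex is listed on its own line (as Setup already does):

```python
from pathlib import Path

# Path the Setup section writes to (assumed to be the file the scanner should read).
AUTHORIZED_FILE = Path("~/workspace/bounty_hunting/authorized_targets.txt").expanduser()


def parse_rules(lines):
    """Turn authorized_targets lines into (is_wildcard, domain) rules.

    Blank lines and '#' comments are ignored; '*.example.com' becomes a
    wildcard rule for subdomains of example.com, anything else an exact host.
    """
    rules = []
    for raw in lines:
        entry = raw.strip().lower().rstrip(".")
        if not entry or entry.startswith("#"):
            continue
        if entry.startswith("*."):
            rules.append((True, entry[2:]))
        else:
            rules.append((False, entry))
    return rules


def is_authorized(target, rules):
    """Exact rules match only that host; '*.d' matches hosts strictly below d.

    Requiring the '.' label boundary is what stops 'evil-example.com' from
    matching a rule for example.com, which the bare endswith() check allowed.
    """
    host = target.strip().lower().rstrip(".")
    for wildcard, domain in rules:
        if wildcard and host.endswith("." + domain):
            return True
        if not wildcard and host == domain:
            return True
    return False


def require_authorized(target, path=AUTHORIZED_FILE):
    """Fail closed: a missing rules file raises, and so does an out-of-scope host."""
    with open(path) as f:  # FileNotFoundError is intended: no rules file, no scan
        rules = parse_rules(f)
    if not is_authorized(target, rules):
        raise ValueError(f"UNAUTHORIZED: {target} not in {path}")
    return target


# Constructed sample rules: what the two echo lines in Setup would produce.
SAMPLE_RULES = parse_rules(["example.com", "*.example.com"])
```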
Install Mechanism
The skill is instruction-only (no install spec), so nothing is installed automatically — lower platform install risk. But the setup shows unzipping subfinder.zip, httpx.zip, nuclei.zip with no source URLs or hashes; that leaves an implicit step of downloading binaries from unspecified locations, which is high-risk if users follow instructions uncritically. The skill should declare trusted sources or package manager installs.
Credentials
No environment variables or credentials are declared, yet the analyzer references cloud-hosted LLMs and the alerter references the OpenClaw message bus — both ordinarily require API keys/authentication. The absence of declared credential requirements is an incoherence: either the skill expects local models (not stated) or it will silently require/attempt cloud credentials (not declared), which can lead to accidental data exfiltration or failed runs.
Persistence & Privilege
always:false and disable-model-invocation:false (normal). The SKILL.md suggests installing a user crontab entry to run nightly scans — that’s a user-actuated persistence suggestion rather than a forced platform-level privilege. Recommend not adding the cron until code/authorization checks are verified. No self-enabling/alteration of other skills is present.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install bounty-hunter-pro
  3. After installation, invoke the skill by name or use /bounty-hunter-pro
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of Bounty Hunter Pro, an autonomous bug bounty hunting tool with strict scope safety.
- Scans authorized targets for subdomains, exposed secrets in JavaScript, misconfigurations, and known vulnerabilities.
- Uses Certificate Transparency logs, entropy-based secret detection, and LLM-powered two-stage vulnerability analysis for results filtering and prioritization.
- Includes automated alerting for critical findings and structured report generation.
- Enforces authorization checks before scanning any target to ensure compliance with program scope.
Metadata
Slug bounty-hunter-pro
Version 1.0.0
License
All-time Installs 2
Active Installs 2
Total Versions 1
Frequently Asked Questions

What is Bounty Hunter Pro?

Autonomous bug bounty hunting with scope safety. Scans targets for subdomains, secrets, vulnerabilities. Uses Certificate Transparency logs, JS analysis, ent... It is an AI Agent Skill for Claude Code / OpenClaw, with 496 downloads so far.

How do I install Bounty Hunter Pro?

Run "/install bounty-hunter-pro" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Bounty Hunter Pro free?

Yes, Bounty Hunter Pro is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Bounty Hunter Pro support?

Bounty Hunter Pro is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Bounty Hunter Pro?

It is built and maintained by Lugave11 (@lugave11); the current version is v1.0.0.
