Total downloads: 496 · Favorites: 0 · Current installs: 2 · Versions: 1
Install in OpenClaw
/install bounty-hunter-pro
Description
Autonomous bug bounty hunting with scope safety. Scans targets for subdomains, secrets, vulnerabilities. Uses Certificate Transparency logs, JS analysis, ent...
Usage Instructions (SKILL.md)
Bounty Hunter Pro
Purpose
Autonomous vulnerability scanning for authorized bug bounty programs.
⚠️ CRITICAL: Scope Safety
NEVER scan targets outside [AUTHORIZED_TARGETS]
Before any scan:
- Verify target is in authorized list
- Log the scope check
- Only proceed if authorized
Components
1. nightwatch.py — Scanner
- Certificate Transparency (crt.sh) for subdomains
- JS file analysis for secrets
- Multi-threaded (10 workers default)
- Outputs to findings_incremental.json
2. analyze_daemon.py — Analyzer
- Watches findings_incremental.json
- Entropy filtering to reduce false positives
- Two-stage LLM analysis:
- Fast: qwen2.5-coder:1.5b
- Deep: glm-5:cloud
- Outputs to live_analysis.md
3. watchdog.py — Alerter
- Monitors for CRITICAL findings
- Sends alerts via OpenClaw message bus
Setup
# Install tools
cd ~/workspace/bounty_hunting/tools
unzip subfinder.zip
unzip httpx.zip
unzip nuclei.zip
# Configure authorized targets
echo "example.com" > ~/workspace/bounty_hunting/authorized_targets.txt
echo "*.example.com" >> ~/workspace/bounty_hunting/authorized_targets.txt
Usage Prompt
Run bounty hunt on [TARGET]. Target must be in authorized list.
1. Verify [TARGET] is authorized
2. Run subdomain enumeration
3. Scan each subdomain for:
- Exposed secrets in JS
- Misconfigurations
- Known vulnerabilities
4. Analyze findings with LLM
5. Generate report to ~/workspace/reports/security/[TARGET]/
Directory Structure
~/workspace/bounty_hunting/
├── authorized_targets.txt # ONLY these can be scanned
├── nightwatch.py # Main scanner
├── analyze_daemon.py # LLM analyzer
├── watchdog.py # Alert system
├── findings_incremental.json # Raw findings
├── live_analysis.md # Analyzed results
└── tools/
├── subfinder
├── httpx
└── nuclei
Output Format
Reports saved to: ~/workspace/reports/security/[TARGET]/YYYY-MM-DD.md
# Security Scan — [TARGET] — [DATE]
## Scope
- Authorized: [TARGET]
- Subdomains found: X
- Endpoints scanned: Y
## 🔴 CRITICAL
1. Finding — Severity — Location — Recommendation
## 🟠 HIGH
1. Finding — Severity — Location — Recommendation
## 🟡 MEDIUM
1. Finding — Severity — Location — Recommendation
## 🟢 INFO
1. Finding — Severity — Location — Recommendation
## Next Steps
1. [Recommended action]
Safety Guards
# ALWAYS check before scanning
def is_authorized(target):
    with open("authorized_targets.txt") as f:
        authorized = [line.strip() for line in f]
    return any(target.endswith(auth) or target == auth for auth in authorized)

# FAIL SAFE
if not is_authorized(target):
    raise ValueError(f"UNAUTHORIZED: {target} not in authorized_targets.txt")
Cron Schedule
# Daily scan at 2am (low-traffic time)
0 2 * * * cd ~/workspace/bounty_hunting && python nightwatch.py
Known Limitations
- CPU-only (no CUDA)
- Rate limiting may slow scans
- Some false positives in entropy detection
Safe Usage Recommendations
Do not run or schedule this skill as-is. Before installing or executing:
1) Verify and fix the authorization logic — ensure wildcard rules (e.g., *.example.com) are parsed correctly and the code reads the same authorized_targets file path used in setup.
2) Require explicit, documented sources and integrity checks (URLs + checksums) for subfinder/httpx/nuclei binaries rather than unzipping unspecified zip files.
3) Clarify LLM usage: decide whether models run locally or in the cloud; if cloud, add explicit required environment variables (API keys) and document where data (findings/JS code) will be sent.
4) Inspect watchdog/alerter code and OpenClaw message-bus endpoints and authentication to ensure alerts cannot exfiltrate sensitive data.
5) Only add the cron job after the above are resolved and after confirming you have explicit legal authorization to scan the listed targets.
If you want, share the actual nightwatch.py / analyze_daemon.py / watchdog.py sources so I can re-evaluate the safety guard, I/O, and external calls more precisely.
Functional Analysis
Type: OpenClaw Skill
Name: bounty-hunter-pro
Version: 1.0.0
The skill bundle describes an autonomous security scanner with high-risk capabilities, including automated network scanning and the execution of external binaries (subfinder, nuclei). A critical logic vulnerability exists in the scope-checking function within SKILL.md, where 'target.endswith(auth)' allows unauthorized scanning of any domain that shares a suffix with an authorized target (e.g., 'evil-example.com' would be permitted if 'example.com' is authorized). Furthermore, the workflow involves sending potentially sensitive vulnerability data and discovered secrets to external LLM cloud providers (glm-5:cloud) for analysis, posing a data exposure risk.
Capability Assessment
Purpose & Capability
The name/description (autonomous bug-hunting) aligns with the listed scanner/analyzer/alerter components and file layout. However, the SKILL.md references cloud LLMs (qwen2.5-coder, glm-5:cloud) and an OpenClaw message bus for alerts without declaring any credentials, endpoints, or requirements; that mismatch is unexpected for a self-contained scanner.
Instruction Scope
Instructions tell the agent to run network scans, parse JS for secrets, write findings to home-directory paths, and send alerts externally. Those actions are appropriate for a scanner, but the safety guard/code has an implementation gap: setup writes authorized patterns like "*.example.com" to ~/workspace/bounty_hunting/authorized_targets.txt while the provided is_authorized() checks the relative file "authorized_targets.txt" and uses literal endswith() matching — wildcard patterns ("*.example.com") won't match subdomains as intended. This creates a real risk the 'ALWAYS respects authorized targets' promise is broken. The SKILL.md also lacks details on where the tool zip files come from and how watchdog alerts are authenticated.
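The two gaps called out above (the suffix-only endswith() match in the SKILL.md "Safety Guards" snippet, which lets evil-example.com pass for an authorized example.com, and wildcard entries such as *.example.com that never match anything) are both fixed by a label-aware scope check. The following is an added example written for this review, not code from the bounty-hunter-pro skill or its author: an exact entry matches only that host, a *.domain entry matches subdomains of that domain only, malformed entries are dropped rather than silently widening scope, every decision is logged, and the file path defaults to the absolute path the skill's setup step writes to (that path is an assumption taken from the setup section). The sample scope file embedded in the block is constructed for the demonstration.

```python
"""Hardened scope check for an authorized-targets list (added example).

Replaces suffix-only endswith() matching with label-aware matching:
  - "example.com"    allows exactly example.com
  - "*.example.com"  allows any subdomain of example.com, never example.com
                     itself and never a look-alike such as evil-example.com
The default file path is assumed from the skill's setup section. Nothing
here performs scanning; it only decides whether a target is in scope.
"""
import logging
import os
from typing import Iterable, List, Tuple

log = logging.getLogger("scope")

# Assumed: the same absolute path the setup step writes to (not the
# relative "authorized_targets.txt" the original snippet opens).
DEFAULT_PATH = os.path.expanduser("~/workspace/bounty_hunting/authorized_targets.txt")


def normalize_host(value: str) -> str:
    """Reduce a target to a bare lowercase hostname.

    Strips an optional scheme, userinfo, port and path so that
    'https://API.Example.com:443/v1' and 'api.example.com' compare equal,
    and so that 'example.com@evil.net' is judged by its real host.
    """
    host = value.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]      # drop any path
    host = host.rsplit("@", 1)[-1]    # drop userinfo
    host = host.split(":", 1)[0]      # drop port
    return host.rstrip(".")           # drop FQDN trailing dot


def parse_patterns(lines: Iterable[str]) -> List[Tuple[bool, str]]:
    """Turn raw scope-file lines into (is_wildcard, base_domain) tuples.

    Blank lines and '#' comments are ignored. Only a single leading '*.' is
    honoured; any other '*' (or an empty/odd base) makes the entry invalid
    and it is dropped with a warning instead of silently widening scope.
    """
    patterns: List[Tuple[bool, str]] = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        wildcard = entry.startswith("*.")
        base = entry[2:] if wildcard else entry
        if not base or "*" in base or base.startswith(".") or ".." in base:
            log.warning("ignoring malformed scope entry %r", raw.strip())
            continue
        patterns.append((wildcard, normalize_host(base)))
    return patterns


def is_authorized(target: str, patterns: List[Tuple[bool, str]]) -> bool:
    """Return True only if the target host is covered by an entry in scope."""
    host = normalize_host(target)
    if not host:
        log.warning("scope check: empty host from %r rejected", target)
        return False
    for wildcard, base in patterns:
        if not wildcard and host == base:
            log.info("scope check: %s allowed by exact entry %s", host, base)
            return True
        # Label boundary: require ".base" as suffix, so "evil-example.com"
        # does not match "*.example.com" while "a.b.example.com" does.
        if wildcard and host.endswith("." + base):
            log.info("scope check: %s allowed by wildcard *.%s", host, base)
            return True
    log.warning("scope check: %s NOT in authorized targets", host)
    return False


def load_patterns(path: str = DEFAULT_PATH) -> List[Tuple[bool, str]]:
    """Read the scope file from disk (absolute path, not cwd-relative)."""
    with open(path, encoding="utf-8") as f:
        return parse_patterns(f)


def suffix_only_is_authorized(target: str, entries: List[str]) -> bool:
    """The original snippet's logic, kept only to contrast with the fix."""
    return any(target.endswith(auth) or target == auth for auth in entries)


# Constructed sample scope file for the demonstration.
CONSTRUCTED_SCOPE = """
# sample authorized_targets.txt (constructed)
example.com
*.example.com
"""

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    scope = parse_patterns(CONSTRUCTED_SCOPE.splitlines())
    for candidate in ("api.example.com", "evil-example.com", "example.com.evil.net"):
        print(f"{candidate:24} authorized={is_authorized(candidate, scope)}")
```

Note the deliberate asymmetry: a bare example.com entry does not cover its subdomains and a *.example.com entry does not cover the apex, so the setup section's two echo lines are both needed, and nothing outside those two shapes can slip in via a shared suffix, a userinfo trick, or a path component.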
Install Mechanism
The skill is instruction-only (no install spec), so nothing is installed automatically — lower platform install risk. But the setup shows unzipping subfinder.zip, httpx.zip, nuclei.zip with no source URLs or hashes; that leaves an implicit step of downloading binaries from unspecified locations, which is high-risk if users follow instructions uncritically. The skill should declare trusted sources or package manager installs.
Credentials
No environment variables or credentials are declared, yet the analyzer references cloud-hosted LLMs and the alerter references the OpenClaw message bus — both ordinarily require API keys/authentication. The absence of declared credential requirements is an incoherence: either the skill expects local models (not stated) or it will silently require/attempt cloud credentials (not declared), which can lead to accidental data exfiltration or failed runs.
Persistence & Privilege
always:false and disable-model-invocation:false (normal). The SKILL.md suggests installing a user crontab entry to run nightly scans — that’s a user-actuated persistence suggestion rather than a forced platform-level privilege. Recommend not adding the cron until code/authorization checks are verified. No self-enabling/alteration of other skills is present.
How to Use
- Make sure OpenClaw is installed (local or Docker deployment)
- Type the install command in the chat box: /install bounty-hunter-pro
- After installation completes, call the Skill by name directly or trigger it with /bounty-hunter-pro
- Provide the required inputs according to the Skill's parameter description to get structured output
Version History
v1.0.0
- Initial release of Bounty Hunter Pro, an autonomous bug bounty hunting tool with strict scope safety.
- Scans authorized targets for subdomains, exposed secrets in JavaScript, misconfigurations, and known vulnerabilities.
- Uses Certificate Transparency logs, entropy-based secret detection, and LLM-powered two-stage vulnerability analysis for results filtering and prioritization.
- Includes automated alerting for critical findings and structured report generation.
- Enforces authorization checks before scanning any target to ensure compliance with program scope.
FAQ
What is Bounty Hunter Pro?
Autonomous bug bounty hunting with scope safety. Scans targets for subdomains, secrets, vulnerabilities. Uses Certificate Transparency logs, JS analysis, ent... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 496 cumulative downloads so far.
How do I install Bounty Hunter Pro?
Run the command "/install bounty-hunter-pro" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is Bounty Hunter Pro free?
Yes, Bounty Hunter Pro is completely free (open source and free of charge) and can be freely downloaded, installed and used.
Which platforms does Bounty Hunter Pro support?
Bounty Hunter Pro is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Bounty Hunter Pro?
Developed and maintained by Lugave11 (@lugave11); current version v1.0.0.