Multi-Platform Bounty Scanner

v1.0.0

Automatically scan and filter new bug and OSS bounty opportunities across 50+ platforms by tech stack, reward, and difficulty with daily automation support.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for dagangtj/multi-bounty-scanner.

Install the skill "Multi-Platform Bounty Scanner" (dagangtj/multi-bounty-scanner) from ClawHub.
Skill page: https://clawhub.ai/dagangtj/multi-bounty-scanner
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install multi-bounty-scanner

ClawHub CLI

npx clawhub@latest install multi-bounty-scanner

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability

The README/SKILL.md promise scanning of 50+ bounty platforms, Telegram notifications, and paid tiers, but scanner.js only implements a GitHub scanner (other platforms return empty/mocks). The project advertises broad network integrations that are not implemented, which is an incoherent claim-to-capability mismatch.

Instruction Scope

Runtime instructions are mostly scoped to running the CLI, adding a cron job, and creating ~/.bounty-scanner/config.json. The scanner reads/writes only ~/.bounty-scanner/{config.json,seen.json} and invokes the GitHub CLI via execSync. There are no instructions to collect unrelated files or credentials, but the SKILL.md/README mention Telegram notifications (chatId) without any code that sends notifications or any declared env var for a Telegram token.

Install Mechanism

No install spec (instruction-only) and the suggested manual install (chmod +x, npm link) is conventional. Nothing is downloaded from arbitrary URLs or installed with an untrusted installer. Risk is low from installation mechanics.

Credentials

The code only relies on Node.js and the GitHub CLI (gh) and uses process.env.HOME to find config. No credentials or external tokens are required by the code. However, package.json lists 'gh' as a peerDependency (misuse — 'gh' is a CLI, not an npm package), and the documentation references Telegram notifications and paid tiers without declaring or using any notification tokens or credentials. Also, since the scanner shells out to 'gh', any GitHub authentication present in the user's environment (gh auth) will be used by the CLI — users should be aware.

Persistence & Privilege

The skill is not always-enabled and can be invoked by the user. It writes persistent state under ~/.bounty-scanner/seen.json and config.json (local user home only). That is expected for a scanner that tracks what it has seen, but users should be aware it will create and modify files in their HOME directory.

What to consider before installing

This skill is coherent enough to run a local GitHub-based bounty scan, but it overpromises features that are not implemented. Before installing or enabling it:

  1) Inspect scanner.js yourself — it only uses the GitHub CLI (gh) and reads/writes ~/.bounty-scanner/*.
  2) Understand that 'gh' network activity will use whatever GitHub auth is configured for your account; there are no declared secrets required by the skill.
  3) Do not expect the advertised 50+ platform support, Telegram notifications, or paid tiers to work — those are documented but not implemented.
  4) If you plan to run it on a schedule, run it first interactively and review the files it writes (seen.json, config.json).
  5) Prefer running in an isolated/sandboxed account or VM if you are uncertain about running third‑party code from an unknown source.
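
Part of the review recommended above (what the code shells out to, which environment variables it reads, and which advertised features have code behind them) can be scripted. The following is an added example, not code from the skill or from ClawHub; `reviewSkill`, `SAMPLE_DOC` and `SAMPLE_SRC` are hypothetical, and the sample source is constructed to mirror the scan findings rather than copied from scanner.js.

```javascript
// Added example, not the skill's code. SAMPLE_DOC and SAMPLE_SRC are constructed
// stand-ins for SKILL.md and scanner.js, shaped after the scan findings above.
const SAMPLE_DOC = 'Platforms: github, immunefi. Telegram notifications (chatId).';
const SAMPLE_SRC = `
const { execSync } = require('child_process');
const fs = require('fs'), path = require('path');
const DIR = path.join(process.env.HOME, '.bounty-scanner');
// TODO: telegram notifications
function scanGithub() {
  return JSON.parse(execSync('gh search issues --label bounty --json title,url'));
}
function scanImmunefi() { return []; }
fs.writeFileSync(path.join(DIR, 'seen.json'), '[]');
`;

// Drop block and line comments so a TODO does not count as an implementation.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, '').replace(/(^|[^:])\/\/.*$/gm, '$1');
}

// Review source text against documented feature keywords (hypothetical helper).
function reviewSkill(doc, src, features) {
  const code = stripComments(src);
  const all = (re, i) => [...new Set([...code.matchAll(re)].map(m => m[i]))];
  return {
    // Commands passed as string literals to child_process calls.
    shellOuts: all(/\b(?:exec|spawn|execFile)(?:Sync)?\s*\(\s*(['"`])(.*?)\1/g, 2),
    // Environment variables read: where tokens or secrets would surface.
    envReads: all(/process\.env\.([A-Za-z_]\w*)/g, 1),
    // Direct network use from Node itself (traffic made by gh is not visible here).
    network: all(/require\(\s*['"](https?|net|dgram|axios|node-fetch)['"]\s*\)|\b(fetch)\s*\(/g, 0),
    // Kinds of file-write call present; target paths still need a manual read.
    writes: all(/\bfs\.(writeFileSync|writeFile|appendFileSync|appendFile)\b/g, 1),
    // Functions whose whole body is `return [];`, i.e. placeholder scanners.
    stubs: all(/function\s+(\w+)\s*\([^)]*\)\s*\{\s*return\s*\[\s*\]\s*;?\s*\}/g, 1),
    // Features the docs mention but the comment-free code never names.
    unimplemented: features.filter(f =>
      new RegExp(f, 'i').test(doc) && !new RegExp(f, 'i').test(code)),
  };
}

console.log(reviewSkill(SAMPLE_DOC, SAMPLE_SRC, ['github', 'telegram', 'immunefi']));
```

The regex pass is a triage aid: commands built by string concatenation and dynamically required modules will not show up, so it narrows a manual read of the file and does not replace it.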

Like a lobster shell, security has layers — review code before you run it.

Tags: automation, bounty, github, latest
336 downloads
0 stars
1 versions
Updated 1mo ago
v1.0.0
MIT-0

Multi-Platform Bounty Scanner

Overview

Automatically scan 50+ bug bounty and OSS bounty platforms for new opportunities. Save hours of manual searching.

When to use

Use this skill when:

  • You want to find new bounty opportunities across multiple platforms
  • You need to automate daily bounty scanning
  • You want to filter bounties by tech stack, reward, or difficulty
  • You're tired of manually checking 50+ websites

Installation

clawhub install multi-bounty-scanner

Or manually:

cd ~/.openclaw/workspace/skills/multi-bounty-scanner
chmod +x scanner.js
npm link

Usage

Basic scan

bounty-scan

Filter by tech stack

bounty-scan --tech javascript,python,rust

Filter by minimum reward

bounty-scan --min-reward 100

Export to JSON

bounty-scan --output bounties.json

OpenClaw integration

Add to cron for daily automated scanning:

openclaw cron add \
  --name "Daily Bounty Scan" \
  --every 24h \
  --session isolated \
  --message "Run: cd ~/.openclaw/workspace/skills/multi-bounty-scanner && node scanner.js"

Configuration

Create ~/.bounty-scanner/config.json:

{
  "filters": {
    "techStack": ["javascript", "python", "rust"],
    "minReward": 50,
    "platforms": ["github", "code4rena", "immunefi"]
  }
}

Supported Platforms

Currently implemented:

  • ✅ GitHub (with bounty label)

Coming soon:

  • Code4rena
  • Immunefi
  • HackerOne
  • Bugcrowd
  • Intigriti
  • Algora.io
  • And 40+ more

Output

The scanner tracks seen bounties and only shows new ones. Results include:

  • Title
  • Platform
  • Reward amount
  • Tech stack
  • URL
  • Description

Requirements

  • Node.js 18+
  • GitHub CLI (gh) for GitHub scanning

Pricing

  • Free: GitHub scanning only
  • Pro ($5/month): All 50+ platforms (coming soon)

Support

Issues: https://github.com/your-repo/issues

License

MIT
