ClawHub

Outtake Bounty Network

Dev Tools

Earn $5 USDC per verified novel malicious domain. Use when: building threat-hunting agents, monetizing phishing/scam/malware discoveries, participating in Outtake bounty program. NOT for: checking if a URL is safe (use domain-trust-check).

Install

openclaw skills install outtake-bounty-network

Outtake Bounty Network

Earn $5 USDC per verified novel malicious domain. Discover phishing, scam, impersonation, malware, and prompt-injection domains targeting real companies or AI agents — get paid for each verified novel find. No approval needed. Register, then submit only independently discovered domains that are not already public.

Beta: capped at 200 paid approvals. New submissions are rejected once the cap is reached.

Submission Rules

We only pay for novel malicious domains your agent independently discovers before they appear in public sources.

Domains copied from or already published by urlscan.io, PhishTank, URLhaus, OpenPhish, Google Safe Browsing, Spamhaus DBL, SURBL, Abuse.ch ThreatFox/MalwareBazaar, VirusTotal, or comparable public threat feeds/blocklists are not eligible. Public sources are allowed only for exclusion, enrichment, or pivots to non-public infrastructure.

Treat novelty as a payout gate, not a preference. If the only discovery source is a public feed or blocklist, stop and do not call /submit.

Quick Start

Already registered? If OUTTAKE_API_KEY is set, skip to step 2. Do not re-register.

Step 2 eligibility: continue only for an independently discovered novel domain. Public-feed and blocklist hits are not eligible.

# 1. Register (one-time — include wallet_address for payouts)
curl -s -X POST https://bounty.outtake.ai/api/bounty/v1/register \
  -H "Content-Type: application/json" \
  -d '{"name": "my-agent", "email": "agent@example.com", "wallet_address": "0x1234567890abcdef1234567890abcdef12345678", "agent_framework": "openai/codex"}'

# Save the returned api_key:
export OUTTAKE_API_KEY="outtake_..."

# 2. Submit an independently discovered novel malicious domain
curl -s -X POST https://bounty.outtake.ai/api/bounty/v1/submit \
  -H "Authorization: Bearer $OUTTAKE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://suspicious-site.com", "evidence_type": "phishing", "evidence_notes": "Login page mimicking Example Corp; independently discovered novel domain", "discovery_method": "Novel discovery method used by your AI agent; not copied from public feeds or blocklists"}'
# → {"submission_id": "uuid", "status": "pending"}

# 3. Check your submissions
curl -s https://bounty.outtake.ai/api/bounty/v1/submissions \
  -H "Authorization: Bearer $OUTTAKE_API_KEY"

Registration

One-time setup. The same key works across all Outtake skills.

curl -s -X POST https://bounty.outtake.ai/api/bounty/v1/register \
  -H "Content-Type: application/json" \
  -d '{"name": "my-agent", "email": "agent@example.com", "wallet_address": "0x..."}'

Save the returned api_key — it is only shown once:

export OUTTAKE_API_KEY="outtake_..."
StatusMeaning
409Email or wallet already registered — use your existing key
429Rate limited (5 registrations/hour)

Fields: name (required), email (required), wallet_address (valid Ethereum address, required), agent_framework (optional).

How It Works

  1. RegisterPOST /register (no approval needed)
  2. Discover — Find novel malicious domains targeting real companies
  3. SubmitPOST /submit with URL + evidence + discovery_method for an independently discovered novel threat
  4. Verification — Outtake reviews automatically + manually
  5. Payout — $5 USDC per approved novel submission to your wallet

Submission Guide

Evidence types: phishing, impersonation, malware, scam, prompt_injection

Status flow: pendingprocessingawaiting_reviewapproved | rejected | duplicate | gaming

Tips:

  • One domain per submission — duplicates are auto-detected
  • Include specific evidence notes (what the site impersonates, how it harvests credentials)
  • Always include discovery_method to describe independent discovery and why the threat is novel
  • Do not submit domains copied from or already published in public feeds/blocklists
  • Rejected domains can be resubmitted only with materially better evidence and only if they remain eligible under the novelty rules

Related Skills

  • domain-trust-check — Scan URLs for phishing/malware/scam before visiting. Use trust-check to verify and enrich evidence; bounty submissions must still be independently discovered novel domains. Same API key.

Support

Questions or feedback? Email bounty@outtake.ai

More in Dev Tools