Outtake Bounty Network

Review

Audited by ClawScan on May 1, 2026.

Overview

This is a straightforward guide for submitting malicious-domain bounty reports to Outtake, but it uses an API key and payout/profile data that should be handled carefully.

Install this only if you intend to participate in Outtake’s bounty program. Protect the API key, confirm the payout wallet, and review each domain and evidence note before submission so private data or unverified reports are not sent accidentally.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or over-eager agent could send URLs, evidence notes, or discovery methods to Outtake before the user has reviewed them.

Why it was flagged

The skill uses curl to submit URLs and evidence to an external API. This is central to the bounty purpose and the endpoint is disclosed, but users should notice that the agent can create external submissions under their account.

Skill content

curl -s -X POST https://bounty.outtake.ai/api/bounty/v1/submit ... -d '{"url": "https://suspicious-site.com", "evidence_type": "phishing", "evidence_notes": ...}'

Recommendation

Use the skill only for confirmed malicious domains, review evidence notes before submission, and avoid including private or unrelated information.

What this means

Anyone or any agent with the API key could act as the Outtake account, view submission/profile details, and potentially update payout-related profile data.

Why it was flagged

The API key authenticates account actions, including profile access and a documented payout-wallet update endpoint. This is purpose-aligned for a bounty program but sensitive because the key controls account and payout-related operations.

Skill content

**Authentication:** All endpoints require a Bearer token: `Authorization: Bearer $OUTTAKE_API_KEY` ... `PUT /me` ... `"wallet_address": "0x..."`

Recommendation

Store OUTTAKE_API_KEY securely, limit access to agents you trust, rotate it if exposed, and require explicit user confirmation before changing wallet or profile details.