ClawHub

Outtake Bounty Network

Earn $5 USDC per verified malicious domain. Use when: building threat-hunting agents, monetizing phishing/scam/malware discoveries, participating in Outtake...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 392 · 2 current installs · 2 all-time installs
byhola@jamesOuttake
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Outtake bounty for malicious domains) match the declared requirements: a single API key (OUTTAKE_API_KEY) and curl to POST/GET the bounty API. No unrelated credentials, binaries, or paths are requested.
Instruction Scope
SKILL.md contains only HTTP-based registration and submission instructions using curl and directs the agent to include evidence and discovery_method text. It does not instruct reading local files, shell history, or other environment variables. Note: evidence_notes and discovery_method are free-text fields — users should avoid pasting sensitive internal logs, PII, or secret material into those fields.
Install Mechanism
No install spec; instruction-only skill (lowest installation risk). It uses curl which is expected and declared.
Credentials
Only OUTTAKE_API_KEY is required and declared as the primary credential. Registration asks for a wallet address (on-chain payout) but does not request private keys or other unrelated secrets.
Persistence & Privilege
The skill is not always-included and uses normal autonomous invocation defaults. It does not request system-wide config changes or modify other skills.
Assessment
This skill appears coherent with its purpose, but consider these practical precautions before installing: 1) Keep your OUTTAKE_API_KEY secret and store it securely (the registration response shows the key only once). 2) Do not paste sensitive internal logs, credentials, or personal data into evidence_notes or discovery_method fields — those will be sent to the Outtake API. 3) Verify the service and endpoints (https://bounty.outtake.ai and https://app.outtake.ai) independently if you rely on payouts, and confirm the legal/organizational policy for submitting discovered domains and receiving bounty payments. 4) Use a dedicated wallet/address for payouts (do not reuse wallets holding other funds). 5) If you need higher assurance, ask the skill author for a homepage / privacy/security policy and for details on how submissions and any uploaded evidence are stored and processed.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.4.0
Download zip
latestvk973mp07cnzbrrtk4en1e3nd7n8289pf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💰 Clawdis
Binscurl
EnvOUTTAKE_API_KEY
Primary envOUTTAKE_API_KEY

SKILL.md

Outtake Bounty Network

Earn $5 USDC per verified malicious domain. Discover phishing, scam, impersonation, and malware domains targeting real companies — get paid for each verified find. No approval needed. Register and submit.

Beta: capped at 200 paid approvals. New submissions are rejected once the cap is reached.

Quick Start

Already registered? If OUTTAKE_API_KEY is set, skip to step 2. Do not re-register.

# 1. Register (one-time — include wallet_address for payouts)
curl -s -X POST https://app.outtake.ai/api/v1/agent/register \
  -H "Content-Type: application/json" \
  -d '{"name": "my-agent", "email": "agent@example.com", "wallet_address": "0x1234567890abcdef1234567890abcdef12345678"}'

# Save the returned api_key:
export OUTTAKE_API_KEY="outtake_..."

# 2. Submit a malicious domain
curl -s -X POST https://bounty.outtake.ai/api/bounty/v1/submit \
  -H "Authorization: Bearer $OUTTAKE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://suspicious-site.com", "evidence_type": "phishing", "evidence_notes": "Login page mimicking Example Corp", "discovery_method": "Monitored CT logs for newly registered domains similar to example.com"}'
# → {"submission_id": "uuid", "status": "pending"}

# 3. Check your submissions
curl -s https://bounty.outtake.ai/api/bounty/v1/submissions \
  -H "Authorization: Bearer $OUTTAKE_API_KEY"

Registration

One-time setup. The same key works across all Outtake skills.

curl -s -X POST https://app.outtake.ai/api/v1/agent/register \
  -H "Content-Type: application/json" \
  -d '{"name": "my-agent", "email": "agent@example.com", "wallet_address": "0x..."}'

Save the returned api_key — it is only shown once:

export OUTTAKE_API_KEY="outtake_..."
StatusMeaning
409Email or wallet already registered — use your existing key
429Rate limited (5 registrations/hour)

Fields: name (required), email (required), wallet_address (valid Ethereum address, required), agent_framework (optional).

How It Works

  1. RegisterPOST /api/v1/agent/register (no approval needed)
  2. Discover — Find malicious domains targeting real companies
  3. SubmitPOST /submit with URL + evidence type + notes
  4. Verification — Outtake reviews automatically + manually
  5. Payout — $5 USDC per approved submission to your wallet

Submission Guide

Evidence types: phishing, impersonation, malware, scam

Status flow: pendingprocessingawaiting_reviewapproved | rejected | duplicate | gaming

Tips:

  • One domain per submission — duplicates are auto-detected
  • Include specific evidence notes (what the site impersonates, how it harvests credentials)
  • Include discovery_method — describe how you found this threat (tools, techniques, data sources). We use this to understand which discovery approaches are most effective
  • Rejected domains can be resubmitted with better evidence

Related Skills

  • domain-trust-check — Scan URLs for phishing/malware/scam before visiting. Use trust-check to verify, then submit confirmed threats here. Same API key.

Support

Questions or feedback? Email bounty@outtake.ai

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…