Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bounty Hunter Pro

v1.0.0

Autonomous bug bounty hunting with scope safety. Scans targets for subdomains, secrets, vulnerabilities. Uses Certificate Transparency logs, JS analysis, ent...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for lugave11/bounty-hunter-pro.

Prompt preview: Install & Setup
Install the skill "Bounty Hunter Pro" (lugave11/bounty-hunter-pro) from ClawHub.
Skill page: https://clawhub.ai/lugave11/bounty-hunter-pro
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI


openclaw skills install bounty-hunter-pro

ClawHub CLI


npx clawhub@latest install bounty-hunter-pro

Security Scan

VirusTotal: Suspicious

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (autonomous bug-hunting) aligns with the listed scanner/analyzer/alerter components and file layout. However, the SKILL.md references cloud LLMs (qwen2.5-coder, glm-5:cloud) and an OpenClaw message bus for alerts without declaring any credentials, endpoints, or requirements; that mismatch is unexpected for a self-contained scanner.
Instruction Scope
Instructions tell the agent to run network scans, parse JS for secrets, write findings to home-directory paths, and send alerts externally. Those actions are appropriate for a scanner, but the safety guard/code has an implementation gap: setup writes authorized patterns like "*.example.com" to ~/workspace/bounty_hunting/authorized_targets.txt while the provided is_authorized() checks the relative file "authorized_targets.txt" and uses literal endswith() matching — wildcard patterns ("*.example.com") won't match subdomains as intended. This creates a real risk the 'ALWAYS respects authorized targets' promise is broken. The SKILL.md also lacks details on where the tool zip files come from and how watchdog alerts are authenticated.
Install Mechanism
The skill is instruction-only (no install spec), so nothing is installed automatically — lower platform install risk. But the setup shows unzipping subfinder.zip, httpx.zip, nuclei.zip with no source URLs or hashes; that leaves an implicit step of downloading binaries from unspecified locations, which is high-risk if users follow instructions uncritically. The skill should declare trusted sources or package manager installs.
Credentials
No environment variables or credentials are declared, yet the analyzer references cloud-hosted LLMs and the alerter references the OpenClaw message bus — both ordinarily require API keys/authentication. The absence of declared credential requirements is an incoherence: either the skill expects local models (not stated) or it will silently require/attempt cloud credentials (not declared), which can lead to accidental data exfiltration or failed runs.
Persistence & Privilege
always:false and disable-model-invocation:false (normal). The SKILL.md suggests installing a user crontab entry to run nightly scans — that’s a user-actuated persistence suggestion rather than a forced platform-level privilege. Recommend not adding the cron until code/authorization checks are verified. No self-enabling/alteration of other skills is present.
What to consider before installing
Do not run or schedule this skill as-is. Before installing or executing:

  1. Verify and fix the authorization logic — ensure wildcard rules (e.g., *.example.com) are parsed correctly and the code reads the same authorized_targets file path used in setup.
  2. Require explicit, documented sources and integrity checks (URLs + checksums) for subfinder/httpx/nuclei binaries rather than unzipping unspecified zip files.
  3. Clarify LLM usage: decide whether models run locally or in the cloud; if cloud, add explicit required environment variables (API keys) and document where data (findings/JS code) will be sent.
  4. Inspect watchdog/alerter code and OpenClaw message-bus endpoints and authentication to ensure alerts cannot exfiltrate sensitive data.
  5. Only add the cron job after the above are resolved and after confirming you have explicit legal authorization to scan the listed targets.

If you want, share the actual nightwatch.py / analyze_daemon.py / watchdog.py sources so I can re-evaluate the safety guard, I/O, and external calls more precisely.


latest: vk97bvbn4n1x3j88fknc6ee4p91828t26
493 downloads
0 stars
1 version
Updated 14h ago
v1.0.0
License: MIT-0

Bounty Hunter Pro

Purpose

Autonomous vulnerability scanning for authorized bug bounty programs.

⚠️ CRITICAL: Scope Safety

NEVER scan targets outside [AUTHORIZED_TARGETS]

Before any scan:

  1. Verify target is in authorized list
  2. Log the scope check
  3. Only proceed if authorized

Components

1. nightwatch.py — Scanner

  • Certificate Transparency (crt.sh) for subdomains
  • JS file analysis for secrets
  • Multi-threaded (10 workers default)
  • Outputs to findings_incremental.json

2. analyze_daemon.py — Analyzer

  • Watches findings_incremental.json
  • Entropy filtering to reduce false positives
  • Two-stage LLM analysis:
    • Fast: qwen2.5-coder:1.5b
    • Deep: glm-5:cloud
  • Outputs to live_analysis.md

3. watchdog.py — Alerter

  • Monitors for CRITICAL findings
  • Sends alerts via OpenClaw message bus

Setup

# Install tools
cd ~/workspace/bounty_hunting/tools
unzip subfinder.zip
unzip httpx.zip
unzip nuclei.zip

# Configure authorized targets
echo "example.com" > ~/workspace/bounty_hunting/authorized_targets.txt
echo "*.example.com" >> ~/workspace/bounty_hunting/authorized_targets.txt

Usage Prompt

Run bounty hunt on [TARGET]. Target must be in authorized list.

1. Verify [TARGET] is authorized
2. Run subdomain enumeration
3. Scan each subdomain for:
   - Exposed secrets in JS
   - Misconfigurations
   - Known vulnerabilities
4. Analyze findings with LLM
5. Generate report to ~/workspace/reports/security/[TARGET]/

Directory Structure

~/workspace/bounty_hunting/
├── authorized_targets.txt    # ONLY these can be scanned
├── nightwatch.py            # Main scanner
├── analyze_daemon.py        # LLM analyzer
├── watchdog.py              # Alert system
├── findings_incremental.json # Raw findings
├── live_analysis.md         # Analyzed results
└── tools/
    ├── subfinder
    ├── httpx
    └── nuclei

Output Format

Reports saved to: ~/workspace/reports/security/[TARGET]/YYYY-MM-DD.md

# Security Scan — [TARGET] — [DATE]

## Scope
- Authorized: [TARGET]
- Subdomains found: X
- Endpoints scanned: Y

## 🔴 CRITICAL
1. Finding — Severity — Location — Recommendation

## 🟠 HIGH
1. Finding — Severity — Location — Recommendation

## 🟡 MEDIUM
1. Finding — Severity — Location — Recommendation

## 🟢 INFO
1. Finding — Severity — Location — Recommendation

## Next Steps
1. [Recommended action]

Safety Guards

# ALWAYS check before scanning
def is_authorized(target):
    with open("authorized_targets.txt") as f:
        authorized = [line.strip() for line in f]
    return any(target.endswith(auth) or target == auth for auth in authorized)

# FAIL SAFE
if not is_authorized(target):
    raise ValueError(f"UNAUTHORIZED: {target} not in authorized_targets.txt")
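A hardened version of this guard, added here as an example and not the skill's own code: it reads the same ~/workspace/bounty_hunting/authorized_targets.txt path that the Setup section writes, parses "*.domain" wildcards explicitly, and requires a dot boundary so lookalike hosts such as notexample.com are not matched. The file path and the one-rule-per-line format are assumptions.

```python
# Added example: scope guard that matches the Setup section's file path and
# understands "*.example.com" wildcards (assumed rule format, not the skill's code).
from pathlib import Path

# Same path that the Setup section writes to (assumption: no other location).
AUTHORIZED_FILE = Path.home() / "workspace" / "bounty_hunting" / "authorized_targets.txt"


def load_rules(text):
    """Parse rule lines into (exact_hosts, wildcard_bases)."""
    exact, wildcard = set(), set()
    for raw in text.splitlines():
        line = raw.strip().lower().rstrip(".")
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not rules
        if line.startswith("*."):
            wildcard.add(line[2:])  # "*.example.com" -> base "example.com"
        else:
            exact.add(line)
    return exact, wildcard


def is_authorized(target, rules):
    """Exact match, or a subdomain of a wildcard base with a dot boundary.

    A bare endswith("example.com") would also accept "notexample.com";
    requiring "." + base closes that gap. A wildcard covers subdomains
    only, so the apex must be listed on its own line (as Setup does).
    """
    exact, wildcard = rules
    host = target.strip().lower().rstrip(".")
    if not host:
        return False
    if host in exact:
        return True
    return any(host.endswith("." + base) for base in wildcard)


def check_scope(target, path=AUTHORIZED_FILE):
    """FAIL SAFE: raise before any scan if the target is out of scope."""
    rules = load_rules(path.read_text(encoding="utf-8"))
    if not is_authorized(target, rules):
        raise ValueError(f"UNAUTHORIZED: {target} not in {path}")
    return True


if __name__ == "__main__":
    # Constructed sample matching the two lines the Setup section writes.
    demo = load_rules("example.com\n*.example.com\n")
    for host in ("api.example.com", "notexample.com", "example.com.evil.test"):
        print(host, is_authorized(host, demo))
```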

Cron Schedule

# Daily scan at 2am (low-traffic time)
0 2 * * * cd ~/workspace/bounty_hunting && python nightwatch.py

Known Limitations

  • CPU-only (no CUDA)
  • Rate limiting may slow scans
  • Some false positives in entropy detection

Comments

Loading comments...