Outtake Bounty Network

v1.4.0

Earn $5 USDC per verified malicious domain. Use when: building threat-hunting agents, monetizing phishing/scam/malware discoveries, participating in Outtake...

⭐ 1· 636·2 current·2 all-time

byhola@jamesouttake

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jamesouttake/outtake-bounty-network.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Outtake Bounty Network" (jamesouttake/outtake-bounty-network) from ClawHub.
Skill page: https://clawhub.ai/jamesouttake/outtake-bounty-network
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: OUTTAKE_API_KEY
Required binaries: curl
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install outtake-bounty-network

ClawHub CLI

Package manager switcher

npx clawhub@latest install outtake-bounty-network

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description (Outtake bounty for malicious domains) match the declared requirements: a single API key (OUTTAKE_API_KEY) and curl to POST/GET the bounty API. No unrelated credentials, binaries, or paths are requested.

ℹ

Instruction Scope

SKILL.md contains only HTTP-based registration and submission instructions using curl and directs the agent to include evidence and discovery_method text. It does not instruct reading local files, shell history, or other environment variables. Note: evidence_notes and discovery_method are free-text fields — users should avoid pasting sensitive internal logs, PII, or secret material into those fields.

✓

Install Mechanism

No install spec; instruction-only skill (lowest installation risk). It uses curl which is expected and declared.

✓

Credentials

Only OUTTAKE_API_KEY is required and declared as the primary credential. Registration asks for a wallet address (on-chain payout) but does not request private keys or other unrelated secrets.

✓

Persistence & Privilege

The skill is not always-included and uses normal autonomous invocation defaults. It does not request system-wide config changes or modify other skills.

Assessment

This skill appears coherent with its purpose, but consider these practical precautions before installing: 1) Keep your OUTTAKE_API_KEY secret and store it securely (the registration response shows the key only once). 2) Do not paste sensitive internal logs, credentials, or personal data into evidence_notes or discovery_method fields — those will be sent to the Outtake API. 3) Verify the service and endpoints (https://bounty.outtake.ai and https://app.outtake.ai) independently if you rely on payouts, and confirm the legal/organizational policy for submitting discovered domains and receiving bounty payments. 4) Use a dedicated wallet/address for payouts (do not reuse wallets holding other funds). 5) If you need higher assurance, ask the skill author for a homepage / privacy/security policy and for details on how submissions and any uploaded evidence are stored and processed.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

💰 Clawdis

Binscurl

EnvOUTTAKE_API_KEY

Primary envOUTTAKE_API_KEY

latestvk973mp07cnzbrrtk4en1e3nd7n8289pf

636downloads

1stars

10versions

Updated 1mo ago

v1.4.0

MIT-0

Outtake Bounty Network

Earn $5 USDC per verified malicious domain. Discover phishing, scam, impersonation, and malware domains targeting real companies — get paid for each verified find. No approval needed. Register and submit.

Beta: capped at 200 paid approvals. New submissions are rejected once the cap is reached.

Quick Start

Already registered? If OUTTAKE_API_KEY is set, skip to step 2. Do not re-register.

# 1. Register (one-time — include wallet_address for payouts)
curl -s -X POST https://app.outtake.ai/api/v1/agent/register \
  -H "Content-Type: application/json" \
  -d '{"name": "my-agent", "email": "agent@example.com", "wallet_address": "0x1234567890abcdef1234567890abcdef12345678"}'

# Save the returned api_key:
export OUTTAKE_API_KEY="outtake_..."

# 2. Submit a malicious domain
curl -s -X POST https://bounty.outtake.ai/api/bounty/v1/submit \
  -H "Authorization: Bearer $OUTTAKE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://suspicious-site.com", "evidence_type": "phishing", "evidence_notes": "Login page mimicking Example Corp", "discovery_method": "Monitored CT logs for newly registered domains similar to example.com"}'
# → {"submission_id": "uuid", "status": "pending"}

# 3. Check your submissions
curl -s https://bounty.outtake.ai/api/bounty/v1/submissions \
  -H "Authorization: Bearer $OUTTAKE_API_KEY"

Registration

One-time setup. The same key works across all Outtake skills.

curl -s -X POST https://app.outtake.ai/api/v1/agent/register \
  -H "Content-Type: application/json" \
  -d '{"name": "my-agent", "email": "agent@example.com", "wallet_address": "0x..."}'

Save the returned api_key — it is only shown once:

export OUTTAKE_API_KEY="outtake_..."

Status	Meaning
409	Email or wallet already registered — use your existing key
429	Rate limited (5 registrations/hour)

Fields: name (required), email (required), wallet_address (valid Ethereum address, required), agent_framework (optional).

How It Works

Register — POST /api/v1/agent/register (no approval needed)
Discover — Find malicious domains targeting real companies
Submit — POST /submit with URL + evidence type + notes
Verification — Outtake reviews automatically + manually
Payout — $5 USDC per approved submission to your wallet

Submission Guide

Evidence types: phishing, impersonation, malware, scam

Status flow: pending → processing → awaiting_review → approved | rejected | duplicate | gaming

Tips:

One domain per submission — duplicates are auto-detected
Include specific evidence notes (what the site impersonates, how it harvests credentials)
Include discovery_method — describe how you found this threat (tools, techniques, data sources). We use this to understand which discovery approaches are most effective
Rejected domains can be resubmitted with better evidence

Related Skills

domain-trust-check — Scan URLs for phishing/malware/scam before visiting. Use trust-check to verify, then submit confirmed threats here. Same API key.

Support

Questions or feedback? Email bounty@outtake.ai

Comments

Loading comments...