Security Bounty Hunter Skill

100 0 Updated: 2026-07-15 14:46:06

The Security Bounty Hunter skill is a professional module within the ECC (Agent Capability Optimization System), specifically designed for cybersecurity researchers and bug bounty hunters. This skill integrates vulnerability scanning, penetration testing assistance, security report generation, and more, supporting operation in mainstream AI coding environments such as Claude Code, Codex, Opencode, and Cursor. With this skill, users can efficiently discover security vulnerabilities in web applications, APIs, smart contracts, and other targets, and generate vulnerability reports that meet industry standards. The skill includes pre-configured detection scripts, reference documents, and intelligent agents to help users quickly get started with security testing workflows. It is suitable for security audits, bug bounty programs, compliance checks, and other scenarios, making it a powerful assistant for cybersecurity professionals.

Install
bunx skills add https://github.com/affaan-m/ECC --skill security-bounty-hunter
Skill Details readonly

1. Skill Overview

This skill is used for hands-on vulnerability discovery and bounty report preparation, distinct from broad general security best practice audits. Its core objective is to answer “Is this flaw eligible for a bounty payout?” rather than just “Is this theoretically insecure?”.
It prioritizes remotely reachable, user-controllable attack surfaces while filtering out low-signal or out-of-scope patterns that bounty platforms routinely reject due to insufficient impact or scope exclusion rules.

2. Core Capabilities

2.1 High-Impact Vulnerability Pattern Library

The skill targets consistent high-severity exploitable flaw classes:
Vulnerability Type CWE ID Typical Business Impact
SSRF via user-controlled URL input CWE-918 Internal network reconnaissance, cloud metadata credential theft
Authentication bypass in middleware / API guard logic CWE-287 Unauthorized access to user accounts and sensitive data
Remote code execution via deserialization or unvalidated file uploads CWE-502 Arbitrary server-side code execution
SQL injection exposed on public reachable endpoints CWE-89 Mass data exfiltration, auth bypass, persistent data corruption
Command injection within request handler logic CWE-78 Remote arbitrary code execution
Path traversal in file-serving endpoints CWE-22 Read/write access to arbitrary server-side files
Auto-triggerable self-contained XSS CWE-79 Session hijacking, full admin account takeover

2.2 Low-Signal / Out-of-Scope Pattern Exclusions

Unless explicitly marked eligible by the bounty program rules, these patterns are treated as low-impact or out-of-scope and discarded:
  • Local-only pickle.loads, torch.load, or equivalent deserialization with no remote reachable entrypoint
  • Raw eval() / exec() calls restricted exclusively to internal CLI tooling
  • Hardcoded static shell commands using shell=True with zero user-controlled input
  • Missing security headers only (CSP, HSTS, X-Frame-Options) with no secondary exploit chain
  • Generic rate-limiting deficiencies with no viable exploitation impact
  • Self-XSS requiring manual victim copy-paste interaction
  • CI/CD pipeline injection flaws isolated outside the customer-facing application attack surface
  • Demo, sample, or test-only code paths

2.3 Standard Vulnerability Discovery Workflow

  1. Validate bounty scope: Review program rules, SECURITY.md, disclosure policies, and explicit exclusion lists
  2. Locate real external entrypoints: HTTP route handlers, file upload endpoints, background job runners, webhooks, data parsers, third-party integration APIs
  3. Run static analysis triage scan:
semgrep --config=auto --severity=ERROR --severity=WARNING --json
 
Static tool output is only used as an initial filter, not conclusive proof of exploitability
 
4. Perform full end-to-end manual code path review; do not rely solely on static scan results
 
5. Prove user-controlled input flows reach high-risk sink functions
 
6. Build minimal viable PoC to confirm full exploitability and measure real impact
 
7. Pre-report duplicate check: Verify the flaw has not been previously tracked via published advisories, CVEs, or public issue tickets
 
8. Manual noise filtering:
  • Exclude test fixtures, demo code, vendor dependency code
  • Discard local-only non-network reachable paths
  • Retain only findings with clear external network / user-controlled input attack surfaces

2.4 Standard Vulnerability Report Template

All bounty submissions follow this fixed markdown structure:
markdown
## Description
[Explain the flaw and its critical business impact]

## Vulnerable Source Code
[Full file path, line range, concise relevant code snippet]

## Proof of Concept
[Minimal reproducible HTTP request or standalone exploit script]

## Impact
[Full breakdown of actions an unauthenticated/malicious attacker can perform]

## Affected Versions
[Tested release version, target commit hash, or live deployment environment]
 
Mandatory pre-submission validation checklist:
  1. Vulnerable code path is reachable from an external user / network boundary
  2. Critical input variables are fully controllable by untrusted external actors
  3. The downstream sink function enables meaningful security impact
  4. The attached PoC reproduces the flaw reliably end-to-end
  5. The defect has no matching public advisory, CVE, or tracked open issue
  6. The target component falls within the official bounty program scope

3. Primary Use Cases

  1. Bug bounty hunting on platforms including Huntr, HackerOne — Identify valid high-severity vulnerabilities eligible for monetary reward
  2. Formal security report drafting — Generate complete standardized audit artifacts with reproducible PoC and impact breakdown for bounty review teams
  3. Exploitability triage — Separate theoretical low-risk code smells from practically exploitable remote vulnerabilities to avoid wasted research effort
  4. Source code security audit — Combine static scanning and manual end-to-end path tracing to systematically map externally reachable critical flaws
  5. Pre-research scope validation — Confirm target eligibility against bounty program rules before deep dive research

4. Critical Guiding Principles

  1. Prioritize remotely reachable attack surfaces over local-only or purely theoretical risks
  2. Complete scope validation as the first step: Review program rules, SECURITY.md, and documented exclusion lists
  3. Static analysis tools are only for initial filtering; they cannot replace full manual end-to-end code path inspection
  4. Functional, minimal PoC proof is mandatory to confirm real exploitability
  5. Duplicate check before drafting reports: Confirm no matching public advisories or CVEs exist
  6. Automatically discard low-signal noise patterns: local deserialization, CLI-only eval, missing security headers, and other non-exploitable minor weaknesses

Summary

Security Bounty Hunter is a specialized hands-on skill for vulnerability research and bug bounty submission preparation within the OpenClaw tool suite. It focuses exclusively on high-severity, remotely exploitable flaws with user-controllable attack surfaces including SSRF, auth bypass, RCE, SQL injection, command injection, path traversal, and auto-triggered XSS. The workflow combines static analysis triage and full manual code path auditing to filter out low-signal out-of-scope patterns, delivers a standardized bounty report template, and enforces a pre-submission validation checklist to produce high-quality, payout-eligible vulnerability submissions. It is built for security researchers conducting bug bounty hunting, writing formal exploit reports, and performing targeted source code audits to identify real-world exploitable security defects.