[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-2102":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":15,"forks30d":15,"starsTrendScore":19,"compositeScore":20,"rankGlobal":10,"rankLanguage":10,"license":21,"archived":22,"fork":22,"defaultBranch":23,"hasWiki":24,"hasPages":22,"topics":25,"createdAt":10,"pushedAt":10,"updatedAt":33,"readmeContent":34,"aiSummary":35,"trendingCount":15,"starSnapshotCount":15,"syncStatus":36,"lastSyncTime":37,"discoverSource":38},2102,"Bug-Bounty-Agents","matty69v\u002FBug-Bounty-Agents","matty69v","AI-Powered Agents for Bub-Bounty Pentesting and Red-Teaming purposes","https:\u002F\u002Fm-sec.tech",null,"Shell",312,61,3,0,9,18,129,27,5.38,"MIT License",false,"main",true,[26,27,28,29,30,31,32],"bounty-hunters","bug","bug-bounty","bugbounty","bugbounty-tools","pentest-tool","pentesting","2026-06-12 02:00:37","\u003Cdiv align=\"center\">\n\n# Bug-Bounty-Agents\n\n**A curated arsenal of specialized AI agent prompts for bug bounty hunting,\npenetration testing, and offensive security workflows.**\n\n*Drop-in personas for Claude Code, Copilot Chat, Cursor, and any agent-capable LLM -\nno frameworks, no dependencies, just disciplined prompts.*\n\n\u003Cbr \u002F>\n\n[![License: MIT](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Flicense-MIT-black?style=for-the-badge)](LICENSE)\n[![Agents](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fagents-43-black?style=for-the-badge)](AGENTS.md)\n[![Platform](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fplatform-Claude%20%C2%B7%20Copilot%20%C2%B7%20Cursor%20%C2%B7%20ChatGPT-black?style=for-the-badge)](#per-tool-setup)\n[![CI](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FCI-passing-black?style=for-the-badge)](.github\u002Fworkflows\u002Flint.yml)\n\n\u003Csub>**43** agents  ·  **6** engagement phases  ·  **4** supported clients  ·  **0** dependencies\u003C\u002Fsub>\n\n\u003Cbr \u002F>\n\n[**Quick Start**](#quick-start)  ·  [**Catalog**](#agent-catalog)  ·  [**Setup**](#per-tool-setup)  ·  [**Workflows**](#workflows)  ·  [**Examples**](examples\u002F)  ·  [**Contributing**](CONTRIBUTING.md)  ·  [**Disclaimer**](#disclaimer)\n\n\u003C\u002Fdiv>\n\n---\n\n## Overview\n\nEach `.md` file in this repository defines a focused, production-ready agent\npersona - recon, web hunting, exploit chaining, reporting, and more - that\nyou can drop into **Claude Code**, **GitHub Copilot Chat**, **Cursor**, or\nany agent-capable LLM client.\n\nNo frameworks. No dependencies. Just disciplined prompts that turn a generic\nLLM into a specialist, with strict scope enforcement built in.\n\n> **These are prompts, not scanners.** They make an LLM act like a\n> specialist; they do not bring their own tooling. You still drive the\n> engagement.\n\n---\n\n## Table of Contents\n\n1. [Quick Start](#quick-start)\n2. [Agent Catalog](#agent-catalog)\n3. [Prerequisites](#prerequisites)\n4. [Per-Tool Setup](#per-tool-setup)\n   - [One-line installer](#one-line-installer)\n   - [Claude Code](#claude-code-manual)\n   - [GitHub Copilot Chat](#github-copilot-chat-vs-code-manual)\n   - [Cursor](#cursor-manual)\n   - [ChatGPT \u002F Gemini \u002F Generic](#chatgpt--gemini--generic)\n5. [Using an Agent](#using-an-agent)\n6. [Workflows](#workflows)\n7. [Examples](#examples)\n8. [Burp Suite MCP Integration](#burp-suite-mcp-integration)\n9. [Updating](#updating)\n10. [Project Files](#project-files)\n11. [Contributing](#contributing)\n12. [Security](#security)\n13. [Disclaimer](#disclaimer)\n\n---\n\n## Quick Start\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fmatty69v\u002FBug-Bounty-Agents.git\ncd Bug-Bounty-Agents\n.\u002Finstall.sh                     # auto-detects your client(s)\n```\n\nOr pick a specific target:\n\n```bash\n.\u002Finstall.sh --target claude         # Claude Code (global)\n.\u002Finstall.sh --target claude-local   # Claude Code (this project)\n.\u002Finstall.sh --target copilot        # Copilot Chat (VS Code)\n.\u002Finstall.sh --target cursor         # Cursor (this project)\n.\u002Finstall.sh --target all            # everything detected\n.\u002Finstall.sh --dry-run --target claude\n.\u002Finstall.sh --uninstall --target claude\n```\n\n---\n\n## Agent Catalog\n\nAgents are grouped by phase of an offensive engagement. The full\nmachine-readable index lives in [AGENTS.md](AGENTS.md).\n\n### Reconnaissance & Intelligence\n\n| Agent | Purpose |\n|---|---|\n| [`recon-advisor`](recon-advisor.md) | Surface enumeration and asset discovery |\n| [`osint-collector`](osint-collector.md) | Open-source intelligence gathering |\n| [`subdomain-takeover`](subdomain-takeover.md) | Dangling DNS and subdomain takeover validation |\n| [`threat-modeler`](threat-modeler.md) | STRIDE \u002F attack-surface modeling |\n| [`engagement-planner`](engagement-planner.md) | Scope, rules of engagement, test plans |\n| [`attack-planner`](attack-planner.md) | Multi-stage attack path planning |\n\n### Web, API & Application\n\n| Agent | Purpose |\n|---|---|\n| [`web-hunter`](web-hunter.md) | Web application vulnerability hunting |\n| [`api-security`](api-security.md) | REST and GraphQL API testing |\n| [`graphql-hunter`](graphql-hunter.md) | Schema introspection, authz, complexity attacks |\n| [`bizlogic-hunter`](bizlogic-hunter.md) | Business logic flaws and abuse cases |\n| [`ssrf-hunter`](ssrf-hunter.md) | SSRF discovery, filter bypass, cloud-metadata abuse |\n| [`jwt-cracker`](jwt-cracker.md) | JWT \u002F OIDC token attacks (alg confusion, kid\u002Fjku, weak HMAC) |\n| [`vuln-scanner`](vuln-scanner.md) | Automated scanning orchestration and triage |\n\n### Infrastructure, Cloud & Network\n\n| Agent | Purpose |\n|---|---|\n| [`cloud-security`](cloud-security.md) | AWS \u002F GCP \u002F Azure misconfiguration hunting |\n| [`container-escape`](container-escape.md) | Docker \u002F Kubernetes pod-to-node-to-cluster breakout |\n| [`cicd-redteam`](cicd-redteam.md) | CI\u002FCD pipeline and supply-chain attacks |\n| [`ad-attacker`](ad-attacker.md) | Active Directory enumeration and abuse |\n| [`wireless-pentester`](wireless-pentester.md) | Wi-Fi, Bluetooth, and RF assessments |\n| [`mobile-pentester`](mobile-pentester.md) | iOS \u002F Android application testing |\n| [`hardware-hacker`](hardware-hacker.md) | Embedded, JTAG, firmware extraction |\n\n### Exploitation & Post-Ex\n\n| Agent | Purpose |\n|---|---|\n| [`exploit-chainer`](exploit-chainer.md) | Combine findings into impactful chains |\n| [`exploit-guide`](exploit-guide.md) | Step-by-step exploitation reference |\n| [`payload-crafter`](payload-crafter.md) | Custom payload generation and tuning |\n| [`binary-exploit`](binary-exploit.md) | Memory corruption, ROP, pwn |\n| [`crypto-analyst`](crypto-analyst.md) | Crypto primitive and protocol analysis |\n| [`credential-tester`](credential-tester.md) | Password spraying, stuffing, brute force |\n| [`privesc-advisor`](privesc-advisor.md) | Linux \u002F Windows privilege escalation paths |\n| [`poc-validator`](poc-validator.md) | Verify, stabilize, and minimize PoCs |\n| [`red-team-operator`](red-team-operator.md) | C2, OPSEC, long-haul operations |\n\n### Specialized & Adversarial\n\n| Agent | Purpose |\n|---|---|\n| [`llm-redteam`](llm-redteam.md) | Prompt injection, tool abuse, RAG poisoning, agent loops |\n| [`phishing-operator`](phishing-operator.md) | Phishing infrastructure and campaign design |\n| [`social-engineer`](social-engineer.md) | Pretexting, vishing, human-layer attacks |\n| [`malware-analyst`](malware-analyst.md) | Static and dynamic malware analysis |\n| [`reverse-engineer`](reverse-engineer.md) | Binary RE, decompilation, patching |\n| [`forensics-analyst`](forensics-analyst.md) | DFIR, artifact analysis, timeline building |\n| [`ctf-solver`](ctf-solver.md) | CTF challenge solver across categories |\n\n### Defense, Reporting & Orchestration\n\n| Agent | Purpose |\n|---|---|\n| [`detection-engineer`](detection-engineer.md) | Detection and response engineering |\n| [`purple-team`](purple-team.md) | Detection-as-you-attack collaboration |\n| [`stig-analyst`](stig-analyst.md) | STIG \u002F CIS \u002F compliance hardening review |\n| [`report-generator`](report-generator.md) | Triage-ready bug bounty reports |\n| [`bug-bounty`](bug-bounty.md) | General-purpose bounty assistant |\n| [`swarm-orchestrator`](swarm-orchestrator.md) | Coordinate multiple agents in parallel |\n| [`_scope-guard`](_scope-guard.md) | Hard scope enforcement layered on any agent |\n\n---\n\n## Prerequisites\n\n- `git` and `bash` installed on your machine\n- An LLM client that supports custom system prompts or instruction files:\n  - [Claude Code](https:\u002F\u002Fclaude.com\u002Fclaude-code)\n  - [GitHub Copilot Chat](https:\u002F\u002Fgithub.com\u002Ffeatures\u002Fcopilot) (VS Code)\n  - [Cursor](https:\u002F\u002Fcursor.sh\u002F)\n  - ChatGPT (Custom GPTs \u002F Projects), Gemini, or any chat UI accepting a system prompt\n\n---\n\n## Per-Tool Setup\n\n### One-line installer\n\n```bash\n.\u002Finstall.sh           # interactive - detects what you have\n.\u002Finstall.sh --help    # see all options\n```\n\nThe installer auto-detects `claude`, `code`, and `cursor` on your `PATH`,\ncopies agents to the correct directory for each, and renames files\nappropriately (e.g. `.chatmode.md` for Copilot). Use `--dry-run` to\npreview, `--uninstall` to remove.\n\n\u003Cdetails>\n\u003Csummary>\u003Cb>Claude Code\u003C\u002Fb> - manual install\u003C\u002Fsummary>\n\n\u003Cbr \u002F>\n\nClaude Code reads agent definitions from `~\u002F.claude\u002Fagents\u002F` (global) or\n`.claude\u002Fagents\u002F` (per-project).\n\n```bash\n# Global\nmkdir -p ~\u002F.claude\u002Fagents && cp *.md ~\u002F.claude\u002Fagents\u002F\n\n# Per-project\nmkdir -p .claude\u002Fagents && cp \u002Fpath\u002Fto\u002FBug-Bounty-Agents\u002F*.md .claude\u002Fagents\u002F\n```\n\n```text\n\u002Fagents\n> use the web-hunter agent to audit https:\u002F\u002Ftarget.example.com\n```\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>\u003Cb>GitHub Copilot Chat\u003C\u002Fb> (VS Code) - manual install\u003C\u002Fsummary>\n\n\u003Cbr \u002F>\n\nCopilot Chat supports custom **chat modes** via `.chatmode.md` files.\n\n```bash\n# macOS\nPROMPTS_DIR=\"$HOME\u002FLibrary\u002FApplication Support\u002FCode\u002FUser\u002Fprompts\"\n# Linux:   PROMPTS_DIR=\"$HOME\u002F.config\u002FCode\u002FUser\u002Fprompts\"\n# Windows: %APPDATA%\\Code\\User\\prompts\n\nmkdir -p \"$PROMPTS_DIR\"\nfor f in *.md; do\n  cp \"$f\" \"$PROMPTS_DIR\u002F$(basename \"$f\" .md).chatmode.md\"\ndone\n```\n\nReload VS Code, then select the mode from the Copilot Chat dropdown.\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>\u003Cb>Cursor\u003C\u002Fb> - manual install\u003C\u002Fsummary>\n\n\u003Cbr \u002F>\n\n```bash\ncd \u002Fyour\u002Fproject\nmkdir -p .cursor\u002Frules\ncp \u002Fpath\u002Fto\u002FBug-Bounty-Agents\u002F*.md .cursor\u002Frules\u002F\n```\n\nEach file becomes a selectable rule in Cursor's chat panel.\n\n\u003C\u002Fdetails>\n\n\u003Cdetails>\n\u003Csummary>\u003Cb>ChatGPT \u002F Gemini \u002F Generic\u003C\u002Fb> - copy-paste\u003C\u002Fsummary>\n\n\u003Cbr \u002F>\n\nOpen the agent file, copy its full contents, and paste into:\n\n- **ChatGPT** - Custom GPT → Instructions, or Project → Instructions\n- **Gemini** - Gem instructions\n- **Open WebUI \u002F LM Studio** - System prompt field\n- **API clients** - `system` role message\n\n\u003C\u002Fdetails>\n\n---\n\n## Using an Agent\n\nOnce installed, give the agent a concrete target and scope:\n\n```text\nTarget: https:\u002F\u002Fstaging.acme.example.com\nScope:  *.acme.example.com (in scope), *.thirdparty.example.com (out)\nGoal:   Find auth bypass and IDOR on \u002Fapi\u002Fv2\u002Fusers endpoints.\n```\n\nWell-behaved agents will:\n\n- Ask clarifying questions before acting\n- Stay strictly within scope\n- Produce reproducible PoCs\n- Output triage-ready findings with severity and impact\n\n---\n\n## Workflows\n\nUse `swarm-orchestrator` or `attack-planner` to coordinate a full engagement:\n\n```mermaid\nflowchart LR\n    A[recon-advisor]:::phase --> B[web-hunter\u003Cbr\u002F>api-security]:::phase\n    B --> C[exploit-chainer]:::phase\n    C --> D[poc-validator]:::phase\n    D --> E[report-generator]:::phase\n\n    A -.- A1([enumerate attack surface]):::note\n    B -.- B1([find vulnerabilities]):::note\n    C -.- C1([escalate impact]):::note\n    D -.- D1([confirm & stabilize]):::note\n    E -.- E1([write the submission]):::note\n\n    classDef phase fill:#0d1117,stroke:#30363d,color:#e6edf3,stroke-width:1px;\n    classDef note  fill:#00000000,stroke:#00000000,color:#8b949e;\n```\n\nLayer `_scope-guard` on top of any agent to enforce hard scope boundaries\nduring long-running sessions. For purple-team work, run `red-team-operator`\nand `purple-team` side by side.\n\n---\n\n## Examples\n\nEnd-to-end engagement walkthroughs (sanitized) live in [`examples\u002F`](examples\u002F):\n\n- [`web-bug-bounty.md`](examples\u002Fweb-bug-bounty.md) - recon → web-hunter →\n  bizlogic → chain → validate → report, ending in a Critical-tier\n  HackerOne submission.\n\n---\n\n## Burp Suite MCP Integration\n\n[PortSwigger's MCP Server](https:\u002F\u002Fgithub.com\u002FPortSwigger\u002Fmcp-server) lets\nyour LLM client drive Burp Suite directly - issue requests through the\nproxy, query Repeater\u002FIntruder, read site maps, and pivot off live traffic\nwhile an agent in this repo provides the methodology.\n\n> **Pairing tip:** load `web-hunter`, `api-security`, `ssrf-hunter`, or\n> `bizlogic-hunter` alongside the Burp MCP so the agent can both *think*\n> like a specialist and *act* through Burp.\n\n\u003Cdetails>\n\u003Csummary>\u003Cb>Setup walkthrough\u003C\u002Fb> - prerequisites, build, load, wire-up, smoke test\u003C\u002Fsummary>\n\n\u003Cbr \u002F>\n\n### Prerequisites\n\n- Burp Suite (Community or Professional) installed and running\n- Java available on `PATH` (`java --version`)\n- `jar` available on `PATH` (`jar --version`) - required to build\n- An MCP-capable client (Claude Desktop, Claude Code, Cursor, etc.)\n\n### Build the extension\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002FPortSwigger\u002Fmcp-server.git\ncd mcp-server\n.\u002Fgradlew embedProxyJar\n# output: build\u002Flibs\u002Fburp-mcp-all.jar\n```\n\n### Load into Burp Suite\n\n1. Launch Burp Suite.\n2. Go to **Extensions → Add**.\n3. Set **Extension Type** to `Java`.\n4. Select `build\u002Flibs\u002Fburp-mcp-all.jar` and click **Next**.\n5. Open the new **MCP** tab and tick **Enabled**.\n   - Optional: enable *tools that can edit your config* if you trust the client.\n   - Default listener: `http:\u002F\u002F127.0.0.1:9876`.\n\n### Wire up your MCP client\n\n**Claude Desktop (auto):** in the Burp MCP tab, click the installer button -\nit writes the config for you. Restart Claude Desktop.\n\n**Claude Desktop (manual):** edit\n`~\u002FLibrary\u002FApplication Support\u002FClaude\u002Fclaude_desktop_config.json` (macOS) or\n`%APPDATA%\\Claude\\claude_desktop_config.json` (Windows):\n\n```json\n{\n  \"mcpServers\": {\n    \"burp\": {\n      \"command\": \"\u002Fpath\u002Fto\u002Fburp\u002Fjre\u002Fbin\u002Fjava\",\n      \"args\": [\n        \"-jar\",\n        \"\u002Fpath\u002Fto\u002Fmcp-proxy-all.jar\",\n        \"--sse-url\",\n        \"http:\u002F\u002F127.0.0.1:9876\"\n      ]\n    }\n  }\n}\n```\n\nUse the Burp MCP tab's installer to extract `mcp-proxy-all.jar` if you\ndon't already have it.\n\n**SSE-capable clients (Cursor, Claude Code, custom):** point them straight\nat the SSE endpoint - no proxy needed:\n\n```text\nhttp:\u002F\u002F127.0.0.1:9876\u002Fsse\n```\n\n### Smoke test\n\nWith Burp running, the extension loaded, and your client restarted, ask:\n\n```text\nUse the burp MCP to list the last 10 requests in the proxy history,\nthen pick anything that looks like an authenticated API call.\n```\n\nIf the client returns live traffic from your Burp session, you're wired up.\n\n\u003C\u002Fdetails>\n\n---\n\n## Updating\n\n```bash\ncd ~\u002Fpath\u002Fto\u002FBug-Bounty-Agents\ngit pull\n.\u002Finstall.sh         # re-runs install with the latest agents\n```\n\n---\n\n## Project Files\n\n| File | Purpose |\n|---|---|\n| [`README.md`](README.md) | This file |\n| [`AGENTS.md`](AGENTS.md) | Machine-readable index (phase, ATT&CK tactic, risk tier) |\n| [`CHANGELOG.md`](CHANGELOG.md) | Version history |\n| [`CONTRIBUTING.md`](CONTRIBUTING.md) | How to add or update agents |\n| [`SECURITY.md`](SECURITY.md) | How to report prompt-safety issues |\n| [`LICENSE`](LICENSE) | MIT |\n| [`install.sh`](install.sh) | Auto-detecting installer |\n| [`templates\u002FAGENT_TEMPLATE.md`](templates\u002FAGENT_TEMPLATE.md) | Boilerplate for new agents |\n| [`examples\u002F`](examples\u002F) | Sanitized engagement walkthroughs |\n| [`.github\u002F`](.github\u002F) | Issue \u002F PR templates and CI |\n\n---\n\n## Contributing\n\nPRs and issues are welcome. See [CONTRIBUTING.md](CONTRIBUTING.md) for the\ncontribution workflow, agent template, and style guide. Use the issue\ntemplates for bug reports and new-agent proposals.\n\n---\n\n## Security\n\nFound a prompt-safety or supply-chain issue? See [SECURITY.md](SECURITY.md)\nand report privately via GitHub Security Advisories.\n\n---\n\n## Disclaimer\n\n> These agents are intended for **authorized security testing only** -\n> bug bounty programs you are enrolled in, systems you own, or environments\n> where you have explicit written permission to test.\n>\n> Unauthorized testing is illegal in most jurisdictions. You alone are\n> responsible for how you use these prompts.\n\n---\n\n\u003Cdiv align=\"center\">\n\n\u003Csub>Built for hunters who prefer disciplined prompts over brittle frameworks.\u003C\u002Fsub>\n\n\u003Cbr \u002F>\n\n[**Star on GitHub**](https:\u002F\u002Fgithub.com\u002Fmatty69v\u002FBug-Bounty-Agents)  ·  [**Report an issue**](https:\u002F\u002Fgithub.com\u002Fmatty69v\u002FBug-Bounty-Agents\u002Fissues)  ·  [**Contribute**](CONTRIBUTING.md)\n\n\u003Csub>MIT licensed · Authorized testing only\u003C\u002Fsub>\n\n\u003C\u002Fdiv>\n","Bug-Bounty-Agents 是一个专为漏洞赏金狩猎、渗透测试和红队行动设计的AI驱动代理工具集。该项目提供了43个专门针对不同安全测试阶段（如侦察、Web漏洞挖掘、漏洞利用链构建和报告生成等）的代理角色，支持Claude Code、GitHub Copilot Chat、Cursor及任何具备代理能力的大语言模型客户端。其核心特点在于无需依赖任何框架或额外组件，仅通过精心编写的提示词即可将通用LLM转化为特定领域的专家。适用于希望增强现有工具集功能的安全研究人员、渗透测试者以及参与漏洞赏金项目的个人使用。",2,"2026-06-11 02:48:05","CREATED_QUERY"]