![claude-bughunter banner](assets/banner.svg)

# claude-bughunter

> A self-contained Claude skill bundle for bug hunting and external red-team work · **51 skills** · 15 slash commands · **574+ disclosed-report patterns** across 24 vulnerability classes · enterprise identity + infrastructure attack matrices · engagement-folder scaffolding · Burp MCP integration · battle-tested across authorized red-team and bug-hunting engagements, plus public training platforms (DVWA, OWASP Juice Shop, Hacker101, testphp.vulnweb.com).

Built by **[ElementalSoul](https://github.com/elementalsouls)** — Bug Hunting & GenAI Security Research.

---

## What is this?

`claude-bughunter` is a drop-in skill bundle for the [Claude Code skills system](https://docs.claude.com/en/docs/claude-code/skills). Install once and Claude Code stops being a chatbot and starts behaving like a senior bug-hunting researcher or red-team operator: it knows the techniques, the chain templates, the VRT mappings, the platform CVE chains, and the hygiene — and it stays in scope.

Four layers stack:

- **`bug-bounty` + `bb-methodology` + `redteam-mindset`** — *how to think.* 5-phase non-linear hunting workflow, critical-thinking framework, developer-psychology heuristics, anomaly detection patterns, and the red-team operator-discipline corrections (when scope is "external red team" not "bug hunting / WAPT").
- **24 `hunt-*` skills + `security-arsenal`** — *what to look for in webapps.* Per-class detection patterns, payloads, bypass tables, and chain templates curated from 574+ disclosed HackerOne reports.
- **Enterprise platform attack chains** — *what to look for on the perimeter.* `m365-entra-attack`, `okta-attack`, `cloud-iam-deep`, `vmware-vcenter-attack`, `enterprise-vpn-attack`, `hunt-sharepoint`, `hunt-aspnet`, `hunt-ntlm-info`, `apk-redteam-pipeline`, `supply-chain-attack-recon` — current 2024-2026 CVE chains, AADSTS error references, version-fingerprint matrices, and post-credential escalation paths.
- **`triage-validation` + `bugcrowd-reporting` + `evidence-hygiene` + `redteam-report-template` + `mid-engagement-ir-detection`** — *how to ship it.* 7-Question Gate, VRT category fallback, severity-request paragraphs, OOS rebuttals, cookie/PII redaction, client-facing red-team deliverable format, and SOC-patch / mid-engagement-attacker detection methodology.

All triggered automatically by topic — describe what you're testing in plain English and the relevant skill loads. No invocation by name.

> **51 skills · 15 commands · 574+ disclosed reports curated · 6-phase workflow · exercised against public training platforms (DVWA, OWASP Juice Shop, Hacker101, testphp.vulnweb.com) and calibrated through authorized real-world engagements.**

---

## Scope — what this bundle is for, and what it isn't

This bundle covers the **external attack surface** — anything reachable from the internet without first compromising an internal endpoint.

### In scope

- **Bug bounty hunting** — web apps, APIs, SaaS, GraphQL, OAuth, JWT, file upload, IDOR, SSRF, RCE chains
- **Web application pentesting** — full hunt-* coverage of OWASP-mapped bug classes + discipline rules
- **External red-team engagements** — initial access against the internet-facing enterprise estate: M365 / Entra ID, Okta-as-IdP, SharePoint on-prem (ToolShell + legacy SOAP), VMware vCenter / Workspace ONE, SSL VPN appliances (Cisco / Fortinet / Citrix / Palo Alto / Pulse / SonicWall / F5), Android APK red-team, supply-chain recon
- **Cloud misconfig + post-credential escalation** — public S3, IMDS chains, STS AssumeRole, cross-account confused-deputy
- **Recon + OSINT** — subdomain enum, identity-fabric mapping, certificate transparency, JS analysis, secret scanning
- **Reporting** — H1, Bugcrowd (VRT-aware), Intigriti, Immunefi, plus client-facing red-team deliverable format

### Out of scope (deliberate — not gaps, design decisions)

- **Internal Active Directory attacks** — BloodHound, Kerberoasting, ASREPRoast, DCSync, Pass-the-Hash, AD CS abuse, ntlmrelayx, Responder, PetitPotam, etc. Different operational risk profile; needs different tooling and judgment. **Future bundle, not this one.**
- **C2 frameworks** — Cobalt Strike, Sliver, Mythic, Havoc, BRC4 tradecraft. Out of scope for the external-only engagement model.
- **Post-exploit / persistence / lateral** — Mimikatz/comsvcs LSASS dumping, golden/silver tickets, named-pipe impersonation, persistence (registry, scheduled tasks, WMI events, COM hijacking), token theft. These start after the perimeter has already broken — different bundle territory.
- **Evasion** — AMSI bypass, ETW patching, AV/EDR bypass. Tied to C2 tradecraft above.
- **iOS pentesting / hardware / RF / ICS** — out of scope by design.
- **Binary exploitation / kernel pwn / browser internals** — different skill universe.

If you're running an internal red team that includes domain-takeover chains via Kerberos or lateral movement, **this bundle won't help you in those phases** — and we'd rather say that up front than have you find out mid-engagement. The handoff from the external surface to internal-RT tooling (Impacket, NetExec, CrackMapExec, Rubeus, Certify, BloodHound) is intentionally outside our scope. **Coverage for internal AD and post-exploit may come in a future update.**

---

## Capability Map

The 51 skills group into 7 capability domains. Each box below is a real skill on disk. Skills auto-load when their description keywords match what you're describing to Claude.

```mermaid
graph TB
    classDef recon fill:#FFE4D1,stroke:#DA7756,stroke-width:2px,color:#080705
    classDef hunt fill:#FFB591,stroke:#DA7756,stroke-width:2px,color:#080705
    classDef platform fill:#FF8B14,stroke:#DA7756,stroke-width:2px,color:#fff
    classDef redteam fill:#DA7756,stroke:#23201C,stroke-width:2px,color:#fff
    classDef workflow fill:#FFE4D1,stroke:#DA7756,stroke-width:2px,color:#080705
    classDef report fill:#FFB591,stroke:#DA7756,stroke-width:2px,color:#080705
    classDef cli fill:#23201C,stroke:#DA7756,stroke-width:2px,color:#FFE4D1

    subgraph SCOPE [" "]
        direction LR
        S1["Engagement scaffold<br/>hunt &lt;target&gt;<br/>bug-bounty · bb-methodology"]:::workflow
    end

    subgraph RECON ["Recon & Intelligence (3)"]
        direction TB
        R1["offensive-osint<br/>15-ref probe arsenal"]:::recon
        R2["web2-recon<br/>subdomain + endpoint enum"]:::recon
        R3["osint-methodology<br/>5-stage pipeline"]:::recon
    end

    subgraph HUNT ["Hunt — Web App (27 hunt-* skills)"]
        direction TB
        H1["Injection<br/>hunt-sqli · hunt-xss · hunt-ssti · hunt-rce"]:::hunt
        H2["Authorization<br/>hunt-idor · hunt-auth-bypass · hunt-csrf"]:::hunt
        H3["Server-Side<br/>hunt-ssrf · hunt-xxe · hunt-http-smuggling · hunt-cache-poison"]:::hunt
        H4["Identity<br/>hunt-jwt · hunt-saml · hunt-oauth · hunt-mfa-bypass · hunt-ato"]:::hunt
        H5["API & Modern<br/>hunt-graphql · hunt-api-misconfig · hunt-file-upload"]:::hunt
        H6["Business & Race<br/>hunt-business-logic · hunt-race-condition · hunt-llm-ai · hunt-pii-leak"]:::hunt
    end

    subgraph PLATFORM ["Enterprise Platform Attack (7)"]
        direction TB
        P1["Identity Fabric<br/>m365-entra-attack · okta-attack"]:::platform
        P2["Cloud & Virt<br/>cloud-iam-deep · vmware-vcenter-attack"]:::platform
        P3["Perimeter Appliances<br/>enterprise-vpn-attack"]:::platform
        P4["SharePoint Ecosystem<br/>hunt-sharepoint · hunt-aspnet · hunt-ntlm-info"]:::platform
        P5["Mobile & Supply Chain<br/>apk-redteam-pipeline · supply-chain-attack-recon"]:::platform
    end

    subgraph REDTEAM ["Red Team Tradecraft (2)"]
        direction TB
        RT1["redteam-mindset<br/>DO NOT STOP directive<br/>operator discipline"]:::redteam
        RT2["mid-engagement-ir-detection<br/>SOC-patch & attacker-activity<br/>baseline-shift detection"]:::redteam
    end

    subgraph WORKFLOW ["Validation & Discipline"]
        direction TB
        V1["triage-validation<br/>7-Question Gate<br/>PASS / DOWNGRADE / KILL / CHAIN"]:::workflow
    end

    subgraph REPORT ["Capture & Report (3)"]
        direction TB
        E1["evidence-hygiene<br/>cookie redaction · PII black-bar"]:::report
        E2["report-writing<br/>H1 · Intigriti · Immunefi templates"]:::report
        E3["bugcrowd-reporting · redteam-report-template<br/>VRT mapping · DOCX deliverable"]:::report
    end

    subgraph CLI ["Slash Commands & CLI (15 + 1)"]
        direction LR
        C1["Slash: /recon /hunt /triage /report /validate /chain /autopilot /scope /surface /pickup /intel /remember /memory-gc /token-scan /web3-audit"]:::cli
        C2["cbh CLI: recon · classify · triage · report"]:::cli
    end

    SCOPE --> RECON
    RECON --> HUNT
    RECON --> PLATFORM
    HUNT --> WORKFLOW
    PLATFORM --> WORKFLOW
    REDTEAM -.applies throughout.-> HUNT
    REDTEAM -.applies throughout.-> PLATFORM
    WORKFLOW --> REPORT
    CLI -.routes into.-> RECON
    CLI -.routes into.-> HUNT
    CLI -.routes into.-> WORKFLOW
    CLI -.routes into.-> REPORT
```

**How to read the map:**
- **Boxes** are skills (auto-load by keyword) or skill clusters
- **Solid arrows** = standard engagement progression (scope → recon → hunt → validate → report)
- **Dotted arrows** = layered concerns (red-team mindset overlays the hunt phase; the CLI/slash layer routes into every phase)
- **Numbers in parens** = how many skills are in that group

If you're new and want to see what attacks the bundle teaches: focus on the **Hunt** (web) and **Platform Attack** (enterprise perimeter) groups. If you're already a hunter and want to know what's new vs your own workflow: look at **Red Team Tradecraft** and **Validation & Discipline** — those are the operator-discipline layer that most checklists skip.

---

## Engagement Flow

Every engagement follows the same 6-phase loop. Skills auto-load at each phase. The Validate gate has 4 possible outcomes — only **PASS** or **DOWNGRADE** continue forward to a report; **KILL** and **CHAIN REQUIRED** return you to Hunt with a verdict that prevents wasted reporting effort.

```mermaid
flowchart TD
    classDef phase fill:#FFB591,stroke:#DA7756,stroke-width:3px,color:#080705
    classDef gate fill:#FF8B14,stroke:#23201C,stroke-width:2px,color:#fff
    classDef decision fill:#FFE4D1,stroke:#DA7756,stroke-width:2px,color:#080705
    classDef terminal fill:#23201C,stroke:#DA7756,stroke-width:2px,color:#FFE4D1
    classDef discipline fill:#DA7756,stroke:#23201C,stroke-width:2px,color:#fff

    Start(["🎯 Engagement starts"]):::terminal --> Mode

    Mode{"Engagement mode?<br/><i>bb-methodology Part 0</i>"}:::decision
    Mode -->|"Bug Bounty"| Scope
    Mode -->|"Red Team"| RTSetup
    Mode -->|"Pentest"| Scope

    RTSetup["Load red-team layer<br/><b>redteam-mindset</b><br/>DO NOT STOP directive<br/><b>mid-engagement-ir-detection</b>"]:::discipline
    RTSetup --> Scope

    Scope["<b>1. SCOPE</b><br/>hunt &lt;target&gt; → scaffold folder<br/>Parse program rules<br/>Fill scope.md<br/><i>skills: bug-bounty, bb-methodology</i>"]:::phase
    Scope --> Recon

    Recon["<b>2. RECON</b><br/>Subdomain enum · endpoint mapping<br/>JS bundle harvest · identity fabric<br/><i>skills: offensive-osint, web2-recon</i><br/>commands: /recon · cbh recon &lt;target&gt;"]:::phase
    Recon --> Hunt

    Hunt["<b>3. HUNT</b><br/>Test bug-class hypotheses<br/>Apply payloads from Pattern Libraries<br/><i>27 hunt-* skills auto-load by keyword</i><br/>commands: /hunt · /chain"]:::phase
    Hunt --> Found{"Lead<br/>found?"}:::decision
    Found -->|"no"| Hunt
    Found -->|"yes"| Validate

    Validate["<b>4. VALIDATE</b><br/>Run the 7-Question Gate<br/>Q1: real HTTP request?<br/>Q2: accepted-impact list?<br/>Q3: in scope?<br/>Q4: no admin-only assumption?<br/>Q5: not already known?<br/>Q6: concrete impact, not 'technically possible'?<br/>Q7: not on never-submit list?<br/><i>skill: triage-validation</i><br/>command: /triage"]:::phase
    Validate --> Verdict{"Gate verdict"}:::gate

    Verdict -->|"PASS<br/>(all 7 ✓)"| Capture
    Verdict -->|"DOWNGRADE<br/>(Q2 or Q5 fail)"| Capture
    Verdict -->|"CHAIN REQUIRED<br/>(needs another primitive)"| Hunt
    Verdict -->|"KILL<br/>(any other failure)"| Hunt

    Capture["<b>5. CAPTURE</b><br/>Cookie redaction · PII black-bar<br/>HAR sanitization · screenshot order<br/><i>skill: evidence-hygiene</i>"]:::phase
    Capture --> Report

    Report["<b>6. REPORT</b><br/>Draft per platform template<br/>H1 / Bugcrowd VRT / Intigriti / Immunefi<br/>or client-facing DOCX (red-team)<br/><i>skills: report-writing, bugcrowd-reporting,<br/>redteam-report-template</i><br/>command: /report"]:::phase
    Report --> Submit(["📨 Submit"]):::terminal

    Submit --> Track["Append UUID to submissions.txt<br/>Cross-reference future chains<br/>command: /remember"]
    Track --> Hunt
```

**Key properties of this flow:**

- **Validate gate is non-optional.** Even if you're confident a finding is real, route it through `/triage` first. The gate is what separates productive researchers from N/A noise. Reported as the single most useful step by every researcher who used the bundle.
- **KILL returns to Hunt, not to "end of engagement."** A killed lead doesn't mean the engagement is over — it means *that specific lead* is dead. Keep hunting.
- **CHAIN REQUIRED is a real verdict.** Many high-severity findings only land as Critical when chained with another primitive (e.g., user-enum + no-rate-limit + weak password policy = ATO). The verdict tells you "go find the other half before reporting."
- **Track loops back.** Once you submit, the engagement isn't done. Open leads exist; chained reports cross-reference submission UUIDs. The `/remember` command persists this state across Claude Code sessions.
- **Red-team mode adds a discipline layer.** When mode=Red Team, `redteam-mindset` and `mid-engagement-ir-detection` are loaded throughout — applying "DO NOT STOP" discipline at every step and watching for client-SOC mid-engagement patches.

---

## Two interfaces — pick what fits your engagement

The bundle exposes the same content through two interfaces. **Slash commands are the primary interface**; the `cbh` CLI is a secondary terminal-native runner. Both consume the same `skills/` content; they differ in execution model.

| | Slash commands (PRIMARY) | `cbh` CLI (SECONDARY) |
|---|---|---|
| Runs in | A Claude Code conversation | Any terminal with Python 3.9+ |
| Execution | LLM-driven — reads full SKILL.md, applies judgment, can chain skills, can converse | Deterministic — Python stdlib, regex match, real `subfinder`/`dig`/`curl` calls |
| Output | Conversational, contextual, varies per run | Files + structured stdout, identical across runs |
| Best for | Hunting, chain construction, applying discipline rules with nuance, talking through findings | CI/CD, scripted automation, bulk recon, deterministic verification, non-Claude environments |
| Examples | `/recon target.com` `/hunt target.com` `/triage` `/report` `/validate` `/chain` `/autopilot` `/scope` | `cbh recon target.com` (real network I/O) · `cbh triage finding.md` (deterministic 7Q grep) · `cbh report finding.md --platform bugcrowd` |

**Choose by use case:**

- **Exploring a new target?** Use Claude Code with slash commands. The LLM applies judgment that the deterministic CLI can't.
- **Running scheduled recon? Verifying labs? CI gate?** Use `cbh`. It's reproducible and scriptable.
- **You don't have Claude Code installed but want to read the skills/Pattern Libraries?** Use `cbh` plus `cat skills/<name>/SKILL.md`. The content stands on its own.

See [`docs/cbh-cli.md`](docs/cbh-cli.md) for the CLI reference. See the slash command list under **Slash Commands** later in this file for the conversational interface.

---

## Structure

```
Claude-BugHunter/
├── skills/                                  # 51 SKILL.md bundles
│   ├── apk-redteam-pipeline/                # APK acquisition → jadx → secrets → Frida
│   ├── bb-local-toolkit/                    # full bug-bounty workflow pipeline router
│   ├── bb-methodology/                      # 5-phase non-linear hunting workflow (vendored)
│   ├── bug-bounty/                          # master orchestrator (vendored)
│   ├── bugcrowd-reporting/                  # VRT, OOS rebuttals, severity requests
│   ├── cloud-iam-deep/                      # AWS/Azure/GCP IAM priv-esc chains
│   ├── enterprise-vpn-attack/               # Cisco/Fortinet/Citrix/PAN/Pulse SSL VPN
│   ├── evidence-hygiene/                    # cookie/PII/HAR redaction discipline
│   ├── hunt-api-misconfig/                  # mass assignment, JWT, prototype pollution, CORS
│   ├── hunt-aspnet/                         # ASP.NET ViewState, machineKey, WebForms
│   ├── hunt-ato/                            # 9 account-takeover paths + chains
│   ├── hunt-auth-bypass/                    # auth bypass — 4 disclosed reports
│   ├── hunt-business-logic/                 # business logic flaws — 7 disclosed reports
│   ├── hunt-cache-poison/                   # cache poisoning — 4 disclosed reports
│   ├── hunt-cloud-misconfig/                # S3, Lambda, RDS, IAM-in-JS, metadata SSRF
│   ├── hunt-csrf/                           # CSRF — 10 disclosed reports
│   ├── hunt-dispatch/                       # /hunt mode router (redteam vs WAPT)
│   ├── hunt-file-upload/                    # webshell, SVG XSS, DOCX XXE, traversal
│   ├── hunt-graphql/                        # GraphQL — 3 disclosed reports
│   ├── hunt-http-smuggling/                 # CL.TE / TE.CL request smuggling
│   ├── hunt-idor/                           # IDOR — 26 disclosed reports
│   ├── hunt-llm-ai/                         # prompt injection, ASCII smuggling, ASI01-10
│   ├── hunt-mfa-bypass/                     # 7 MFA/2FA bypass patterns
│   ├── hunt-misc/                           # catch-all — 225 disclosed reports
│   ├── hunt-ntlm-info/                      # NTLM Type-2 AD topology disclosure
│   ├── hunt-oauth/                          # OAuth — 10 disclosed reports
│   ├── hunt-race-condition/                 # race conditions — 3 disclosed reports
│   ├── hunt-rce/                            # RCE — 67 disclosed reports
│   ├── hunt-saml/                           # SAML XSW1–XSW8 + SSO attacks
│   ├── hunt-sharepoint/                     # SharePoint on-prem (ToolShell, anon SOAP)
│   ├── hunt-sqli/                           # SQLi — 8 disclosed reports
│   ├── hunt-ssrf/                           # SSRF — 9 disclosed reports
│   ├── hunt-ssti/                           # SSTI: Jinja/Twig/FreeMarker/ERB/Spring
│   ├── hunt-subdomain/                      # subdomain takeover — 11 disclosed reports
│   ├── hunt-xss/                            # XSS — 174 disclosed reports
│   ├── hunt-xxe/                            # XXE — 4 disclosed reports
│   ├── m365-entra-attack/                   # M365/Entra full chain (AADSTS, CA, ROPC)
│   ├── meme-coin-audit/                     # token rug-pull + SPL/Token-2022 audit
│   ├── mid-engagement-ir-detection/         # detect SOC patches + attacker activity mid-test
│   ├── offensive-osint/                     # 15-reference probe arsenal
│   ├── okta-attack/                         # Okta IdP enum, factor flows, push fatigue
│   ├── osint-methodology/                   # 5-stage recon + asset graph
│   ├── redteam-mindset/                     # red-team operator discipline + DO NOT STOP
│   ├── redteam-report-template/             # client-facing deliverable format
│   ├── report-writing/                      # H1/Bugcrowd/Intigriti templates (vendored)
│   ├── security-arsenal/                    # payloads + bypass tables (vendored)
│   ├── supply-chain-attack-recon/           # dep-confusion, GH Actions, SBOM mining
│   ├── triage-validation/                   # 7-Question Gate + 4 validation gates (vendored)
│   ├── vmware-vcenter-attack/               # vCenter/Workspace ONE/Aria CVE chain
│   ├── web2-recon/                          # subdomain enum, host discovery (vendored)
│   └── web3-audit/                          # 10 DeFi bug classes (vendored)
├── commands/                                # 15 slash commands
├── scripts/
│   ├── hunt.sh                              # engagement-folder scaffolder
│   ├── install.sh                           # single-step installer
│   ├── install-community-skills.sh          # optional: refresh vendored upstream
│   ├── cbh.py                               # terminal-native CLI runner
│   └── refresh-cve-index.py                 # CISA KEV refresh against in-scope vendors
├── docs/                                    # architecture · credits · CLI reference · CVE coverage · pattern libraries · verification labs
├── assets/                                  # banner + architecture / capability-map / engagement-flow SVGs
└── README.md · INSTALL.md · USAGE.md · CONTRIBUTING.md · SECURITY.md · LICENSE
```

Drop the contents of `skills/` into `~/.claude/skills/` and Claude auto-triggers on relevant phrases. The `install.sh` script does this plus copies commands to `~/.claude/commands/` and wires `hunt.sh` into your shell rc.

---

## Skill Index

51 skills in the 11 groups below (the Capability Map above collapses them into 7 domains) + 15 slash commands. **Skills auto-load by keyword** — you don't invoke them by name; describe what you're testing in plain English and the matching skill loads.

### Quick lookup — find a skill by what you're seeing

The fastest way to land on the right skill. If you see the pattern in the left column, the right column is the skill that loads.

| When you see this on the target… | Skill that loads |
|---|---|
| Reflected user input echoed back in HTML / JS context | `hunt-xss` |
| User-controlled value that changes a database-backed response (error text, result set, timing) | `hunt-sqli` |
| Numeric ID in URL or body (`/users/42`, `?invoice_id=12345`) | `hunt-idor` |
| URL parameter accepting URLs (`?url=`, `?next=`, `?redirect=`, `?callback=`) | `hunt-ssrf` |
| File upload form / `/avatar`, `/attachment`, `/import` endpoint | `hunt-file-upload` |
| GraphQL endpoint (`/graphql`, `/v1/graphql`, GraphiQL playground) | `hunt-graphql` |
| ASP.NET `__VIEWSTATE` field in form / WebForms / `.aspx` paths | `hunt-aspnet` |
| Cisco WebVPN cookie + `/+CSCOE+/logon.html` redirect | `enterprise-vpn-attack` |
| Microsoft `login.microsoftonline.com` SAML redirect | `m365-entra-attack` |
| Okta tenant subdomain (`*.okta.com`, `*.oktapreview.com`) | `okta-attack` |
| Login form with no rate-limit on credential check | `hunt-auth-bypass` + `hunt-ato` |
| OTP / 2FA flow with retry button | `hunt-mfa-bypass` |
| JWT token in cookie / Authorization header | `hunt-api-misconfig` (JWT attacks inside) |
| Public S3 bucket / Lambda URL / kubelet :10250 / Docker :2375 | `hunt-cloud-misconfig` |
| SharePoint farm path (`/_layouts/15/`, `/_vti_bin/`) | `hunt-sharepoint` |
| `/api/users/{id}` PUT / DELETE on a SaaS REST API | `hunt-idor` + `hunt-api-misconfig` |

If none of the above match: tell Claude *"I want to test for X"* (where X is the bug class) and the relevant `hunt-*` loads.

---

### Web Application Hunting (8 skills)

| Skill | What it covers | Coverage source |
|---|---|---|
| `hunt-aspnet` | **ASP.NET ViewState · machineKey · WebForms · WCF · request-validator bypass** | authorized-engagement |
| `hunt-csrf` | Cross-site request forgery (chain-required impact) | 10 H1 reports |
| `hunt-file-upload` | File upload bypass — 10 techniques (double-ext, magic-bytes, polyglot, ZIP slip, SVG XSS) | curated |
| `hunt-idor` | IDOR / broken object-level authorization · cross-tenant access | 26 H1 reports |
| `hunt-sqli` | SQL injection (classic, blind, time-based) · NoSQL injection | 8 H1 reports |
| `hunt-ssti` | Server-side template injection (Jinja2, Twig, FreeMarker, ERB, Spring) | curated |
| `hunt-xss` | Reflected · Stored · DOM · blind XSS · CSP bypass | 174 H1 reports |
| `hunt-xxe` | XML external entity (in-band, OOB, XXE-via-DOCX) | 4 H1 reports |

### Authentication & Identity (5 skills)

| Skill | What it covers | Coverage source |
|---|---|---|
| `hunt-ato` | Account takeover taxonomy — 9 distinct paths + chains | curated |
| `hunt-auth-bypass` | Broken authentication / access control | 4 H1 reports |
| `hunt-mfa-bypass` | MFA / 2FA bypass — 7 patterns (OTP brute, race, recovery dump, factor downgrade) | curated |
| `hunt-oauth` | OAuth 2.0 / OIDC flaws · open-redirect chain · state-parameter abuse | 10 H1 reports |
| `hunt-saml` | SAML / SSO attacks · XML signature wrapping · comment injection | curated |

### API & Infrastructure (6 skills)

| Skill | What it covers | Coverage source |
|---|---|---|
| `hunt-api-misconfig` | API misconfig — mass assignment, JWT attacks, prototype pollution, CORS | curated |
| `hunt-cloud-misconfig` | Cloud / K8s misconfig — public S3, Lambda URLs, kubelet :10250, Docker :2375 | curated |
| `hunt-graphql` | GraphQL — introspection, alias batching, depth abuse, node() IDOR | 3 H1 reports |
| `hunt-rce` | RCE — crown-jewel chains, deserialization, code injection | 67 H1 reports |
| `hunt-ssrf` | SSRF + 11 IP-bypass techniques · cloud metadata exfil | 9 H1 reports |
| `hunt-subdomain` | Subdomain takeover — 27+ provider fingerprints + chain to ATO | 11 H1 reports |

### Advanced & Concurrency (6 skills)

| Skill | What it covers | Coverage source |
|---|---|---|
| `hunt-business-logic` | Business logic flaws — coupon abuse, balance manipulation, state-machine reversal | 7 H1 reports |
| `hunt-cache-poison` | Web cache poisoning · cache deception · CDN exploitation | 4 H1 reports |
| `hunt-http-smuggling` | HTTP request smuggling (CL.TE, TE.CL, H2.CL, H2.TE) | curated |
| `hunt-llm-ai` | LLM / agentic AI — prompt injection, ASCII smuggling, ASI01–ASI10 | curated |
| `hunt-misc` | Catch-all for less-common classes (clickjacking, open-redirect, XS-leaks, etc.) | 225 H1 reports |
| `hunt-race-condition` | Race conditions / TOCTOU — double-spend, MFA-bypass-via-race | 3 H1 reports |

### Enterprise Identity & Cloud Attack ★ (3 skills)

| Skill | What it covers | Coverage source |
|---|---|---|
| `cloud-iam-deep` | Cloud IAM priv-esc — AWS (24+), Azure (8+), GCP (6+) patterns · STS chaining · IMDS · K8s SA tokens · confused-deputy | original |
| `m365-entra-attack` | M365 / Entra ID — AADSTS codes, user enum, Smart Lockout math, CA bypass, ROPC, SAML SSO browser flow | authorized-engagement |
| `okta-attack` | Okta-as-IdP — tenant discovery, user enum vectors, factor enumeration, push-fatigue, FastPass abuse, OIDC redirect_uri tampering | original |

### Infrastructure & Appliance Attack ★ (4 skills)

| Skill | What it covers | Coverage source |
|---|---|---|
| `enterprise-vpn-attack` | Enterprise SSL VPN — Cisco ASA/AnyConnect · Fortinet · Citrix NetScaler · Palo Alto · Pulse/Ivanti · SonicWall · F5 | authorized-engagement |
| `hunt-ntlm-info` | NTLM/Negotiate anonymous Type-2 disclosure — AV_PAIRS leakage, internal DNS forest, default WIN-XXX hostnames | authorized-engagement |
| `hunt-sharepoint` | SharePoint on-prem (2013–SE) — ToolShell precondition chain (CVE-2025-53770), SOAP auth bypass, anon FormDigest, SafeControl enum | authorized-engagement |
| `vmware-vcenter-attack` | VMware vSphere / vCenter / Workspace ONE / Aria CVE chain (CVE-2021-21972 → CVE-2024-37085) | original |

### Red Team Tradecraft ★ (4 skills)

| Skill | What it covers | Coverage source |
|---|---|---|
| `apk-redteam-pipeline` | Android APK red-team pipeline — Play Store + apkpure acquisition, jadx decompile, secret/JWT/Firebase grep, Frida templates | authorized-engagement |
| `mid-engagement-ir-detection` | Mid-engagement IR detection — SOC patches mid-test, external attacker activity, baseline-shift detection | authorized-engagement |
| `redteam-mindset` | Red-team operator discipline — mindset corrections separating offensive from defensive WAPT, "DO NOT STOP" primary directive | authorized-engagement |
| `supply-chain-attack-recon` | Supply-chain recon — dep-confusion, GH Actions injection, SBOM mining, container registry exposure, internal-package leakage | original |

### Recon & OSINT (4 skills)

| Skill | What it covers | Coverage source |
|---|---|---|
| `bb-local-toolkit` | Full pipeline router for local cloned bug-bounty repos | original |
| `offensive-osint` | 15-reference probe arsenal — subdomain enum, identity fabric, secret patterns, sector recon | original |
| `osint-methodology` | 5-stage recon pipeline · 29-type asset graph · severity rubric · time budgeting | original |
| `web2-recon` | Subdomain enumeration · host discovery · URL crawling | original |

### Workflow & Validation (5 skills)

| Skill | What it covers | Coverage source |
|---|---|---|
| `bb-methodology` | 5-phase non-linear workflow + critical-thinking framework | vendored |
| `bug-bounty` | Master orchestrator — pulls in other skills as needed | vendored |
| `hunt-dispatch` ★ | `/hunt` two-track dispatcher — Red Team vs WAPT mode, fingerprints target, loads platform skills | original |
| `security-arsenal` | Payloads, bypass tables, wordlists, gf patterns | vendored |
| `triage-validation` | 7-Question Gate · 4 pre-submission gates · never-submit list | original |

### Reporting & Hygiene (4 skills)

| Skill | What it covers | Coverage source |
|---|---|---|
| `bugcrowd-reporting` | Bugcrowd VRT category fallback · severity-request paragraph · OOS rebuttals · chained-finding patterns | original |
| `evidence-hygiene` | Cookie redaction · PII black-bar · HAR sanitization · screenshot hygiene | original |
| `redteam-report-template` ★ | Client-facing red-team deliverable — Subject / Observations / Description / Impact / Recommendation / PoC, MD + DOCX packaging | authorized-engagement |
| `report-writing` | H1 / Bugcrowd / Intigriti / Immunefi templates · CVSS 3.1 + 4.0 | original |

### Specialized (2 skills)

| Skill | What it covers | Coverage source |
|---|---|---|
| `meme-coin-audit` | Token rug-pull detection · honeypot · LP lock bypass | original |
| `web3-audit` | Smart-contract audit · 10 DeFi bug classes · Foundry PoC template | original |

---

### Slash Commands (15)

You type these directly into Claude Code. They route to the right skills automatically.

| Command | What it does |
|---|---|
| `/autopilot` | Autonomous hunt loop with configurable checkpoints |
| `/chain` | Build A→B→C exploit chain for higher payouts |
| `/hunt <target>` | Start hunting on a target — loads scope, picks attack surface |
| `/intel <target>` | On-demand CVE / disclosed-report intel |
| `/memory-gc` | Inspect / rotate hunt-memory JSONL files |
| `/pickup <target>` | Resume previous hunt — shows history + suggestions |
| `/recon <target>` | Run full recon pipeline — subfinder · dnsx · httpx · katana · nuclei |
| `/remember` | Log finding or pattern to hunt memory |
| `/report` | Write submission-ready report — H1/Bugcrowd/Intigriti/Immunefi |
| `/scope <asset>` | Check if an asset is in scope before hunting |
| `/surface <target>` | Ranked attack surface from recon + memory |
| `/token-scan` | Meme-coin / token security scan |
| `/triage` | Quick 7-Question Gate (faster than `/validate`) |
| `/validate` | Full 7-Question Gate + 4-gate checklist |
| `/web3-audit <contract>` | Smart-contract 10-class checklist |

**Reading the columns:**
- **Skill** — the exact identifier (matches the folder name in `~/.claude/skills/`)
- **What it covers** — one-line summary; full content is in the skill's `SKILL.md`
- **Coverage source** — where the patterns came
from: an H1 report count (curated from public disclosures), `curated` (hand-assembled from research), `original` (author-written), `vendored` (upstream community skill), or `authorized-engagement` (derived from authorized red-team work)\n- **★** marks a skill that's newer and worth flagging for established hunters who may not have its specific coverage yet\n\n---\n\n## Architecture\n\n51 skills across 6 phases, with a 27-skill `hunt-*` sub-stack, a 7-skill enterprise-platform attack layer (M365\u002FOkta\u002Fcloud-IAM\u002FvCenter\u002FVPN\u002FSharePoint\u002FAPK), an integration layer (Burp MCP, the `hunt` shell command, optional Anthropic + HackerOne APIs), and a usage decision tree for picking the right skill per task.\n\n![architecture overview](assets\u002Farchitecture-overview.svg)\n\nFor deeper reference views — a 3-layer stack architecture and an engagement pipeline with the 4 branched outcomes from the Validate gate — see [`docs\u002Farchitecture.md`](docs\u002Farchitecture.md).\n\n---\n\n## The 7-Question Gate\n\nBefore drafting any report — `\u002Ftriage` or `\u002Fvalidate` runs every candidate finding through:\n\n1. Can an attacker use this RIGHT NOW with a real HTTP request?\n2. Is the impact on the program's accepted-impact list?\n3. Is the asset in scope?\n4. Does it work without privileged access an attacker can't get?\n5. Is this not already known or documented behavior?\n6. Can impact be proved beyond \"technically possible\"?\n7. Is this not on the never-submit list?\n\nOne NO = KILL. Move on. This single discipline separates productive researchers from N\u002FA noise.\n\n---\n\n## Quick Start\n\n**Time to first hunt:** ~10 minutes if you have prerequisites, ~25 minutes if you're starting fresh.\n\n### Step 1 — Prerequisites (5 minutes, one-time)\n\nYou need these BEFORE the install will work. 
Check each one:\n\n| What | Why | Verify with | Where to get it |\n|---|---|---|---|\n| **macOS or Linux** | Install script + shell scaffold are POSIX | `uname -a` | (Windows users: use WSL2 Ubuntu) |\n| **Claude Code CLI** | The bundle runs as skills loaded by Claude Code | `claude --version` | https:\u002F\u002Fclaude.ai\u002Fdownload |\n| **Claude Pro\u002FTeam or Max plan** | Claude Code needs a subscription OR an API key | run `claude`, then `\u002Flogin` and sign in | https:\u002F\u002Fclaude.ai\u002Fupgrade |\n| **Python 3.9+** | For the `cbh` CLI (terminal-side companion) | `python3 --version` | `brew install python` (mac) \u002F `apt install python3` (linux) |\n| **`git`** | To clone this repo | `git --version` | usually pre-installed |\n\n**Optional but recommended:**\n- **Burp Suite Pro or Community** — `https:\u002F\u002Fportswigger.net\u002Fburp` — needed only if you want HTTP-history capture. Skills work fine without it.\n\n### Step 2 — Install the bundle (2 minutes)\n\nCopy-paste these three commands into your terminal:\n\n```bash\nmkdir -p ~\u002Fsecurity-research && cd ~\u002Fsecurity-research\ngit clone https:\u002F\u002Fgithub.com\u002Felementalsouls\u002FClaude-BugHunter.git\ncd Claude-BugHunter && .\u002Fscripts\u002Finstall.sh\n```\n\n**Expected output** (scrolls past ~80 lines — you can ignore the per-skill detail; just look for the banner at the bottom; the source path echoes wherever you cloned the repo):\n```\nInstalling Claude-BugHunter bundle from \u002FUsers\u002Fyou\u002Fsecurity-research\u002FClaude-BugHunter\n\nSkills →  \u002FUsers\u002Fyou\u002F.claude\u002Fskills\n  ✓ Installed skill: apk-redteam-pipeline\n  ✓ Installed skill: bb-methodology\n  ... (one line per skill — 51 total) ...\n\nCommands →  \u002FUsers\u002Fyou\u002F.claude\u002Fcommands\n  ✓ Installed command: \u002Fautopilot\n  ... 
(15 total) ...\n\n  ✓ Installed hunt shell command at \u002FUsers\u002Fyou\u002F.claude\u002Fscripts\u002Fhunt.sh\n  ✓ Added 'source ~\u002F.claude\u002Fscripts\u002Fhunt.sh' to \u002FUsers\u002Fyou\u002F.zshrc\n\n============================================\n✓ Install complete\n============================================\n\nNext: open a new terminal (or 'source ~\u002F.zshrc') and try:\n    hunt acme-test\n```\n\nIf you see `command not found` for `git` or `python3`, go back to Step 1.\n\nRestart your terminal (or `source ~\u002F.zshrc`) so the `hunt` shell command is available.\n\n### Step 3 — Verify install (30 seconds)\n\n```bash\n# Verify the hunt scaffold (running with no args shows usage — that means it loaded)\nhunt\n# Expected: prints \"Usage: hunt \u003Ctarget-name>\" + default base path\n\n# Count the installed skills (should be 51; higher if ~\u002F.claude\u002Fskills already held other skills)\nls ~\u002F.claude\u002Fskills\u002F | wc -l\n# Expected: 51\n\n# Spot-check a few skills loaded\nls ~\u002F.claude\u002Fskills\u002F | grep -E '^(hunt-xss|hunt-rce|m365-entra-attack|triage-validation)$'\n# Expected: all 4 lines print back\n```\n\nIf `hunt` says \"command not found\": run `source ~\u002F.zshrc` (or `source ~\u002F.bashrc` on Linux) and try again. 
If that doesn't fix it, see [INSTALL.md → Troubleshooting](INSTALL.md#troubleshooting).\n\n### Step 4 — Your first hunt (5–10 minutes)\n\n**Don't have a target yet?** Use one of these; they exist to be tested, so a first hunt raises no authorization questions:\n\n| Where | What it is | Why use it for your first hunt |\n|---|---|---|\n| **`hackerone.com\u002Fsecurity`** | HackerOne's own bug bounty | Mature program, accepts almost everything, fast response |\n| **`bugcrowd.com\u002Fprograms`** | Browse public programs | Filter \"Open to anyone\" + \"VDP\" (disclosure-only programs: no payout, but a low-stakes place to practice the submission workflow) |\n| **`juice-shop.herokuapp.com`** | OWASP Juice Shop (deliberately vulnerable) | Practice without authorization concerns; it can also be run locally via Docker |\n| **`testphp.vulnweb.com`** | Acunetix test target (deliberately vulnerable) | Practice SQLi, XSS in a safe environment |\n\nFor your first real attempt against a public bug bounty program, use **HackerOne's own program** (`hackerone.com\u002Fsecurity`). It exists to receive exactly this kind of testing.\n\n**Run your first engagement:**\n\n```bash\n# Set up an engagement folder (replace 'h1-vdp' with any name you want)\nhunt h1-vdp\ncd ~\u002FTargets\u002Fh1-vdp\n\n# Open Claude Code in this folder\nclaude\n```\n\nYou're now inside Claude Code, in an engagement folder with `CLAUDE.md`, `scope.md`, `findings\u002F`, `evidence\u002F` already set up. Now ask Claude to start:\n\n> **You type this into Claude:**\n> *I want to do a bug bounty hunt on hackerone.com — their own program at https:\u002F\u002Fhackerone.com\u002Fsecurity. Walk me through the workflow from scratch. Start with recon.*\n\n**What you'll see Claude do:**\n1. ✅ Load `bb-methodology` skill (the 5-phase non-linear workflow)\n2. ✅ Load `triage-validation` skill (the 7-Question Gate that runs before any submission)\n3. ✅ Load `offensive-osint` + `web2-recon` for recon\n4. ✅ Ask you to confirm scope and engagement mode (bug-bounty vs red-team vs pentest)\n5. 
✅ Generate concrete commands you can run to start mapping the target\n\nYou don't need to know what each skill does — they auto-load based on what you describe. Just keep telling Claude what you're seeing and what you want to do next.\n\n### Step 5 — When you think you found something\n\n**Before drafting any report, type this into Claude:**\n\n```\n\u002Ftriage\n```\n\nThen describe the finding to Claude in plain English: *\"I found that the password-reset page returns the user's email back in the response when given a valid user ID — looks like account-enumeration.\"*\n\nClaude runs the **7-Question Gate** (Q1: real HTTP request? Q2: accepted-impact? Q3: in-scope? … Q6: concrete impact, not technically-possible? Q7: not on the never-submit list?). Returns one of:\n- **PASS** → you're cleared to write the report (`\u002Freport`)\n- **DOWNGRADE** → you have a finding but it's a lower tier\n- **KILL** → don't draft this; move on\n- **CHAIN REQUIRED** → it's only valid as part of a larger chain\n\n**This single step prevents the most common mistake new hunters make: drafting reports for findings that get rejected as N\u002FA.**\n\n### Step 6 — When ready to submit\n\n```\n\u002Freport\n```\n\nClaude triggers `report-writing` (the report body template) + the platform-specific skill (`bugcrowd-reporting` for Bugcrowd, generic H1 template otherwise). The output is copy-paste-ready.\n\n---\n\nFor Burp Suite Pro MCP integration (optional layer), see [INSTALL.md](INSTALL.md). 
For the full engagement walkthrough with a worked example, see [USAGE.md](USAGE.md).\n\n---\n\n## Authorization\n\nThese skills are intended for assets you **own** or have **written authorization to assess** (bug-bounty in-scope assets, pentest engagement letters, CTF challenges, your own infrastructure).\n\nThe skills include validation gates that auto-trigger when you point Claude at unverified third-party targets — `triage-validation`'s 7-Question Gate explicitly asks whether the asset is in scope (Q3) and on the program's accepted-impact list (Q2). The `bugcrowd-reporting` skill includes researcher-side hygiene (Bugcrowdninja alias, account-state restoration, friendly-tester posture) that signals legitimate authorized testing to the target's fraud team.\n\nThe bundle explicitly **excludes**: weaponizing 0-days against unauthorized targets, post-exploitation tooling, malware development, mass-targeting infrastructure. See [`SECURITY.md`](SECURITY.md) for the full posture.\n\n---\n\n## Documentation\n\n| Doc | Contents |\n|---|---|\n| [`README.md`](README.md) | This file — capability map, structure, quick start |\n| [`INSTALL.md`](INSTALL.md) | Full setup with Burp MCP integration and optional skill regenerator |\n| [`USAGE.md`](USAGE.md) | Workflow walkthrough · decision tree · worked engagement example |\n| [`docs\u002Farchitecture.md`](docs\u002Farchitecture.md) | 6-phase architecture · skill-to-phase mapping · engagement composition |\n| [`docs\u002Fcbh-cli.md`](docs\u002Fcbh-cli.md) | `cbh` CLI — native runner orchestrating recon + classify + triage + report |\n| [`docs\u002Fcve-coverage.md`](docs\u002Fcve-coverage.md) | CISA KEV coverage snapshot — refreshed weekly via the workflow template at `docs\u002Fautomation\u002Fcve-refresh.yml.template` |\n| [`docs\u002Fcredits.md`](docs\u002Fcredits.md) | Full attribution: 43 original skills + 8 vendored from upstream |\n| [`CONTRIBUTING.md`](CONTRIBUTING.md) | PR guidelines · skill quality standards · scope |\n| 
[`SECURITY.md`](SECURITY.md) | Authorized-use posture · responsible disclosure · what's excluded |\n| [`LICENSE`](LICENSE) | MIT |\n\n---\n\n## Why this exists\n\nMost bug-hunting Claude setups are either too generic (one big \"security\" prompt) or too fragmented (you bookmark 30 disclosed reports and re-read them every engagement). Neither scales past the second target.\n\nThis bundle was built and validated through authorized engagements that exposed different capability gaps:\n\n**Bug-bounty engagement** — surfaced four gaps a starter 3-skill stack could not close:\n\n1. **No hypothesis discipline** — drafts written before validation → wasted hours, hurt validity ratio\n2. **No per-program reporting tactics** — VRT defaults auto-downgraded P3-worthy findings to P4\n3. **No engagement coordination** — findings, evidence, and submission IDs scattered across folders\n4. **No evidence hygiene** — screenshots leaked cookies and victim PII\n\n**External red-team engagement** — exposed five additional gaps that bug-bounty defaults made worse:\n\n1. **Conservative defaults retracted real findings** — WAPT mindset stopped tests early on defended targets where red-team continuation would have surfaced bypass chains → `redteam-mindset`\n2. **No mid-engagement situational awareness** — client SOC patched confirmed SQLi within 30 min; external attacker locked 14 accounts during a live test session — both invisible without explicit detection methodology → `mid-engagement-ir-detection`\n3. **No enterprise-platform attack chains** — M365 + Entra ID, on-prem SharePoint, Cisco SSL VPN, vCenter, and 7 Android APKs all needed current 2024-2026 CVE knowledge and platform-specific tradecraft → `m365-entra-attack`, `okta-attack`, `hunt-sharepoint`, `hunt-aspnet`, `hunt-ntlm-info`, `vmware-vcenter-attack`, `enterprise-vpn-attack`, `apk-redteam-pipeline`\n4. 
**No client-facing deliverable format** — bug-bounty report templates don't fit enterprise red-team where output is a 50KB+ MD + DOCX with embedded screenshots → `redteam-report-template`\n5. **No post-credential escalation model** — when recon yielded credentials (AWS keys, JWTs, GCP JSON), it was unclear what they granted or how to escalate → `cloud-iam-deep`\n\nThe 24 per-class `hunt-*` skills address gap-zero (*\"what should I look for in webapps\"*) by codifying patterns from 574+ disclosed HackerOne reports — Claude knows the actual chain templates real triagers paid for, not abstract OWASP Top 10. The enterprise-platform and red-team-tradecraft layers address what bug-bounty alone cannot: external red-team engagements against monitored enterprise targets.\n\n---\n\n## Roadmap\n\n- [ ] HackerOne MCP integration (currently only Burp MCP wired in)\n- [ ] Per-engagement memory layer — pattern recall across targets\n- [ ] Industry-specific hunt skills — `hunt-fintech-graphql`, `hunt-healthcare-fhir`, `hunt-gov-compliance`\n- [ ] Program-rules-parser skill — auto-generate structured `scope.md` from program text\n- [ ] Refresh `hunt-*` skills with newer disclosed reports (re-run `public-skills-builder`)\n- [ ] Additional enterprise-platform skills — `citrix-netscaler-deep`, `f5-bigip-attack`, `ad-cs-attack` (AD Certificate Services)\n- [ ] Refresh enterprise-VPN CVE matrix quarterly to track 2026 advisories\n- [ ] Update architecture SVG to include the 7-skill enterprise-platform layer\n- [ ] CHANGELOG.md and CODE_OF_CONDUCT.md (matching Claude-OSINT layout)\n\n---\n\n## About\n\nOperational tradecraft accumulated across bug-bounty engagements and authorized pentests, codified into Claude skills. 
Platform-agnostic — slot into any engagement workflow you already use, or none.\n\n**Author:** [ElementalSoul](https:\u002F\u002Fgithub.com\u002Felementalsouls) · GenAI Security Research\n\n**Sister project:** [Claude-OSINT](https:\u002F\u002Fgithub.com\u002Felementalsouls\u002FClaude-OSINT) — paired skills for the recon phase that this bundle picks up after.\n\n**Vendored foundation:** [shuvonsec\u002Fclaude-bug-bounty](https:\u002F\u002Fgithub.com\u002Fshuvonsec\u002Fclaude-bug-bounty) — methodology, validation, reporting, payload library (8 of 51 skills + 15 slash commands)\n\n**Generator tool used (not vendored):** [shuvonsec\u002Fpublic-skills-builder](https:\u002F\u002Fgithub.com\u002Fshuvonsec\u002Fpublic-skills-builder) — used to scaffold per-class skills from H1 disclosed reports\n\n**Inspirations:**\n- [archangel \u002F douglasday](https:\u002F\u002Fhackerone.com\u002F) — top-10 H1 hunter; per-class skill pattern\n- [Trail of Bits — `trailofbits\u002Fskills`](https:\u002F\u002Fgithub.com\u002Ftrailofbits\u002Fskills) — skill-authoring discipline\n- [SecSkills — `trilwu\u002Fsecskills`](https:\u002F\u002Fgithub.com\u002Ftrilwu\u002Fsecskills) — subagent pattern\n\n**Tool inventory:**\n- [PortSwigger Burp Suite + MCP Server extension](https:\u002F\u002Fportswigger.net\u002Fburp)\n- [ProjectDiscovery](https:\u002F\u002Fgithub.com\u002Fprojectdiscovery) — subfinder · dnsx · httpx · katana · nuclei\n- [SecLists](https:\u002F\u002Fgithub.com\u002Fdanielmiessler\u002FSecLists) · [Assetnote Wordlists](https:\u002F\u002Fwordlists.assetnote.io\u002F)\n\n**License:** [MIT](LICENSE) — use freely, attribution appreciated.\n\n---\n\n> *\"Give Claude the right skill and it stops being a chatbot. 
It becomes an operator.\"*\n","Claude-BugHunter is a Claude Code skill bundle designed for bug hunting and external red-team work. It integrates 51 skills, 15 slash commands and 574+ disclosed-report patterns spanning 24 vulnerability classes, and also provides enterprise identity and infrastructure attack matrices. The project is written in Python and, through Burp MCP integration and engagement-folder scaffolding, improves the efficiency of security researchers in authorized red-team tests and bug-bounty activities. It is suited to security assessments of internet-accessible assets such as web applications and APIs.",2,"2026-06-11 03:55:58","CREATED_QUERY"]