[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-81625":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":14,"subscribersCount":14,"size":14,"stars1d":15,"stars7d":15,"stars30d":16,"stars90d":14,"forks30d":14,"starsTrendScore":12,"compositeScore":17,"rankGlobal":9,"rankLanguage":9,"license":18,"archived":19,"fork":19,"defaultBranch":20,"hasWiki":21,"hasPages":19,"topics":22,"createdAt":9,"pushedAt":9,"updatedAt":39,"readmeContent":40,"aiSummary":41,"trendingCount":14,"starSnapshotCount":14,"syncStatus":15,"lastSyncTime":42,"discoverSource":43},81625,"bughunter-ai","h4ckologic\u002Fbughunter-ai","h4ckologic","Autonomous Bug Bounty Hunting Framework powered by Claude Code. 20 AI agents, state-machine orchestration, Burp Suite MCP, credential vault, LLM security track. Type 'hunt target.com' and let AI find the bugs.",null,"TypeScript",25,6,22,0,2,3,47.84,"MIT License",false,"main",true,[23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38],"ai-agents","anthropic","autonomous","bug-bounty","burp-suite","claude","claude-code","cybersecurity","hacking","llm-security","offensive-security","owasp","pentesting","playwright","security","vulnerability-scanner","2026-06-12 04:01:34","\u003Cp align=\"center\">\n \u003Cimg src=\"docs\u002Fimages\u002Fbughunter-banner.png\" alt=\"BugHunter AI\" width=\"800\" \u002F>\n\u003C\u002Fp>\n\n\u003Ch1 align=\"center\">BugHunter AI\u003C\u002Fh1>\n\n\u003Cp align=\"center\">\n \u003Cstrong>Autonomous Bug Bounty Hunting Framework Powered by Claude Code + PAI\u003C\u002Fstrong>\n\u003C\u002Fp>\n\n\u003Cp align=\"center\">\n \u003Cem>28 specialized AI agents. 8 orchestrated workflows. State-machine orchestration. 51 skills. Zero human input required.\u003C\u002Fem>\n\u003C\u002Fp>\n\n\u003Cp align=\"center\">\n \u003Ca href=\"#quick-start\">Quick Start\u003C\u002Fa> •\n \u003Ca href=\"#full-setup-guide\">Full Setup\u003C\u002Fa> •\n \u003Ca href=\"#pai-superpowers\">Superpowers\u003C\u002Fa> •\n \u003Ca href=\"#architecture\">Architecture\u003C\u002Fa> •\n \u003Ca href=\"#agents\">Agents\u003C\u002Fa> •\n \u003Ca href=\"#sample-prompts\">Prompts\u003C\u002Fa> •\n \u003Ca href=\"#contributing\">Contributing\u003C\u002Fa>\n\u003C\u002Fp>\n\n\u003Cp align=\"center\">\n \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FClaude_Code-Opus_4-blueviolet?style=for-the-badge&logo=anthropic\" alt=\"Claude Code\" \u002F>\n \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FPAI-v3.0-blue?style=for-the-badge\" alt=\"PAI v3.0\" \u002F>\n \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FAgents-28-orange?style=for-the-badge\" alt=\"28 Agents\" \u002F>\n \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FSkills-51-green?style=for-the-badge\" alt=\"51 Skills\" \u002F>\n \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FTypeScript-Bun-black?style=for-the-badge&logo=bun\" alt=\"Bun\" \u002F>\n \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FBurp_Suite-MCP-red?style=for-the-badge\" alt=\"Burp MCP\" \u002F>\n \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-MIT-green?style=for-the-badge\" alt=\"MIT License\" \u002F>\n\u003C\u002Fp>\n\n---\n\n## What is BugHunter AI?\n\nBugHunter AI is an **autonomous bug bounty hunting framework** that turns [Claude Code](https:\u002F\u002Fdocs.anthropic.com\u002Fen\u002Fdocs\u002Fclaude-code) into an elite security researcher. Built on top of the **PAI (Personal AI Infrastructure)** system, it combines 20 specialized vulnerability agents, 51 skills, 13 expert AI agents, 20 lifecycle hooks, and a full offensive security toolchain into a single command:\n\n```bash\n# That's it. One command. Autonomous hunting.\nhunt https:\u002F\u002Fapp.example.com\n```\n\n**What happens next:**\n1. A state machine initializes and tracks 10 phases of the hunt\n2. Credentials are loaded from an encrypted vault (never inline)\n3. The app is profiled — flows mapped, tech stack fingerprinted, trust boundaries identified\n4. Hypothesis-driven agents deploy in parallel — each with a specific attack theory\n5. Findings are reported in real-time with CVSS scoring\n6. A professional bug bounty report is generated automatically\n\n---\n\n## Why BugHunter AI?\n\n| Manual Bug Bounty | BugHunter AI |\n|---|---|\n| Hours of recon before first payload | Autonomous recon → profiling → attack in minutes |\n| Forget where you left off between sessions | State machine checkpoints every phase — `--resume` anytime |\n| Credentials in plaintext notes | Encrypted vault with 1Password integration |\n| Run same tools blindly on every target | Hypothesis-driven: agents attack WHERE the AppProfile says bugs live |\n| Test one thing at a time | 5 agents run in parallel, findings shared in real-time |\n| Miss AI\u002FLLM vulnerabilities | Dedicated LLMSecurityAgent with OWASP LLM Top 10 |\n| Medium findings silently dropped | Mediums archived for attack chain correlation |\n| No memory between hunts | Cross-session learning — gets smarter with every engagement |\n| Single tool \u002F single domain | 51 skills covering web, mobile, API, cloud, network, binary, AI |\n\n---\n\n## The Full Stack: PAI + Superpowers + BugHunter\n\nBugHunter AI is not just a skill — it's part of a **complete offensive security infrastructure**. Here's what you get when you install the full setup:\n\n### PAI (Personal AI Infrastructure) v3.0\n\nThe foundation layer. PAI is a general problem-solving system that provides:\n\n- **The Algorithm (v1.5.0)** — 7-phase structured reasoning (OBSERVE → THINK → PLAN → BUILD → EXECUTE → VERIFY → LEARN)\n- **51 Skills** — Specialized capabilities from security to content creation\n- **13 Expert Agents** — Architect, Engineer, Pentester, Researcher variants, QA Tester, and more\n- **20 Lifecycle Hooks** — Automated security validation, session management, algorithm tracking\n- **Cross-Session Memory** — Persistent learning across conversations\n- **Voice System** — ElevenLabs TTS integration with custom AI personality\n- **Multi-Channel Notifications** — ntfy, Discord, Twilio alerts for long tasks and findings\n\n### Superpowers Plugin\n\nClaude Code's official `superpowers` plugin adds enhanced capabilities:\n\n- Extended tool access and MCP server integration\n- Advanced agent orchestration with team mode\n- Enhanced permission management\n\n### Security Skill Stack (16 Skills)\n\n| Skill | Coverage |\n|-------|----------|\n| **BugBountyFramework** | Autonomous 10-phase hunt orchestration |\n| **WebAssessment** | OWASP WSTG v5, OWASP Top 10 |\n| **SecurityHub** | Master security command center with intelligent skill routing |\n| **OffensiveSecurityOrchestrator** | Kill chain tracking, adaptive methodology |\n| **APISecurityTesting** | REST, GraphQL, gRPC, BOLA, BFLA, mass assignment |\n| **MobileSecurity** | OWASP MASTG v2, Frida, Objection, MobSF |\n| **NetworkSecurity** | AD attacks, BloodHound, Kerberoasting, pivoting |\n| **CloudSecurity** | AWS\u002FAzure\u002FGCP, IAM escalation, Pacu, ScoutSuite |\n| **ExploitDev** | Heap exploitation, ROP chains, safe-linking bypass |\n| **ReverseEngineering** | Ghidra, radare2, binary analysis |\n| **MalwareAnalysis** | Static\u002Fdynamic analysis, YARA, IOC extraction |\n| **PromptInjection** | OWASP LLM Top 10, MITRE ATLAS |\n| **VulnResearch** | CVE development, AFL++ fuzzing, CodeQL |\n| **SASTOrchestration** | Semgrep, CodeQL, custom rules, taint tracking |\n| **SCASecurity** | SBOM, supply chain, dependency confusion |\n| **ThreatModeling** | STRIDE, PASTA, attack trees |\n| **Recon** | Subdomain enum, asset discovery, Shodan |\n| **RedTeam** | 32-agent adversarial analysis |\n\n### Expert Agent Army (13 Agents)\n\n| Agent | Specialty |\n|-------|-----------|\n| **Pentester** | Offensive security specialist — vulnerability assessment, exploitation |\n| **Engineer** | Elite principal engineer — TDD, strategic planning |\n| **Architect** | System design — constitutional principles, feature specs |\n| **Algorithm** | PAI Algorithm expert — ISC creation and evolution |\n| **Designer** | UX\u002FUI specialist — Figma, shadcn\u002Fui |\n| **Artist** | Visual content — Flux, GPT-Image-1, prompt engineering |\n| **QATester** | Browser-automation validation — Gate 4 completion gates |\n| **Intern** | 176-IQ generalist — multi-faceted problem solving |\n| **ClaudeResearcher** | Multi-query academic research via Claude WebSearch |\n| **CodexResearcher** | Technical archaeology — O3, GPT-5-Codex consultation |\n| **GeminiResearcher** | Multi-perspective research via Google Gemini |\n| **GrokResearcher** | Contrarian analysis via xAI Grok |\n| **PerplexityResearcher** | Investigative journalism via Perplexity |\n\n### MCP Servers (3 Core + 5 Recommended)\n\n**Core (Pre-configured):**\n| Server | Purpose |\n|--------|---------|\n| **Burp Suite MCP** | Proxy traffic analysis, scope sync, Collaborator, HAR export |\n| **Filesystem MCP** | Direct file system access |\n| **GitHub MCP** | Repository operations, PR management |\n\n**Recommended Security MCPs:**\n| Server | Purpose | Install |\n|--------|---------|---------|\n| **Shodan** | Internet asset search | `npm install -g @shodan\u002Fmcp-server` |\n| **VirusTotal** | Malware\u002FIOC analysis | `npx -y @virustotal\u002Fmcp-server` |\n| **CVE\u002FNVD** | Vulnerability database | Custom Python server |\n| **Nuclei** | Vulnerability scanning | Custom Node server |\n| **GitHub Security Advisory** | CVE tracking | Via GitHub MCP |\n\n### Plugins (4 Active)\n\n| Plugin | Purpose |\n|--------|---------|\n| **superpowers** | Enhanced Claude Code capabilities |\n| **claude-mem** | Persistent cross-session memory |\n| **swift-lsp** | Swift language server protocol |\n| **ui-ux-pro-max** | Advanced UI\u002FUX design capabilities |\n\n### Lifecycle Hooks (20 Hooks)\n\n| Hook | Trigger | Purpose |\n|------|---------|---------|\n| **SecurityValidator** | Pre: Bash, Edit, Write, Read | Validates all tool calls for security |\n| **VoiceGate** | Pre: Bash | Voice notification gate |\n| **AgentExecutionGuard** | Pre: Task | Guards agent execution |\n| **SkillGuard** | Pre: Skill | Validates skill invocations |\n| **SetQuestionTab** | Pre: AskUserQuestion | Terminal tab management |\n| **AlgorithmTracker** | Post: Bash, Task* | Tracks algorithm phase progression |\n| **QuestionAnswered** | Post: AskUserQuestion | Tracks Q&A flow |\n| **WorkCompletionLearning** | SessionEnd | Captures learnings from work |\n| **SessionSummary** | SessionEnd | Generates session summaries |\n| **RelationshipMemory** | SessionEnd | Builds relationship context |\n| **UpdateCounts** | SessionEnd | Updates system statistics |\n| **IntegrityCheck** | SessionEnd | Validates system integrity |\n| **RatingCapture** | UserPromptSubmit | Captures quality ratings |\n| **AutoWorkCreation** | UserPromptSubmit | Auto-creates work tracking |\n| **UpdateTabTitle** | UserPromptSubmit | Dynamic terminal tab titles |\n| **SessionAutoName** | UserPromptSubmit | Auto-names sessions |\n| **StartupGreeting** | SessionStart | Displays PAI banner |\n| **LoadContext** | SessionStart | Loads session context |\n| **CheckVersion** | SessionStart | Version checks |\n| **StopOrchestrator** | Stop | Clean shutdown handling |\n\n---\n\n## Architecture\n\n```mermaid\nflowchart TB\n subgraph Input[\"User Input\"]\n A[\"hunt target.com\"]\n B[\"hunt --config target.json\"]\n C[\"hunt --apk app.apk\"]\n end\n\n subgraph PAI[\"PAI Infrastructure (v3.0)\"]\n direction TB\n ALG[\"The Algorithm (7 phases)\"]\n SK[\"51 Skills\"]\n HK[\"20 Hooks\"]\n MEM[\"Cross-Session Memory\"]\n VOICE[\"Voice System\"]\n end\n\n subgraph Orchestrator[\"Hunt Orchestrator (State Machine)\"]\n direction TB\n P0[\"Phase 0: INIT\"]\n P1[\"Phase 1: MEMORY_LOAD\"]\n P2[\"Phase 2: TARGET_INGEST\"]\n P3[\"Phase 3: APP_UNDERSTANDING\"]\n P4[\"Phase 4: RECON\"]\n P5[\"Phase 5: AGENT_DEPLOY\"]\n P6[\"Phase 6: DYNAMIC_TEST\"]\n P7[\"Phase 7: VULN_ASSESS\"]\n P8[\"Phase 8: LEARNING\"]\n P9[\"Phase 9: REPORT\"]\n\n P0 --> P1 --> P2 --> P3 --> P4 --> P5 --> P6 --> P7 --> P8 --> P9\n end\n\n subgraph Tools[\"Tool Layer\"]\n V[\"Credential Vault\"]\n AU[\"Auth Manager\"]\n BB[\"Burp Bridge\"]\n PW[\"Playwright Harness\"]\n AP[\"Appium Harness\"]\n end\n\n subgraph MCPs[\"MCP Servers\"]\n BURP[\"Burp Suite MCP\"]\n FS[\"Filesystem MCP\"]\n GH[\"GitHub MCP\"]\n SH[\"Shodan MCP\"]\n VT[\"VirusTotal MCP\"]\n end\n\n subgraph Agents[\"Agent Army (Parallel)\"]\n direction LR\n AG1[\"XSSAgent\"]\n AG2[\"SQLiAgent\"]\n AG3[\"SSRFAgent\"]\n AG4[\"IDORAgent\"]\n AG5[\"AuthAgent\"]\n AG6[\"LLMSecurityAgent\"]\n AG7[\"APIAgent\"]\n AG8[\"MobileAgent\"]\n AG9[\"...12 more\"]\n end\n\n subgraph SecuritySkills[\"Security Skills (16)\"]\n direction LR\n SS1[\"WebAssessment\"]\n SS2[\"SecurityHub\"]\n SS3[\"APISecurityTesting\"]\n SS4[\"PromptInjection\"]\n SS5[\"...12 more\"]\n end\n\n subgraph Output[\"Output\"]\n R[\"Bug Bounty Report\"]\n F[\"Real-time Findings\"]\n D[\"Live Dashboard\"]\n N[\"Notifications (ntfy\u002FDiscord\u002FSMS)\"]\n end\n\n Input --> PAI\n PAI --> Orchestrator\n P2 --> V\n P3 --> AU\n P3 --> BB\n P4 --> SecuritySkills\n P5 --> Agents\n P6 --> PW\n P6 --> AP\n Agents --> MCPs\n Agents --> F\n P9 --> R\n Orchestrator --> D\n F --> N\n\n style PAI fill:#1e3a5f,stroke:#3b82f6,color:#fff\n style Orchestrator fill:#1a1a2e,stroke:#e94560,color:#fff\n style Agents fill:#0f3460,stroke:#e94560,color:#fff\n style Tools fill:#16213e,stroke:#0f3460,color:#fff\n style MCPs fill:#1a1a3e,stroke:#00d2ff,color:#fff\n style SecuritySkills fill:#2d1b69,stroke:#8b5cf6,color:#fff\n style Input fill:#533483,stroke:#e94560,color:#fff\n style Output fill:#0f3460,stroke:#00d2ff,color:#fff\n```\n\n---\n\n## Quick Start\n\nFor the minimal BugHunter-only install:\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fh4ckologic\u002Fbughunter-ai.git\ncd bughunter-ai\n.\u002Finstall.sh\n```\n\nFor the **full setup with PAI, Superpowers, and all security skills**, see the [Full Setup Guide](SETUP.md).\n\n---\n\n## Full Setup Guide\n\nSee **[SETUP.md](SETUP.md)** for the complete, step-by-step guide to replicate the full infrastructure:\n\n1. Install prerequisites (Claude Code, Bun, Go tools, Burp Suite)\n2. Install PAI v3.0 (the foundation)\n3. Configure your identity (DA + Principal)\n4. Install plugins (Superpowers, claude-mem, ui-ux-pro-max)\n5. Configure MCP servers (Burp, Filesystem, GitHub)\n6. Install BugHunter AI skill\n7. Set up optional security MCPs (Shodan, VirusTotal, NVD)\n8. Configure notifications (ntfy, Discord, Twilio)\n9. Verify the installation\n\n---\n\n## Hunt Modes\n\n| Mode | CVSS Threshold | Finding Target | Best For |\n|------|----------------|----------------|----------|\n| `bounty` (default) | >= 8.0 | 10 | Bug bounty programs — only critical\u002Fhigh findings |\n| `pentest` | >= 4.0 | 20 | Penetration tests — comprehensive coverage |\n| `comprehensive` | >= 0.0 | 50 | Full security audits — everything documented |\n\n```bash\nhunt https:\u002F\u002Ftarget.com # bounty mode (default)\nhunt https:\u002F\u002Ftarget.com --mode pentest # pentest mode\nhunt https:\u002F\u002Ftarget.com --mode comprehensive # comprehensive mode\n```\n\n---\n\n## Agents\n\nBugHunter deploys **20 specialized agents**, each an expert in one vulnerability class:\n\n| Agent | Focus | Key Techniques |\n|-------|-------|----------------|\n| **AppReviewAgent** | Application understanding | Flow mapping, tech fingerprinting, trust boundary analysis |\n| **LLMSecurityAgent** | AI\u002FLLM vulnerabilities | OWASP LLM Top 10, prompt injection, RAG poisoning |\n| **XSSAgent** | Cross-site scripting | Reflected, stored, DOM-based, mutation XSS |\n| **SQLiAgent** | SQL injection | Union, blind, time-based, second-order SQLi |\n| **SSRFAgent** | Server-side request forgery | Cloud metadata, internal services, protocol smuggling |\n| **IDORAgent** | Insecure direct object refs | Horizontal\u002Fvertical privilege escalation, UUID prediction |\n| **AuthAgent** | Authentication bypass | JWT attacks, session fixation, OAuth flaws, MFA bypass |\n| **APIAgent** | API security | BOLA, mass assignment, rate limiting, GraphQL introspection |\n| **CORSAgent** | CORS misconfiguration | Origin reflection, null origin, wildcard subdomains |\n| **FileUploadAgent** | File upload attacks | Content-type bypass, polyglot files, path traversal |\n| **XXEAgent** | XML external entities | Blind XXE, OOB data exfiltration, SSRF via XXE |\n| **RCEAgent** | Remote code execution | Command injection, SSTI, deserialization, SSRF→RCE |\n| **BusinessLogicAgent** | Business logic flaws | Race conditions, price manipulation, workflow bypass |\n| **MobileAgent** | Android\u002FiOS security | SSL pinning bypass, exported components, insecure storage |\n| **WindowsAgent** | Windows\u002FAD attacks | Kerberoasting, NTLM relay, privilege escalation |\n| **ReconAgent** | Reconnaissance | Subdomain enum, port scanning, tech fingerprinting |\n| **ReverseEngineeringAgent** | Binary analysis | Static analysis, dynamic analysis, vulnerability identification |\n| **ExploitDevAgent** | Exploit development | PoC creation, payload crafting, reliability testing |\n| **DesktopAppAgent** | Desktop app security | Electron, .NET, Java app testing |\n| **GraphQLAgent** | GraphQL security | Introspection, batch abuse, nested DoS, relay IDOR, subscription hijack |\n| **WebSocketAgent** | WebSocket security | CSWSH, message injection, origin bypass, auth hijacking |\n| **CSRFAgent** | CSRF exploitation | Token\u002FSameSite\u002FReferer bypass, content-type tricks, CORS+CSRF chains |\n| **CachePoisoningAgent** | Web cache poisoning | Unkeyed header injection, cache deception, CDN-specific bypasses |\n| **HTTPSmugglingAgent** | HTTP request smuggling | CL.TE, TE.CL, H2.CL desync, response queue poisoning |\n| **SubdomainTakeoverAgent** | Subdomain takeover | Dangling DNS, cloud service fingerprinting, cookie\u002FCSP impact |\n| **RaceConditionAgent** | Race conditions | HTTP\u002F2 single-packet attack, limit bypass, double-spend, TOCTOU |\n| **PrototypePollutionAgent** | Prototype pollution | Client-side PP→XSS gadgets, server-side PP→RCE, AST injection |\n| **LLMAgent** | Legacy LLM testing | Basic prompt testing (superseded by LLMSecurityAgent) |\n\n### How Agents Work\n\nAgents don't blindly scan. They receive **specific hypotheses** from the AppProfile:\n\n```\nTraditional scanning: BugHunter AI:\n\"Run sqlmap on all URLs\" → \"The \u002Fapi\u002Fv1\u002Freports?filter= parameter\n is passed into a PostgreSQL ORDER BY\n clause — test time-based blind SQLi HERE\"\n```\n\nThis means **90% less noise** and **10x faster confirmation**.\n\n---\n\n## Orchestrator Workflows\n\nThe hunt orchestrator classifies your target and dispatches the appropriate workflow. Each workflow defines its own phases, agent dispatch order, parallelism, and gate conditions.\n\n| Workflow | Trigger | Phases | Agents | Lines |\n|----------|---------|--------|--------|-------|\n| **W_HUNT_WEB** | Web application URL | 10 | 21 agents (parallel) | 2,018 |\n| **W_HUNT_API** | API endpoint \u002F Swagger \u002F GraphQL | 9 | 10 agents | 487 |\n| **W_HUNT_LLM** | AI\u002FLLM app (chatbot, RAG, copilot) | 13 | 8 agents | 688 |\n| **W_HUNT_MOBILE** | APK \u002F IPA file | 10 | 7 agents | 1,037 |\n| **W_HUNT_NETWORK** | IP range \u002F CIDR \u002F AD target | 9 | 5 agents | 814 |\n| **W_HUNT_CLOUD** | AWS \u002F Azure \u002F GCP environment | 10 | 5 agents | 607 |\n| **W_HUNT_THICK_CLIENT** | Electron \u002F .NET \u002F Java desktop app | 10 | 6 agents | 874 |\n| **W_RECON** | Standalone recon request | 10 | 2 agents | 703 |\n\n### How Workflows Work\n\n```\nhunt https:\u002F\u002Ftarget.com\n │\n ├── Orchestrator classifies target type\n ├── Loads W_HUNT_WEB workflow\n ├── Phase 1: RECON (ReconAgent + SubdomainTakeoverAgent)\n ├── Phase 2: APP PROFILING (AppReviewAgent via dev-browser)\n ├── Phase 3: AUTH TESTING (AuthAgent)\n ├── Phase 4: INJECTION (SQLi + XSS + XXE + RCE — PARALLEL)\n ├── Phase 5: ACCESS CONTROL (IDOR + CORS + CSRF — PARALLEL)\n ├── Phase 6: BUSINESS LOGIC (BusinessLogic + RaceCondition — PARALLEL)\n ├── Phase 7: ADVANCED (SSRF + CachePoisoning + HTTPSmuggling + PrototypePollution — PARALLEL)\n ├── Phase 8: API\u002FPROTOCOL (GraphQL + WebSocket + API — PARALLEL, conditional)\n ├── Phase 9: FILE HANDLING (FileUploadAgent, conditional)\n └── Phase 10: REPORTING (aggregate, score, deduplicate, generate report)\n```\n\nEach phase has **gate conditions** — the workflow only advances when the gate criteria are met. Agents within a phase run in parallel for maximum speed.\n\n---\n\n## Tool Chain\n\n| Tool | File | Purpose |\n|------|------|---------|\n| **Hunt Orchestrator** | `Tools\u002Fhunt-orchestrator.ts` | State machine — phase tracking, checkpointing, resume, dashboard |\n| **Credential Vault** | `Tools\u002Fcredential-vault.ts` | Encrypted credential storage, 1Password, env vars, auto-redact |\n| **Auth Manager** | `Tools\u002Fauth-manager.ts` | B2C\u002FOAuth\u002FSAML automation, session persistence, health checks |\n| **Burp Bridge** | `Tools\u002Fburp-bridge.ts` | Burp Suite REST API bridge — scope sync, HAR export, Collaborator |\n| **Browser Harness** | `Tools\u002Fplaywright-harness.ts` | Browser automation via dev-browser CLI (primary) \u002F Playwright CLI (fallback) |\n| **Appium Harness** | `Tools\u002Fappium-harness.ts` | Mobile app testing — Android\u002FiOS through proxy |\n\n---\n\n## Sample Prompts\n\n### Your First Hunt\n\n```\nhunt https:\u002F\u002Fapp.example.com\n```\n\n### Hunt with Stored Credentials\n\n```\nStore credentials for example-corp: username admin@test.com, password SecureP@ss123\n\nhunt https:\u002F\u002Fapp.example.com --creds vault:example-corp\n```\n\n### Pentest Mode (Find More)\n\n```\nhunt https:\u002F\u002Fstaging.example.com --mode pentest\n```\n\n### Hunt an AI Application\n\n```\nhunt https:\u002F\u002Fai-chatbot.example.com --mode pentest\n\nFocus on AI-specific vulnerabilities:\n- Extract the system prompt\n- Test cross-user data access\n- Try prompt injection (direct and indirect)\n- Test RAG poisoning via document upload\n```\n\n### Resume a Hunt\n\n```\nhunt https:\u002F\u002Fapp.example.com --resume\n```\n\n### Full Power Hunt\n\n```\nhunt https:\u002F\u002Fapp.example.com using username test@example.com and password TestPass123\n\nUse all available tools, skills, workflows, and MCPs.\nUse Playwright and Burp MCPs to perform dynamic analysis.\nMap the entire application attack surface.\nUnderstand the application before attacking.\nFind 10 high-severity vulnerabilities.\nDon't stop until done.\n```\n\n### Use Security Skills Directly\n\n```\n# Run a web assessment using the WebAssessment skill\n\u002FWebAssessment https:\u002F\u002Ftarget.com\n\n# Use the SecurityHub for guided methodology\n\u002FSecurityHub start assessment on https:\u002F\u002Ftarget.com\n\n# Run OSINT reconnaissance\n\u002FRecon https:\u002F\u002Ftarget.com --deep\n\n# Test LLM\u002FAI security\n\u002FPromptInjection https:\u002F\u002Fai-app.com\n```\n\nSee [examples\u002Fsample-prompts.md](examples\u002Fsample-prompts.md) for more.\n\n---\n\n## Live Dashboard\n\nCheck hunt progress anytime:\n\n```\nhunt https:\u002F\u002Ftarget.com --status\n```\n\n```\n======================================================================\n HUNT STATUS: https:\u002F\u002Fapp.example.com\n Mode: BOUNTY | Elapsed: 45m | Findings: 3\n Min CVSS: 8.0 | Target: 10 findings\n======================================================================\n [OK] INIT 2s\n [OK] MEMORY_LOAD 1s\n [OK] TARGET_INGEST 3s\n [OK] APP_UNDERSTANDING 120s (2 findings)\n [>>] RECON running...\n [ ] AGENT_DEPLOY\n [ ] DYNAMIC_TEST\n [ ] VULN_ASSESS\n [ ] LEARNING\n [ ] REPORT\n\n FINDINGS:\n F-001 [critical] SSRF: Webhook URL fetches AWS metadata\n F-002 [high] IDOR: Access other users' expense reports\n F-003 [high] XSS: Stored XSS in admin notification panel\n======================================================================\n```\n\n---\n\n## Directory Structure\n\n```\n# BugHunter AI Skill (installed to ~\u002F.claude\u002Fskills\u002F)\n~\u002F.claude\u002Fskills\u002FBugBountyFramework\u002F\n├── SKILL.md # Main skill definition (v2.0)\n├── Agents\u002F # 20 specialized vulnerability agents\n│ ├── AppReviewAgent.md\n│ ├── LLMSecurityAgent.md\n│ ├── XSSAgent.md\n│ ├── SQLiAgent.md\n│ ├── SSRFAgent.md\n│ ├── IDORAgent.md\n│ ├── AuthAgent.md\n│ ├── APIAgent.md\n│ ├── CORSAgent.md\n│ ├── FileUploadAgent.md\n│ ├── XXEAgent.md\n│ ├── RCEAgent.md\n│ ├── BusinessLogicAgent.md\n│ ├── MobileAgent.md\n│ ├── WindowsAgent.md\n│ ├── ReconAgent.md\n│ ├── ReverseEngineeringAgent.md\n│ ├── ExploitDevAgent.md\n│ ├── DesktopAppAgent.md\n│ └── LLMAgent.md\n├── Tools\u002F # TypeScript tools (Bun runtime)\n│ ├── hunt-orchestrator.ts\n│ ├── credential-vault.ts\n│ ├── auth-manager.ts\n│ ├── burp-bridge.ts\n│ ├── playwright-harness.ts\n│ └── appium-harness.ts\n├── Templates\u002F\n│ ├── BugReport.md\n│ └── TargetConfig.md\n└── Wordlists\u002F\n\n# PAI Infrastructure (the foundation)\n~\u002F.claude\u002F\n├── settings.json # Central config (identity, hooks, permissions, plugins)\n├── CLAUDE.md # Entry point\n├── .mcp.json # MCP server configuration\n├── skills\u002F # 51 skills\n│ ├── PAI\u002F # Core PAI system\n│ ├── BugBountyFramework\u002F # This project\n│ ├── WebAssessment\u002F # OWASP WSTG v5\n│ ├── SecurityHub\u002F # Security command center\n│ ├── OffensiveSecurityOrchestrator\u002F\n│ ├── APISecurityTesting\u002F\n│ ├── MobileSecurity\u002F\n│ ├── NetworkSecurity\u002F\n│ ├── CloudSecurity\u002F\n│ ├── ExploitDev\u002F\n│ ├── ReverseEngineering\u002F\n│ ├── MalwareAnalysis\u002F\n│ ├── PromptInjection\u002F\n│ ├── VulnResearch\u002F\n│ ├── SASTOrchestration\u002F\n│ ├── SCASecurity\u002F\n│ ├── ThreatModeling\u002F\n│ ├── Recon\u002F\n│ ├── RedTeam\u002F\n│ ├── OSINT\u002F\n│ ├── Research\u002F # Multi-engine research\n│ ├── Browser\u002F # Browser automation\n│ ├── Fabric\u002F # 240+ prompt patterns\n│ └── ...35 more\n├── agents\u002F # 13 expert agent definitions\n│ ├── Pentester.md\n│ ├── Engineer.md\n│ ├── Architect.md\n│ └── ...10 more\n├── hooks\u002F # 20 lifecycle hooks\n│ ├── SecurityValidator.hook.ts\n│ ├── AlgorithmTracker.hook.ts\n│ ├── LoadContext.hook.ts\n│ ├── handlers\u002F # 7 hook handlers\n│ └── lib\u002F # 12 shared libraries\n├── mcps\u002F # Custom MCP servers\n│ └── burp-mcp\u002F\n├── VoiceServer\u002F # ElevenLabs TTS integration\n└── MEMORY\u002F # Persistent memory system\n ├── BugBounty\u002F\n │ ├── Sessions\u002F\n │ ├── Findings\u002F\n │ ├── PatternDB\u002F\n │ ├── LearningLogs\u002F\n │ ├── TargetProfiles\u002F\n │ └── Vault\u002F\n ├── LEARNING\u002F\n ├── SECURITY\u002F\n ├── STATE\u002F\n ├── WORK\u002F\n └── VOICE\u002F\n```\n\n---\n\n## How It Differs from Other Tools\n\n| Feature | BugHunter AI | Nuclei\u002FBurp Scanner | Manual Testing |\n|---------|-------------|---------------------|----------------|\n| **Intelligence** | Understands the app first, then attacks | Signature matching | Human expertise |\n| **Context** | Remembers across sessions | Stateless | Notes\u002Fmemory |\n| **Hypothesis-driven** | Tests specific theories | Tests everything | Depends on researcher |\n| **AI\u002FLLM testing** | First-class OWASP LLM Top 10 | Not supported | Rare expertise |\n| **Parallel agents** | 5 specialized agents simultaneously | Single scanner | One person |\n| **State machine** | Checkpoints, resume, never loses progress | Run from scratch | Bookmarks\u002Fnotes |\n| **Credential security** | Encrypted vault + 1Password | Config files | Plaintext notes |\n| **Multi-domain** | Web + Mobile + API + Cloud + Network + Binary | Single domain | Limited scope |\n| **Algorithm** | 7-phase structured reasoning (PAI) | None | Informal methodology |\n| **Skills ecosystem** | 51 skills, 16 security-focused | Plugin-based | Tool-dependent |\n\n---\n\n## Responsible Use\n\nThis framework is designed for **authorized security testing only**:\n\n- Only test applications you have **written permission** to test\n- Bug bounty programs with **clearly defined scope**\n- Penetration tests with **signed engagement letters**\n- Your own applications in **staging\u002Fdevelopment environments**\n\n**BugHunter AI enforces scope:** The framework includes hard scope enforcement that blocks testing out-of-scope targets. Configure your scope before hunting.\n\nThe maintainers are not responsible for misuse. Always follow your program's rules of engagement.\n\n---\n\n## Contributing\n\nWe welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.\n\n**Ideas for contributions:**\n- New specialized agents (e.g., GraphQLAgent, WebSocketAgent)\n- Additional auth strategy templates\n- Better wordlists\n- Integration with more MCP servers\n- New security skills\n- Improved report templates\n- Bug fixes and documentation\n\n---\n\n## License\n\nMIT License. See [LICENSE](LICENSE) for details.\n\n---\n\n## Acknowledgements\n\n- **[Anthropic](https:\u002F\u002Fanthropic.com)** — Claude Code, the AI engine behind everything\n- **[Daniel Miessler \u002F PAI](https:\u002F\u002Fgithub.com\u002Fdanielmiessler\u002FPAI)** — Personal AI Infrastructure v3.0 — the foundation layer providing the Algorithm (v1.5.0), 51 skills, 13 expert agents, 20 lifecycle hooks, cross-session memory, and the structured reasoning framework that makes autonomous hunting possible\n- **[Claude Code Superpowers](https:\u002F\u002Fgithub.com\u002Fanthropics\u002Fclaude-code)** — Official Claude Code plugin enabling enhanced tool access, advanced agent orchestration with team mode, and extended MCP server integration that powers parallel agent deployment\n- **[claude-mem](https:\u002F\u002Fgithub.com\u002Fthedotmack\u002Fclaude-mem)** — Persistent cross-session memory plugin that enables BugHunter's learning system to remember techniques, patterns, and findings across hunts\n- **[PortSwigger](https:\u002F\u002Fportswigger.net)** — Burp Suite integration via custom MCP bridge\n- **[ProjectDiscovery](https:\u002F\u002Fprojectdiscovery.io)** — Nuclei, httpx, subfinder, naabu — the recon backbone\n- **[Playwright](https:\u002F\u002Fplaywright.dev)** — Browser automation for dynamic testing and app profiling\n- **[Bun](https:\u002F\u002Fbun.sh)** — TypeScript runtime powering all tools and hooks\n- **[ElevenLabs](https:\u002F\u002Felevenlabs.io)** — Voice synthesis for the PAI notification and voice system\n- **[ntfy](https:\u002F\u002Fntfy.sh)** — Push notifications for long-running hunts\n\n---\n\n\u003Cp align=\"center\">\n \u003Cstrong>Built with Claude Code + PAI by \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fh4ckologic\">h4ckologic\u003C\u002Fa>\u003C\u002Fstrong>\n\u003C\u002Fp>\n\n\u003Cp align=\"center\">\n \u003Cem>If BugHunter AI helps you find bugs, give it a star!\u003C\u002Fem>\n\u003C\u002Fp>\n","BugHunter AI 是一个基于 Claude Code 的自主漏洞赏金狩猎框架。它集成了20个专业漏洞检测代理、51种技能和一套完整的进攻性安全工具链,能够自动执行从侦察到报告生成的全过程。项目使用 TypeScript 编写,并结合了状态机编排技术来管理漏洞狩猎的各个阶段,同时通过加密凭证库确保敏感信息的安全存储。适用于需要快速识别Web应用潜在安全威胁的场景,如企业内部安全审计或公开漏洞赏金计划中的自动化测试。","2026-06-11 04:05:46","CREATED_QUERY"]