security-bounty-hunter

帮助用户在代码仓库中识别可远程利用、具备漏洞赏金价值的安全问题。

星标

★ 209,790

来源

GitHub

更新于

2026-06-07

// 安全评估低风险

仅提示词，不执行代码
开源可审计
社区验证· 209.8k

正在进行安全审计…

凭证密钥
网络外发
代码执行
数据访问
来源供应链

// 安装

复制安装指令，让 AI 自动完成配置 · 推荐新手

请帮我安装 askskill 上的 "security-bounty-hunter" 技能：
1. 下载 https://raw.githubusercontent.com/affaan-m/ECC/main/skills/security-bounty-hunter/SKILL.md
2. 保存为 ~/.claude/skills/security-bounty-hunter/SKILL.md
3. 装好后重载技能，告诉我可以用了

// 下载

下载 SKILL.md机读安装清单 ↗

// 用法示例

审查 Web 服务仓库漏洞

输入

请审查这个 Web 服务仓库，重点寻找可被远程利用且符合漏洞赏金报告标准的问题，如认证绕过、RCE、注入、权限提升或敏感数据泄露。忽略仅限本地环境或低价值的噪声问题，并按漏洞成因、利用路径、影响范围和复现步骤整理结果。

预期产出

一份按严重级别排序的高价值漏洞清单，包含可复现说明与报告要点。

筛选 API 项目的赏金目标

输入

分析这个 API 项目中最值得优先测试的攻击面，找出最可能形成有效赏金报告的远程漏洞入口。请说明哪些接口、鉴权逻辑、文件处理或第三方集成最有风险，并给出优先排查顺序。

预期产出

一份聚焦高风险远程攻击面的测试优先级建议与排查方向。

生成漏洞赏金报告草稿

输入

基于已发现的问题，生成一份适合提交给漏洞赏金平台的报告草稿。请包含标题、影响概述、受影响组件、前置条件、复现步骤、实际影响、修复建议，并突出其远程可利用性与业务风险。

预期产出

一份结构完整、可直接修改后提交的漏洞赏金报告草稿。

// 文档

Security Bounty Hunter

Use this when the goal is practical vulnerability discovery for responsible disclosure or bounty submission, not a broad best-practices review.

When to Use

Scanning a repository for exploitable vulnerabilities
Preparing a Huntr, HackerOne, or similar bounty submission
Triage where the question is "does this actually pay?" rather than "is this theoretically unsafe?"

How It Works

Bias toward remotely reachable, user-controlled attack paths and throw away patterns that platforms routinely reject as informative or out of scope.

In-Scope Patterns

These are the kinds of issues that consistently matter:

Pattern	CWE	Typical impact
SSRF through user-controlled URLs	CWE-918	internal network access, cloud metadata theft
Auth bypass in middleware or API guards	CWE-287	unauthorized account or data access
Remote deserialization or upload-to-RCE paths	CWE-502	code execution
SQL injection in reachable endpoints	CWE-89	data exfiltration, auth bypass, data destruction
Command injection in request handlers	CWE-78	code execution
Path traversal in file-serving paths	CWE-22	arbitrary file read or write
Auto-triggered XSS	CWE-79	session theft, admin compromise

Skip These

These are usually low-signal or out of bounty scope unless the program says otherwise:

Local-only pickle.loads, torch.load, or equivalent with no remote path
eval() or exec() in CLI-only tooling
shell=True on fully hardcoded commands
Missing security headers by themselves
Generic rate-limiting complaints without exploit impact
Self-XSS requiring the victim to paste code manually
CI/CD injection that is not part of the target program scope
Demo, example, or test-only code

Workflow

Check scope first: program rules, SECURITY.md, disclosure channel, and exclusions.
Find real entrypoints: HTTP handlers, uploads, background jobs, webhooks, parsers, and integration endpoints.
Run static tooling where it helps, but treat it as triage input only.
Read the real code path end to end.
Prove user control reaches a meaningful sink.
Confirm exploitability and impact with the smallest safe PoC possible.
Check for duplicates before drafting a report.

Example Triage Loop

semgrep --config=auto --severity=ERROR --severity=WARNING --json

Then manually filter:

drop tests, demos, fixtures, vendored code
drop local-only or non-reachable paths
keep only findings with a clear network or user-controlled route

Report Structure

## Description
[What the vulnerability is and why it matters]

## Vulnerable Code
[File path, line range, and a small snippet]

## Proof of Concept
[Minimal working request or script]

## Impact
[What the attacker can achieve]

## Affected Version
[Version, commit, or deployment target tested]