A self-contained Claude skill bundle for bug hunting and external red-team work · 71 skills · 15 slash commands · 681 disclosed-report patterns across 24 core vulnerability classes · enterprise identity + infrastructure attack matrices · engagement-folder scaffolding · Burp MCP integration · battle-tested across authorized red-team and bug-hunting engagements, plus public training platforms (DVWA, OWASP Juice Shop, Hacker101, testphp.vulnweb.com).
Built by Sachin Sharma — Bug Hunting & GenAI Security Research.
SPONSORED BY
<img alt="Atlas Cloud" src="https://github.com/elementalsouls/Claude-BugHunter/raw/v2.1/assets/sponsors/atlas-cloud-light.svg" height="36">
claude-bughunter is a drop-in skill bundle for the Claude Code skills system. Install once and Claude Code stops being a chatbot and starts behaving like a senior bug-hunting researcher or red-team operator: it knows the techniques, the chain templates, the VRT mappings, the platform CVE chains, and the hygiene — and it stays in scope.
Four layers stack:
bug-bounty + bb-methodology + redteam-mindset — how to think. 5-phase non-linear hunting workflow, critical-thinking framework, developer-psychology heuristics, anomaly detection patterns, and the red-team operator-discipline corrections (when scope is "external red team" not "bug hunting / WAPT").hunt-* skills + security-arsenal — what to look for in webapps. Per-class detection patterns, payloads, bypass tables, and chain templates — the original 24 per-class skills curated from 681 disclosed HackerOne reports, plus 20+ framework/surface skills (Next.js, Spring Boot, Laravel, Kubernetes, CI/CD, gRPC, WebSocket, deserialization, …) from the community v3 expansion.m365-entra-attack, okta-attack, cloud-iam-deep, vmware-vcenter-attack, enterprise-vpn-attack, hunt-sharepoint, hunt-aspnet, hunt-ntlm-info, apk-redteam-pipeline, supply-chain-attack-recon — current 2024-2026 CVE chains, AADSTS error references, version-fingerprint matrices, and post-credential escalation paths.triage-validation + bugcrowd-reporting + evidence-hygiene + redteam-report-template + mid-engagement-ir-detection — how to ship it. 7-Question Gate, VRT category fallback, severity-request paragraphs, OOS rebuttals, cookie/PII redaction, client-facing red-team deliverable format, and SOC-patch / mid-engagement-attacker detection methodology.All triggered automatically by topic — describe what you're testing in plain English and the relevant skill loads. No invocation by name.
71 skills · 15 commands · 681 disclosed reports curated · 6-phase workflow · exercised against public training platforms (DVWA, OWASP Juice Shop, Hacker101, testphp.vulnweb.com) and calibrated through authorized real-world engagements.
git clone https://github.com/elementalsouls/Claude-BugHunter.git
cd Claude-BugHunter
bash scripts/install.sh # copies skills + commands into ~/.claude/
That's it. Open Claude Code and describe what you're testing in plain English — the right skill loads automatically, no invocation by name:
> Testing acme.com — an in-scope HackerOne target. Run recon and rank the surface.
⟳ loading skills: web2-recon, offensive-osint, bb-methodology …
→ subdomain enum (subfinder + crt.sh) … 47 hosts
→ live hosts (httpx) … 12 · tech fingerprint … 6 distinct stacks
→ ranked surface: api.acme.com (GraphQL, introspection ON) ← start here
auth.acme.com (OAuth, SSO) ← hunt-oauth
Next: want me to probe the GraphQL introspection + OAuth redirect_uri?
→ Full Installation guide · Usage guide · searchable skill catalog.
The block above is an illustrative transcript. To record a real demo of your own session:
asciinema rec demo.cast→ upload to asciinema.org and drop the badge here.
This bundle covers the external attack surface — anything reachable from the internet without first compromising an internal endpoint.
If you're running an internal red team that includes domain-takeover chains via Kerberos or lateral movement, this bundle won't help you in those phases — and we'd rather say that up front than have you find out mid-engagement. The external surface handoff to internal-RT tooling (Impacket, NetExec, CrackMapExec, Rubeus, Certify, BloodHound) is intentionally outside our scope. Coverage for internal AD and post-exploit may come in a future update.
The 71 skills group into 7 capability domains. Each box below is a real skill on disk. Skills auto-load when their description keywords match what you're describing to Claude.
graph TB
classDef recon fill:#FFE4D1,stroke:#DA7756,stroke-width:2px,color:#080705
classDef hunt fill:#FFB591,stroke:#DA7756,stroke-width:2px,color:#080705
classDef platform fill:#FF8B14,stroke:#DA7756,stroke-width:2px,color:#fff
classDef redteam fill:#DA7756,stroke:#23201C,stroke-width:2px,color:#fff
classDef workflow fill:#FFE4D1,stroke:#DA7756,stroke-width:2px,color:#080705
classDef report fill:#FFB591,stroke:#DA7756,stroke-width:2px,color:#080705
classDef cli fill:#23201C,stroke:#DA7756,stroke-width:2px,color:#FFE4D1
subgraph SCOPE [" "]
direction LR
S1["Engagement scaffold
hunt <target>
bug-bounty · bb-methodology"]:::workflow
end
subgraph RECON ["Recon & Intelligence (3)"]
direction TB
R1["offensive-osint
15-ref probe arsenal"]:::recon
R2["web2-recon
subdomain + endpoint enum"]:::recon
R3["osint-methodology
5-stage pipeline"]:::recon
end
subgraph HUNT ["Hunt — Web App (48 hunt-* skills)"]
direction TB
H1["Injection
hunt-sqli · hunt-xss · hunt-ssti · hunt-rce"]:::hunt
H2["Authorization
hunt-idor · hunt-auth-bypass · hunt-csrf"]:::hunt
H3["Server-Side
hunt-ssrf · hunt-xxe · hunt-http-smuggling · hunt-cache-poison"]:::hunt
H4["Identity
hunt-jwt · hunt-saml · hunt-oauth · hunt-mfa-bypass · hunt-ato"]:::hunt
H5["API & Modern
hunt-graphql · hunt-api-misconfig · hunt-file-upload"]:::hunt
H6["Business & Race
hunt-business-logic · hunt-race-conditions · hunt-llm-ai · hunt-pii-leak"]:::hunt
end
subgraph PLATFORM ["Enterprise Platform Attack (7)"]
direction TB
P1["Identity Fabric
m365-entra-attack · okta-attack"]:::platform
P2["Cloud & Virt
cloud-iam-deep · vmware-vcenter-attack"]:::platform
P3["Perimeter Appliances
enterprise-vpn-attack"]:::platform
P4["SharePoint Ecosystem
hunt-sharepoint · hunt-aspnet · hunt-ntlm-info"]:::platform
P5["Mobile & Supply Chain
apk-redteam-pipeline · supply-chain-attack-recon"]:::platform
end
subgraph REDTEAM ["Red Team Tradecraft (2)"]
direction TB
RT1["redteam-mindset
DO NOT STOP directive
operator discipline"]:::redteam
RT2["mid-engagement-ir-detection
SOC-patch & attacker-activity
baseline-shift detection"]:::redteam
end
subgraph WORKFLOW ["Validation & Discipline"]
direction TB
V1["triage-validation
7-Question Gate
PASS / DOWNGRADE / KILL / CHAIN"]:::workflow
end
subgraph REPORT ["Capture & Report (3)"]
direction TB
E1["evidence-hygiene
cookie redaction · PII black-bar"]:::report
E2["report-writing
H1 · Intigriti · Immunefi templates"]:::report
E3["bugcrowd-reporting · redteam-report-template
VRT mapping · DOCX deliverable"]:::report
end
subgraph CLI ["Slash Commands & CLI (15 + 1)"]
direction LR
C1["Slash: /recon /hunt /triage /report /validate /chain /autopilot /scope /surface /pickup /intel /remember /memory-gc /token-scan /web3-audit"]:::cli
C2["cbh CLI: recon · classify · triage · report"]:::cli
end
SCOPE --> RECON
RECON --> HUNT
RECON --> PLATFORM
HUNT --> WORKFLOW
PLATFORM --> WORKFLOW
REDTEAM -.applies throughout.-> HUNT
REDTEAM -.applies throughout.-> PLATFORM
WORKFLOW --> REPORT
CLI -.routes into.-> RECON
CLI -.routes into.-> HUNT
CLI -.routes into.-> WORKFLOW
CLI -.routes into.-> REPORT
Every engagement follows the same 6-phase loop. Skills auto-load at each phase. The Validate gate has 4 possible outcomes — only PASS or DOWNGRADE continue forward to a report; KILL and CHAIN REQUIRED return you to Hunt with a verdict that prevents wasted reporting effort.
flowchart TD
classDef phase fill:#FFB591,stroke:#DA7756,stroke-width:3px,color:#080705
classDef gate fill:#FF8B14,stroke:#23201C,stroke-width:2px,color:#fff
classDef decision fill:#FFE4D1,stroke:#DA7756,stroke-width:2px,color:#080705
classDef terminal fill:#23201C,stroke:#DA7756,stroke-width:2px,color:#FFE4D1
classDef discipline fill:#DA7756,stroke:#23201C,stroke-width:2px,color:#fff
Start(["🎯 Engagement starts"]):::terminal --> Mode
Mode{"Engagement mode?
<i>bb-methodology Part 0</i>"}:::decision
Mode -->|"Bug Bounty"| Scope
Mode -->|"Red Team"| RTSetup
Mode -->|"Pentest"| Scope
RTSetup["Load red-team layer
<b>redteam-mindset</b>
DO NOT STOP directive
<b>mid-engagement-ir-detection</b>"]:::discipline
RTSetup --> Scope
Scope["<b>1. SCOPE</b>
hunt <target> → scaffold folder
Parse program rules
Fill scope.md
<i>skills: bug-bounty, bb-methodology</i>"]:::phase
Scope --> Recon
Recon["<b>2. RECON</b>
Subdomain enum · endpoint mapping
JS bundle harvest · identity fabric
<i>skills: offensive-osint, web2-recon</i>
commands: /recon · cbh recon <target>"]:::phase
Recon --> Hunt
Hunt["<b>3. HUNT</b>
Test bug-class hypotheses
Apply payloads from Pattern Libraries
<i>48 hunt-* skills auto-load by keyword</i>
commands: /hunt · /chain"]:::phase
Hunt --> Found{"Lead
found?"}:::decision
Found -->|"no"| Hunt
Found -->|"yes"| Validate
Validate["<b>4. VALIDATE</b>
Run the 7-Question Gate
Q1: real HTTP request?
Q2: accepted-impact list?
Q3: in scope?
Q4: no admin-only assumption?
Q5: not already known?
Q6: concrete impact, not 'technically possible'?
Q7: not on never-submit list?
<i>skill: triage-validation</i>
command: /triage"]:::phase
Validate --> Verdict{"Gate verdict"}:::gate
Verdict -->|"PASS
(all 7 ✓)"| Capture
Verdict -->|"DOWNGRADE
(Q2 or Q5 fail)"| Capture
Verdict -->|"CHAIN REQUIRED
(needs another primitive)"| Hunt
Verdict -->|"KILL
(any other failure)"| Hunt
Capture["<b>5. CAPTURE</b>
Cookie redaction · PII black-bar
HAR sanitization · screenshot order
<i>skill: evidence-hygiene</i>"]:::phase
Capture --> Report
Report["<b>6. REPORT</b>
Draft per platform template
H1 / Bugcrowd VRT / Intigriti / Immunefi
or client-facing DOCX (red-team)
<i>skills: report-writing, bugcrowd-reporting,
redteam-report-template</i>
command: /report"]:::phase
Report --> Submit(["📨 Submit"]):::terminal
Submit --> Track["Append UUID to submissions.txt
Cross-reference future chains
command: /remember"]
Track --> Hunt
Key properties of this flow:
/triage $ claude mcp add Claude-BugHunter \
-- python -m otcore.mcp_server <graph>