bounty-hunter

Automated smart contract bug bounty hunting. Scans Immunefi/Code4rena targets with Slither static analysis, triages findings with local LLMs, and generates PoC templates. Zero API cost for scanning phase.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Install skill "bounty-hunter" with this command: npx skills add chipp11/angus-bounty-hunter

Bounty Hunter

Automated smart contract vulnerability scanner for bug bounty programs. Uses free tools (Slither + local LLMs) for the heavy lifting, saves expensive models for PoC writing.

Requirements

  • slither-analyzer (pip): Static analysis
  • solc-select (pip): Solidity compiler management
  • Node.js: For script execution
  • Optional: Ollama with any code model for local triage

Quick Start

# Scan a repo
bash scripts/scan.sh <github-repo-url> [src-dir]

# Triage findings (uses local LLM if available, otherwise prints raw)
bash scripts/triage.sh <scan-output.json>

# Generate PoC template for a finding
bash scripts/poc-template.sh <finding-id> <contract-address>

Workflow

  1. Target Selection — Check Immunefi/Code4rena for active programs
  2. Clone & Scan — scan.sh clones the repo, installs solc, runs Slither
  3. Triage — triage.sh filters HIGH/MEDIUM findings, removes known false positives
  4. Deep Dive — Only read code that Slither flagged (save your tokens)
  5. PoC — Use poc-template.sh to generate Foundry test scaffolding
  6. Submit — Write up finding on Immunefi/Code4rena
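The scan and triage steps above boil down to running Slither with JSON output and then filtering that report. The following is an added example of that triage logic written for this listing; it is not the skill's own triage.sh. It assumes the JSON layout Slither emits with --json (a top-level success/error pair and results.detectors, each finding carrying check, impact, confidence, id and elements[].source_mapping). The KNOWN_FALSE_POSITIVES set and the embedded SAMPLE_REPORT are constructed for the example, not taken from any real scan.

```python
"""Triage a Slither JSON report: keep HIGH/MEDIUM findings, drop known-noise
detectors, de-duplicate, and print one line per finding with its location.
Added example for this listing; it is not the skill's own triage.sh."""
from __future__ import annotations

import json
import sys

# Detector names treated as noise in this example (an assumption; tune per target).
KNOWN_FALSE_POSITIVES = {"naming-convention", "solc-version", "pragma", "assembly"}

IMPACT_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3, "Optimization": 4}
CONFIDENCE_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def load_findings(report_json: str) -> list:
    """Parse `slither . --json -` output and return its detector results.
    Raises ValueError when Slither reported failure (e.g. a compile error),
    so a broken run is never mistaken for a clean one with no findings."""
    data = json.loads(report_json)
    if not data.get("success", False):
        raise ValueError(f"slither run failed: {data.get('error')}")
    return data.get("results", {}).get("detectors", [])


def triage(findings: list, min_impact: str = "Medium",
           ignore: set = KNOWN_FALSE_POSITIVES) -> list:
    """Keep findings at or above min_impact, drop ignored detectors,
    de-duplicate by Slither's finding id, sort worst first."""
    threshold = IMPACT_ORDER[min_impact]
    kept, seen = [], set()
    for f in findings:
        if IMPACT_ORDER.get(f.get("impact"), 99) > threshold:
            continue
        if f.get("check") in ignore:
            continue
        key = f.get("id") or (f.get("check"), f.get("description"))
        if key in seen:
            continue
        seen.add(key)
        kept.append(f)
    kept.sort(key=lambda f: (IMPACT_ORDER[f["impact"]],
                             CONFIDENCE_ORDER.get(f.get("confidence"), 99)))
    return kept


def location(finding: dict) -> str:
    """First file:line from the finding's source mappings, for the deep-dive step."""
    for el in finding.get("elements", []):
        sm = el.get("source_mapping", {})
        if sm.get("filename_relative"):
            lines = sm.get("lines") or []
            return f"{sm['filename_relative']}:{lines[0]}" if lines else sm["filename_relative"]
    return "<no source mapping>"


def summarize(finding: dict) -> str:
    return (f"[{finding['impact']}/{finding.get('confidence', '?')}] "
            f"{finding['check']} at {location(finding)}")


def _finding(check, impact, confidence, fid, path=None, line=None):
    # Helper to build constructed sample findings in Slither's shape.
    elements = [{"source_mapping": {"filename_relative": path, "lines": [line]}}] if path else []
    return {"check": check, "impact": impact, "confidence": confidence, "id": fid,
            "description": f"{check} in {path}", "elements": elements}


# Constructed sample report (not output of a real Slither run).
SAMPLE_REPORT = json.dumps({"success": True, "error": None, "results": {"detectors": [
    _finding("reentrancy-eth", "High", "Medium", "f1", "src/Vault.sol", 42),
    _finding("naming-convention", "Informational", "High", "f2", "src/Vault.sol", 7),
    _finding("arbitrary-send-eth", "High", "Medium", "f3", "src/Payout.sol", 88),
    _finding("timestamp", "Low", "Medium", "f4", "src/Vault.sol", 60),
    _finding("arbitrary-send-eth", "High", "Medium", "f3", "src/Payout.sol", 88),  # duplicate
    _finding("unchecked-transfer", "Medium", "Medium", "f5", "src/Payout.sol", 120),
]}})


def main(argv: list) -> None:
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    for f in triage(load_findings(report)):
        print(summarize(f))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python triage.py scan-output.json` against a report produced by `slither . --json scan-output.json`; with no argument it triages the embedded sample. Checking the success flag before reading results matters in practice: a solc version mismatch makes Slither emit success=false with an empty result set, which a naive filter would report as "no findings".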

Target Selection Criteria

Before scanning, check:

  • Scope last updated within 30 days (fresh code = more bugs)
  • Past payouts > $50K (they actually pay)
  • GitHub repo in scope (not just deployed addresses)
  • Solidity-based (Slither only works with Solidity)

Anti-Patterns

  • Don't read entire codebases manually — let Slither scan first
  • Don't spend > 1 hour on a target without a concrete lead
  • Don't submit known issues (check past reports first)
  • Don't ignore test coverage — untested code is where bugs hide

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
