Standard bug bounty workflow for Android applications. Use when the target is an APK, rooted-device session, Android backend client, hybrid mobile app, or Firebase-backed mobile target that needs static and dynamic testing.
How this skill is triggered — by the user, by Claude, or both
Slash command
/bounty-hunting-programs:bounty-program-mobile-androidThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
This workflow is intentionally Android-specific because the Codex-ready mobile tooling in this repo centers on APKs and rooted-device testing.
This workflow is intentionally Android-specific because the Codex-ready mobile tooling in this repo centers on APKs and rooted-device testing.
Load these references on demand:
../../references/bounty-standard.md../../references/codex-ready-building-blocks.md../../references/android-framework-matrix.md../../references/report-checklist.md18088 and any testing account guidanceandroid-framework-matrix.md.firebase-apk-scanner for Firebase keys, project IDs, storage, and leaked mobile configworkers-app-tester to verify the preconfigured proxy/cert path, auto-seed hosts from the APK or merge them from traffic, patch config.yaml, then run rooted-device traffic interception on port 18088, UI driving, and Frida-based checksburpsuite-project-parser when prior traffic evidence existssupply-chain-risk-auditor for mobile dependency risk if source code is also in scopebounty-program-web.scope/target.json, scope/in-scope.md, scope/rules.md, and prep/severity-conditions.md before assigning severity.medium+ finding exists or an exact blocker is recorded.npx claudepluginhub daothinh/spec-cdex --plugin bounty-hunting-programsCreates structured, bite-sized implementation plans from specs or requirements before writing code. Useful for breaking down multi-step tasks into testable steps with file structure and task boundaries.