Event-driven priority-queue hunt loop for autonomous bug bounty hunting. Iterative, adaptive, signal-driven. From zero to validated H1 reports with continuous intelligence feedback, gadget chaining, and coverage tracking. The hunter doesn't sleep.
From greyhatccnpx claudepluginhub overtimepog/greyhatcc --plugin greyhatccThis skill uses the workspace's default tool permissions.
_archive/amplification.md_archive/chaining.md_archive/evasion.md_archive/exploit.md_archive/intel.md_archive/recon.md_archive/report.md_archive/test.md_archive/validate.mdschemas/README.mdDesigns and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.
Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
[HUNT ACTIVATED - AUTONOMOUS OFFENSIVE SECURITY OPERATOR]
Takes a program name or HackerOne URL. Delivers validated, chain-analyzed, HackerOne-ready vulnerability reports.
{{ARGUMENTS}}
{{ARGUMENTS}} is parsed automatically:
security) -> used directly with H1 APIhttps://hackerone.com/security) -> extract handleexample.com) -> used as primary target, attempt H1 lookup--resume flag -> load existing hunt-state/ and continue--dry-run flag -> seed queue and display plan without executing--focus <type> -> prioritize specific vuln class (ssrf, idor, xss, etc.)--budget <n> -> maximum token budget--time <n> -> maximum time in minutesThis skill is a thin entry point. It does NOT carry attack methodology, MCP tool catalogs, or worker playbooks. Those live in:
policy/ — centralized rules (worker contracts, severity, evidence, chaining, validation, etc.)stages/ — stage controllers that define what happens in each pipeline phaseagents/ — narrow, single-mission workers that know their own toolsThis skill Dispatcher agent Narrow workers
(entry point) -> (state + routing) -> (single mission each)
| | |
| v v
| hunt-state/ files policy/ files
| (JSON state) (shared rules)
| |
v v
stages/ decision-log.md
(phase defs) (audit trail)
Extract program handle from {{ARGUMENTS}}. Detect flags (--resume, --dry-run, --focus, --budget, --time).
If --resume or hunt-state/hunt.json exists with status "running":
hunt-state/current-stage.md for where we left offhunt-state/next-actions.md for what to do nexthunt-state/decision-log.md for recent decisions (last 20 lines)stages/hunt-plan.md for initialization instructionsh1_program_detail -> program overviewh1_structured_scopes -> in-scope and out-of-scope assetsh1_bounty_table -> payout rangesh1_program_policy -> rules and exclusionshunt-state/current-stage.md with content: hunt-planhunt-state/next-actions.mdThis is the core loop. Dispatch to the dispatcher agent which handles all state management and worker coordination:
Task(
subagent_type="greyhatcc:dispatcher",
model="opus",
prompt="Hunt: " + program_handle + "\n" +
"Stage: " + current_stage + "\n" +
"Flags: " + flags_summary + "\n" +
"Resume: read hunt-state/ for full context.\n" +
"Stage controller: read stages/" + current_stage + ".md\n" +
"Execute the current stage. Dispatch narrow workers for each work item.\n" +
"Save state after every item. Write decision-log entries.\n" +
"When stage is complete, update current-stage.md and return."
)
After the dispatcher returns from a stage:
hunt-state/current-stage.md for the next stageStage flow:
hunt-plan -> hunt-recon -> hunt-test -> hunt-validate -> hunt-confirm -> hunt-report
^ | |
+-- hunt-fix --+ |
^ |
+---------------------+
All state lives in hunt-state/ directory. The dispatcher owns these files.
| File | Purpose |
|---|---|
hunt.json | Top-level HuntState (program, status, stats) |
queue.json | Priority queue of WorkItems |
findings.json | All findings with validation status |
surfaces.json | Discovered attack surface |
gadgets.json | Exploitation primitives with provides/requires |
signals.json | Weak signals for investigation |
coverage.json | Endpoint x vuln-class coverage matrix |
current-stage.md | Human-readable current stage + context |
next-actions.md | Queue head and upcoming work |
decision-log.md | Running audit log of dispatch decisions |
intel-log.json | Intel module run history |
reports/ | Generated H1-ready reports |
evidence/ | Screenshots, HTTP logs, extracted data |
This skill is designed to survive context compaction:
Stop when ANY:
Workers and the dispatcher read these as needed. They are NOT injected into this skill's context:
policy/worker-contract.md — output format all workers must followpolicy/severity.md — severity definitions and chain upliftpolicy/evidence-schema.md — evidence file formatpolicy/queue-schema.md — work item schema and priority referencepolicy/mcp-tools.md — complete MCP tool catalog (71 tools)policy/compaction.md — compaction protocolpolicy/recovery.md — post-compaction recovery stepspolicy/amplification-rules.md — signal -> investigation mappingpolicy/chaining-rules.md — gadget graph methodologypolicy/reporting-standards.md — H1 report formatpolicy/validation-rules.md — 5-gate validation pipeline