tags:
- claude-bughunter
- bug-hunting
- red-team
- security-skills
- web-security


Claude-BugHunter: A Comprehensive Skill Bundle for Bug Hunting and Red-Team Operations

Original URL: https://github.com/elementalsouls/Claude-BugHunter

Introduction

This article introduces Claude-BugHunter, an open‑source skill bundle that integrates with the Claude Code platform to turn a conversational AI into a senior‑level bug‑hunter or external red‑team operator. It provides 51 curated skills, 15 slash commands, and 681 disclosed‑report patterns covering 24 vulnerability classes, plus specialized attack matrices for enterprise identities and infrastructure. The bundle is designed for authorized engagements (bug‑bounty, pentesting, red‑team) and deliberately excludes internal AD attacks, post‑exploitation tooling, and C2 tradecraft.

Main Points

1. Core Architecture and Capability Map

  • 51 skills grouped into 7 capability domains: Recon, Hunt (Web Application), Platform Attack, Red Team Tradecraft, Workflow & Validation, Reporting & Hygiene, and CLI.
  • Skills auto‑load based on keyword description; users do not invoke them by name.
  • The 51 skills are organized into a 6‑phase hunting workflow (Scope → Recon → Hunt → Validate → Capture → Report) with a non‑linear, iterative structure.
  • A 7‑Question Gate runs at the Validate phase, ensuring each finding meets real‑world, in‑scope, and impact criteria before reporting.

2. Scope and Exclusions

  • In‑scope: External attack surfaces reachable from the internet, including web apps, APIs, SaaS, OAuth, JWT, file upload, IDOR, SSRF, RCE, and a broad set of enterprise platforms (M365/Entra ID, Okta, SharePoint, VMware vCenter, SSL VPNs, Android APKs, supply‑chain reconnaissance).
  • Out‑of‑scope: Internal Active Directory attacks, post‑exploitation persistence, C2 frameworks, evasion techniques, iOS/hardware testing, binary exploitation, and any activity that requires internal compromise before external testing.

3. Key Features and Deliverables

  • Pattern Libraries: 681 disclosed‑report patterns extracted from HackerOne and other public programs, organized by vulnerability class and attack vector.
  • Enterprise Attack Chains: Dedicated matrices for M365/Entra, Okta, cloud IAM, VMware vCenter, VPN appliances, SharePoint, ASP.NET, NTLM, and supply‑chain recon, covering current 2024‑2026 CVE trends.
  • Red‑Team Discipline: “DO NOT STOP” mindset and mid‑engagement incident‑response detection are baked in for red‑team mode, enabling continuous testing even when client SOC patches are applied.
  • Reporting Templates: Pre‑built templates for Bugcrowd, Intigriti, Immunefi, and a client‑facing DOCX format for red‑team deliverables, with mandatory evidence hygiene (cookie redaction, PII black‑bar, HAR sanitization).
  • CLI and Slash Commands: A secondary deterministic Python CLI (cbh) for scripted automation and bulk recon, and primary slash commands that integrate with Claude Code’s conversational interface.

4. Workflow Details

  • Scope Phase: Define target, scaffold folder, fill scope.md, and load bug‑bounty and methodology skills.
  • Recon Phase: Subdomain enumeration, endpoint mapping, OSINT, and identity fabric construction using 15 reference probes.
  • Hunt Phase: Auto‑load relevant hunt‑ skills based on observed patterns (e.g., hunt‑sqli, hunt‑ssrf, hunt‑mfa‑bypass). The 28 hunt‑ skills cover injection, authorization, server‑side, identity, API, and business logic flaws.
  • Validate Phase: Run the 7‑Question Gate; outcomes are PASS, DOWNGRADE, CHAIN REQUIRED, or KILL. Only PASS proceeds to reporting.
  • Capture Phase: Apply evidence hygiene (redact cookies, PII, sanitize HAR) before drafting the report.
  • Report Phase: Generate platform‑specific reports (Bugcrowd VRT, generic H1, or red‑team DOCX) using the report‑writing skill.

5. Installation and Usage

  • Prerequisites: Linux/macOS or WSL2, Claude Code subscription or API key, Python 3.9+, Git.
  • Installation: clone the repo and run ./scripts/install.sh, which copies skills to ~/.claude/skills and commands to ~/.claude/commands, and adds the hunt shell command to the user’s shell rc file.
  • After installation, users can start an engagement with hunt <target> or run the CLI with cbh recon <target>, cbh triage, etc.
  • Example first hunt: use a public vulnerable site like OWASP Juice Shop or a HackerOne VDP to practice the full workflow.

6. Limitations and Future Directions

  • The bundle deliberately excludes internal AD attacks, C2 frameworks, and post‑exploitation tooling, indicating a roadmap for future specialized bundles.
  • Ongoing maintenance includes refreshing CVE coverage via the CISA KEV list, updating disclosed‑report patterns, and expanding platform‑specific attack matrices (e.g., Citrix, F5, AD Certificate Services).
  • Community contributions are encouraged through the CONTRIBUTING.md file, which outlines skill quality standards and PR guidelines.

Conclusion

Claude‑BugHunter provides a structured, reusable framework that transforms a conversational AI into a disciplined bug‑hunter or external red‑team operator. By codifying 51 skills, 681 disclosed patterns, and a six‑phase workflow with a mandatory 7‑Question Gate, it reduces wasted effort, improves finding validity, and standardizes reporting across diverse engagement types. Its modular design, automatic skill loading, and support for both conversational and deterministic CLI interfaces make it a versatile tool for security researchers, bug‑bounty hunters, and authorized red‑team operators seeking a comprehensive, platform‑agnostic hunting toolkit.