Claude Code Skills + for HackerOne & Bugcrowd hunters. Recon → Hunt → Validate → Report. End-to-end.
Claude CyberSecurity Skills transforms Claude Code into a bug bounty hunting partner that knows the workflow, the tools, the payloads, and the platforms.
Most security repos give you a tool list or a methodology PDF. This gives you 30 production-grade Skills that Claude auto-loads when you describe a task — each one wired to real tools (subfinder, nuclei, sqlmap, ffuf, dalfox, etc.), with custom payloads, validation gates, and HackerOne/Bugcrowd-specific report templates.
Tell Claude: "hunt this new H1 program at target.com"

Claude: chains program-selection → scope-analysis → subdomain-enum → asset-discovery → fingerprinting → suggested vuln vectors → ready-to-fire commands.
📖 For the full deep-dive: see PROJECT_REPORT.md — comprehensive 22-section report covering architecture, all 30 skills, playbooks, arsenal, ROI analysis, and roadmap.
```
┌─────────────────┐
│  1. PRE-HUNT    │  pick program • parse scope • mind-map
└────────┬────────┘
         │
┌────────▼────────┐
│  2. RECON       │  subdomains • assets • JS • params
└────────┬────────┘  (continuous monitoring optional)
         │
┌────────▼────────┐
│  3. HUNT        │  15 vuln classes • chained playbooks
└────────┬────────┘
         │
┌────────▼────────┐
│  4. VALIDATE    │  7-Question Gate • 4 pre-submit gates
└────────┬────────┘
         │
┌────────▼────────┐
│  5. REPORT      │  H1 / Bugcrowd / Intigriti templates
└─────────────────┘
```

| # | Skill | Trigger phrases |
|---|---|---|
| 01 | program-selection | "should I hunt this program", "pick H1 target" |
| 02 | scope-analysis | "parse this scope", "what's in scope" |
| 03 | threat-modeling-mindmap | "threat model this app", "mind map target" |

| # | Skill | Trigger phrases |
|---|---|---|
| 04 | subdomain-enum | "enumerate subdomains", "subfinder run" |
| 05 | asset-discovery | "find live hosts", "probe with httpx" |
| 06 | fingerprinting | "tech stack", "what's running" |
| 07 | js-analysis | "analyze JS", "find endpoints in JS" |
| 08 | content-discovery | "fuzz directories", "find parameters" |
| 09 | continuous-monitoring | "monitor target", "alert on new subdomain" |

| # | Skill | Trigger phrases |
|---|---|---|
| 10 | idor-hunting | "test IDOR", "find IDOR" |
| 11 | auth-bypass | "bypass auth", "forced browsing" |
| 12 | ato-chains | "account takeover", "ATO chain" |
| 13 | xss | "test XSS", "CSP bypass" |
| 14 | sqli | "SQL injection", "sqlmap" |
| 15 | ssrf | "test SSRF", "cloud metadata" |
| 16 | ssti | "template injection", "Jinja2 SSTI" |
| 17 | file-upload | "upload bypass", "file upload" |
| 18 | graphql | "test GraphQL", "introspection" |
| 19 | jwt-attacks | "JWT bypass", "alg=none" |
| 20 | oauth-oidc | "OAuth flaw", "redirect_uri" |
| 21 | business-logic | "race condition", "logic flaw" |
| 22 | subdomain-takeover | "subdomain takeover", "dangling DNS" |
| 23 | cache-poisoning | "cache poisoning", "web cache" |
| 24 | http-smuggling | "request smuggling", "CL.TE" |

| # | Skill | Trigger phrases |
|---|---|---|
| 25 | llm-ai-security | "prompt injection", "test LLM", "AI app" |
| 26 | mobile-recon-android | "decompile APK", "mobile app" |
| 27 | cloud-misconfig | "S3 bucket", "exposed cloud" |

| # | Skill | Trigger phrases |
|---|---|---|
| 28 | triage-validation | "validate finding", "is this reportable" |
| 29 | hackerone-reporting | "write H1 report", "HackerOne template" |
| 30 | bugcrowd-reporting | "Bugcrowd report", "VRT mapping" |

```bash
git clone https://github.com/0xGhostCAT/claude-cybersecurity-skills.git
cd claude-cybersecurity-skills
chmod +x INSTALL.sh
./INSTALL.sh
```

```powershell
git clone https://github.com/0xGhostCAT/claude-cybersecurity-skills.git
cd claude-cybersecurity-skills
.\INSTALL.ps1
```

```bash
docker build -t claude-cybersecurity-skills -f docker/claude-cybersecurity-skills.Dockerfile .
docker run -it -v $(pwd)/loot:/loot claude-cybersecurity-skills
```

```bash
# Global (all projects)
mkdir -p ~/.claude/skills
cp -r skills/* ~/.claude/skills/
# Project-specific
mkdir -p ./.claude/skills
cp -r skills/* ./.claude/skills/
```

```bash
# 1. Pick a target from H1
claude "I got invited to a private H1 program for *.example.com. Help me decide if it's worth hunting."
# 2. Recon
claude "run full recon on example.com using the subdomain-enum and asset-discovery skills"
# 3. Hunt
claude "the JS file at app.example.com/static/main.js exposes /api/v3/user/{id}/orders. Hunt IDOR."
# 4. Validate before reporting
claude "run the 7-Question Gate on my IDOR finding"
# 5. Report
claude "write a HackerOne report for this IDOR. CVSS Critical scope. Frame impact around PII access."
```

```
claude-cybersecurity-skills/
├── README.md                     ← you are here
├── INSTALL.sh / INSTALL.ps1      ← install all tools
├── docker/                       ← all-in-one Docker image
├── skills/                       ← 30 SKILL.md files
├── playbooks/                    ← multi-skill workflows
│   ├── new-target-day1.md
│   ├── continuous-recon-pipeline.md
│   ├── ato-chain-hunt.md
│   ├── ssrf-to-rce-aws.md
│   └── llm-app-fullhunt.md
├── arsenal/                      ← shared payloads & resources
│   ├── wordlists/
│   ├── nuclei-templates/         ← custom (not in nuclei-templates repo)
│   ├── sqlmap-tampers/           ← custom WAF bypass tampers
│   ├── xss-payloads/
│   ├── ssrf-payloads/
│   ├── ssti-payloads/
│   ├── file-upload-polyglots/
│   ├── prompt-injection-payloads/
│   └── semgrep-rules/
├── templates/                    ← report templates per platform
│   ├── hackerone-template.md
│   ├── bugcrowd-template.md
│   ├── intigriti-template.md
│   └── cvss-calculator.md
└── docs/
    ├── 7-question-gate.md
    ├── always-rejected-list.md
    ├── conditional-chain-table.md
    └── tool-cheatsheets/
```

Full tool list (60+ tools):

- Subdomain enumeration: subfinder, amass, assetfinder, chaos, findomain, sublist3r
- Probing & discovery: httpx, dnsx, naabu, masscan, nmap
- Crawling: katana, waybackurls, gau, hakrawler, gospider
- Fuzzing: ffuf, feroxbuster, dirsearch, gobuster
- Parameter discovery: arjun, paramspider, x8
- JS analysis: LinkFinder, SecretFinder, JSluice, mantra, getJS
- Scanning: nuclei, nikto, wapiti
- Injection: sqlmap, ghauri, NoSQLMap, dalfox, XSStrike, kxss, gxss, SSRFmap, Gopherus, tplmap, commix
- Auth: jwt_tool, jwtcat, hydra
- API/GraphQL: kiterunner, graphw00f, clairvoyance, inql
- Secrets/SAST: trufflehog, gitleaks, semgrep, noseyparker
- Cloud: prowler, ScoutSuite, cloudsplaining
- Mobile: apktool, jadx, MobSF
- LLM testing: garak, promptfoo
- Utilities: interactsh-client, anew, qsreplace, unfurl, gron, httpx-toolkit

- The 7-Question Gate — answer all 7 before writing any report.
- Always-Rejected List — what NOT to submit. Save your N/A ratio.
- Conditional Chain Table — when a "low" becomes a "critical" by chaining.
- Tool Cheatsheets — one-pager per tool.
This arsenal is for authorized testing only. Use exclusively on:
- HackerOne / Bugcrowd / Intigriti / Immunefi programs you're enrolled in
- Your own systems
- Lab environments (HTB, PortSwigger Academy, etc.)
- CTF competitions
Unauthorized scanning, exploitation, or data access is illegal in most jurisdictions. Offensive skills include explicit authorization gates that confirm scope before running.
You are responsible for legal compliance. The authors accept no liability for misuse.
MIT — see LICENSE.
- The bug bounty community (Disclosed reports, conference talks, payouts shared)
- SecLists — the universal wordlist standard
- PayloadsAllTheThings — payload reference
- nuclei-templates — template engine
- HackTricks — the offensive encyclopedia
PRs welcome. See CONTRIBUTING.md for how to add a skill, payload, or playbook.
Star ⭐ if useful. Hunt ethically. Get paid.