Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

ghostonbutterbread/bountylens

Name: bountylens
Author: ghostonbutterbread

skills/bountylens/SKILL.md

npx skillsauth add ghostonbutterbread/bug-bounty-harness bountylens

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

BountyLens

Use when a task needs to read or write BountyLens hunt sessions, findings, leads, tested endpoints, notes, report drafts, program records, watchlist, recommendations, or hunter stats.

Core Decision

Do not require agents to add @bountylens/mcp to their MCP config. The package is a stdio MCP wrapper around the BountyLens REST API, so agents should use the direct API helper in this skill unless Ryushe explicitly asks for MCP-client wiring.

Token source:

~/.env

Expected variables:

BOUNTYLENS_API_KEY=bl_...
BOUNTYLENS_URL=https://bountylens.com

BOUNTYLENS_URL is optional and defaults to https://bountylens.com.

Required Rules

Never print, paste, commit, summarize, or expose BOUNTYLENS_API_KEY or raw ~/.env contents.
Do not shell-source ~/.env; use scripts/bountylens_api.py, which parses key/value lines without executing the file.
Treat BountyLens as an external system. Before writing reports or findings, check for PII, real secrets, cookies, tokens, private customer data, and accidental sensitive file contents.
Use full URLs for endpoints in findings, leads, tested entries, and reports whenever the target has a known base URL.
Do not delete sessions, entries, or reports unless Ryushe explicitly asks for deletion in the current task.
Do not mark a report submitted unless Ryushe explicitly says it was submitted or asks you to set that status.
Keep local Ghost findings and BountyLens entries consistent when both are in use: BountyLens can be the dashboard/log, but local canonical evidence still belongs in the relevant project or bounty directory.

Workflow

Verify the helper can load configuration without exposing secrets:
```
python3 skills/bountylens/scripts/bountylens_api.py --check
```

For reads, use the direct helper:

python3 skills/bountylens/scripts/bountylens_api.py GET /sessions --query status=active
python3 skills/bountylens/scripts/bountylens_api.py GET /watchlist
python3 skills/bountylens/scripts/bountylens_api.py GET /programs --query q=shopify

For writes, prepare a minimal JSON payload and send it through the helper:

python3 skills/bountylens/scripts/bountylens_api.py POST /sessions/123/entries \
  --data-json '{"type":"lead","title":"Interesting redirect behavior","endpoint":"https://example.com/path","method":"GET","description":"Observed redirect parameter behavior; needs validation."}'

For report drafts, prefer reading the local markdown report file and wrapping it in JSON with a short script or jq, then POST to:
```
/sessions/{session_id}/reports
```
Report back with BountyLens object IDs, titles, session IDs, and non-secret status. Do not include the API token or raw auth headers.

Useful Endpoints

Sessions:

GET    /sessions
POST   /sessions
GET    /sessions/{session_id}
PUT    /sessions/{session_id}
DELETE /sessions/{session_id}

Entries:

GET    /sessions/{session_id}/entries
POST   /sessions/{session_id}/entries
POST   /sessions/{session_id}/entries/bulk
PUT    /sessions/{session_id}/entries/{entry_id}
DELETE /sessions/{session_id}/entries/{entry_id}

Reports:

GET    /sessions/{session_id}/reports
POST   /sessions/{session_id}/reports
PUT    /sessions/{session_id}/reports/{report_id}
DELETE /sessions/{session_id}/reports/{report_id}

Programs and intelligence:

GET /programs?q={query}
GET /programs/{handle}
GET /recommend
GET /watchlist
GET /stats

MCP Compatibility

Only use this path when a task specifically needs a real MCP server process, for example manual integration testing with an MCP client:

npx -y @bountylens/mcp

The process expects BOUNTYLENS_API_KEY and optionally BOUNTYLENS_URL in its environment. Prefer passing those from the current process environment or a secret-aware launcher. Do not add the server to global Claude/Codex/OpenClaw MCP config just to make BountyLens available to agents.

Stop Conditions

BOUNTYLENS_API_KEY is missing from the environment and ~/.env.
A requested write would include secrets, cookies, tokens, private customer data, or unreviewed sensitive files.
A requested delete or submitted status change was not explicitly approved by Ryushe in the current task.
The API returns an ownership, subscription, authentication, or rate-limit error that changes the expected workflow.

ghostonbutterbread/bountylens

skills/bountylens/SKILL.md

Use BountyLens sessions, findings, leads, tested endpoints, reports, watchlist, stats, and program intelligence without per-agent MCP config.

tools

Updated Jun 13, 2026

$ install --global

skillsauth

npx skillsauth add ghostonbutterbread/bug-bounty-harness bountylens

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Jun 13, 2026, 2:33 AM13.0s2 files scanned

SKILL.md

name:: bountylens
description:: Use BountyLens sessions, findings, leads, tested endpoints, reports, watchlist, stats, and program intelligence without per-agent MCP config.

BountyLens

Use when a task needs to read or write BountyLens hunt sessions, findings, leads, tested endpoints, notes, report drafts, program records, watchlist, recommendations, or hunter stats.

Core Decision

Token source:

~/.env

Expected variables:

BOUNTYLENS_API_KEY=bl_...
BOUNTYLENS_URL=https://bountylens.com

BOUNTYLENS_URL is optional and defaults to https://bountylens.com.

Required Rules

Never print, paste, commit, summarize, or expose BOUNTYLENS_API_KEY or raw ~/.env contents.
Do not shell-source ~/.env; use scripts/bountylens_api.py, which parses key/value lines without executing the file.
Treat BountyLens as an external system. Before writing reports or findings, check for PII, real secrets, cookies, tokens, private customer data, and accidental sensitive file contents.
Use full URLs for endpoints in findings, leads, tested entries, and reports whenever the target has a known base URL.
Do not delete sessions, entries, or reports unless Ryushe explicitly asks for deletion in the current task.
Do not mark a report submitted unless Ryushe explicitly says it was submitted or asks you to set that status.
Keep local Ghost findings and BountyLens entries consistent when both are in use: BountyLens can be the dashboard/log, but local canonical evidence still belongs in the relevant project or bounty directory.

Workflow

Verify the helper can load configuration without exposing secrets:
```
python3 skills/bountylens/scripts/bountylens_api.py --check
```

For reads, use the direct helper:

python3 skills/bountylens/scripts/bountylens_api.py GET /sessions --query status=active
python3 skills/bountylens/scripts/bountylens_api.py GET /watchlist
python3 skills/bountylens/scripts/bountylens_api.py GET /programs --query q=shopify

For writes, prepare a minimal JSON payload and send it through the helper:

python3 skills/bountylens/scripts/bountylens_api.py POST /sessions/123/entries \
  --data-json '{"type":"lead","title":"Interesting redirect behavior","endpoint":"https://example.com/path","method":"GET","description":"Observed redirect parameter behavior; needs validation."}'

For report drafts, prefer reading the local markdown report file and wrapping it in JSON with a short script or jq, then POST to:
```
/sessions/{session_id}/reports
```
Report back with BountyLens object IDs, titles, session IDs, and non-secret status. Do not include the API token or raw auth headers.

Useful Endpoints

Sessions:

GET    /sessions
POST   /sessions
GET    /sessions/{session_id}
PUT    /sessions/{session_id}
DELETE /sessions/{session_id}

Entries:

GET    /sessions/{session_id}/entries
POST   /sessions/{session_id}/entries
POST   /sessions/{session_id}/entries/bulk
PUT    /sessions/{session_id}/entries/{entry_id}
DELETE /sessions/{session_id}/entries/{entry_id}

Reports:

GET    /sessions/{session_id}/reports
POST   /sessions/{session_id}/reports
PUT    /sessions/{session_id}/reports/{report_id}
DELETE /sessions/{session_id}/reports/{report_id}

Programs and intelligence:

GET /programs?q={query}
GET /programs/{handle}
GET /recommend
GET /watchlist
GET /stats

MCP Compatibility

Only use this path when a task specifically needs a real MCP server process, for example manual integration testing with an MCP client:

npx -y @bountylens/mcp

Stop Conditions

BOUNTYLENS_API_KEY is missing from the environment and ~/.env.
A requested write would include secrets, cookies, tokens, private customer data, or unreviewed sensitive files.
A requested delete or submitted status change was not explicitly approved by Ryushe in the current task.
The API returns an ownership, subscription, authentication, or rate-limit error that changes the expected workflow.

Related Skills

ghostonbutterbread/request-exploration

testing

VerifiedTrustedCommunity

Systematic live request mutation: flip booleans, field ops, headers, content-type, parser differentials, replay vs intercept, null/empty testing. Inherits live-testing-policy scope/rate/ownership rules.

SKILL.mdUpdated Jun 13, 2026

ghostonbutterbread/request-exploration

ghostonbutterbread/password-reset

development

VerifiedTrustedCommunity

Test password reset, forgot-password, reset-token, email reset, and account recovery flows for account takeover risks.

SKILL.mdUpdated Jun 13, 2026

ghostonbutterbread/password-reset

ghostonbutterbread/intelligent-fuzzing

tools

VerifiedTrustedCommunity

Targeted param/field discovery using tech stack clues, naming conventions, and controlled-rate ffuf — then feeds findings into request-exploration for mutation. Not brute-force; informed and scoped.

SKILL.mdUpdated Jun 13, 2026

ghostonbutterbread/intelligent-fuzzing

ghostonbutterbread/create-account

testing

VerifiedTrustedCommunity

Ghost-only workflow for creating approved bug bounty test accounts and saving credential references.

SKILL.mdUpdated Jun 13, 2026

ghostonbutterbread/create-account

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/ghostonbutterbread/bug-bounty-harness.git

# Copy into Claude Code skills folder (global)
cp -r bug-bounty-harness/skills/bountylens ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

ghostonbutterbread/bug-bounty-harness

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT