ghostonbutterbread/race
skills/race/SKILL.md
Use when testing race conditions, concurrent workflow flaws, double-submit bugs, parallel requests, locking issues, time-of-check/time-of-use behavior, or state consistency under load.
testing
Updated Apr 23, 2026
$ install --global
skillsauthnpx skillsauth add ghostonbutterbread/bug-bounty-harness raceInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 23, 2026, 3:40 AM199.6s1 file scanned
SKILL.md
- name:
- race
- description:
- Use when testing race conditions, concurrent workflow flaws, double-submit bugs, parallel requests, locking issues, time-of-check/time-of-use behavior, or state consistency under load.
Race Condition Testing
Test for race conditions, state desynchronization, and concurrent workflow flaws.
Required Preflight
Read shared state in this order before testing:
notes/summary.mdnotes/observations.mdchecklist.md(race items only)todo.md(race items only)
Primary Harness
Use agents/bypass_harness.py in --type race mode for first-pass concurrent replay. Set --concurrency above the module burst size so the harness does not artificially serialize the race.
python agents/bypass_harness.py --target https://target.com/api/redeem \
--type race --program target --concurrency 20 --rps 20
Mode Matrix
| Mode | Use When | What It Tests |
|------|----------|---------------|
| single-use | Token, coupon, or invite should be consumed once | Duplicate acceptance before invalidation |
| limit | Quotas or redemption limits should gate actions | Pre-check bypass under concurrency |
| toctou | Read-then-write checks gate value changes | Stale authorization, balance, or inventory windows |
| workflow | Multiple endpoints change the same object state | Conflicting transitions and ordering bugs |
Primary Commands
# Default race pass
python agents/bypass_harness.py --target https://target.com/api/redeem \
--type race --program target --concurrency 20 --rps 20
CLI Notes
agents/bypass_harness.py
| Option | Description |
|--------|-------------|
| --target, -t | Target URL (required) |
| --type, -T | Use race |
| --program | Program name for shared storage |
| --output-dir, -o | Override raw artifact directory |
| --timeout | Request timeout in seconds |
| --concurrency, -c | Max parallel requests; keep above the race burst |
| --rps | Requests per second |
| --verbose, -v | Verbose debug output |
| --quiet, -q | Show hits only |
Stop Conditions
- Stop if behavior risks irreversible financial impact or harms real user data.
- Stop if the only effect is duplicate responses with no duplicated state change.
- Stop if the target becomes unstable.
Files
- Playbook:
$HARNESS_ROOT/prompts/race-playbook.md - Shared Root:
$HARNESS_SHARED_BASE/{program}/agent_shared/ - Race Findings:
$HARNESS_SHARED_BASE/{program}/agent_shared/findings/race/findings.md - Bypass Artifacts:
$HARNESS_SHARED_BASE/{program}/agent_shared/findings/bypass/
Workflow
- Complete the required preflight reads in shared state order.
- Read
prompts/race-playbook.md. - Run
agents/bypass_harness.pyin--type racemode for duplicate-request testing. - Confirm any promising result by proving duplicated or inconsistent state, not just varied responses.
- Write findings to
agent_shared/findings/race/findings.md. - Update race entries in
checklist.md,todo.md, and relevant notes.
Related Skills
ghostonbutterbread/request-exploration
testing
VerifiedTrustedCommunity
Systematic live request mutation: flip booleans, field ops, headers, content-type, parser differentials, replay vs intercept, null/empty testing. Inherits live-testing-policy scope/rate/ownership rules.
SKILL.mdUpdated Jun 13, 2026
ghostonbutterbread/password-reset
development
VerifiedTrustedCommunity
Test password reset, forgot-password, reset-token, email reset, and account recovery flows for account takeover risks.
SKILL.mdUpdated Jun 13, 2026
ghostonbutterbread/intelligent-fuzzing
tools
VerifiedTrustedCommunity
Targeted param/field discovery using tech stack clues, naming conventions, and controlled-rate ffuf — then feeds findings into request-exploration for mutation. Not brute-force; informed and scoped.
SKILL.mdUpdated Jun 13, 2026
ghostonbutterbread/create-account
testing
VerifiedTrustedCommunity
Ghost-only workflow for creating approved bug bounty test accounts and saving credential references.
SKILL.mdUpdated Jun 13, 2026