This is for when you're actually hunting bugs for bounty submissions, not running a compliance checklist. It steers you toward remotely reachable vulnerabilities that platforms actually pay for: SSRF, auth bypass, SQL injection, RCE paths. It explicitly filters out the noise that wastes time, like local-only deserialization, hardcoded shell commands, or self-XSS. The workflow is scope check, find real entrypoints, trace user input to sinks, prove it works, then report. It's opinionated about what matters and what doesn't, which is exactly what you want when the goal is a valid HackerOne or Huntr report instead of a 200-item Semgrep dump.
npx -y skills add affaan-m/ecc --skill security-bounty-hunter --agent claude-codeInstalls into .claude/skills of the current project.
Select a file.
giuseppe-trisciuoglio/developer-kit