From eb39a0ea570c9e862403d9d491160a0d77da857a Mon Sep 17 00:00:00 2001 From: Affaan Mustafa Date: Sun, 5 Apr 2026 16:13:53 -0700 Subject: [PATCH] feat: add security bounty hunting skill --- AGENTS.md | 4 +- README.md | 6 +- README.zh-CN.md | 2 +- WORKING-CONTEXT.md | 1 + docs/zh-CN/AGENTS.md | 4 +- docs/zh-CN/README.md | 6 +- manifests/install-modules.json | 1 + skills/security-bounty-hunter/SKILL.md | 99 ++++++++++++++++++++++++++ 8 files changed, 112 insertions(+), 11 deletions(-) create mode 100644 skills/security-bounty-hunter/SKILL.md diff --git a/AGENTS.md b/AGENTS.md index 33e6efd0..5ce0dd94 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -1,6 +1,6 @@ # Everything Claude Code (ECC) — Agent Instructions -This is a **production-ready AI coding plugin** providing 39 specialized agents, 168 skills, 72 commands, and automated hook workflows for software development. +This is a **production-ready AI coding plugin** providing 39 specialized agents, 169 skills, 72 commands, and automated hook workflows for software development. **Version:** 1.10.0 @@ -146,7 +146,7 @@ Troubleshoot failures: check test isolation → verify mocks → fix implementat ``` agents/ — 39 specialized subagents -skills/ — 168 workflow skills and domain knowledge +skills/ — 169 workflow skills and domain knowledge commands/ — 72 slash commands hooks/ — Trigger-based automations rules/ — Always-follow guidelines (common + per-language) diff --git a/README.md b/README.md index 9d3c56cf..df42f295 100644 --- a/README.md +++ b/README.md @@ -236,7 +236,7 @@ For manual install instructions see the README in the `rules/` folder. When copy /plugin list ecc@ecc ``` -**That's it!** You now have access to 39 agents, 168 skills, and 72 legacy command shims. +**That's it!** You now have access to 39 agents, 169 skills, and 72 legacy command shims. ### Multi-model commands require additional setup @@ -1154,7 +1154,7 @@ The configuration is automatically detected from `.opencode/opencode.json`. |---------|-------------|----------|--------| | Agents | PASS: 39 agents | PASS: 12 agents | **Claude Code leads** | | Commands | PASS: 72 commands | PASS: 31 commands | **Claude Code leads** | -| Skills | PASS: 168 skills | PASS: 37 skills | **Claude Code leads** | +| Skills | PASS: 169 skills | PASS: 37 skills | **Claude Code leads** | | Hooks | PASS: 8 event types | PASS: 11 events | **OpenCode has more!** | | Rules | PASS: 29 rules | PASS: 13 instructions | **Claude Code leads** | | MCP Servers | PASS: 14 servers | PASS: Full | **Full parity** | @@ -1263,7 +1263,7 @@ ECC is the **first plugin to maximize every major AI coding tool**. Here's how e |---------|------------|------------|-----------|----------| | **Agents** | 39 | Shared (AGENTS.md) | Shared (AGENTS.md) | 12 | | **Commands** | 72 | Shared | Instruction-based | 31 | -| **Skills** | 168 | Shared | 10 (native format) | 37 | +| **Skills** | 169 | Shared | 10 (native format) | 37 | | **Hook Events** | 8 types | 15 types | None yet | 11 types | | **Hook Scripts** | 20+ scripts | 16 scripts (DRY adapter) | N/A | Plugin hooks | | **Rules** | 34 (common + lang) | 34 (YAML frontmatter) | Instruction-based | 13 instructions | diff --git a/README.zh-CN.md b/README.zh-CN.md index b342e42d..628afa6a 100644 --- a/README.zh-CN.md +++ b/README.zh-CN.md @@ -106,7 +106,7 @@ cp -r everything-claude-code/rules/perl ~/.claude/rules/ /plugin list ecc@ecc ``` -**完成!** 你现在可以使用 39 个代理、168 个技能和 72 个命令。 +**完成!** 你现在可以使用 39 个代理、169 个技能和 72 个命令。 ### multi-* 命令需要额外配置 diff --git a/WORKING-CONTEXT.md b/WORKING-CONTEXT.md index 33505bfd..fd62737d 100644 --- a/WORKING-CONTEXT.md +++ b/WORKING-CONTEXT.md @@ -93,6 +93,7 @@ Keep this file detailed for only the current sprint, blockers, and next actions. - 2026-04-05: Fixed the `main` npm CI break after the latest direct ports. `package-lock.json` had drifted behind `package.json` on the `globals` devDependency (`^17.1.0` vs `^17.4.0`), which caused all npm-based GitHub Actions jobs to fail at `npm ci`. Refreshed the lockfile only, verified `npm ci --ignore-scripts`, and kept the mixed-lock workspace otherwise untouched. - 2026-04-05: Direct-ported the useful discoverability part of `#1221` without duplicating a second healthcare compliance system. Added `skills/hipaa-compliance/SKILL.md` as a thin HIPAA-specific entrypoint that points into the canonical `healthcare-phi-compliance` / `healthcare-reviewer` lane, and wired both healthcare privacy skills into the `security` install module for selective installs. - 2026-04-05: Direct-ported the audited blockchain/web3 security lane from `#1222` into `main` as four self-contained skills: `defi-amm-security`, `evm-token-decimals`, `llm-trading-agent-security`, and `nodejs-keccak256`. These are now part of the `security` install module instead of living as an unmerged fork PR. +- 2026-04-05: Salvaged the only clearly non-overlapping piece of `#1203` as `skills/security-bounty-hunter/SKILL.md`, then kept the rest of that PR out. `api-connector-builder` duplicated existing connector/pattern-mining workflows and `dashboard-builder` was too generic and under-specified to land as a canonical ECC skill. - 2026-04-02: `ECC-Tools/main` shipped `9566637` (`fix: prefer commit lookup over git ref resolution`). The PR-analysis fire is now fixed in the app repo by preferring explicit commit resolution before `git.getRef`, with regression coverage for pull refs and plain branch refs. Mirrored public tracking issue `#1184` in this repo was closed as resolved upstream. - 2026-04-02: Direct-ported the clean native-support core of `#1043` into `main`: `agents/csharp-reviewer.md`, `skills/dotnet-patterns/SKILL.md`, and `skills/csharp-testing/SKILL.md`. This fills the gap between existing C# rule/docs mentions and actual shipped C# review/testing guidance. - 2026-04-02: Direct-ported the clean native-support core of `#1055` into `main`: `agents/dart-build-resolver.md`, `commands/flutter-build.md`, `commands/flutter-review.md`, `commands/flutter-test.md`, `rules/dart/*`, and `skills/dart-flutter-patterns/SKILL.md`. The skill paths were wired into the current `framework-language` module instead of replaying the older PR's separate `flutter-dart` module layout. diff --git a/docs/zh-CN/AGENTS.md b/docs/zh-CN/AGENTS.md index 33484893..f9b15971 100644 --- a/docs/zh-CN/AGENTS.md +++ b/docs/zh-CN/AGENTS.md @@ -1,6 +1,6 @@ # Everything Claude Code (ECC) — 智能体指令 -这是一个**生产就绪的 AI 编码插件**,提供 39 个专业代理、168 项技能、72 条命令以及自动化钩子工作流,用于软件开发。 +这是一个**生产就绪的 AI 编码插件**,提供 39 个专业代理、169 项技能、72 条命令以及自动化钩子工作流,用于软件开发。 **版本:** 1.10.0 @@ -147,7 +147,7 @@ ``` agents/ — 39 个专业子代理 -skills/ — 168 个工作流技能和领域知识 +skills/ — 169 个工作流技能和领域知识 commands/ — 72 个斜杠命令 hooks/ — 基于触发的自动化 rules/ — 始终遵循的指导方针(通用 + 每种语言) diff --git a/docs/zh-CN/README.md b/docs/zh-CN/README.md index 2e80bb41..c24c72aa 100644 --- a/docs/zh-CN/README.md +++ b/docs/zh-CN/README.md @@ -209,7 +209,7 @@ npx ecc-install typescript /plugin list ecc@ecc ``` -**搞定!** 你现在可以使用 39 个智能体、168 项技能和 72 个命令了。 +**搞定!** 你现在可以使用 39 个智能体、169 项技能和 72 个命令了。 *** @@ -1096,7 +1096,7 @@ opencode |---------|-------------|----------|--------| | 智能体 | PASS: 39 个 | PASS: 12 个 | **Claude Code 领先** | | 命令 | PASS: 72 个 | PASS: 31 个 | **Claude Code 领先** | -| 技能 | PASS: 168 项 | PASS: 37 项 | **Claude Code 领先** | +| 技能 | PASS: 169 项 | PASS: 37 项 | **Claude Code 领先** | | 钩子 | PASS: 8 种事件类型 | PASS: 11 种事件 | **OpenCode 更多!** | | 规则 | PASS: 29 条 | PASS: 13 条指令 | **Claude Code 领先** | | MCP 服务器 | PASS: 14 个 | PASS: 完整 | **完全对等** | @@ -1208,7 +1208,7 @@ ECC 是**第一个最大化利用每个主要 AI 编码工具的插件**。以 |---------|------------|------------|-----------|----------| | **智能体** | 39 | 共享 (AGENTS.md) | 共享 (AGENTS.md) | 12 | | **命令** | 72 | 共享 | 基于指令 | 31 | -| **技能** | 168 | 共享 | 10 (原生格式) | 37 | +| **技能** | 169 | 共享 | 10 (原生格式) | 37 | | **钩子事件** | 8 种类型 | 15 种类型 | 暂无 | 11 种类型 | | **钩子脚本** | 20+ 个脚本 | 16 个脚本 (DRY 适配器) | N/A | 插件钩子 | | **规则** | 34 (通用 + 语言) | 34 (YAML 前页) | 基于指令 | 13 条指令 | diff --git a/manifests/install-modules.json b/manifests/install-modules.json index d3c39f01..c6d308bf 100644 --- a/manifests/install-modules.json +++ b/manifests/install-modules.json @@ -244,6 +244,7 @@ "skills/perl-security", "skills/security-review", "skills/security-scan", + "skills/security-bounty-hunter", "skills/springboot-security", "skills/evm-token-decimals", "the-security-guide.md" diff --git a/skills/security-bounty-hunter/SKILL.md b/skills/security-bounty-hunter/SKILL.md new file mode 100644 index 00000000..0ff8b603 --- /dev/null +++ b/skills/security-bounty-hunter/SKILL.md @@ -0,0 +1,99 @@ +--- +name: security-bounty-hunter +description: Hunt for exploitable, bounty-worthy security issues in repositories. Focuses on remotely reachable vulnerabilities that qualify for real reports instead of noisy local-only findings. +origin: ECC direct-port adaptation +version: "1.0.0" +--- + +# Security Bounty Hunter + +Use this when the goal is practical vulnerability discovery for responsible disclosure or bounty submission, not a broad best-practices review. + +## When to Use + +- Scanning a repository for exploitable vulnerabilities +- Preparing a Huntr, HackerOne, or similar bounty submission +- Triage where the question is "does this actually pay?" rather than "is this theoretically unsafe?" + +## How It Works + +Bias toward remotely reachable, user-controlled attack paths and throw away patterns that platforms routinely reject as informative or out of scope. + +## In-Scope Patterns + +These are the kinds of issues that consistently matter: + +| Pattern | CWE | Typical impact | +| --- | --- | --- | +| SSRF through user-controlled URLs | CWE-918 | internal network access, cloud metadata theft | +| Auth bypass in middleware or API guards | CWE-287 | unauthorized account or data access | +| Remote deserialization or upload-to-RCE paths | CWE-502 | code execution | +| SQL injection in reachable endpoints | CWE-89 | data exfiltration, auth bypass, data destruction | +| Command injection in request handlers | CWE-78 | code execution | +| Path traversal in file-serving paths | CWE-22 | arbitrary file read or write | +| Auto-triggered XSS | CWE-79 | session theft, admin compromise | + +## Skip These + +These are usually low-signal or out of bounty scope unless the program says otherwise: + +- Local-only `pickle.loads`, `torch.load`, or equivalent with no remote path +- `eval()` or `exec()` in CLI-only tooling +- `shell=True` on fully hardcoded commands +- Missing security headers by themselves +- Generic rate-limiting complaints without exploit impact +- Self-XSS requiring the victim to paste code manually +- CI/CD injection that is not part of the target program scope +- Demo, example, or test-only code + +## Workflow + +1. Check scope first: program rules, SECURITY.md, disclosure channel, and exclusions. +2. Find real entrypoints: HTTP handlers, uploads, background jobs, webhooks, parsers, and integration endpoints. +3. Run static tooling where it helps, but treat it as triage input only. +4. Read the real code path end to end. +5. Prove user control reaches a meaningful sink. +6. Confirm exploitability and impact with the smallest safe PoC possible. +7. Check for duplicates before drafting a report. + +## Example Triage Loop + +```bash +semgrep --config=auto --severity=ERROR --severity=WARNING --json +``` + +Then manually filter: + +- drop tests, demos, fixtures, vendored code +- drop local-only or non-reachable paths +- keep only findings with a clear network or user-controlled route + +## Report Structure + +```markdown +## Description +[What the vulnerability is and why it matters] + +## Vulnerable Code +[File path, line range, and a small snippet] + +## Proof of Concept +[Minimal working request or script] + +## Impact +[What the attacker can achieve] + +## Affected Version +[Version, commit, or deployment target tested] +``` + +## Quality Gate + +Before submitting: + +- The code path is reachable from a real user or network boundary +- The input is genuinely user-controlled +- The sink is meaningful and exploitable +- The PoC works +- The issue is not already covered by an advisory, CVE, or open ticket +- The target is actually in scope for the bounty program