Pentest Agents Bug Bounty Framework

Pentest Agents 漏洞赏金框架

Skill by ara.so — Security Skills collection.

Autonomous bug-bounty framework for Claude Code, Codex, Gemini, Cursor, Windsurf, Copilot, and OpenClaw. Ships 50 agents, 26 commands, 19 CLI tools, 11 skills, and 2 MCP servers (bounty platforms + writeup search). Includes 2,500 lines of concrete payloads, 7-Question Gate validation, autonomous hunt loops, A→B exploit chain building, persistent brain with endpoint tracking, and cross-IDE installer.

由ara.so开发的Skill——安全技能合集。

一款适用于Claude Code、Codex、Gemini、Cursor、Windsurf、Copilot及OpenClaw的自动化漏洞赏金框架。内置50个Agent、26条命令、19款CLI工具、11项Skill，以及2台MCP服务器（漏洞赏金平台集成+漏洞报告搜索）。包含2500行实战Payload、7问题验证关卡、自动化狩猎循环、A→B利用链构建、具备端点跟踪的持久化Brain系统，以及跨IDE安装器。

Installation

安装

For Claude Code (Native)

适用于Claude Code（原生支持）

bash

undefined

bash

undefined

Clone the repository

git clone https://github.com/H-mmer/pentest-agents-suite cd pentest-agents-suite/pentest-agents

Quick start with MCP servers (no global pip install)

export HACKERONE_USERNAME=your_username export HACKERONE_TOKEN=your_api_token

Scaffold a new bounty workspace

uv run python3 tools/scaffold.py hackerone tesla cd ~/bounties/hackerone-tesla

Launch Claude Code

claude

undefined

claude

undefined

For Other AI Coding Tools

适用于其他AI编码工具

bash

undefined

bash

undefined

Use pre-rendered bundles directly

cd pentest-agents-suite/pentest-agents/providers/codex # or gemini, cursor, etc. codex # or: gemini, cursor, windsurf

OR install into your project

python3 -m tools.installer install --targets all --scope project python3 -m tools.installer install --targets codex --scope global

undefined

python3 -m tools.installer install --targets all --scope project python3 -m tools.installer install --targets codex --scope global

undefined

Installer Commands

安装器命令

bash

undefined

bash

undefined

List installed targets

pentest-agents list

Install to specific targets

pentest-agents install --targets claude_code,codex --scope global pentest-agents install --dry-run # Preview before installing

Verify installation

pentest-agents verify

Uninstall (safe rollback)

pentest-agents uninstall

Regenerate provider bundles

pentest-agents render --targets all pentest-agents render --check # Check for drift

undefined

pentest-agents render --targets all pentest-agents render --check # Check for drift

undefined

MCP Servers

MCP服务器

Bounty Platforms Server (16 Platforms)

漏洞赏金平台服务器（支持16个平台）

HackerOne (full API), Bugcrowd, Intigriti, Immunefi, YesWeHack + 11 stubs.

Configuration:

bash

undefined

HackerOne（完整API支持）、Bugcrowd、Intigriti、Immunefi、YesWeHack及11个 stub 平台。

配置：

bash

undefined

HackerOne (full API support)

export HACKERONE_USERNAME=your_username export HACKERONE_TOKEN=your_api_token

Bugcrowd

export BUGCROWD_EMAIL=your_email export BUGCROWD_TOKEN=your_token

Intigriti

export INTIGRITI_TOKEN=your_token

YesWeHack

export YWH_API_KEY=your_api_key


**7 MCP Tools:**
- `list_platforms` - List all configured platforms
- `get_program_scope` - Fetch in/out-of-scope assets
- `get_program_policy` - Get submission rules
- `search_hacktivity` - Find similar reports
- `sync_program` - Download scope to local brain
- `draft_report` - Prepare submission
- `submit_report` - Submit to platform

export YWH_API_KEY=your_api_key


**7款MCP工具：**
- `list_platforms` - 列出所有已配置的平台
- `get_program_scope` - 获取项目的测试范围/非测试范围资产
- `get_program_policy` - 获取提交规则
- `search_hacktivity` - 查找类似漏洞报告
- `sync_program` - 将测试范围下载至本地Brain系统
- `draft_report` - 准备漏洞提交报告
- `submit_report` - 向平台提交报告

Writeup Search Server (BYO Index)

漏洞报告搜索服务器（自定义索引）

Three search modes (auto-detected, graceful fallback):

Mode	Requires	Searches
FAISS (semantic)	`faiss-cpu` , `sentence-transformers` , your `metadata.db` + `index.faiss`	Your writeup corpus via vector embeddings
SQLite (keyword)	Your `metadata.db` only	Your writeup corpus via `LIKE` over text
Local (default)	Nothing	`rules/payloads.md` + shipped skills

Configuration:

bash

undefined

三种搜索模式（自动检测，优雅降级）：

模式	依赖条件	搜索范围
FAISS（语义搜索）	`faiss-cpu` 、 `sentence-transformers` 、你的 `metadata.db` + `index.faiss`	通过向量嵌入搜索你的漏洞报告库
SQLite（关键词搜索）	仅需你的 `metadata.db`	通过文本 `LIKE` 匹配搜索你的漏洞报告库
本地模式（默认）	无依赖	搜索 `rules/payloads.md` 及内置Skill

配置：

bash

undefined

Point to your index directory

export WRITEUP_DB_DIR="$HOME/.local/share/pentest-writeups"

OR place files in default location:

~/.local/share/pentest-writeups/metadata.db

~/.local/share/pentest-writeups/index.faiss (optional)


**Build Your Own Index:**

```bash
cd rag-builder


**构建自定义索引：**

```bash
cd rag-builder

1. Inspect the plan (dry-run, no writes)

python3 build.py status python3 build.py ingest

2. Pre-flight check (probe URLs with git ls-remote)

python3 build.py ingest --check-remotes

3. Clone + index repos from repos.yaml

python3 build.py ingest --execute

4. Point MCP server at the output

export WRITEUP_DB_DIR="$PWD/data" python3 ../mcp-writeup-server/server.py --test


Edit `rag-builder/repos.yaml` to customize the 146-entry seed list of CTF archives, bug-bounty reports, and payload collections.

**4 MCP Tools:**
- `search_writeups` - Semantic/keyword search for prior art
- `get_writeup` - Full writeup content by ID
- `search_techniques` - Exploitation techniques by vuln class
- `search_payloads` - Curated payloads from `rules/payloads.md`

export WRITEUP_DB_DIR="$PWD/data" python3 ../mcp-writeup-server/server.py --test


编辑`rag-builder/repos.yaml`可自定义包含146个条目的种子列表，涵盖CTF归档、漏洞赏金报告及Payload集合。

**4款MCP工具：**
- `search_writeups` - 对已有漏洞报告进行语义/关键词搜索
- `get_writeup` - 通过ID获取完整漏洞报告内容
- `search_techniques` - 按漏洞类别搜索利用技术
- `search_payloads` - 从`rules/payloads.md`中查找精选Payload

Core Workflow

核心工作流

bash

undefined

bash

undefined

New program

/new → /sync → /brain init → /analyze → /surface → /hunt

Returning

/resume <target> → /hunt or /autopilot

After finding

/validate → /chain → /report → /dupcheck → /submit → /learn

Batch triage

/triage # 7-Question Gate on all findings

undefined

/triage # 7-Question Gate on all findings

undefined

Key Commands (26 Total)

核心命令（共26条）

In Claude Code Session

在Claude Code会话中

bash

undefined

bash

undefined

Set model and sync program

/model opus /sync hackerone tesla

Initialize brain and check status

/brain init /status

Hunt for vulnerabilities

/hunt tesla.com /hunt tesla.com --vuln-class sqli /autopilot tesla.com # Autonomous loop

Validate findings

/validate # 7-Question Gate /chain # Build exploit chain /triage # Batch validate all findings

Report submission

/report /dupcheck /submit /learn # Update brain with learnings

Brain management

/brain show endpoints /brain add endpoint https://api.tesla.com/v1/users /brain note "Found rate limit bypass in auth flow" /brain search "jwt"

Cost tracking

/cost # Show session costs

undefined

/cost # Show session costs

undefined

Scaffold Tool

脚手架工具

python

undefined

python

undefined

Create new bounty workspace

import subprocess

Scaffold for HackerOne program

subprocess.run([ "uv", "run", "python3", "tools/scaffold.py", "hackerone", "tesla" ])

Scaffold for Bugcrowd program

subprocess.run([ "uv", "run", "python3", "tools/scaffold.py", "bugcrowd", "acme-corp" ])


This generates:
- `~/bounties/<platform>-<program>/` directory
- `CLAUDE.md`, `AGENTS.md`, `.codex/`, `.gemini/`, `.cursor/` configs
- `.mcp.json` with platform + writeup server config
- `.agents/skills/` with all framework skills

subprocess.run([ "uv", "run", "python3", "tools/scaffold.py", "bugcrowd", "acme-corp" ])


此命令会生成：
- `~/bounties/<platform>-<program>/` 目录
- `CLAUDE.md`、`AGENTS.md`、`.codex/`、`.gemini/`、`.cursor/` 配置文件
- 包含平台及报告搜索服务器配置的`.mcp.json`
- 存放所有框架Skill的`.agents/skills/`目录

Agent System (50 Agents)

Agent系统（50个Agent）

Key orchestrator agents:

```
chain-builder
```
- Links findings into exploit chains (A→B)
```
correlator
```
- Cross-references findings with brain
```
recon-ranker
```
- Prioritizes attack surface
```
hunt-orchestrator
```
- Coordinates active hunting
```
validator
```
- 7-Question Gate compliance

Specialized hunters:

```
sqli-hunter
```
,
```
xss-hunter
```
,
```
ssrf-hunter
```
```
authz-hunter
```
,
```
jwt-hunter
```
,
```
idor-hunter
```

api-hunter

,

graphql-hunter

,

websocket-hunter

Agents inherit model via

model: "inherit"

frontmatter. Orchestrators dispatch to specialized agents automatically.

核心编排Agent：

```
chain-builder
```
- 将多个漏洞发现链接成利用链（A→B）
```
correlator
```
- 将漏洞发现与Brain系统进行交叉关联
```
recon-ranker
```
- 对攻击面进行优先级排序
```
hunt-orchestrator
```
- 协调主动漏洞狩猎
```
validator
```
- 执行7问题验证关卡合规检查

专项狩猎Agent：

```
sqli-hunter
```
、
```
xss-hunter
```
、
```
ssrf-hunter
```
```
authz-hunter
```
、
```
jwt-hunter
```
、
```
idor-hunter
```

api-hunter

、

graphql-hunter

、

websocket-hunter

Agent通过前置内容

model: "inherit"

继承模型配置。编排Agent会自动调度专项Agent执行任务。

Configuration Files

配置文件

.mcp.json (Claude Code)

.mcp.json（Claude Code）

json

{
  "mcpServers": {
    "bounty-platforms": {
      "command": "uv",
      "args": [
        "run",
        "--with", "mcp",
        "python3",
        "mcp-bounty-server/server.py"
      ],
      "env": {
        "HACKERONE_USERNAME": "your_username",
        "HACKERONE_TOKEN": "your_token"
      }
    },
    "writeup-search": {
      "command": "uv",
      "args": [
        "run",
        "--with", "mcp",
        "--with", "faiss-cpu",
        "--with", "sentence-transformers",
        "python3",
        "mcp-writeup-server/server.py"
      ],
      "env": {
        "WRITEUP_DB_DIR": "/home/user/.local/share/pentest-writeups"
      }
    }
  }
}

json

{
  "mcpServers": {
    "bounty-platforms": {
      "command": "uv",
      "args": [
        "run",
        "--with", "mcp",
        "python3",
        "mcp-bounty-server/server.py"
      ],
      "env": {
        "HACKERONE_USERNAME": "your_username",
        "HACKERONE_TOKEN": "your_token"
      }
    },
    "writeup-search": {
      "command": "uv",
      "args": [
        "run",
        "--with", "mcp",
        "--with", "faiss-cpu",
        "--with", "sentence-transformers",
        "python3",
        "mcp-writeup-server/server.py"
      ],
      "env": {
        "WRITEUP_DB_DIR": "/home/user/.local/share/pentest-writeups"
      }
    }
  }
}

cost_hook.py (Automatic Cost Tracking)

cost_hook.py（自动成本追踪）

Add to Claude Code

settings.json

:

json

{
  "hooks": {
    "SubagentStop": "python3 /path/to/pentest-agents/hooks/cost_hook.py",
    "Stop": "python3 /path/to/pentest-agents/hooks/cost_hook.py",
    "SessionStart": "python3 /path/to/pentest-agents/hooks/welcome.py"
  }
}

Logs to

cost-tracking.json

:

json

{
  "sessions": [
    {
      "timestamp": "2026-05-17T10:30:00Z",
      "agent": "sqli-hunter",
      "input_tokens": 15000,
      "output_tokens": 2500,
      "cost_usd": 0.12
    }
  ]
}

添加至Claude Code的

settings.json

：

json

{
  "hooks": {
    "SubagentStop": "python3 /path/to/pentest-agents/hooks/cost_hook.py",
    "Stop": "python3 /path/to/pentest-agents/hooks/cost_hook.py",
    "SessionStart": "python3 /path/to/pentest-agents/hooks/welcome.py"
  }
}

日志会写入

cost-tracking.json

：

json

{
  "sessions": [
    {
      "timestamp": "2026-05-17T10:30:00Z",
      "agent": "sqli-hunter",
      "input_tokens": 15000,
      "output_tokens": 2500,
      "cost_usd": 0.12
    }
  ]
}

Brain System (Persistent Memory)

Brain系统（持久化记忆）

bash

undefined

bash

undefined

Initialize brain for target

/brain init

Add discoveries

/brain add endpoint https://api.example.com/v1/users /brain add finding "JWT lacks signature verification in /auth" /brain add technique "SSRF via PDF renderer"

Query brain

/brain search "jwt" /brain show endpoints /brain show findings /brain stats

Export for reporting

/brain export findings.json


Python API:

```python
from tools.brain import Brain

brain = Brain("tesla.com")
brain.init()

/brain export findings.json


Python API：

```python
from tools.brain import Brain

brain = Brain("tesla.com")
brain.init()

Track endpoints

brain.add_endpoint("https://api.tesla.com/v1/users", { "method": "GET", "auth": "Bearer token", "params": ["user_id", "include_deleted"] })

Store findings

brain.add_finding({ "vuln_class": "IDOR", "severity": "high", "endpoint": "/v1/users/{id}", "description": "Lack of authz check allows cross-account access", "poc": "curl -H 'Authorization: Bearer USER_A' https://api.tesla.com/v1/users/USER_B_ID" })

Query

jwt_findings = brain.search("jwt") all_endpoints = brain.get_endpoints() stats = brain.stats()

undefined

jwt_findings = brain.search("jwt") all_endpoints = brain.get_endpoints() stats = brain.stats()

undefined

Payload System

Payload系统

Rules Engine

规则引擎

Framework ships

rules/payloads.md

with 2,500 lines of categorized payloads:

python

undefined

框架内置

rules/payloads.md

，包含2500行分类Payload：

python

undefined

Query via MCP

In Claude Code session:

Agent calls search_payloads("sqli mysql")

Returns context-aware payloads from rules/payloads.md


**Payload categories:**
- SQL injection (MySQL, PostgreSQL, MSSQL, Oracle)
- XSS (reflected, stored, DOM)
- SSRF (cloud metadata, internal endpoints)
- XXE, SSTI, command injection
- JWT manipulation
- GraphQL introspection/batching
- NoSQL injection


**Payload类别：**
- SQL注入（MySQL、PostgreSQL、MSSQL、Oracle）
- XSS（反射型、存储型、DOM型）
- SSRF（云元数据、内部端点）
- XXE、SSTI、命令注入
- JWT篡改
- GraphQL自省/批处理
- NoSQL注入

Custom Payloads

自定义Payload

Add to workspace

payloads/<vuln-class>.md

:

markdown

undefined

添加至工作区的

payloads/<vuln-class>.md

：

markdown

undefined

Custom SQLi Payloads for Tesla

Time-based blind (WAF bypass)

' AND (SELECT * FROM (SELECT(SLEEP(5)))a)-- - ' AND SLEEP(5) AND '1'='1


Agents will query both shipped and custom payloads.

' AND (SELECT * FROM (SELECT(SLEEP(5)))a)-- - ' AND SLEEP(5) AND '1'='1


Agent会同时查询内置和自定义Payload。

7-Question Gate (Validation)

7问题验证关卡

Every finding must pass before submission:

python

undefined

所有漏洞发现必须通过以下7个问题的验证才能提交：

python

undefined

Triggered via /validate command

questions = [ "What is the exact attack vector?", "What is the business impact?", "Can you reproduce it 3 times?", "Is it in scope per program policy?", "Have you checked for duplicates?", "Is there a clear fix recommendation?", "Does the PoC include only test data?" ]

Agent validates each finding against all 7

Blocks submission if any answer is unclear

undefined

undefined

Exploit Chain Builder

利用链构建器

bash

undefined

bash

undefined

After finding multiple related issues

/chain

Agent analyzes:

1. Finding A: SSRF in PDF renderer

2. Finding B: Admin panel on internal IP

3. Finding C: CSRF on admin delete user

Builds chain:

A (SSRF) → B (access admin) → C (delete users)

Calculates combined severity: CRITICAL

Generates unified PoC


Python API:

```python
from tools.chain_builder import ChainBuilder

builder = ChainBuilder()

builder.add_finding("ssrf", {
    "endpoint": "/render-pdf",
    "impact": "Access internal network"
})

builder.add_finding("csrf", {
    "endpoint": "/admin/delete-user",
    "impact": "Delete arbitrary users",
    "requires": "Admin session"
})

chain = builder.build()


Python API：

```python
from tools.chain_builder import ChainBuilder

builder = ChainBuilder()

builder.add_finding("ssrf", {
    "endpoint": "/render-pdf",
    "impact": "Access internal network"
})

builder.add_finding("csrf", {
    "endpoint": "/admin/delete-user",
    "impact": "Delete arbitrary users",
    "requires": "Admin session"
})

chain = builder.build()

Returns: dependency graph, combined severity, unified PoC

undefined

undefined

Platform Integration Examples

平台集成示例

HackerOne

python

undefined

python

undefined

Via MCP tools in agent session

List programs

programs = await mcp.call_tool("list_platforms", {})

Get Tesla scope

scope = await mcp.call_tool("get_program_scope", { "platform": "hackerone", "program": "tesla" })

Search for similar reports

similar = await mcp.call_tool("search_hacktivity", { "platform": "hackerone", "query": "IDOR users endpoint", "limit": 10 })

Submit report

report = await mcp.call_tool("submit_report", { "platform": "hackerone", "program": "tesla", "title": "IDOR in /v1/users allows cross-account access", "severity": "high", "description": "...", "poc": "...", "impact": "..." })

undefined

report = await mcp.call_tool("submit_report", { "platform": "hackerone", "program": "tesla", "title": "IDOR in /v1/users allows cross-account access", "severity": "high", "description": "...", "poc": "...", "impact": "..." })

undefined

Bugcrowd

python

undefined

python

undefined

Sync program to local brain

await mcp.call_tool("sync_program", { "platform": "bugcrowd", "program": "acme-corp" })

Get submission policy

policy = await mcp.call_tool("get_program_policy", { "platform": "bugcrowd", "program": "acme-corp" })

undefined

policy = await mcp.call_tool("get_program_policy", { "platform": "bugcrowd", "program": "acme-corp" })

undefined

Autonomous Hunt Loop

自动化狩猎循环

bash

undefined

bash

undefined

Start autopilot mode

/autopilot tesla.com

Agent loop:

1. Query writeup DB for techniques

2. Test endpoints from brain

3. Execute payloads from rules/

4. Validate findings (7-Question Gate)

5. Build exploit chains

6. Log to brain

7. Repeat with new techniques


Modes:
- `--paranoid` - Extra validation, slower
- `--normal` - Balanced (default)
- `--aggressive` - Fast, more false positives


模式：
- `--paranoid` - 额外验证，速度较慢
- `--normal` - 平衡模式（默认）
- `--aggressive` - 快速模式，误报率较高

Troubleshooting

故障排查

MCP Server Not Starting

MCP服务器无法启动

bash

undefined

bash

undefined

Test manually

cd mcp-bounty-server uv run --with mcp python3 server.py --test

cd mcp-writeup-server uv run --with mcp --with faiss-cpu --with sentence-transformers python3 server.py --test

cd mcp-bounty-server uv run --with mcp python3 server.py --test

cd mcp-writeup-server uv run --with mcp --with faiss-cpu --with sentence-transformers python3 server.py --test

Check env vars

echo $HACKERONE_TOKEN echo $WRITEUP_DB_DIR

Verify .mcp.json paths are absolute

cat .mcp.json | grep command

undefined

cat .mcp.json | grep command

undefined

Writeup Search Falls Back to Local

漏洞报告搜索降级至本地模式

bash

undefined

bash

undefined

Check if metadata.db exists

ls -lh ~/.local/share/pentest-writeups/metadata.db

Verify schema

sqlite3 ~/.local/share/pentest-writeups/metadata.db "PRAGMA table_info(writeups);"

Expected columns: id, title, url, content/text/body/writeup

Test FAISS dependencies

python3 -c "import faiss; import sentence_transformers; print('OK')"

undefined

python3 -c "import faiss; import sentence_transformers; print('OK')"

undefined

Brain Not Persisting

Brain系统无法持久化数据

bash

undefined

bash

undefined

Check brain directory

ls -la ~/.pentest-agents/brains/

Manually initialize

python3 -c "from tools.brain import Brain; b = Brain('tesla.com'); b.init(); print(b.stats())"

Verify permissions

chmod -R u+w ~/.pentest-agents/

undefined

chmod -R u+w ~/.pentest-agents/

undefined

Cost Tracking Not Working

成本追踪不工作

bash

undefined

bash

undefined

Verify hook is registered

cat ~/.claude/settings.json | grep hooks

Check hook output

python3 hooks/cost_hook.py # Should emit JSON

View tracking log

cat cost-tracking.json | python3 -m json.tool

undefined

cat cost-tracking.json | python3 -m json.tool

undefined

Installer Conflicts

安装器冲突

bash

undefined

bash

undefined

Show what would be installed

pentest-agents install --dry-run --targets all

Check for drift

pentest-agents verify

Safe rollback

pentest-agents uninstall # Restores .pa-backup files

undefined

pentest-agents uninstall # Restores .pa-backup files

undefined

Provider Bundle Out of Sync

提供商包不同步

bash

undefined

bash

undefined

Check drift

python3 -m tools.installer render --check

Regenerate all providers

python3 -m tools.installer render --targets all

Regenerate specific target

python3 -m tools.installer render --targets codex

undefined

python3 -m tools.installer render --targets codex

undefined

Cross-IDE Compatibility

跨IDE兼容性

Feature	Claude Code	Codex	Gemini	Cursor	Windsurf	Copilot	OpenClaw
Native agents	✅	✅	✅	Skills only	Skills only	✅ (30KB limit)	Skills only
Slash commands	✅	✅	✅	Skills	Workflows	Prompts	Skills
Rules files	✅	✅ (32KB)	✅	✅	✅ (12KB/file)	✅	✅
MCP servers	✅	✅	✅	✅	✅ (user-level)	✅	✅ (user-level)
Model inheritance	✅	Via `model_reasoning_effort`	N/A	N/A	N/A	N/A	N/A

All targets get the same 50 agents, 26 commands, 2 MCP servers — only the file format differs.

功能	Claude Code	Codex	Gemini	Cursor	Windsurf	Copilot	OpenClaw
原生Agent	✅	✅	✅	仅支持Skill	仅支持Skill	✅（30KB限制）	仅支持Skill
Slash命令	✅	✅	✅	Skill	工作流	提示词	Skill
规则文件	✅	✅（32KB）	✅	✅	✅（单文件12KB）	✅	✅
MCP服务器	✅	✅	✅	✅	✅（用户级）	✅	✅（用户级）
模型继承	✅	通过 `model_reasoning_effort`	N/A	N/A	N/A	N/A	N/A

所有目标都支持50个Agent、26条命令、2台MCP服务器——仅文件格式有所不同。

pentest-agents-bug-bounty-framework

Original

Translation

Pentest Agents Bug Bounty Framework

Pentest Agents 漏洞赏金框架

Installation

安装

For Claude Code (Native)

适用于Claude Code（原生支持）

Clone the repository

Clone the repository

Quick start with MCP servers (no global pip install)

Quick start with MCP servers (no global pip install)

Scaffold a new bounty workspace

Scaffold a new bounty workspace

Launch Claude Code

Launch Claude Code

For Other AI Coding Tools

适用于其他AI编码工具

Use pre-rendered bundles directly

Use pre-rendered bundles directly

OR install into your project

OR install into your project

Installer Commands

安装器命令

List installed targets

List installed targets

Install to specific targets

Install to specific targets

Verify installation

Verify installation

Uninstall (safe rollback)

Uninstall (safe rollback)

Regenerate provider bundles

Regenerate provider bundles

MCP Servers

MCP服务器

Bounty Platforms Server (16 Platforms)

漏洞赏金平台服务器（支持16个平台）

HackerOne (full API support)

HackerOne (full API support)

Bugcrowd

Bugcrowd

Intigriti

Intigriti

YesWeHack

YesWeHack

Writeup Search Server (BYO Index)

漏洞报告搜索服务器（自定义索引）

Point to your index directory

Point to your index directory

OR place files in default location:

OR place files in default location:

~/.local/share/pentest-writeups/metadata.db

~/.local/share/pentest-writeups/metadata.db

~/.local/share/pentest-writeups/index.faiss (optional)

~/.local/share/pentest-writeups/index.faiss (optional)

1. Inspect the plan (dry-run, no writes)

1. Inspect the plan (dry-run, no writes)

2. Pre-flight check (probe URLs with git ls-remote)

2. Pre-flight check (probe URLs with git ls-remote)

3. Clone + index repos from repos.yaml

3. Clone + index repos from repos.yaml

4. Point MCP server at the output

4. Point MCP server at the output

Core Workflow

核心工作流

New program

New program

Returning

Returning

After finding

After finding

Batch triage

Batch triage

Key Commands (26 Total)

核心命令（共26条）

In Claude Code Session

在Claude Code会话中

Set model and sync program