submit
$
npx mdskill add H-mmer/pentest-agents/submitPrepare and submit a report for finding: $ARGUMENTS
SKILL.md
.github/skills/submitView on GitHub ↗
--- name: submit description: "Draft and submit a vulnerability report to the bug bounty platform. Reads scope.yaml for platform/program, uses brain + findings for content. Always drafts first for review." disable-model-invocation: false --- Prepare and submit a report for finding: $ARGUMENTS Workflow: 0. Read `rules/identities.md` to learn which env vars hold the researcher handle, email alias, and API token for the platform identified in step 1. NEVER hardcode a username or email; always reference the env-var symbol. If a required var is unset, abort with `error: <VAR> is not set; refusing to guess` and surface it to the user. 1. Read `scope.yaml` to determine the platform and program handle. 2. Read the finding details from brain/findings/poc directory matching "$ARGUMENTS". 3. Use MCP tool `draft_report` to create a platform-formatted draft: - Format title as: `[Vuln Type] in [Component] allows [Impact] via [Vector]` - Include CVSS vector string (CVSS 3.1 for HackerOne, CVSS 4.0 for all others) - Map vulnerability type to platform-specific taxonomy (H1 weakness IDs, Bugcrowd VRT) - Include all reproduction steps, impact, and remediation 4. Show the draft to the user and ASK FOR CONFIRMATION before submitting. 5. ONLY after explicit user approval, use MCP tool `submit_report` to submit. 6. After submission, update the brain: `uv run python3 $CLAUDE_PROJECT_DIR/tools/brain.py record <target> confirmed <technique> "Submitted as report #<id> on <platform>"` 7. Update findings.json status to "reported". IMPORTANT: NEVER submit without showing the draft and getting explicit user confirmation. ## Top-Tier Submission Discipline Submission is a controlled release. Before asking for approval, verify: - `/validate` PASS or explicit accepted equivalent exists - `/quality` score is acceptable and blocking issues are fixed - `/dupcheck` result is included or intentionally skipped with reason - all evidence paths exist on disk - platform taxonomy, severity, and CVSS version match the platform - no secrets, customer data, or prohibited artifacts are over-shared - remediation is actionable and scoped to the root cause Show the user the final title, severity, platform, target asset, evidence list, and any residual risk. If anything changed after draft generation, re-run quality before submission.
More from H-mmer/pentest-agents
- analyzeAnalyze recon output with AI to suggest high-value targets and attack strategies. Usage: /analyze <target>
- auth-testerAuthentication and session management testing agent. Use for login bypass, session fixation, password reset flow abuse, MFA bypass, OAuth flaws, and privilege escalation testing. Provide the application URL and any credentials for testing.
- autopilotAutonomous hunt orchestrator. INSATIABLE in --autonomous mode: enforces an EXHAUSTION CONTRACT (26 canonical hunter classes, surface probe A-I, depth-engine ≥25 attempts/class, wall-clock floor 90 min/target, PRE-COMPLETION GATE before any summary). No early stops, no clarifying questions, no auxiliary-agent substitution. Usage: /autopilot target.com [--interactive|--autonomous] [--20m-off] [--resume]
- brainCentral knowledge coordinator. Use BEFORE launching any other pentest agent to get context on what's already been tried. Also use AFTER any agent completes to record findings, exhausted vectors, and learned patterns. The brain prevents redundant work across sessions and agents.
- browser-agentBrowser automation agent for interactive web testing. Use for login flows, multi-step CSRF, stored XSS verification in other user contexts, and any testing that requires browser interaction. Requires Claude in Chrome MCP.
- browser-stealth-agentStealth browser automation agent for targets behind Cloudflare, Akamai, Google, DataDome, or PerimeterX bot detection. Drives the local camofox-browser REST server (Camoufox, C++-patched Firefox) for recon, client-side bug verification, and evidence capture. Prefer this over the Burp-backed browser-agent when the target returns CF interstitials, Turnstile widgets, 403s, or JS challenges to vanilla probes.
- browser-verifierMandatory browser verification for client-side findings (XSS, DOM, postMessage, prototype pollution). Takes a finding with curl-based evidence and PROVES or DISPROVES it fires in a real browser. No finding ships without browser verification. Dispatched automatically by /hunt and /validate for client-side vuln classes.
- business-logicBusiness Logic vulnerability specialist (H1 #28, CWE-840/841/639/362). Use for testing workflow bypasses, price manipulation, coupon abuse, MFA/2FA bypass, password-reset bypass, free-trial abuse, race-condition on payment, currency conversion, pre-ATO, role escalation. Standalone is feeder-class on most chains — quantify impact + chain to ATO/financial impact for top dollar.
- chainBuild deep exploit chains — dispatches chain-builder agent. Given bug A, recursively walks the chain graph. Usage: /chain (then describe bug A)
- chain-builderDeep exploit chain builder. Given bug A, recursively walks the chain graph — each confirmed link becomes the new A. No depth limit. Supports 2-link to 10+ link chains. Use when you have any finding that needs escalation.