Public Skills Builder
March 12, 2026 · View on GitHub
Public Skills Builder
Generate Claude Code bug bounty skills from public HackerOne reports and GitHub writeups — no private reports needed.
Feed it 500+ public bug bounty reports. Get back 18 ready-to-use Claude Code skill files — one per vulnerability class — packed with real-world techniques, payloads, and bypass patterns.
Quick Start · Output · Sources · Usage
Why Use This
Bug bounty reports are the best training data for hunting. This tool reads hundreds of disclosed HackerOne reports and community writeups, then uses Claude to distill them into structured skill files you can load directly into Claude Code.
No private reports required. Everything comes from public data.
Quick Start
git clone https://github.com/shuvonsec/public-skills-builder
cd public-skills-builder
python3 -m venv .venv
source .venv/bin/activate
pip install anthropic requests
cp .env.example .env
# Edit .env — add your ANTHROPIC_API_KEY
Sources
| Source | Auth needed | What it fetches |
|---|---|---|
| HackerOne public feed | None | Publicly disclosed reports |
| HackerOne REST API | H1 API key | Your own resolved reports |
| GitHub writeup repos | None (optional token) | 1,200+ community writeups |
Output
One markdown skill file per vulnerability class, ready to load into Claude Code:
skills/
hunt-idor.md
hunt-ssrf.md
hunt-xss.md
hunt-rce.md
hunt-oauth.md
hunt-sqli.md
hunt-business-logic.md
... (18 vuln classes total)
README.md ← index of all skills
Each skill file contains:
- Crown jewel targets
- Attack surface signals
- Step-by-step hunting methodology
- Payloads and grep patterns
- Bypass techniques
- Gate 0 validation checklist
Usage
# Public GitHub writeups only (just needs Claude API key)
python3 public_skills_builder.py --source github
# HackerOne public disclosed reports (no H1 key needed)
python3 public_skills_builder.py --source h1-public
# Everything — all sources, all vuln classes
python3 public_skills_builder.py --source all --limit 500
# Specific vuln classes only
python3 public_skills_builder.py --vuln-type idor ssrf xss oauth
# Specific H1 program
python3 public_skills_builder.py --source h1 --program shopify --limit 200
Supported Vuln Classes
idor ssrf xss sqli rce auth-bypass oauth race-condition
business-logic graphql cache-poison xxe upload ssti csrf
subdomain llm-ai crypto
Using the Skills in Claude Code
Once generated, load a skill into Claude Code by pointing it at the file:
claude
# Then: "Load skills/hunt-idor.md and help me hunt IDOR on target.com"
Or copy skill files into your Claude Code project's .claude/ directory so they load automatically.
Requirements
- Python 3.10+
ANTHROPIC_API_KEY— from console.anthropic.comH1_API_KEY— optional, from hackerone.com/settings/api_tokenGITHUB_TOKEN— optional, increases GitHub API rate limits
Legal
For authorized security testing only. Only test targets within an approved bug bounty program scope.
MIT License · Built for bug hunters who learn from the community
Star if this saved you research time