intel
The /intel command aggregates security intelligence for a specified target by running CVE matching against its detected tech stack, fetching disclosed vulnerability reports from HackerOne, and cross-referencing findings against previous hunting sessions stored in memory. Use this command at the start of a security assessment or periodically during ongoing hunts to identify critical vulnerabilities, untested endpoints, and new attack surface that warrant immediate investigation.
mkdir -p ~/.claude/commands && curl -fsSL https://raw.githubusercontent.com/elementalsouls/Claude-BugHunter/HEAD/commands/intel.md -o ~/.claude/commands/intel.mdintel.md
# /intel Fetch actionable intelligence for a target. ## What This Does 1. Runs `learn.py` for CVEs and advisories matching the target's tech stack 2. Fetches HackerOne Hacktivity for the target (via HackerOne MCP if available) 3. Cross-references with hunt memory — flags untested CVEs and new endpoints 4. Outputs prioritized intel with hunt recommendations ## Usage ``` /intel target.com ``` ## Output ``` INTEL: target.com ═══════════════════════════════════════ ALERTS: [CRITICAL] CVE-2026-XXXX — Next.js middleware bypass (CVSS 9.1) target.com runs Next.js 14.2.3 (vulnerable). Patch: 14.2.4. → You haven't tested this endpoint yet. Hunt candidate. [HIGH] New feature detected: /api/v3/billing/invoices Not in your tested_endpoints list. 3 new paths. → New = unreviewed. Priority hunt target. [INFO] 2 new disclosed reports on HackerOne for target.com → Read for methodology insights before hunting. MEMORY CONTEXT: Last hunted: 2026-03-24 (2 days ago) Tech stack: Next.js 14.2.3, GraphQL, PostgreSQL Untested CVEs: 1 critical, 0 high ``` ## Data Sources | Source | What | Auth required? | |---|---|---| | `learn.py` — NVD | CVEs matching tech stack | No | | `learn.py` — GitHub Advisory | Security advisories | No | | `learn.py` — HackerOne Hacktivity | Disclosed reports | No | | HackerOne MCP (if connected) | Program stats, policy | No (public) | | Hunt memory | Previously tested endpoints | Local files |
Run autonomous hunt loop on a target — scope check → recon → rank surface → hunt → validate → report with configurable checkpoints. Usage: /autopilot target.com [--paranoid|--normal|--yolo]
Build an exploit chain — given bug A, finds B and C to combine for higher severity and payout. Knows common chain patterns: IDOR→ATO, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth. Usage: /chain
Active vulnerability hunting. Two-track dispatcher — asks Red Team vs WAPT, hands off to hunt-dispatch skill and sibling commands. Usage: /hunt target.com | /hunt *.target.com | /hunt targets.txt [--vuln-class X] [--source-code P] [--chrome]
Inspect or rotate hunt-memory JSONL files (audit.jsonl, patterns.jsonl, journal.jsonl). Caps file size and keeps N rotated backups so memory does not grow unbounded.
Pick up a previous hunt on a target — shows hunt history, untested endpoints, and memory-informed suggestions. Usage: /pickup target.com
Run full recon pipeline on a target — subdomain enum (Chaos API + subfinder), live host discovery (dnsx + httpx), URL crawl (katana + waybackurls + gau), gf pattern classification, nuclei scan. Outputs to recon/<target>/ directory. Usage: /recon target.com
Log current finding or successful pattern to hunt memory. Auto-fills from /validate output if available. Usage: /remember
Write a submission-ready bug bounty report. Generates H1/Bugcrowd/Intigriti/Immunefi format with CVSS 3.1 score, proof of concept, impact statement, and remediation. Run /validate first. Usage: /report