Second major bundle release. 51 → 71 skills, a CI quality/safety gate, a docs site, and security fixes to the toolkit's own code.
✨ Added
- 20 new
hunt-*skills (community v3 expansion — thanks @muhsiindeniiz):hunt-lfi,hunt-nosqli,hunt-deserialization,hunt-cors,hunt-host-header,hunt-open-redirect,hunt-brute-force,hunt-session,hunt-ldap,hunt-nextjs,hunt-nodejs,hunt-dom,hunt-websocket,hunt-grpc,hunt-laravel,hunt-springboot,hunt-k8s,hunt-cicd,hunt-source-leak,hunt-tls-network. (28 → 48 hunt modules.) - CI skill-linter — validates every
SKILL.mdand blocks leaked secrets + client/engagement identifiers (SHA-256 denylist; plaintext names never enter the repo). - Docs site — GitHub Pages under
docs/with a searchable, auto-generated skill catalog. - Community infrastructure — issue/PR templates,
CODEOWNERS,CODE_OF_CONDUCT.md,CHANGELOG.md,FUNDING.yml. - New
hunt-auth-bypassfunction-level access control section; Azure App Service takeover fingerprint inhunt-subdomain.
🔒 Fixed (security — closes #13)
- Path traversal (
cbh recon) and arbitrary file write (cbh report --out) — real path containment. - Shell injection in the
hunt.shengagement scaffold — neutralized. - Q5 validation-gate logic (duplicates no longer pass).
- Loud warning when
--proxydisables TLS verification.
Credit: @sseshachala (report + fix), @muhsiindeniiz (skills), @xiaolai (earlier PRs).
💜 Sponsor
Atlas Cloud — full-modal AI inference, one API for video/image/LLM.
Full changelog: https://github.com/elementalsouls/Claude-BugHunter/blob/main/CHANGELOG.md