hunt-graphql
Crown Jewel Targets
GraphQL vulnerabilities are high-value because the attack surface is both broad and deep: a single endpoint can expose entire data models, privilege escalation paths, and cross-API state confusion. Highest payouts occur in:
- Platform APIs (GitHub, Shopify, Stripe-tier targets) where GraphQL mutations interact with REST APIs managing the same resources
- Race conditions between GraphQL mutations and REST endpoints where state synchronization is non-atomic; these hit medium-to-high severity reliably
- Authorization persistence bugs where team/org/repo membership state is controlled by one API but readable/writable by another
- B2B SaaS platforms where one tenant affecting another via schema traversal is rated critical
- Internal admin GraphQL endpoints accidentally exposed to lower-privilege users
The GitHub reports demonstrate the crown-jewel pattern: privilege that should have been revoked persists because two APIs disagree on ground truth.
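The authorization-persistence pattern above, as an added example that is not part of the original skill: a REST service owns membership writes while a GraphQL service keeps its own replica, a revoke that updates the two non-atomically leaves the replica stale, and a resolver that trusts its replica keeps authorizing the revoked user. The block also shows the two defensive fixes a platform team would want: authorize against the single authoritative store, and run a reconciler that surfaces drift between the copies. All names (`TwoApiPlatform`, `acme`, `alice`) are constructed for this illustration.

```python
"""Added example (not from the original skill): membership state held by two APIs
drifts after a non-atomic revoke; the weak resolver keeps granting access, the
hardened resolver and the reconciler do not. All names are constructed."""

import threading
from dataclasses import dataclass, field


@dataclass
class MembershipStore:
    """Minimal org -> {user_id} store guarded by a lock."""
    members: dict = field(default_factory=dict)
    lock: threading.Lock = field(default_factory=threading.Lock)

    def add(self, org: str, user: str) -> None:
        with self.lock:
            self.members.setdefault(org, set()).add(user)

    def remove(self, org: str, user: str) -> None:
        with self.lock:
            self.members.get(org, set()).discard(user)

    def is_member(self, org: str, user: str) -> bool:
        with self.lock:
            return user in self.members.get(org, set())

    def snapshot(self) -> set:
        """All (org, user) pairs currently granted by this store."""
        with self.lock:
            return {(org, u) for org, users in self.members.items() for u in users}


@dataclass
class TwoApiPlatform:
    """REST owns membership writes; the GraphQL service keeps its own replica (constructed)."""
    rest: MembershipStore = field(default_factory=MembershipStore)
    graphql_replica: MembershipStore = field(default_factory=MembershipStore)

    def rest_add_member(self, org: str, user: str) -> None:
        self.rest.add(org, user)
        self.graphql_replica.add(org, user)

    def rest_revoke(self, org: str, user: str, replica_sync_ok: bool = True) -> None:
        """Non-atomic revoke: the authoritative write always lands, the replica
        update is best-effort. When the sync step fails the replica stays stale."""
        self.rest.remove(org, user)
        if replica_sync_ok:
            self.graphql_replica.remove(org, user)

    # Weak resolver: trusts the local replica, so a failed sync leaves privilege in place.
    def graphql_can_mutate_weak(self, org: str, user: str) -> bool:
        return self.graphql_replica.is_member(org, user)

    # Hardened resolver: every authorization decision reads the single source of truth.
    def graphql_can_mutate_hardened(self, org: str, user: str) -> bool:
        return self.rest.is_member(org, user)

    def find_drift(self) -> set:
        """Reconciler: (org, user) pairs the replica grants but the authority does not.
        A non-empty result is the detection signal for this bug class."""
        return self.graphql_replica.snapshot() - self.rest.snapshot()


def demo(replica_sync_ok: bool = False) -> dict:
    """Add a member, revoke them with the replica sync succeeding or failing,
    and report what each resolver and the reconciler conclude afterwards."""
    p = TwoApiPlatform()
    p.rest_add_member("acme", "alice")
    p.rest_revoke("acme", "alice", replica_sync_ok=replica_sync_ok)
    return {
        "weak_still_allows": p.graphql_can_mutate_weak("acme", "alice"),
        "hardened_allows": p.graphql_can_mutate_hardened("acme", "alice"),
        "drift": p.find_drift(),
    }


if __name__ == "__main__":
    print("sync failed:", demo(replica_sync_ok=False))
    print("sync ok:    ", demo(replica_sync_ok=True))
```

With the sync step failing, `graphql_can_mutate_weak` still returns `True` for the revoked user while `graphql_can_mutate_hardened` returns `False`, and `find_drift` reports the stale grant; with the sync succeeding, all three agree. The same shape applies in reverse when GraphQL owns the write and REST holds the replica.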