hunt-source-leak

SKILL.md

HUNT-SOURCE-LEAK — Source Code & Build Artifact Leakage

Crown Jewel Targets

Source map exposing TypeScript source = see all API routes, auth logic, secrets. Swagger/OpenAPI JSON = complete API surface map.

Highest-value findings:

  • .js.map source maps — reconstruct full TypeScript/ES6 source code → find hardcoded API keys, internal endpoints, auth logic bypasses
  • swagger.json / openapi.json — complete REST API specification with all endpoints, parameters, auth schemes, and internal route names
  • .env / .env.production — APP_KEY, DB_PASSWORD, API_KEY, SECRET_KEY in plaintext
  • .git/ exposure — git clone the entire source history → all past hardcoded secrets
  • asset-manifest.json / _next/static/ — all JS bundle paths → systematic source map discovery
  • build-info / info.json — git commit hash, build timestamp, dependency versions → CVE targeting
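
As an added example (not part of the skill or its repository), here is a pre-deploy check that walks a local build output directory and flags the artifact classes listed above before they reach a public web root. The function names, finding labels and the sample tree built in demo() are constructed for illustration.

```python
import json
import os
import re
import tempfile

RISKY_NAMES = {"swagger.json", "openapi.json", "asset-manifest.json", "info.json"}  # from the list above
MAP_REF = re.compile(r"//[#@]\s*sourceMappingURL=\S+")

def describe_map(path):
    """Say whether a source map embeds original code (sourcesContent)."""
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
        embedded = any(data.get("sourcesContent") or [])
        return f"source map, code {'embedded' if embedded else 'not embedded'}"
    except (OSError, ValueError, AttributeError):
        return "source map (unparseable)"

def audit_build_dir(root):
    """Return sorted (relative path, finding) pairs for a local build directory."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        if ".git" in dirnames:
            dirnames.remove(".git")  # report it, do not descend
            found.append((os.path.join(dirpath, ".git"), "git metadata"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == ".env" or name.startswith(".env."):
                found.append((path, "environment file"))
            elif name in RISKY_NAMES:
                found.append((path, "API spec or build metadata"))
            elif name.endswith(".map"):
                found.append((path, describe_map(path)))
            elif name.endswith(".js"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if MAP_REF.search(fh.read()):
                        found.append((path, "sourceMappingURL comment"))
    return sorted((os.path.relpath(p, root).replace(os.sep, "/"), f) for p, f in found)

def demo():  # audits a constructed sample tree, not data from the page
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".git"))
        samples = {".env.production": "API_KEY=placeholder\n", "swagger.json": "{}",
                   "main.js": "//# sourceMappingURL=main.js.map\n",
                   "main.js.map": json.dumps({"sources": ["app.ts"], "sourcesContent": ["x"]})}
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_build_dir(root)
```

Run as a CI step, a non-empty result from audit_build_dir() on the deploy directory can fail the build before anything is published.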

Phase 1 — Quick Wins (Run First)

Installs: 9
GitHub Stars: 2.6K
First Seen: Jun 5, 2026
hunt-source-leak — elementalsouls/claude-bughunter