Ask me what skills you need
What are you building?
Tell me what you're working on and I'll find the best agent skills for you.
Hunting skill for business-logic vulnerabilities (CWE-840 Business Logic Errors, CWE-841 Improper Enforcement of Behavioral Workflow, CWE-639 Authorization Bypass via User-Controlled Key in business contexts, CWE-362 race conditions on financial flows). Built from 44 corpus reports plus 8.8K shared-platform reports across HackerOne, Bugcrowd, Huntr, GitHub Security Advisories, plus 2024-2026 meta verified against NVD — Lilishop coupon overpurchasing (CVE-2024-50654 CVSS 7.5), WWBN AVideo wallet double-spend TOCTOU (CVE-2026-34368, GHSA-h54m-c522-h6qr), Keycloak 2FA bypass (CVE-2025-3910, GHSA-5jfq-x6xp-7rw2), AlegroCart 1.2.9 negative-quantity price manipulation (Andrey Stoykov SecLists Apr 2025), Bagisto cart price manipulation (Rudransh Singh Rajpurohit Sep 2025), Doppler free-trial reset (Aditya Sunny Dec 2024), Stripe hasEverTrialed bypass (better-auth #6863 Dec 2025), email-alias trial-abuse (Mahmoud Magdy Dec 2025), Samsung Account 2FA bypass via IMEI leak (Gregory Greekas Dec 2024), 2FA bypass via password reset (KhaledAhmed107 Jan 2026), pre-ATO via SSO migration (Giongnef Jan 2024), Tesla 2020 free vehicle software upgrade race condition, Uber 2016 infinite promo credits, Aditya Bhatt 2025 InfoSec writeup on race-condition coupon stacking. Use when hunting price/quantity manipulation, coupon/discount abuse, race-condition on payment-and-checkout, MFA/2FA bypass, password reset bypass, free-trial abuse, referral abuse, currency-conversion abuse, workflow-step skipping, role/scope escalation, pre-account takeover, OTP enumeration, or any "the app trusted client-side state" finding.
Business-logic flaws are the highest-creativity-required class in bug bounty — most don't get CVEs because they're application-specific, but they're often the highest-paying single-finding class on commercial SaaS because they map directly to financial loss. The 24-month meta has crystallized around eight asset types. All CVEs below are NVD-verified.
1. Payment / checkout flow manipulation (mid four-figure to mid five-figure on e-commerce / fintech). The "client trusts price/quantity" pattern. CVE-2024-50654 Lilishop coupon overpurchasing (CVSS 7.5 HIGH) — concurrent coupon-collection requests bypass quantity limit. AlegroCart v1.2.9 negative-quantity price manipulation (Andrey Stoykov disclosure SecLists Apr 2025 at https://seclists.org/fulldisclosure/2025/Apr/22) — GET /alegrocart/index.php?...&quantity=-100 produces -100 × $15.99 = -$1,599.00 cart subtotal; checkout flow accepts negative total. Bagisto CMS v2.3.6 cart price manipulation (Rudransh Singh Rajpurohit Sep 2025 at https://medium.com/@rudranshsinghrajpurohit/cve-2025-56426-cart-price-manipulation-vulnerability-in-bagisto-cms-468b72311969) — modify cart parameter to -1, sy
npx skills add H-mmer/pentest-agents --skill hunt-business-logicHow clear and easy to understand the SKILL.md instructions are, rated from 1 to 5.
Mostly clear, but there are still a few confusing or poorly structured parts.
How directly an agent can act on the SKILL.md instructions, rated from 1 to 5.
Mostly actionable with clear steps; only a few small gaps remain.