Hunt platform credentials. These are required for /intel, MCP integrations, and submission tracking.
Bug bounty platform — required for /intel, H1 MCP, Hacktivity lookups
HACKERONE_API_TOKEN
HACKERONE_API_USERNAME
Bug bounty platform — required for Bugcrowd program intel and submission workflows
BUGCROWD_API_TOKEN
Bug bounty platform — personal access token for Intigriti program data
INTIGRITI_API_TOKEN
Web3 bug bounty — no public API yet; use your handle directly in reports
No API key — handle-based
Shell Template (.zshrc / .bashrc)
Paste into your shell config. Fill in your actual keys. Never commit this file with real values.
# ── Hunt Platform Credentials ────────────────────────────────────────
# Values are quoted so tokens and URLs containing shell metacharacters are taken literally.
export HACKERONE_API_TOKEN="<YOUR_KEY>"
export HACKERONE_API_USERNAME="<YOUR_H1_HANDLE>"
export BUGCROWD_API_TOKEN="<YOUR_KEY>"
export INTIGRITI_API_TOKEN="<YOUR_KEY>"
# ── Subdomain Recon ───────────────────────────────────────────────────
export GITHUB_TOKEN="<YOUR_PAT>"
export SHODAN_API_KEY="<YOUR_KEY>"
export CHAOS_KEY="<YOUR_KEY>"
export CENSYS_API_ID="<YOUR_ID>"
export CENSYS_API_SECRET="<YOUR_SECRET>"
export SECURITYTRAILS_API_KEY="<YOUR_KEY>"
export NETLAS_API_KEY="<YOUR_KEY>"
export GITLAB_TOKEN="<YOUR_PAT>"
export BINARYEDGE_API_KEY="<YOUR_KEY>"
export LEAKIX_API_KEY="<YOUR_KEY>"
export WHOISXML_API_KEY="<YOUR_KEY>"
# ── Threat Intel ─────────────────────────────────────────────────────
export VIRUSTOTAL_API_KEY="<YOUR_KEY>"
export URLSCAN_API_KEY="<YOUR_KEY>"
export INTELX_API_KEY="<YOUR_KEY>"
export FOFA_KEY="<YOUR_KEY>"
export FOFA_EMAIL="<YOUR_EMAIL>"
# ── Notifications ────────────────────────────────────────────────────
export DISCORD_WEBHOOK_URL="<YOUR_WEBHOOK_URL>"
export TELEGRAM_API_KEY="<YOUR_BOT_TOKEN>"
export TELEGRAM_CHAT_ID="<YOUR_CHAT_ID>"
export SLACK_WEBHOOK_URL="<YOUR_WEBHOOK_URL>"
# ── Local Tools ──────────────────────────────────────────────────────
export OBSIDIAN_API_KEY="<YOUR_KEY>"
export COLLAB_URL="<YOUR_INTERACTSH_URL>"
export SEARXNG_BASE_URL="http://localhost:8888"
subfinder provider-config.yaml
File location: ~/.config/subfinder/provider-config.yaml — or use doctor.py --sync-subfinder to auto-fill from env vars.
github:
- <GITHUB_TOKEN>
shodan:
- <SHODAN_API_KEY>
chaos:
- <CHAOS_KEY>
censys:
- <CENSYS_API_ID>:<CENSYS_API_SECRET>
securitytrails:
- <SECURITYTRAILS_API_KEY>
netlas:
- <NETLAS_API_KEY>
virustotal:
- <VIRUSTOTAL_API_KEY>
binaryedge:
- <BINARYEDGE_API_KEY>
leakix:
- <LEAKIX_API_KEY>
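One way to generate this file from the Shell Template variables while keeping it private to your user. This is an added example, not the project's doctor.py; the function names render_provider_config and write_private are assumptions, and the demo writes to a temporary directory rather than ~/.config/subfinder.

```python
import json
import os
import re
import tempfile

# Provider -> env vars from the Shell Template; censys is written as "<id>:<secret>".
PROVIDERS = {
    "github": ["GITHUB_TOKEN"],
    "shodan": ["SHODAN_API_KEY"],
    "chaos": ["CHAOS_KEY"],
    "censys": ["CENSYS_API_ID", "CENSYS_API_SECRET"],
    "securitytrails": ["SECURITYTRAILS_API_KEY"],
    "netlas": ["NETLAS_API_KEY"],
    "virustotal": ["VIRUSTOTAL_API_KEY"],
    "binaryedge": ["BINARYEDGE_API_KEY"],
    "leakix": ["LEAKIX_API_KEY"],
}
PLACEHOLDER = re.compile(r"^<[A-Z0-9_]+>$")  # an unfilled template value such as <YOUR_KEY>


def render_provider_config(env):
    """Return (yaml_text, skipped_providers) for an environment mapping."""
    lines, skipped = [], []
    for provider, names in PROVIDERS.items():
        values = [env.get(name, "").strip() for name in names]
        # Skip a provider when any part is unset or still a template placeholder.
        if any(not v or PLACEHOLDER.match(v) for v in values):
            skipped.append(provider)
            continue
        # A JSON string is a valid double-quoted YAML scalar, so quoting is safe.
        lines += [f"{provider}:", "  - " + json.dumps(":".join(values))]
    return "\n".join(lines) + "\n", skipped


def write_private(path, text):
    """Write the config atomically with mode 0600 (owner read/write only)."""
    directory = os.path.dirname(os.path.abspath(path))
    os.makedirs(directory, mode=0o700, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory)  # mkstemp creates the file as 0600
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    os.replace(tmp, path)  # rename over the target; no partially written file


if __name__ == "__main__":
    text, skipped = render_provider_config(os.environ)
    out = os.path.join(tempfile.mkdtemp(), "provider-config.yaml")  # demo path only
    write_private(out, text)
    print(f"wrote {out}; skipped: {', '.join(skipped) or 'none'}")
```

Providers whose variables are unset or still hold a template placeholder are left out of the file and reported, so a half-filled shell config does not produce entries that fail silently.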
Integration Setup
- Clone: `git clone https://github.com/kdairatchi/claude-bug-bounty ~/claude-bug-bounty`
- Copy template: `cp templates/hunter.yaml.example ~/claude-bug-bounty/config/hunter.yaml`
- Add env vars to `~/.zshrc` using the Shell Template above
- Run: `bash ~/claude-bug-bounty/install.sh`
- Verify: `python3 ~/claude-bug-bounty/tools/doctor.py --section env`
Key Rotation Guide
| Service | Recommended Interval | Trigger immediately if… | Where to rotate |
|---|---|---|---|
| HackerOne | Quarterly | Token visible in logs, public repo, or report | Settings → API token |
| GitHub PAT | Set expiry (90d) or annually | Pushed to public repo (GitHub alerts you) | Settings → Tokens |
| Shodan | On breach only | Unexpected API quota drain | Account page |
| Bugcrowd | Quarterly | Token in public code or logs | Profile → API |
| Discord Webhook | On leak only | Spam messages in your channel | Channel → Integrations → Webhooks → delete + recreate |
| VirusTotal | Annually | Quota exhausted unexpectedly | My API key |
Roadmap
- Phase 2 — Browser localStorage key manager: paste your keys, page generates ready-to-use config files, nothing sent to any server
- Phase 3 — Rotation reminders + in-browser API ping validation + .env / hunter.yaml download generator
PRs welcome at github.com/kdairatchi/keyatlas