Summary
I'd like to propose a new skill called bug-hunter, designed to help LLMs perform structured security audits on Android applications, with a focus on bug bounty preparation and OWASP Mobile Top 10 coverage.
I've implemented it in my fork and it's ready for review:
👉 https://github.com/MartinPSDev/skills/blob/main/security/bug-hunter/SKILL.md
Motivation
Android developers often need to audit their apps before public release, bug bounty submission, or third-party security review. There is currently no security-focused skill in this repository. This skill fills that gap by providing:
- A universal vulnerability checklist covering all major Android attack surfaces (data storage, networking, IPC, cryptography, WebView, binary protections, etc.)
- Vertical-specific checklists for sensitive domains: Banking/Fintech, Health/HIPAA, Enterprise/MDM, and E-commerce
- Context detection logic that automatically identifies the app's domain from package names, dependencies, and manifest entries
- A structured reporting format with severity, OWASP mapping, vulnerable code snippet, and remediation
- A responsible disclosure disclaimer
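As an added illustration of two of the items above (the exported-components audit and the package-name context detection), here is example code written for this issue, not taken from the proposed skill; the sample manifest and the domain keyword table are constructed for the demo.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not from any real app): one activity is exported
# without a permission, one service is exported but permission-protected.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank.wallet">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.bank.wallet.SYNC"/>
    <provider android:name=".DataProvider" android:exported="false"/>
  </application>
</manifest>"""

# Hypothetical keyword table for context detection; the skill's own rules may differ.
DOMAIN_HINTS = {
    "fintech": ("bank", "wallet", "pay"),
    "health": ("health", "med", "clinic"),
    "enterprise": ("mdm", "enterprise", "corp"),
    "ecommerce": ("shop", "store", "cart"),
}

def detect_domain(package_name):
    """Return the first vertical whose hint appears in the package name, else 'generic'."""
    name = package_name.lower()
    for domain, hints in DOMAIN_HINTS.items():
        if any(h in name for h in hints):
            return domain
    return "generic"

def audit_exported_components(manifest_xml):
    """Return (tag, name) for components exported without an android:permission.
    The MAIN activity is skipped because it must be exported to be launchable."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for comp in root.iter():
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        if comp.get(ANDROID_NS + "exported") != "true" or comp.get(ANDROID_NS + "permission"):
            continue
        actions = {a.get(ANDROID_NS + "name") for a in comp.iter("action")}
        if "android.intent.action.MAIN" not in actions:
            findings.append((comp.tag, comp.get(ANDROID_NS + "name")))
    return findings
```

Running `audit_exported_components(SAMPLE_MANIFEST)` on the constructed manifest flags only `.TransferActivity`; `detect_domain` on its package name returns `fintech`, which would select the Banking/Fintech checklist.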
Proposed path
security/bug-hunter/SKILL.md
Checklist coverage
| Category | Included |
|---|---|
| OWASP Mobile Top 10 | ✅ |
| Android-specific CVE patterns | ✅ |
| Hardcoded secrets detection | ✅ |
| Exported components audit | ✅ |
| TLS / certificate pinning | ✅ |
| Cryptography misuse | ✅ |
| WebView attack surface | ✅ |
| Vertical checklists (fintech, health, enterprise, e-commerce) | ✅ |
| Reporting format with severity + remediation | ✅ |
Notes
I understand that public PRs are not accepted at this time, which is why I'm submitting this as an issue. Happy to provide any additional context, adjust the content, or answer questions from the maintainers.
Licensed under Apache-2.0, consistent with the rest of this repository.