hackerone

Fail

Audited by Socket on Feb 20, 2026

1 alert found:

Obfuscated File (severity: HIGH)
File: SKILL.md

The code/documentation describes a powerful automation for bug bounty workflows that, as written, enables high-risk operations: execution of arbitrary PoC scripts and large-scale active testing without enforced sandboxing, consent checks, or rate limiting. These behaviors create significant supply-chain and operational risks (possible host compromise, data exfiltration, accidental DoS against targets, and unchecked exfiltration via the /pentest skill). Treat this package as potentially dangerous in production until mitigations are implemented: mandatory sandboxed PoC execution, strict concurrency controls, enforced scope authorization, and a full audit of the /pentest agent implementation and any automated submission/upload flows.

Confidence: 98%
Audit Metadata
Analyzed At
Feb 20, 2026, 09:27 PM
Package URL
pkg:socket/skills-sh/transilienceai%2Fcommunitytools%2Fhackerone%2F@e1071eb858cdebac0a8900b95ea5d886055af71c