feat(arsenal): HackerOne disclosed-reports reference agent + methodology trim

[Ap6pack]

Summary

Two independent improvements:

1. New tool — HackerOne hacktivity reference agent

skills/offensive-osint/scripts/h1_reference.py — stdlib-only Python script (no API key, no deps) that queries HackerOne's public GraphQL API for disclosed reports and surfaces community-validated findings during recon.

New section offensive-osint §29.3 documents the tool with copy-paste commands for:

• Session-start baseline loading (--top-voted)
• Keyword search by attack class (--query "SSRF" --pages 10)
• Business-impact framing reference (--top-bounty)
• Program-specific lookups (--program <handle>)

python3 skills/offensive-osint/scripts/h1_reference.py --top-voted --limit 25
python3 skills/offensive-osint/scripts/h1_reference.py --top-voted --query "SSRF|OAuth" --pages 10
python3 skills/offensive-osint/scripts/h1_reference.py --top-bounty --severity critical high
python3 skills/offensive-osint/scripts/h1_reference.py --program shopify --pages 3

Three H1 GraphQL server bugs were discovered empirically and worked around (documented in the script and §29.3):

• Named variables + substate filter + report fields → server 500
• disclosed_at field + substate filter → server 500
• Sort + substate filter + report fields → server 500

2. Methodology trim

osint-methodology/SKILL.md reduced from 1,694 → 455 lines. Removed sections that duplicate the arsenal skill and collapsed specialty domains into a pointer block. Retained full strategic core: pipeline, asset graph, severity rubric, confidence upgrade workflows, OpSec, anti-patterns. Also includes a minor table fix for the confidence upgrade workflow.

---

CONTRIBUTING checklist

• Change is OSINT-only (read-only GraphQL queries, no exploitation)
• CHANGELOG.md updated under [Unreleased]
• README.md directory tree and capability table updated
• Six trigger phrases added to offensive-osint YAML frontmatter
• Smoke-test prompt #33 added with expected behavior (36 total prompts)
• Script placed in skills/offensive-osint/scripts/ matching secret_scan.py convention
• Commits follow <type>(<scope>): <subject> format
• Severity/detectability/confidence tags consistent with rubrics

Sample prompt exercising §29.3

"Before I start probing this target, pull community-validated HackerOne disclosures for SSRF and OAuth bypass techniques."

Expected behavior: Pulls offensive-osint §29.3; provides h1_reference.py command with --top-voted --query "SSRF|OAuth" --pages 10; does NOT invent report URLs or fabricate findings.

Test plan

• Install modified skill in Claude Code
• Run smoke-test prompt #33 — verify §29.3 is referenced and correct command provided
• python3 skills/offensive-osint/scripts/h1_reference.py --top-voted --limit 5 — verify live results
• python3 skills/offensive-osint/scripts/h1_reference.py --top-voted --query "XSS" --pages 3 — verify keyword filtering
• Confirm no fabricated endpoints, regexes, or report URLs in Claude responses

🤖 Generated with Claude Code

[Ap6pack]

Overview of changes

This PR contributes two independent improvements. Happy to split into separate PRs if that is preferred.

---

1. skills/offensive-osint/scripts/h1_reference.py — new tool

A stdlib-only Python script (no API key, no third-party deps) that queries HackerOne's public GraphQL API for disclosed reports. The intent is to surface community-validated findings as a reference layer during recon — before probing a target, you can quickly pull what techniques have already been validated against similar programs.

Modes:

Flag	Purpose
--top-voted	Community-validated techniques, sorted by upvotes
--top-bounty	Highest-paid reports — useful for business-impact framing
--query <regex>	Keyword search across titles (e.g. "SSRF|OAuth")
--pages <n>	Paginate results (50/page, H1 API hard limit)
--severity	Client-side filter: critical high medium low
--cwe	Client-side CWE label filter
--program <handle>	Filter to a specific program's disclosures
--json	Machine-readable output for piping

Three H1 GraphQL server bugs discovered and worked around (documented in the script):

• Named query variables + substate filter + report fields → HTTP 500
• disclosed_at field + substate filter → HTTP 500
• Sort + substate filter + report fields → HTTP 500

The script detects and routes around each automatically.

---

2. skills/osint-methodology/SKILL.md — trim from 1,694 → 455 lines

The methodology skill had grown to duplicate large sections already covered by the arsenal skill. This trims it back to the strategic core that belongs there:

Kept: confidence levels + upgrade workflows, 5-stage pipeline + time budgets, asset graph taxonomy + triage rules, severity rubric + escalation, OpSec + detectability + back-off, breach × identity correlation, anti-patterns.

Removed: implementation-detail sections (identity fabric, API mapping, JS analysis, mobile, cloud, WAF/CDN bypass, vuln prioritization, phishing) — these are covered in depth in offensive-osint and were creating noise and duplication. Each removed section is replaced with a 2-sentence pointer to the companion skill.

Also includes a minor fix to the confidence upgrade workflow table (bucket row had an ambiguous cell split).

---

Checklist against CONTRIBUTING.md

• OSINT-only — read-only GraphQL queries, no exploitation
• CHANGELOG.md updated under [Unreleased]
• README.md directory tree and capability table updated
• Trigger phrases added to offensive-osint frontmatter
• Smoke-test prompt #33 added with expected behavior
• Script placed in skills/offensive-osint/scripts/ matching secret_scan.py convention
• Commits follow <type>(<scope>): <subject> format