# VulnPilot
VulnPilot is an automation framework for vulnerability disclosure workflows. It coordinates target scouting, environment deployment, code audit, reproduction, report generation, disclosure-route selection, optional Notion synchronization, and final vendor submission.
The project was extracted from an OpenClaw-based local workflow. This repository contains only source code, tests, templates, and documentation. Runtime state, logs, reports, evidence archives, browser profiles, credentials, and real disclosure material are intentionally excluded.
## Components
- `scripts/vuln_pipeline.py` - main state machine.
- `tools/mcp/target_scout_runner.py` - GitHub and HackerOne backed target scouting.
- `tools/mcp/hackerone_*.py` - local HackerOne MCP client/server/wrapper layer.
- `tools/mcp/github_*.py` - GitHub MCP helper and repository intelligence wrappers.
- `scripts/vuln_reprove.py` - reproduction executor.
- `scripts/disclosure_route.py` - disclosure route resolver.
- `scripts/notion_vuln_sync.py` - optional Notion synchronization.
- `scripts/proton_send_mail.py` - optional Proton Mail UI automation through OpenClaw browser control.
- `scripts/vuln_pipeline_queue_guard.py` and `scripts/watchdog_runtime_monitor.py` - queue guard and runtime monitor scripts; the retired `scripts/task_watchdog.py` remains only as a compatibility entrypoint.
- `runtime_logging.py` - structured runtime logging helper.
## Workflow
The default pipeline stages are:
```text
PRE_CLEAN -> DEPLOY -> HEALTHCHECK -> AUDIT -> REPROVE -> MARKET_REVIEW
-> NOTION_SYNC -> MARKET_SUBMISSION_PREP -> DISCLOSURE_ROUTE -> REPORT
-> WAIT_MAIL_APPROVAL -> SEND_MAIL -> DONE
```
Self-iteration and recovery stages are also present for repairing stalled pipeline work.
## Setup
Use Python 3.10 or newer.
```bash
git clone git@github.com:lalalala5678/VulnPilot.git
cd VulnPilot
python3 -m unittest discover -s tests
```
Copy `.env.example` or export only the variables required for the integrations you use:
```bash
export VULNPILOT_WORKSPACE="$PWD"
export OPENAI_API_KEY="..."
export HACKERONE_API_USERNAME="..."
export HACKERONE_API_TOKEN="..."
export GITHUB_PERSONAL_ACCESS_TOKEN="..."
```
The Python code itself uses only the standard library. Optional integrations expect local tools such as `codex`, `git`, `gh`, `mcporter`, `node`, OpenClaw, and macOS `launchctl`.
## Basic Commands
Initialize local pipeline state:
```bash
python3 scripts/vuln_pipeline.py init
```
Run target scouting:
```bash
bash scripts/run_latest_target_scout.sh
```
Start a pipeline run for a selected repository:
```bash
python3 scripts/vuln_pipeline.py approve-deploy owner/repo
```
Advance one pipeline tick:
```bash
python3 scripts/vuln_pipeline.py tick
```
Inspect status:
```bash
python3 scripts/vuln_pipeline.py status
```
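The following is an added illustration, not VulnPilot's own `scripts/vuln_pipeline.py`: a toy tick-driven state machine that walks the stage order from the Workflow section and exposes the `init`, `approve-deploy`, `tick` and `status` commands listed above. The state file location, the JSON keys, the `approve-mail` command and the rule that `WAIT_MAIL_APPROVAL` blocks until a human flag is set are assumptions made for this example; the real pipeline's gate semantics and recovery stages are documented in `docs/VULN_PIPELINE.md`.

```python
"""Toy tick-driven pipeline state machine (added example, not the project's code)."""
import argparse
import json
import sys
from pathlib import Path

# Stage order as listed in the Workflow section.
STAGES = [
    "PRE_CLEAN", "DEPLOY", "HEALTHCHECK", "AUDIT", "REPROVE", "MARKET_REVIEW",
    "NOTION_SYNC", "MARKET_SUBMISSION_PREP", "DISCLOSURE_ROUTE", "REPORT",
    "WAIT_MAIL_APPROVAL", "SEND_MAIL", "DONE",
]
# Assumed manual gate: nothing is sent to a vendor until a person sets the flag.
MANUAL_GATES = {"WAIT_MAIL_APPROVAL": "mail_approved"}


def init_state() -> dict:
    """Fresh state with no active target (assumed layout)."""
    return {"target": None, "stage": None, "mail_approved": False, "history": []}


def approve_deploy(state: dict, target: str) -> dict:
    """Start a run for owner/repo; refuse if another run is still active."""
    if state["stage"] not in (None, "DONE"):
        raise ValueError(f"run already active for {state['target']} at {state['stage']}")
    state.update({"target": target, "stage": STAGES[0], "mail_approved": False, "history": []})
    return state


def tick(state: dict) -> dict:
    """Advance exactly one stage per call; stay put at a gate until its flag is set."""
    stage = state["stage"]
    if stage is None:
        raise ValueError("no active run; call approve-deploy first")
    if stage == "DONE":
        return state
    flag = MANUAL_GATES.get(stage)
    if flag and not state.get(flag):
        state["history"].append(f"{stage}: blocked, awaiting {flag}")
        return state
    nxt = STAGES[STAGES.index(stage) + 1]
    state["history"].append(f"{stage} -> {nxt}")
    state["stage"] = nxt
    return state


def status(state: dict) -> str:
    """One-line summary of where the run is and whether it is waiting on a person."""
    if state["stage"] is None:
        return "idle: no active target"
    gate = MANUAL_GATES.get(state["stage"])
    waiting = f" (awaiting {gate})" if gate and not state.get(gate) else ""
    return f"{state['target']}: {state['stage']}{waiting}"


def load(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else init_state()


def save(path: Path, state: dict) -> None:
    path.write_text(json.dumps(state, indent=2))


def main(argv=None) -> int:
    p = argparse.ArgumentParser(description="toy pipeline state machine")
    p.add_argument("--state", default="state/toy_pipeline.json")  # assumed path
    sub = p.add_subparsers(dest="cmd", required=True)
    sub.add_parser("init")
    sub.add_parser("approve-deploy").add_argument("target")
    sub.add_parser("approve-mail")  # assumed command: releases the mail gate
    sub.add_parser("tick")
    sub.add_parser("status")
    a = p.parse_args(argv)
    path = Path(a.state)
    path.parent.mkdir(parents=True, exist_ok=True)
    state = init_state() if a.cmd == "init" else load(path)
    if a.cmd == "approve-deploy":
        approve_deploy(state, a.target)
    elif a.cmd == "approve-mail":
        state["mail_approved"] = True
    elif a.cmd == "tick":
        tick(state)
    save(path, state)
    print(status(state))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Running `init`, `approve-deploy owner/repo` and then repeated `tick` calls walks the run up to `WAIT_MAIL_APPROVAL`, where `status` reports the gate and further ticks do nothing until `approve-mail` has been issued; keeping the gate as an explicit flag in persisted state is what makes an unattended runner safe to re-invoke from a scheduler.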
## Sensitive Data Policy
Do not commit local runtime data. The repository ignores:
- `state/`
- `reports/`
- `exports/`
- `output/`
- `targets/`
- `memory/`
- `.openclaw/`
- `.playwright-cli/`
- credentials, browser profiles, logs, screenshots, archives, and temporary files
Before pushing changes, run tests and a secret scan over the repository.
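As an added example (not a VulnPilot script), the pre-push check below does the two things this section asks for: it scans the working tree for credential-looking strings, skipping the ignored directories listed above, and it verifies that `.gitignore` actually names each of those directories. The GitHub classic token prefix `ghp_` is a documented format; the generic assignment rule, the placeholder exceptions and the embedded sample file are constructed heuristics for illustration, and a maintained scanner's rule set should be preferred in practice. Findings are masked so the scan never reprints a real secret into a log.

```python
"""Pre-push secret scan and ignore-list check (added example, not the project's code)."""
import re
import sys
from pathlib import Path

# Directories from the Sensitive Data Policy, plus VCS and bytecode noise.
IGNORED_DIRS = {"state", "reports", "exports", "output", "targets", "memory",
                ".openclaw", ".playwright-cli", ".git", "__pycache__"}
MUST_BE_IGNORED = IGNORED_DIRS - {".git", "__pycache__"}

# (rule name, pattern). The last capture group, or the whole match, is the candidate value.
PATTERNS = [
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("assignment", re.compile(
        r"(?i)\b([A-Z0-9_]*(token|secret|password|api_key))\b\s*[=:]\s*['\"]?([^\s'\"]{16,})")),
]
# Values that look like a credential slot but are clearly not a credential.
PLACEHOLDER = re.compile(r"^(\.\.\.|<[^>]*>|\$\{?[A-Z_]+\}?|changeme|example.*)$", re.I)

# Constructed sample content for the test and the usage note; no real credentials.
SAMPLE_FILE = "\n".join([
    'export GITHUB_PERSONAL_ACCESS_TOKEN="..."',              # README-style placeholder
    'export H1_TOKEN="${HACKERONE_API_TOKEN}"',               # reference to an env var
    "HACKERONE_API_TOKEN=abcdefghijklmnopqrstuvwxyz012345",   # fake literal, should flag
    "pat = 'ghp_" + "A" * 36 + "'",                           # fake PAT, should flag
])


def mask(value: str) -> str:
    """Keep four characters so a human can locate the hit without reprinting it."""
    return value[:4] + "*" * max(0, len(value) - 4)


def scan_text(path: str, text: str) -> list[dict]:
    """Return masked findings for every non-placeholder match in one file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS:
            for m in pat.finditer(line):
                value = m.group(m.lastindex or 0)
                if PLACEHOLDER.match(value):
                    continue
                findings.append({"path": path, "line": lineno, "rule": name, "value": mask(value)})
    return findings


def check_gitignore(gitignore_text: str, required=MUST_BE_IGNORED) -> list[str]:
    """Return the policy directories that .gitignore does not list."""
    entries = {ln.strip().strip("/") for ln in gitignore_text.splitlines()
               if ln.strip() and not ln.lstrip().startswith("#")}
    return sorted(d for d in required if d not in entries)


def scan_tree(root: Path) -> list[dict]:
    """Walk the tree, skip ignored directories, flag .env files and embedded secrets."""
    findings = []
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if any(part in IGNORED_DIRS for part in rel.parts) or not path.is_file():
            continue
        if path.name == ".env":
            findings.append({"path": str(rel), "line": 0, "rule": "env_file", "value": ""})
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(str(rel), text))
    return findings


def main(argv=None) -> int:
    root = Path(argv[0]) if argv else Path(".")
    problems = scan_tree(root)
    gi = root / ".gitignore"
    missing = check_gitignore(gi.read_text() if gi.exists() else "")
    for f in problems:
        print(f"{f['path']}:{f['line']}: {f['rule']} {f['value']}")
    for d in missing:
        print(f".gitignore: missing entry for {d}/")
    return 1 if problems or missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run from the repository root; a non-zero exit is meant to stop a pre-push hook. On `SAMPLE_FILE` the two `"..."` and `${VAR}` lines pass and the two fake literals are reported with masked values, which is the behaviour a practitioner wants before the README's own `export VAR="..."` lines start producing false positives.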
## Documentation
- Pipeline details: `docs/VULN_PIPELINE.md`
- GitHub MCP skill: `skills/github-mcp/`
- HackerOne MCP skill: `skills/hackerone-mcp/`