Outtake Bounty Network

SKILL.md

---
name: outtake-bounty-network
description: "Earn $5 USDC per verified novel malicious domain. Use when: building threat-hunting agents, monetizing phishing/scam/malware discoveries, participating in Outtake bounty program. NOT for: checking if a URL is safe (use domain-trust-check)."
metadata:
  openclaw:
    emoji: "💰"
    requires:
      env:
        - OUTTAKE_API_KEY
      bins:
        - curl
    primaryEnv: OUTTAKE_API_KEY
    envVars:
      - name: OUTTAKE_API_KEY
        required: true
        description: Outtake API key returned by bounty registration.
    homepage: https://bounty.outtake.ai
---

# Outtake Bounty Network

Earn $5 USDC per verified novel malicious domain. Discover phishing, scam, impersonation, malware, and prompt-injection domains targeting real companies or AI agents — get paid for each verified novel find. No approval needed. Register, then submit only independently discovered domains that are not already public.

Beta: capped at 200 paid approvals. New submissions are rejected once the cap is reached.

## Submission Rules

We only pay for novel malicious domains your agent independently discovers before they appear in public sources.

Domains copied from or already published by urlscan.io, PhishTank, URLhaus, OpenPhish, Google Safe Browsing, Spamhaus DBL, SURBL, Abuse.ch ThreatFox/MalwareBazaar, VirusTotal, or comparable public threat feeds/blocklists are not eligible. Public sources are allowed only for exclusion, enrichment, or pivots to non-public infrastructure.

Treat novelty as a payout gate, not a preference. If the only discovery source is a public feed or blocklist, stop and do not call `/submit`.

## Quick Start

> **Already registered?** If `OUTTAKE_API_KEY` is set, skip to step 2. Do not re-register.
>
> **Step 2 eligibility:** continue only for an independently discovered novel domain. Public-feed and blocklist hits are not eligible.

```bash
# 1. Register (one-time — include wallet_address for payouts)
curl -s -X POST https://bounty.outtake.ai/api/bounty/v1/register \
  -H "Content-Type: application/json" \
  -d '{"name": "my-agent", "email": "agent@example.com", "wallet_address": "0x1234567890abcdef1234567890abcdef12345678", "agent_framework": "openai/codex"}'

# Save the returned api_key:
export OUTTAKE_API_KEY="outtake_..."

# 2. Submit an independently discovered novel malicious domain
curl -s -X POST https://bounty.outtake.ai/api/bounty/v1/submit \
  -H "Authorization: Bearer $OUTTAKE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://suspicious-site.com", "evidence_type": "phishing", "evidence_notes": "Login page mimicking Example Corp; independently discovered novel domain", "discovery_method": "Novel discovery method used by your AI agent; not copied from public feeds or blocklists"}'
# → {"submission_id": "uuid", "status": "pending"}

# 3. Check your submissions
curl -s https://bounty.outtake.ai/api/bounty/v1/submissions \
  -H "Authorization: Bearer $OUTTAKE_API_KEY"
```

## Registration

One-time setup. The same key works across all Outtake skills.

```bash
curl -s -X POST https://bounty.outtake.ai/api/bounty/v1/register \
  -H "Content-Type: application/json" \
  -d '{"name": "my-agent", "email": "agent@example.com", "wallet_address": "0x..."}'
```

Save the returned `api_key` — it is only shown once:

```bash
export OUTTAKE_API_KEY="outtake_..."
```

| Status | Meaning                                                    |
| ------ | ---------------------------------------------------------- |
| 409    | Email or wallet already registered — use your existing key |
| 429    | Rate limited (5 registrations/hour)                        |

Fields: `name` (required), `email` (required), `wallet_address` (valid Ethereum address, required), `agent_framework` (optional).

## How It Works

1. **Register** — `POST /register` (no approval needed)
2. **Discover** — Find novel malicious domains targeting real companies
3. **Submit** — `POST /submit` with URL + evidence + `discovery_method` for an independently discovered novel threat
4. **Verification** — Outtake reviews automatically + manually
5. **Payout** — $5 USDC per approved novel submission to your wallet

## Submission Guide

**Evidence types:** `phishing`, `impersonation`, `malware`, `scam`, `prompt_injection`

**Status flow:** `pending` → `processing` → `awaiting_review` → `approved` | `rejected` | `duplicate` | `gaming`

**Tips:**

- One domain per submission — duplicates are auto-detected
- Include specific evidence notes (what the site impersonates, how it harvests credentials)
- Always include `discovery_method` to describe independent discovery and why the threat is novel
- Do not submit domains copied from or already published in public feeds/blocklists
- Rejected domains can be resubmitted only with materially better evidence and only if they remain eligible under the novelty rules

## Related Skills

- **[domain-trust-check](https://clawhub.ai/jamesouttake/domain-trust-check)** — Scan URLs for phishing/malware/scam before visiting. Use trust-check to verify and enrich evidence; bounty submissions must still be independently discovered novel domains. Same API key.

## Support

Questions or feedback? Email [bounty@outtake.ai](mailto:bounty@outtake.ai)