h1-brain
h1-brain is an MCP server that connects an AI assistant to HackerOne. It syncs a user’s rewarded reports, programs, and scopes via the HackerOne API into a local SQLite database, queries a pre-bundled database of public disclosed bounty reports, and exposes MCP tools (notably hack(handle)) to search/analyze that data and generate structured attack briefings.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Uses a HackerOne API token supplied via environment variables. The README does not discuss secret storage beyond env vars, does not document whether tokens are kept out of logs, and gives no explicit rate-limit, retry, or threat-model guidance. The app also stores personal bounty data locally in SQLite; secure and back up the local machine, and avoid running it on shared or multi-user systems.
⚡ Reliability
Best When
You want an offline/local, agent-driven research assistant for bug bounty triage that can reuse your past HackerOne data and compare it to public disclosed reports.
Avoid When
You need a hardened, multi-tenant hosted service with strong operational guarantees, or you cannot handle storing/processing bug bounty content locally.
Use Cases
- Searching and summarizing a researcher’s own HackerOne bounty history
- Querying public disclosed HackerOne reports for vulnerability/weakness patterns by program and asset
- Generating personalized bug bounty “briefings” that combine personal findings, scope data, and cross-referenced public disclosures
- Building an agent workflow via MCP tools (e.g., Claude Desktop/Code) to iterate on target selection and vulnerability hypotheses
Not For
- Automated exploitation against real targets without authorization
- Security-critical compliance or legal decision support
- A production-grade, publicly hosted API service (it appears designed for local use with an MCP client)
- Use in environments that require strict data residency guarantees
Interface
Authentication
Authentication is token-based for HackerOne API access, configured via env vars. The README does not mention fine-grained scopes or token permissions.
Pricing
The project itself is MIT-licensed and appears self-hosted/local; costs depend on HackerOne API usage and your compute.
Agent Metadata
Known Gotchas
- ⚠ hack(handle) likely triggers multiple API/database operations; agents should be careful with repeated calls to avoid unnecessary sync/API usage
- ⚠ Attachment URLs may expire (~1 hour) so agents should fetch/download promptly
- ⚠ Disclosed public reports DB is bundled and may be out-of-date relative to current HackerOne disclosures
Scores are editorial opinions as of 2026-03-30.