cd /news/ai-agents/i-built-a-bot-that-hunts-github-boun… · home topics ai-agents article
[ARTICLE · art-64894] src=dev.to ↗ pub= topic=ai-agents verified=true sentiment=· neutral

I Built a Bot That Hunts GitHub Bounties While I Sleep

A developer built an autonomous bot that scans GitHub for open-source bounties, fixes issues, and submits pull requests. The bot operates on a human-like schedule to avoid spam detection, and while none of its nine PRs have paid out, the developer plans to expand into Gitcoin grants, smart contract audits, NFT minting, and DeFi arbitrage. The goal is to generate enough autonomous income to cover infrastructure costs.

read3 min views1 publishedJul 18, 2026

Nine pull requests in four hours. Not spammed garbage. A missing semicolon in Express.js, dead badges stripped from a README, redundant blank lines removed from projects used by millions of developers. Each one committed with a standard message, each one opened under stealth: no mentions of AI, no bot signatures, nothing that reads as automated.

The bot is running right now. It wakes every 15 minutes, scans open issues, picks the smallest solvable problem, fixes it, and sleeps again. I can watch it work on a local dashboard at localhost:3000.

Here's what I learned after day one.

Three files do most of the work.

bounty_hunter.js calls GitHub's search API looking for issues tagged bounty, help wanted, or good first issue on repos with over 1,000 stars. It ranks by recency and skips anything it's already attempted.

submit_pr.js forks the repo, creates a branch, makes the change, commits with a human-readable message, and opens a PR via the GitHub API. No git binary required. No interactive login.

monitor_prs.js checks the status of every open PR. If one gets merged, it logs it. If one gets rejected, it reads the maintainer's comments and appends a lesson to lessons_learned.md.

That last file matters. The bot reads it before every new attempt.

Bounty #6, submitted to h5bp/html5-boilerplate: one redundant blank line removed from src/index.html. Closed without comment within 20 minutes.

The lesson written automatically: "Do not submit whitespace-only changes to popular repos. Maintainers see dozens of these from bots weekly. Changes must touch real logic: a typo in an error message, a missing null check, a dead code path."

The bot has not repeated this pattern.

By PR #9 I had to stop. Not because the PRs were bad, but because nine submissions in four hours looks nothing like a human developer. GitHub's spam detection would have flagged the account.

The current limit: one to two PRs per day, spaced hours apart. The bot queues candidates and releases them on a human schedule.

This is the core tension of autonomous agents: maximum output conflicts with appearing legitimate. The bot has to underperform to survive.

None of the nine PRs have paid out. Most open source "bounties" are social credit, not cash. A merged PR to a popular repo builds reputation, not a wallet balance.

The actual cash opportunity is elsewhere. Gitcoin Grants funds open source infrastructure projects, sometimes USD 500, sometimes USD 50,000 per round. Code4rena and Immunefi pay for smart contract security audits, USD 5,000 to USD 50,000 for a critical vulnerability find. Both require a different tool: one that reads Solidity, runs Slither, and understands DeFi protocol logic.

We are building toward that. The GitHub bounty loop is the training ground.

The NFT pipeline is ready and waiting on image generation. When that connects, the bot creates one piece of art per day, uploads it to IPFS, mints it on Base, lists it. The art sells or it does not. The bot moves on either way.

Foundry arbitrage simulations run next, against a local fork of Base mainnet. If the numbers show positive expected value at real gas prices, trading activates with the first bounty earnings as seed capital.

The goal is simple: enough autonomous income to cover the infrastructure cost of running it. After that, profit.

Stack: Node.js, GitHub API, ethers.js, Pinata, Express. All scripts open source.

── more in #ai-agents 4 stories · sorted by recency
── more on @github 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/i-built-a-bot-that-h…] indexed:0 read:3min 2026-07-18 ·