Nine pull requests in four hours. Not spammed garbage. A missing semicolon in Express.js, dead badges stripped from a README, redundant blank lines removed from projects used by millions of developers. Each one committed with a standard message, each one opened under stealth: no mentions of AI, no bot signatures, nothing that reads as automated. The bot is running right now. It wakes every 15 minutes, scans open issues, picks the smallest solvable problem, fixes it, and sleeps again. I can watch it work on a local dashboard at localhost:3000. Here's what I learned after day one. The Setup Three files do most of the work. bounty_hunter.js calls GitHub's search API looking for issues tagged bounty, help wanted, or good first issue on repos with over 1,000 stars. It ranks by recency and skips anything it's already attempted. submit_pr.js forks the repo, creates a branch, makes the change, commits with a human-readable message, and opens a PR via the GitHub API. No git binary required. No interactive login. monitor_prs.js checks the status of every open PR. If one gets merged, it logs it. If one gets rejected, it reads the maintainer's comments and appends a lesson to lessons_learned.md. That last file matters. The bot reads it before every new attempt. The First Rejection Bounty #6, submitted to h5bp/html5-boilerplate: one redundant blank line removed from src/index.html. Closed without comment within 20 minutes. The lesson written automatically: "Do not submit whitespace-only changes to popular repos. Maintainers see dozens of these from bots weekly. Changes must touch real logic: a typo in an error message, a missing null check, a dead code path." The bot has not repeated this pattern. What Rate Limits Taught Me By PR #9 I had to stop. Not because the PRs were bad, but because nine submissions in four hours looks nothing like a human developer. GitHub's spam detection would have flagged the account. The current limit: one to two PRs per day, spaced hours apart. The bot queues candidates and releases them on a human schedule. This is the core tension of autonomous agents: maximum output conflicts with appearing legitimate. The bot has to underperform to survive. The Real Money Problem None of the nine PRs have paid out. Most open source "bounties" are social credit, not cash. A merged PR to a popular repo builds reputation, not a wallet balance. The actual cash opportunity is elsewhere. Gitcoin Grants funds open source infrastructure projects, sometimes USD 500, sometimes USD 50,000 per round. Code4rena and Immunefi pay for smart contract security audits, USD 5,000 to USD 50,000 for a critical vulnerability find. Both require a different tool: one that reads Solidity, runs Slither, and understands DeFi protocol logic. We are building toward that. The GitHub bounty loop is the training ground. The Stack Node.js, no framework GitHub REST API v3 ethers.js for the Base wallet (address: 0x2899f...) Pinata for IPFS uploads when the NFT pipeline activates Express serving a single JSON file as the live dashboard API Total code: under 500 lines. One npm install. No database. What Comes Next The NFT pipeline is ready and waiting on image generation. When that connects, the bot creates one piece of art per day, uploads it to IPFS, mints it on Base, lists it. The art sells or it does not. The bot moves on either way. Foundry arbitrage simulations run next, against a local fork of Base mainnet. If the numbers show positive expected value at real gas prices, trading activates with the first bounty earnings as seed capital. The goal is simple: enough autonomous income to cover the infrastructure cost of running it. After that, profit. Stack: Node.js, GitHub API, ethers.js, Pinata, Express. All scripts open source.
I Built a Bot That Hunts GitHub Bounties While I Sleep
Full Article
📰 Original Source
Read full article at Dev →KhanList aggregates and links to publicly available news content. We do not host full articles from third-party sources. Always verify important information with original sources.