claude-osint

June 5, 2026 · View on GitHub

claude-osint

2 paired Claude skills · 90+ recon modules · 48 secret-regex patterns · 80+ dorks · 9 read-only credential validators · 27 attack-path templates · 4,600+ lines of structured tradecraft. Drop-in SKILL.md files that turn Claude into a god-mode external recon operator for authorized red-team and bug-bounty engagements.

Built by ElementalSoul — GenAI Security Research.

_{SPONSORED BY}

What is this?

claude-osint is a paired set of skills for the Claude skills system. Each skill is a structured SKILL.md file that primes Claude with expert-level methodology for one half of the offensive recon problem:

osint-methodology - how to think. Strategic + procedural. Asset-graph discipline, severity rubric, time budgeting, identity-fabric mapping, deliverable templates.
offensive-osint - what to reach for. Tactical arsenal. Probe paths, regexes, payloads, scoring rules, curl one-liners, tool URLs.

Drop both into your Claude environment and it behaves like a senior recon analyst: it knows the techniques, the tooling, the edge cases, and the escalation paths — and it stays in scope.

~4,600 lines of structured tradecraft · 96.9% PASS on a 32-prompt self-evaluation · ~85–90% practitioner coverage for the recon phase of authorized engagements.

Structure

claude-osint/
├── skills/
│   ├── osint-methodology/SKILL.md     # how to think  (455 lines)
│   └── offensive-osint/
│       ├── SKILL.md                   # what to reach for (4,168 lines)
│       ├── scripts/secret_scan.py     # stdlib-only secret scanner
│       └── scripts/h1_reference.py    # HackerOne disclosed-reports reference agent
├── docs/                              # architecture · coverage · install · usage
├── examples/                          # 4 end-to-end engagement walk-throughs
├── tests/smoke-test-prompts.md        # 32-prompt self-evaluation
└── assets/banner.png

Each skill directory is self-contained. Drop into ~/.claude/skills/ and Claude auto-triggers on relevant phrases.

Skill Index

90+ capabilities across 12 domains. Categorized like Claude-Red — pick a domain to drill in.

Reconnaissance & Asset Discovery

Capability	Skill
5-stage external recon pipeline + time-budget profiles (1h / 4h / 1d / 1w)	methodology
Subdomain-source stack (crt.sh + 7-source fallback chain when crt.sh 502s)	arsenal
Common-prefix subdomain sweep (100+ ordered prefixes, PowerShell + bash)	arsenal
Wayback CDX deep mining + legacy-app pivot (.asp/.php/.jsp/.cfm)	arsenal
WHOIS / RDAP / historical-WHOIS + reverse-WHOIS pivots	arsenal
Public records (OpenCorporates · SEC EDGAR · GSXT · Rusprofile · Companies House)	arsenal
Bulk IP → ASN (Cymru / RIPEstat / bgp.tools)	arsenal

Identity & SSO Mapping

Capability	Skill
Microsoft Entra (Azure AD) tenant fingerprint + GUID extraction	arsenal
M365 deep enum (Teams federation · SharePoint · OneDrive · OAuth · device-code phishing)	arsenal
Autodiscover IP correlation (passive M365 confirm even when MX wrapped by Mimecast/Proofpoint)	arsenal
Okta tenant slug + `/api/v1/authn` user-enum	arsenal
ADFS fingerprint + mex endpoint	arsenal
Google Workspace OIDC discovery	arsenal
Generic OIDC (Auth0 · Keycloak · Ping · OneLogin · Duo)	arsenal
SAML metadata (5 paths)	arsenal
AWS account-ID extraction from headers + ARN regex	arsenal

Web Application Attack Surface

Capability	Skill
Swagger / OpenAPI discovery (28 paths)	arsenal
GraphQL discovery + introspection POST body (13 paths)	arsenal
GraphQL field-suggestion enum (when introspection disabled) + alias batching + depth bypass	arsenal
Always-on HTTP checks (15 paths: .git/.env/actuator/heapdump/etc.)	arsenal
Missing security header audit (HSTS/CSP/XFO/etc.)	arsenal
Endpoint extraction regex tiers (3 tiers)	arsenal
Endpoint interest score (0–100 rubric)	arsenal
JS deep analysis · sourcemap leakage · internal-host regex	arsenal
Subdomain takeover fingerprints (27 providers)	arsenal

Cloud & Container

Capability	Skill
Cloud bucket arsenal (S3 / GCS / Azure · 6 prefixes × 15 suffixes × 47 stems)	arsenal
Cloud-native fingerprints (Lambda URLs · Cloud Run · Azure Functions · Vercel · Netlify · Workers)	arsenal
Kubernetes / etcd / kubelet exposure (12 ports + probes)	arsenal
Container registry leak hunting (Docker Hub · Quay · GHCR · ECR · GCR · ACR)	arsenal
CI/CD platform exposure (Jenkins · GitLab · TeamCity-KEV · Argo CD · Spinnaker · CircleCI)	arsenal

Secret & Credential Hunting

Capability	Skill
48-pattern secret-regex catalog (29 base + 19 modern)	arsenal
Modern AI API keys (Anthropic / OpenAI / HuggingFace / Cloudflare)	arsenal (rows 30-36)
Package-registry tokens (npm / PyPI / Docker Hub)	arsenal (rows 38-40)
GitHub code-search dorks (13 templates)	arsenal
9 read-only credential validators (Postman / AWS / GitHub / Slack / Anthropic / OpenAI / npm / Atlassian / DataDog)	arsenal
Post-discovery enumeration workflows (IAM enum · repo enum · workspace enum · JWT triage)	arsenal
`secret_scan.py` runnable helper (stdlib-only, JSONL output)	arsenal
`h1_reference.py` — HackerOne disclosed-reports reference agent (no API key, top-voted / top-bounty / keyword / program filter)	arsenal
80+ dork corpus across 9 categories	arsenal

Breach Intelligence

Capability	Skill
HudsonRock Cavalier direct API (free; FYI: web-UI wraps a public JSON endpoint)	arsenal
Domain-level breach severity mapping	arsenal
`SSO_EXPOSURE$ \text{finding} + \text{legacy}-\text{mail}-\text{decommissioned} \text{escalation} \text{pattern}	\text{arsenal}
\text{Breach} \times \text{identity} \text{correlation} (\text{HudsonRock} + \text{HIBP} + \text{DeHashed} + \text{IntelX})	\text{methodology}

\text{Vendor} & \text{Edge}-\text{Appliance} \text{Fingerprinting}

\text{Capability}	\text{Skill}
\text{Citrix} \text{Netscaler} · \text{F5} \text{BIG}-\text{IP} · \text{Pulse} \text{Secure} / \text{Ivanti} · \text{FortiGate}	\text{arsenal}
\text{PaloAlto} \text{GlobalProtect} · \text{Cisco} \text{AnyConnect} · \text{VMware} \text{vCenter} / \text{ESXi} / \text{Horizon}	\text{arsenal}
\text{Microsoft} \text{Exchange} \text{OWA} (\text{ProxyShell} / \text{ProxyLogon} / \text{ProxyNotShell})	\text{arsenal}
\text{KEV} \text{CVE} \text{enrichment} + \text{EPSS} \text{scoring} + \text{Metasploit} \text{availability}	\text{arsenal}
\text{WAF} / \text{CDN} \text{bypass} + \text{origin} \text{discovery} (8 \text{techniques})	\text{methodology}, \text{arsenal}

\text{Email} \text{Security}

\text{Capability}	\text{Skill}
\text{SPF} / \text{DMARC} / \text{DKIM} / \text{BIMI} / \text{MTA}-\text{STS} / \text{TLS}-\text{RPT} / \text{DNSSEC} \text{audit} (\text{bash} + \text{PowerShell})	\text{arsenal}
\text{DMARC} \text{reporting}-\text{vendor} \text{inference} (\text{Kratikal} / \text{dmarcian} / \text{Valimail} / \text{Agari} / \text{EasyDMARC})	\text{arsenal}
\text{TXT} \text{verification} \text{token} \text{catalog} (35+ \text{SaaS} \text{tenants})	\text{arsenal}
\text{MX} → \text{IdP} / \text{mail}-\text{host} \text{inference}	\text{arsenal}

\text{Human} \text{Intelligence}

\text{Capability}	\text{Skill}
\text{LinkedIn} \text{employee} \text{enumeration} (\text{P0}–\text{P5} \text{role} \text{tiers} · \text{sock}-\text{puppet} \text{hygiene})	\text{arsenal}
\text{Job} \text{posting} \text{tech}-\text{stack} \text{analysis} (\text{Lever} · \text{Greenhouse} · \text{AshbyHQ} · \text{Workable})	\text{arsenal}
\text{Slack} / \text{Discord} / \text{Telegram} / \text{Mattermost} \text{workspace} \text{discovery}	\text{arsenal}
\text{Sat} \text{imagery} \text{for} \text{physical} \text{recon} (\text{Google} \text{Earth} · \text{NearMap} · \text{Sentinel} \text{Hub})	\text{arsenal}
\text{Email}-\text{pattern} \text{inference} (8 \text{templates})	\text{arsenal}

\text{Supply} \text{Chain}

\text{Capability}	\text{Skill}
\text{Package}-\text{registry} \text{leak} \text{hunting} (\text{npm} · \text{PyPI} · \text{RubyGems} · \text{Cargo} · \text{Packagist} · \text{NuGet} · \text{Maven})	\text{arsenal}
\text{Typosquat} \text{surveillance}	\text{arsenal}
\text{Postman} \text{public}-\text{workspace} \text{search} (\text{verified} \text{endpoint})	\text{arsenal}
\text{Stack} \text{Exchange} \text{OSINT} \text{sweep} (8 \text{sites})	\text{arsenal}

\text{Reporting} & \text{Deliverables}

\text{Capability}	\text{Skill}
\text{Findings} \text{rubric} (\text{CRITICAL}/\text{HIGH}/\text{MED}/\text{LOW}/\text{INFO} + \text{escalation})	\text{methodology}
\text{Severity} \text{decision} \text{matrix} (88 \text{worked} \text{examples})	\text{arsenal}
\text{Attack}-\text{path} \text{hint} \text{patterns} (27 \text{templates})	\text{arsenal}
\text{Bug}-\text{bounty} \text{submission} \text{templates} (\text{HackerOne} / \text{Bugcrowd} / \text{Intigriti})	\text{methodology}
\text{Client} \text{deliverable} \text{templates} (\text{exec} \text{summary} · \text{risk}-\text{translation} \text{matrix} · \text{cadence})	\text{methodology}
\text{Reproduction} \text{package}	\text{methodology}

\text{Sector}-\text{Specific}

\text{Capability}	\text{Skill}
\text{Healthcare} (\text{DICOM} · \text{HL7} \text{v2} · \text{FHIR} · \text{Epic} / \text{Cerner} / \text{Allscripts})	\text{arsenal}
\text{Finance} (\text{SWIFT} · \text{FIX} · \text{Bloomberg} · \text{Temenos} / \text{Finacle} / \text{FIS} / \text{Fiserv})	\text{arsenal}
\text{ICS} / \text{SCADA} (\text{Modbus} · \text{BACnet} · \text{Siemens} \text{S7} · \text{DNP3} · \text{EtherNet}/\text{IP})	\text{arsenal}
\text{IoT} (\text{MQTT} · \text{CoAP} · \text{UPnP} · \text{Hikvision} / \text{Dahua} \text{DVRs})	\text{arsenal}
\text{Government} ($.gov`/`.mil` · FedRAMP · FISMA · CUI · SAM.gov)	arsenal

Capability Map

Two skills, twelve capability domains. Drill into the Skill Index above for concrete sub-capabilities.

%%{init: {'theme':'base', 'themeVariables': {'primaryColor':'#1e293b','primaryTextColor':'#f1f5f9','primaryBorderColor':'#475569','lineColor':'#94a3b8'}}}%%
flowchart LR
    Root(["🦅 claude-osint"])

    Root --> M["📘 osint-methodology<br/><i>how to think</i>"]
    Root --> A["🛠️ offensive-osint<br/><i>what to reach for</i>"]

    M --> M1[Recon Pipeline]
    M --> M2[Asset Graph]
    M --> M3[Identity Fabric]
    M --> M4[Findings Rubric]
    M --> M5[Reporting Templates]
    M --> M6[OpSec & Detectability]

    A --> A1[Probe Wordlists]
    A --> A2[Vendor Fingerprints]
    A --> A3[Cloud · K8s · CI-CD]
    A --> A4[Secret Catalog]
    A --> A5[Read-Only Validators]
    A --> A6[Email Security]
    A --> A7[Human Intel]
    A --> A8[Sector Notes]

    style Root fill:#dc2626,stroke:#7f1d1d,color:#fff
    style M fill:#1e293b,stroke:#475569,color:#f1f5f9
    style A fill:#7c2d12,stroke:#9a3412,color:#fef3c7
    style M1 fill:#0f172a,stroke:#334155,color:#cbd5e1
    style M2 fill:#0f172a,stroke:#334155,color:#cbd5e1
    style M3 fill:#0f172a,stroke:#334155,color:#cbd5e1
    style M4 fill:#0f172a,stroke:#334155,color:#cbd5e1
    style M5 fill:#0f172a,stroke:#334155,color:#cbd5e1
    style M6 fill:#0f172a,stroke:#334155,color:#cbd5e1
    style A1 fill:#1c1917,stroke:#44403c,color:#fed7aa
    style A2 fill:#1c1917,stroke:#44403c,color:#fed7aa
    style A3 fill:#1c1917,stroke:#44403c,color:#fed7aa
    style A4 fill:#1c1917,stroke:#44403c,color:#fed7aa
    style A5 fill:#1c1917,stroke:#44403c,color:#fed7aa
    style A6 fill:#1c1917,stroke:#44403c,color:#fed7aa
    style A7 fill:#1c1917,stroke:#44403c,color:#fed7aa
    style A8 fill:#1c1917,stroke:#44403c,color:#fed7aa

Engagement Flow

%%{init: {'theme':'base', 'themeVariables': {'primaryColor':'#1e293b','primaryTextColor':'#f1f5f9','primaryBorderColor':'#475569','lineColor':'#94a3b8'}}}%%
flowchart TD
    A["🎯 Target authorized<br/><i>RoE / BB scope / ASM contract</i>"] --> B[methodology<br/>scope check]
    B --> C[methodology<br/>5-stage pipeline]

    C --> D1["🔍 Stage 1<br/>Seed Discovery"]
    C --> D2["🌐 Stage 2<br/>Asset Expansion"]
    C --> D3["📊 Stage 3<br/>Enrichment"]
    C --> D4["⚠️ Stage 4<br/>Exposure Analysis"]
    C --> D5["📋 Stage 5<br/>Reporting"]

    D1 --> E1[DNS catalog<br/>WHOIS / RDAP<br/>public records]
    D2 --> E2[subdomain stack<br/>prefix sweep<br/>Wayback CDX]
    D3 --> E3[vendor fingerprint<br/>identity fabric<br/>infrastructure OSINT]
    D4 --> E4[secret catalog<br/>always-on HTTP checks<br/>K8s exposure<br/>read-only validators<br/>breach × identity]
    D5 --> E5[severity rubric<br/>BB submission<br/>client deliverable]

    E1 --> F[methodology<br/>asset graph]
    E2 --> F
    E3 --> F
    E4 --> G["📋 Findings<br/>severity + confidence + evidence"]
    E5 --> H["📦 Deliverable<br/>exec summary + repro package"]

    F --> G

    style A fill:#3b82f6,color:#fff
    style B fill:#7c2d12,color:#fef3c7
    style C fill:#1e293b,color:#f1f5f9
    style F fill:#7c3aed,color:#fff
    style G fill:#dc2626,color:#fff
    style H fill:#14532d,color:#dcfce7

Usage

With Claude Code

# Install both skills (one-time, after clone)
git clone https://github.com/elementalsouls/Claude-OSINT.git
cd Claude-OSINT
chmod +x ./scripts/sync-skill-content.sh
./scripts/sync-skill-content.sh
mkdir -p ~/.claude/skills
cp -r skills/osint-methodology ~/.claude/skills/
cp -r skills/offensive-osint   ~/.claude/skills/
ls ~/.claude/skills/

Then, in any Claude Code session, ask an OSINT question — both skills auto-load and trigger on relevant phrases (50+ trigger phrases each).

With the Claude Skills System

# Point Claude at a single skill before starting your session
cat skills/offensive-osint/SKILL.md | claude --system-file -

Manual (Claude.ai / Claude API)

Paste the contents of any SKILL.md into a Project's system prompt or prepend it to your conversation. Both files are plain Markdown — also usable as a personal cheat-sheet without Claude.

Authorization

These skills are intended for assets you own or have written authorization to assess (red-team rules of engagement, bug-bounty in-scope assets, ASM contracts).

Both skills include a soft scope-check when you ask Claude to act against an unverified third-party target. They explicitly exclude active exploitation, post-exploitation, malware development, and other activities beyond OSINT-driven reconnaissance. See SECURITY.md for the full posture.

Documentation

Doc	Contents
`docs/architecture.md`	Design philosophy · asset-graph model · confidence/severity/detectability models · sidecar coordination · diagrams
`docs/coverage.md`	Honest practitioner-coverage breakdown by archetype + engagement phase
`docs/installation.md`	Symlink installs and multi-environment install patterns
`docs/usage.md`	Trigger-phrase reference and prompt templates
`examples/`	4 end-to-end engagement walk-throughs (quick recon · bug-bounty · M365 deep · secret hunting)
`tests/smoke-test-prompts.md`	32-prompt self-evaluation suite (current grade: 31/32 PASS)
`CHANGELOG.md`	Version history
`CONTRIBUTING.md`	Pull-request guidelines

About

Operational tradecraft accumulated across external attack-surface engagements, codified into Claude skills. Engagement-platform agnostic - slot into any ASM / ticketing / asset-graph platform you already use, or none.

Author: ElementalSoul

Original framework: SnailSploit/offensive-checklist (v1.x)

Inspired by: Bellingcat's Online Investigations Toolkit · IntelTechniques · OSINT Framework

Tool inventory: . ProjectDiscovery · Six2dez reconftw · SecLists · Assetnote Wordlists

License: MIT — use freely, attribution appreciated.

"Give Claude the right skill and it stops being a chatbot. It becomes an operator."