[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-918":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":15,"forks30d":15,"starsTrendScore":19,"compositeScore":20,"rankGlobal":9,"rankLanguage":9,"license":21,"archived":22,"fork":22,"defaultBranch":23,"hasWiki":24,"hasPages":22,"topics":25,"createdAt":9,"pushedAt":9,"updatedAt":26,"readmeContent":27,"aiSummary":28,"trendingCount":15,"starSnapshotCount":15,"syncStatus":14,"lastSyncTime":29,"discoverSource":30},918,"Claude-OSINT","elementalsouls\u002FClaude-OSINT","elementalsouls","Two paired Claude skills · 90+ recon modules · 48 secret-regex patterns · 80+ dorks · 9 read-only credential validators · 27 attack-path templates · 5,500+ lines of structured tradecraft. Drop-in SKILL.md files that turn Claude into a god-mode external recon operator for authorized red-team and bug-bounty engagements.",null,"Python",1651,319,12,2,0,22,59,495,66,20.52,"Other",false,"main",true,[],"2026-06-12 02:00:20","![claude-osint banner](assets\u002Fbanner.png)\n\n# claude-osint\n\n> 2 paired Claude skills · **90+ recon modules** · 48 secret-regex patterns · 80+ dorks · 9 read-only credential validators · 27 attack-path templates · 5,500+ lines of structured tradecraft. Drop-in `SKILL.md` files that turn Claude into a god-mode external recon operator for authorized red-team and bug-bounty engagements.\n\nBuilt by **[ElementalSoul](https:\u002F\u002Fgithub.com\u002Felementalsouls)** — GenAI Security Research.\n\n---\n\n## What is this?\n\n`claude-osint` is a paired set of skills for the [Claude skills system](https:\u002F\u002Fdocs.claude.com\u002Fen\u002Fdocs\u002Fclaude-code\u002Fskills). 
Each skill is a structured `SKILL.md` file that primes Claude with expert-level methodology for one half of the offensive recon problem:\n\n- **`osint-methodology`** - *how to think.* Strategic + procedural. Asset-graph discipline, severity rubric, time budgeting, identity-fabric mapping, deliverable templates.\n- **`offensive-osint`** - *what to reach for.* Tactical arsenal. Probe paths, regexes, payloads, scoring rules, curl one-liners, tool URLs.\n\nDrop both into your Claude environment and it behaves like a senior recon analyst: it knows the techniques, the tooling, the edge cases, and the escalation paths — and it stays in scope.\n\n~5,500 lines of structured tradecraft · 96.9% PASS on a 32-prompt self-evaluation · ~85–90% practitioner coverage for the recon phase of authorized engagements.\n\n---\n\n## Structure\n\n```\nclaude-osint\u002F\n├── skills\u002F\n│   ├── osint-methodology\u002FSKILL.md     # how to think  (1,694 lines)\n│   └── offensive-osint\u002F\n│       ├── SKILL.md                   # what to reach for (4,168 lines)\n│       └── scripts\u002Fsecret_scan.py     # stdlib-only secret scanner\n├── docs\u002F                              # architecture · coverage · install · usage\n├── examples\u002F                          # 4 end-to-end engagement walk-throughs\n├── tests\u002Fsmoke-test-prompts.md        # 32-prompt self-evaluation\n└── assets\u002Fbanner.png\n```\n\nEach skill directory is self-contained. Drop into `~\u002F.claude\u002Fskills\u002F` and Claude auto-triggers on relevant phrases.\n\n---\n\n## Skill Index\n\n90+ capabilities across 12 domains. 
Categorized like Claude-Red — pick a domain to drill in.\n\n### Reconnaissance & Asset Discovery\n\n| Capability | Skill |\n|---|---|\n| 5-stage external recon pipeline + time-budget profiles (1h \u002F 4h \u002F 1d \u002F 1w) | methodology |\n| Subdomain-source stack (crt.sh + 7-source fallback chain when crt.sh 502s) | arsenal |\n| Common-prefix subdomain sweep (100+ ordered prefixes, PowerShell + bash) | arsenal |\n| Wayback CDX deep mining + legacy-app pivot (.asp\u002F.php\u002F.jsp\u002F.cfm) | arsenal |\n| WHOIS \u002F RDAP \u002F historical-WHOIS + reverse-WHOIS pivots | arsenal |\n| Public records (OpenCorporates · SEC EDGAR · GSXT · Rusprofile · Companies House) | arsenal |\n| Bulk IP → ASN (Cymru \u002F RIPEstat \u002F bgp.tools) | arsenal |\n\n### Identity & SSO Mapping\n\n| Capability | Skill |\n|---|---|\n| Microsoft Entra (Azure AD) tenant fingerprint + GUID extraction | arsenal |\n| M365 deep enum (Teams federation · SharePoint · OneDrive · OAuth · device-code phishing) | arsenal |\n| Autodiscover IP correlation (passive M365 confirm even when MX wrapped by Mimecast\u002FProofpoint) | arsenal |\n| Okta tenant slug + `\u002Fapi\u002Fv1\u002Fauthn` user-enum | arsenal |\n| ADFS fingerprint + mex endpoint | arsenal |\n| Google Workspace OIDC discovery | arsenal |\n| Generic OIDC (Auth0 · Keycloak · Ping · OneLogin · Duo) | arsenal |\n| SAML metadata (5 paths) | arsenal |\n| AWS account-ID extraction from headers + ARN regex | arsenal |\n\n### Web Application Attack Surface\n\n| Capability | Skill |\n|---|---|\n| Swagger \u002F OpenAPI discovery (28 paths) | arsenal |\n| GraphQL discovery + introspection POST body (13 paths) | arsenal |\n| GraphQL field-suggestion enum (when introspection disabled) + alias batching + depth bypass | arsenal |\n| Always-on HTTP checks (15 paths: .git\u002F.env\u002Factuator\u002Fheapdump\u002Fetc.) | arsenal |\n| Missing security header audit (HSTS\u002FCSP\u002FXFO\u002Fetc.) 
| arsenal |\n| Endpoint extraction regex tiers (3 tiers) | arsenal |\n| Endpoint interest score (0–100 rubric) | arsenal |\n| JS deep analysis · sourcemap leakage · internal-host regex | arsenal |\n| Subdomain takeover fingerprints (27 providers) | arsenal |\n\n### Cloud & Container\n\n| Capability | Skill |\n|---|---|\n| Cloud bucket arsenal (S3 \u002F GCS \u002F Azure · 6 prefixes × 15 suffixes × 47 stems) | arsenal |\n| Cloud-native fingerprints (Lambda URLs · Cloud Run · Azure Functions · Vercel · Netlify · Workers) | arsenal |\n| Kubernetes \u002F etcd \u002F kubelet exposure (12 ports + probes) | arsenal |\n| Container registry leak hunting (Docker Hub · Quay · GHCR · ECR · GCR · ACR) | arsenal |\n| CI\u002FCD platform exposure (Jenkins · GitLab · TeamCity-KEV · Argo CD · Spinnaker · CircleCI) | arsenal |\n\n### Secret & Credential Hunting\n\n| Capability | Skill |\n|---|---|\n| 48-pattern secret-regex catalog (29 base + 19 modern) | arsenal |\n| Modern AI API keys (Anthropic \u002F OpenAI \u002F HuggingFace \u002F Cloudflare) | arsenal (rows 30-36) |\n| Package-registry tokens (npm \u002F PyPI \u002F Docker Hub) | arsenal (rows 38-40) |\n| GitHub code-search dorks (13 templates) | arsenal |\n| 9 read-only credential validators (Postman \u002F AWS \u002F GitHub \u002F Slack \u002F Anthropic \u002F OpenAI \u002F npm \u002F Atlassian \u002F DataDog) | arsenal |\n| Post-discovery enumeration workflows (IAM enum · repo enum · workspace enum · JWT triage) | arsenal |\n| `secret_scan.py` runnable helper (stdlib-only, JSONL output) | arsenal |\n| 80+ dork corpus across 9 categories | arsenal |\n\n### Breach Intelligence\n\n| Capability | Skill |\n|---|---|\n| HudsonRock Cavalier direct API (free; FYI: web-UI wraps a public JSON endpoint) | arsenal |\n| Domain-level breach severity mapping | arsenal |\n| `SSO_EXPOSURE` finding + legacy-mail-decommissioned escalation pattern | arsenal |\n| Breach × identity correlation (HudsonRock + HIBP + DeHashed + IntelX) | 
methodology |\n\n### Vendor & Edge-Appliance Fingerprinting\n\n| Capability | Skill |\n|---|---|\n| Citrix Netscaler · F5 BIG-IP · Pulse Secure \u002F Ivanti · FortiGate | arsenal |\n| PaloAlto GlobalProtect · Cisco AnyConnect · VMware vCenter \u002F ESXi \u002F Horizon | arsenal |\n| Microsoft Exchange OWA (ProxyShell \u002F ProxyLogon \u002F ProxyNotShell) | arsenal |\n| KEV CVE enrichment + EPSS scoring + Metasploit availability | arsenal |\n| WAF \u002F CDN bypass + origin discovery (8 techniques) | methodology, arsenal |\n\n### Email Security\n\n| Capability | Skill |\n|---|---|\n| SPF \u002F DMARC \u002F DKIM \u002F BIMI \u002F MTA-STS \u002F TLS-RPT \u002F DNSSEC audit (bash + PowerShell) | arsenal |\n| DMARC reporting-vendor inference (Kratikal \u002F dmarcian \u002F Valimail \u002F Agari \u002F EasyDMARC) | arsenal |\n| TXT verification token catalog (35+ SaaS tenants) | arsenal |\n| MX → IdP \u002F mail-host inference | arsenal |\n\n### Human Intelligence\n\n| Capability | Skill |\n|---|---|\n| LinkedIn employee enumeration (P0–P5 role tiers · sock-puppet hygiene) | arsenal |\n| Job posting tech-stack analysis (Lever · Greenhouse · AshbyHQ · Workable) | arsenal |\n| Slack \u002F Discord \u002F Telegram \u002F Mattermost workspace discovery | arsenal |\n| Sat imagery for physical recon (Google Earth · NearMap · Sentinel Hub) | arsenal |\n| Email-pattern inference (8 templates) | arsenal |\n\n### Supply Chain\n\n| Capability | Skill |\n|---|---|\n| Package-registry leak hunting (npm · PyPI · RubyGems · Cargo · Packagist · NuGet · Maven) | arsenal |\n| Typosquat surveillance | arsenal |\n| Postman public-workspace search (verified endpoint) | arsenal |\n| Stack Exchange OSINT sweep (8 sites) | arsenal |\n\n### Reporting & Deliverables\n\n| Capability | Skill |\n|---|---|\n| Findings rubric (CRITICAL\u002FHIGH\u002FMED\u002FLOW\u002FINFO + escalation) | methodology |\n| Severity decision matrix (88 worked examples) | arsenal |\n| Attack-path hint patterns (27 
templates) | arsenal |\n| Bug-bounty submission templates (HackerOne \u002F Bugcrowd \u002F Intigriti) | methodology |\n| Client deliverable templates (exec summary · risk-translation matrix · cadence) | methodology |\n| Reproduction package | methodology |\n\n### Sector-Specific\n\n| Capability | Skill |\n|---|---|\n| Healthcare (DICOM · HL7 v2 · FHIR · Epic \u002F Cerner \u002F Allscripts) | arsenal |\n| Finance (SWIFT · FIX · Bloomberg · Temenos \u002F Finacle \u002F FIS \u002F Fiserv) | arsenal |\n| ICS \u002F SCADA (Modbus · BACnet · Siemens S7 · DNP3 · EtherNet\u002FIP) | arsenal |\n| IoT (MQTT · CoAP · UPnP · Hikvision \u002F Dahua DVRs) | arsenal |\n| Government (`.gov` \u002F `.mil` · FedRAMP · FISMA · CUI · SAM.gov) | arsenal |\n\n---\n\n## Capability Map\n\nTwo skills, twelve capability domains. Drill into the [Skill Index](#skill-index) above for concrete sub-capabilities.\n\n```mermaid\n%%{init: {'theme':'base', 'themeVariables': {'primaryColor':'#1e293b','primaryTextColor':'#f1f5f9','primaryBorderColor':'#475569','lineColor':'#94a3b8'}}}%%\nflowchart LR\n    Root([\"🦅 claude-osint\"])\n\n    Root --> M[\"📘 osint-methodology\u003Cbr\u002F>\u003Ci>how to think\u003C\u002Fi>\"]\n    Root --> A[\"🛠️ offensive-osint\u003Cbr\u002F>\u003Ci>what to reach for\u003C\u002Fi>\"]\n\n    M --> M1[Recon Pipeline]\n    M --> M2[Asset Graph]\n    M --> M3[Identity Fabric]\n    M --> M4[Findings Rubric]\n    M --> M5[Reporting Templates]\n    M --> M6[OpSec & Detectability]\n\n    A --> A1[Probe Wordlists]\n    A --> A2[Vendor Fingerprints]\n    A --> A3[Cloud · K8s · CI-CD]\n    A --> A4[Secret Catalog]\n    A --> A5[Read-Only Validators]\n    A --> A6[Email Security]\n    A --> A7[Human Intel]\n    A --> A8[Sector Notes]\n\n    style Root fill:#dc2626,stroke:#7f1d1d,color:#fff\n    style M fill:#1e293b,stroke:#475569,color:#f1f5f9\n    style A fill:#7c2d12,stroke:#9a3412,color:#fef3c7\n    style M1 fill:#0f172a,stroke:#334155,color:#cbd5e1\n    style M2 
fill:#0f172a,stroke:#334155,color:#cbd5e1\n    style M3 fill:#0f172a,stroke:#334155,color:#cbd5e1\n    style M4 fill:#0f172a,stroke:#334155,color:#cbd5e1\n    style M5 fill:#0f172a,stroke:#334155,color:#cbd5e1\n    style M6 fill:#0f172a,stroke:#334155,color:#cbd5e1\n    style A1 fill:#1c1917,stroke:#44403c,color:#fed7aa\n    style A2 fill:#1c1917,stroke:#44403c,color:#fed7aa\n    style A3 fill:#1c1917,stroke:#44403c,color:#fed7aa\n    style A4 fill:#1c1917,stroke:#44403c,color:#fed7aa\n    style A5 fill:#1c1917,stroke:#44403c,color:#fed7aa\n    style A6 fill:#1c1917,stroke:#44403c,color:#fed7aa\n    style A7 fill:#1c1917,stroke:#44403c,color:#fed7aa\n    style A8 fill:#1c1917,stroke:#44403c,color:#fed7aa\n```\n\n---\n\n## Engagement Flow\n\n```mermaid\n%%{init: {'theme':'base', 'themeVariables': {'primaryColor':'#1e293b','primaryTextColor':'#f1f5f9','primaryBorderColor':'#475569','lineColor':'#94a3b8'}}}%%\nflowchart TD\n    A[\"🎯 Target authorized\u003Cbr\u002F>\u003Ci>RoE \u002F BB scope \u002F ASM contract\u003C\u002Fi>\"] --> B[methodology\u003Cbr\u002F>scope check]\n    B --> C[methodology\u003Cbr\u002F>5-stage pipeline]\n\n    C --> D1[\"🔍 Stage 1\u003Cbr\u002F>Seed Discovery\"]\n    C --> D2[\"🌐 Stage 2\u003Cbr\u002F>Asset Expansion\"]\n    C --> D3[\"📊 Stage 3\u003Cbr\u002F>Enrichment\"]\n    C --> D4[\"⚠️ Stage 4\u003Cbr\u002F>Exposure Analysis\"]\n    C --> D5[\"📋 Stage 5\u003Cbr\u002F>Reporting\"]\n\n    D1 --> E1[DNS catalog\u003Cbr\u002F>WHOIS \u002F RDAP\u003Cbr\u002F>public records]\n    D2 --> E2[subdomain stack\u003Cbr\u002F>prefix sweep\u003Cbr\u002F>Wayback CDX]\n    D3 --> E3[vendor fingerprint\u003Cbr\u002F>identity fabric\u003Cbr\u002F>infrastructure OSINT]\n    D4 --> E4[secret catalog\u003Cbr\u002F>always-on HTTP checks\u003Cbr\u002F>K8s exposure\u003Cbr\u002F>read-only validators\u003Cbr\u002F>breach × identity]\n    D5 --> E5[severity rubric\u003Cbr\u002F>BB submission\u003Cbr\u002F>client deliverable]\n\n    E1 --> 
F[methodology\u003Cbr\u002F>asset graph]\n    E2 --> F\n    E3 --> F\n    E4 --> G[\"📋 Findings\u003Cbr\u002F>severity + confidence + evidence\"]\n    E5 --> H[\"📦 Deliverable\u003Cbr\u002F>exec summary + repro package\"]\n\n    F --> G\n\n    style A fill:#3b82f6,color:#fff\n    style B fill:#7c2d12,color:#fef3c7\n    style C fill:#1e293b,color:#f1f5f9\n    style F fill:#7c3aed,color:#fff\n    style G fill:#dc2626,color:#fff\n    style H fill:#14532d,color:#dcfce7\n```\n\n---\n\n## Usage\n\n### With Claude Code\n\n```bash\n# Install both skills (one-time, after clone)\ngit clone https:\u002F\u002Fgithub.com\u002Felementalsouls\u002FClaude-OSINT.git\nmkdir -p ~\u002F.claude\u002Fskills\ncp -r Claude-OSINT\u002Fskills\u002F* ~\u002F.claude\u002Fskills\u002F\n```\n\nThen in any Claude Code session, ask an OSINT question — both skills auto-load and trigger on relevant phrases (50+ trigger phrases each).\n\n### With the Claude Skills System\n\n```bash\n# Point Claude at a single skill before starting your session\ncat skills\u002Foffensive-osint\u002FSKILL.md | claude --system-file -\n```\n\n### Manual (Claude.ai \u002F Claude API)\n\nPaste the contents of any `SKILL.md` into a Project's system prompt or prepend it to your conversation. Both files are plain Markdown — also usable as a personal cheat-sheet without Claude.\n\n---\n\n## Authorization\n\nThese skills are intended for assets you **own** or have **written authorization to assess** (red-team rules of engagement, bug-bounty in-scope assets, ASM contracts).\n\nBoth skills include a soft scope-check when you ask Claude to act against an unverified third-party target. They explicitly **exclude** active exploitation, post-exploitation, malware development, and other activities beyond OSINT-driven reconnaissance. 
See [`SECURITY.md`](SECURITY.md) for the full posture.\n\n---\n\n## Documentation\n\n| Doc | Contents |\n|---|---|\n| [`docs\u002Farchitecture.md`](docs\u002Farchitecture.md) | Design philosophy · asset-graph model · confidence\u002Fseverity\u002Fdetectability models · sidecar coordination · diagrams |\n| [`docs\u002Fcoverage.md`](docs\u002Fcoverage.md) | Honest practitioner-coverage breakdown by archetype + engagement phase |\n| [`docs\u002Finstallation.md`](docs\u002Finstallation.md) | Symlink installs and multi-environment install patterns |\n| [`docs\u002Fusage.md`](docs\u002Fusage.md) | Trigger-phrase reference and prompt templates |\n| [`examples\u002F`](examples\u002F) | 4 end-to-end engagement walk-throughs (quick recon · bug-bounty · M365 deep · secret hunting) |\n| [`tests\u002Fsmoke-test-prompts.md`](tests\u002Fsmoke-test-prompts.md) | 32-prompt self-evaluation suite (current grade: 31\u002F32 PASS) |\n| [`CHANGELOG.md`](CHANGELOG.md) | Version history |\n| [`CONTRIBUTING.md`](CONTRIBUTING.md) | Pull-request guidelines |\n\n---\n\n## About\n\nOperational tradecraft accumulated across external attack-surface engagements, codified into Claude skills. Engagement-platform agnostic - slot into any ASM \u002F ticketing \u002F asset-graph platform you already use, or none.\n\n**Author:** [ElementalSoul](https:\u002F\u002Fgithub.com\u002Felementalsouls)\n\n**Original framework:** [SnailSploit\u002Foffensive-checklist](https:\u002F\u002Fgithub.com\u002FSnailSploit\u002Foffensive-checklist) (v1.x)\n\n**Inspired by:** [Bellingcat's Online Investigations Toolkit](https:\u002F\u002Fwww.bellingcat.com\u002Fresources\u002F2024\u002F09\u002F24\u002Fbellingcat-online-investigations-toolkit\u002F) \n· [IntelTechniques](https:\u002F\u002Finteltechniques.com\u002Ftools\u002F) \n· [OSINT Framework](https:\u002F\u002Fosintframework.com\u002F)\n\n**Tool inventory:** \n. 
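[ProjectDiscovery](https:\u002F\u002Fgithub.com\u002Fprojectdiscovery) \n· [Six2dez reconftw](https:\u002F\u002Fgithub.com\u002Fsix2dez\u002Freconftw) \n· [SecLists](https:\u002F\u002Fgithub.com\u002Fdanielmiessler\u002FSecLists) \n· [Assetnote Wordlists](https:\u002F\u002Fwordlists.assetnote.io\u002F)\n\n**License:** [MIT](LICENSE) — use freely, attribution appreciated.\n\n---\n\n> *\"Give Claude the right skill and it stops being a chatbot. It becomes an operator.\"*\n","claude-osint is a set of open-source intelligence (OSINT) and offensive reconnaissance skills designed for the Claude skills system. It contains two core skill files that, through 90+ recon modules, 48 secret-regex patterns and more, enable Claude to work like a senior recon analyst, and it is intended for authorized red-team testing and bug-bounty programs. The project is written in Python and provides a structured reconnaissance methodology and a tactical tool library covering multiple domains, from asset discovery to identity mapping, to help users collect and analyze information efficiently.","2026-06-11 02:40:15","CREATED_QUERY"]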