Claude-OSINT takes an unconventional approach to AI-driven open-source intelligence (OSINT) by embedding deep defensive and offensive recon tradecraft directly into Claude’s prompt system. Instead of relying on external APIs or databases, it encodes the entire methodology and tactical arsenal as two extensive markdown skill files — totaling over 4,600 lines of structured instructions and scripts that transform Claude into a domain expert for authorized red-team and bug bounty recon.
what claude-osint does and how it’s built
At its core, Claude-OSINT delivers two paired Claude SKILL.md files: one focused on recon methodology, the other on offensive tactics. These skills are designed to be loaded into a Claude AI environment that supports the Claude Skills system, where they condition Claude’s behavior and responses for OSINT tasks.
The methodology skill encapsulates strategic thinking for recon engagements — it introduces an asset-graph discipline that guides how Claude correlates entities like subdomains, ASNs, CIDRs, and identities. It also includes severity rubrics for evaluating findings, and a time-budgeting framework to prioritize efforts efficiently.
The offensive skill is the tactical toolbox. It provides:
- 48 secret-regex patterns for sensitive data leaks
- Over 80 Google dorks tailored for recon
- 90+ recon modules covering various data sources and techniques
- 27 attack-path templates that encode common killchain sequences
- 9 read-only credential validators to verify leaked credentials without triggering alerts
The entire system is built in Python to manage skill content but the bulk of the intelligence lies in the markdown SKILL files, which are parsed and executed by Claude’s skills engine. The design choice to keep the logic in SKILL.md files makes the recon tradecraft transparent, version-controlled, and easily adaptable.
This repo targets authorized engagements only, such as red-team exercises or bug bounty programs. It auto-triggers on more than 50 trigger phrases related to OSINT queries, achieving a reported 96.9% pass rate on a 32-prompt self-evaluation benchmark. This coverage is estimated at 85–90% of real-world practitioner recon needs, striking a balance between depth and operational efficiency.
Notably, most modules operate without external API dependencies, reducing footprint and simplifying deployment.
technical strengths and design tradeoffs
Claude-OSINT’s standout feature is the way it encodes a graph-based asset correlation methodology into a language model prompt system. By structuring the methodology skill to maintain context across thousands of lines, it enables Claude to pivot smoothly between discovery phases — for example, moving from a simple subdomain enumeration to ASN and CIDR analysis, then to reverse-DNS lookups and WHOIS queries, all while preserving the context of the target asset graph.
The offensive skill complements this by providing an expansive tactical catalog — the secret-regex patterns and Google dorks are battle-tested for sensitive data discovery, while the recon modules cover diverse data sources like certificate transparency logs, GitHub scraping, and social media profiling.
The 27 attack-path templates encode common killchain sequences, effectively guiding Claude to string together multi-step exploitation paths. This is a notable design choice, as it models OSINT as a sequential, graph-driven process rather than isolated queries.
The code quality is surprisingly clean for a project centered on prompt engineering. The Python scripts mainly handle syncing and installing skills, while the markdown files follow a consistent, modular structure that is both human-readable and machine-parsable. This separation of concerns aids maintainability.
Tradeoffs are clear: embedding all logic in markdown SKILL files limits flexibility compared to a full-fledged dynamic recon framework with live API integrations. The lack of external API dependencies also means some real-time data or specialized sources are out of reach. Additionally, the dependency on Claude’s context window and inference limits means very large recon sessions might need to be chunked or carefully managed.
However, these tradeoffs are deliberate, favoring transparency, ease of deployment, and operational security.
quick start with claude-osint
The repo provides explicit installation commands to get started. After cloning, you sync skill content and copy the skills into your Claude skills directory:
git clone https://github.com/elementalsouls/Claude-OSINT.git
cd Claude-OSINT
chmod +x ./scripts/sync-skill-content.sh
./scripts/sync-skill-content.sh
mkdir -p ~/.claude/skills
cp -r skills/osint-methodology ~/.claude/skills/
cp -r skills/offensive-osint ~/.claude/skills/
ls ~/.claude/skills/
Once installed, in any Claude Code session, simply ask an OSINT-related question. The skills auto-load and trigger on relevant phrases — over 50 triggers per skill — seamlessly augmenting Claude’s native capabilities.
This setup requires no other dependencies or complex configuration.
verdict
Claude-OSINT is a technically ambitious project that demonstrates how to embed structured OSINT methodology and extensive tactical tradecraft directly into a Claude LLM environment using markdown skill files.
It’s especially relevant for security practitioners running authorized red-team or bug bounty engagements who want an AI assistant that can orchestrate multi-step recon workflows without reaching out to external APIs. The repo’s design prioritizes transparency, operational security, and modularity over real-time data freshness.
The primary limitation is the reliance on Claude’s inference and context window constraints, which may require careful session management for very large asset graphs. Also, the lack of dynamic integration with live external data sources means it won’t fully replace specialized OSINT platforms.
That said, the approach offers a unique blend of strategic methodology and tactical depth, making it a valuable tool for those looking to experiment with AI-driven recon or augment their OSINT toolset with a language model conditioned on expert tradecraft.
Related Articles
- ordinary-claude-skills: an extensive local-first library of Claude prompt packages for specialized AI agents — Discover ordinary-claude-skills, a local-first collection of 600+ prompt packages that specialize Claude AI with domain
- how awesome-claude-skills turns claude into a real-world action agent — Awesome Claude Skills is a modular Python framework that empowers Claude to perform real-world actions by integrating wi
- daymade/claude-code-skills: a production-hardened plugin marketplace for Claude Code skills — daymade/claude-code-skills offers a robust plugin marketplace with 51 pre-built Claude Code skills and a hardened skill-
- SkillUI: Automating design system extraction into Claude Code skills — SkillUI reverse-engineers design systems from URLs or repos into Claude Code skill packages using static and visual anal
- DSPy agent skills pack with GEPA optimization for Claude Code and Codex CLI — Explore a production-grade pack of DSPy 3.2.x agent skills with GEPA optimization, delivering up to +19.53 accuracy on R
→ GitHub Repo: elementalsouls/Claude-OSINT ⭐ 1,327 · Python