OSINT Investigator

Warn

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent OSINT skill, but it enables very broad investigations of people and sensitive identifiers and includes a helper script that can automatically install an unpinned Python package into the local environment.

Use this skill only for lawful, authorized OSINT work. Before installing, be comfortable with broad person-focused searches and third-party lookups, and avoid running the PDF helper unless you accept its automatic pip installation behavior or have reviewed and sandboxed it.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may collect and correlate personal information, public records, images, account profiles, and contact details at a scale that can create privacy, legal, or harassment risks.

Why it was flagged

The skill directs broad, multi-source investigation of people and sensitive identifiers, with an explicit instruction to run all applicable modules rather than requiring narrow user approval per sensitive source.

Skill content

Use when the user wants to research, find, or investigate any person... phone number, image... Run ALL applicable modules in parallel. Never stop after one source.

Recommendation

Require explicit user confirmation for sensitive targets and modules, especially people, phone numbers, email addresses, images, breach/leak checks, face search, and location searches.

What this means

Running the report generator could change the user's Python environment and introduce supply-chain risk from an unpinned dependency.

Why it was flagged

If the PDF wrapper is run, it automatically installs an unpinned package from pip and first attempts to bypass system package protections.

Skill content

pip3 install fpdf2 -q --break-system-packages 2>/dev/null \
    || pip3 install fpdf2 -q \
    || pip3 install fpdf2 -q --user

Recommendation

Pin the dependency version, declare it in the install metadata, install inside a virtual environment, and ask the user before installing packages.

What this means

If the user supplies API keys, the agent may use account-linked services, consume quotas, and send target identifiers to those providers.

Why it was flagged

The playbook anticipates optional provider API keys for services such as Google Maps and HaveIBeenPwned. This is purpose-aligned, but the metadata does not declare credentials.

Skill content

https://maps.googleapis.com/maps/api/geocode/json?address=<address>&key=<key> ... curl -s "https://haveibeenpwned.com/api/v3/breachedaccount/<email>" -H "hibp-api-key: <key>"

Recommendation

Use least-privileged keys, avoid sharing unnecessary credentials, and confirm provider terms before running API-backed lookups.

What this means

Sensitive images or identifiers may be disclosed to external OSINT providers during the investigation.

Why it was flagged

The OSINT workflow sends target images, image URLs, and metadata checks to third-party services. This is disclosed and aligned with reverse-image investigation, but data-sharing boundaries are not explained.

Skill content

Feed to Yandex imageview and TinEye ... Online tools: `web_fetch https://www.metadata2go.com` or `https://www.pic2map.com`

Recommendation

Ask the user before sending images, emails, addresses, or other sensitive identifiers to third-party sites, and disclose which services will receive the data.