IONSEC Threat Intel

v1.0.1

Query multiple threat intelligence services for IOC enrichment including IP reputation, domain analysis, URL scanning, hash lookups, and malware detection. U...

Security Scan
Capability signals
Crypto: Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (IOC enrichment) match the implemented code. All required API keys and services (VirusTotal, GreyNoise, Shodan, etc.) are relevant to threat-intel functionality. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md instructs the agent and user to query external TI services and to run an interactive setup that writes keys to a skill-local config.json. The runtime instructions and scripts only reference service endpoints and skill-local files; they do not attempt to read system-wide credentials or unexpected host files. Note: the skill will create and use a .cache directory and a config.json next to the skill to store rate-limit state, cached responses, and optionally saved API keys.
Install Mechanism
No install spec or external downloads; code is bundled with the skill. Nothing is fetched from arbitrary URLs during install. No installer creates system-wide binaries or writes outside the skill directory.
Credentials
The environment variables and API keys mentioned (VT_API_KEY, GREYNOISE_API_KEY, SHODAN_API_KEY, etc.) correspond directly to the external services the skill integrates with. Keys are optional for free-service fallback; using env vars is supported and takes precedence over the local config file.
Persistence & Privilege
always:false (not forced into every agent run). The skill writes only to its own skill-local files (config.json and a .cache directory) and does not modify other skills or global agent configuration. It may exec the included setup script when explicitly invoked.
Assessment
This skill appears to do what it claims: aggregate threat-intel from many public and API-key services. Before installing, consider: (1) API keys you provide may be saved to the skill's config.json in the skill directory (you can prefer environment variables instead to avoid writing keys to disk); (2) the skill will create a .cache directory and a rate_limits.json state file next to the skill to store cached responses and rate-limit state; (3) the code contains some bugs/typos (e.g., variable name mistakes in AbuseIPDB classification) which may cause runtime errors — expect occasional failures and check logs; (4) the skill makes network requests to the listed third-party endpoints (VirusTotal, Shodan, GreyNoise, URLScan, etc.), which may have privacy, rate-limit, or billing implications when you enable API keys; (5) run in a controlled environment if you are concerned about storing keys or creating files. If you want higher assurance, review the bundled scripts (they are included) or run the skill in an isolated container before giving it production access.

79 downloads · 0 stars · 2 versions · Updated 1w ago · latest v1.0.1 · License: MIT-0

Threat Intel

Overview

Query multiple external threat intelligence services to enrich observables (IPs, domains, URLs, hashes). Aggregates data from security vendors, open-source feeds, and specialized platforms to provide comprehensive IOC context.

Supported Observable Types:

  • IP addresses - Reputation, geolocation, ASN, open ports, malicious activity
  • Domains - WHOIS, DNS records, reputation, phishing detection
  • URLs - Scan reports, redirects, phishing detection, screenshot analysis
  • Hashes (MD5/SHA1/SHA256) - Malware detection, file analysis, known samples

Quick Start

Basic Usage

# Check an IP across multiple services
openclaw threat-intel ip 8.8.8.8 --services greynoise,abuseipdb,virustotal

# Check a domain
openclaw threat-intel domain evil.com --services all

# Check a hash
openclaw threat-intel hash a3b2c1d4e5f6... --services virustotal,otx

# Check a URL
openclaw threat-intel url http://suspicious.site/payload.exe --services urlscan

# View rate limit status
openclaw threat-intel --rate-limits

API Key Management

Most services require API keys. Configure them interactively:

openclaw threat-intel setup

Or set environment variables:

export VT_API_KEY="your_virustotal_key"
export GREYNOISE_API_KEY="your_greynoise_key"
export SHODAN_API_KEY="your_shodan_key"
export OTX_API_KEY="your_otx_key"
export ABUSEIPDB_API_KEY="your_abuseipdb_key"
export URLSCAN_API_KEY="your_urlscan_key"
export SPUR_API_KEY="your_spur_key"
export VALIDIN_API_KEY="your_validin_key"

See references/api-keys.md for full list of required keys per service.

Available Services

Free Services (No API Key Required)

Service        | Observable Types | Description
---------------|------------------|--------------------------------------
MalwareBazaar  | Hash             | Malware sample database
URLhaus        | URL              | Malicious URL database
DNS0           | Domain           | DNS resolver with threat detection
Google DNS     | Domain           | Public DNS resolver
Cloudflare DNS | Domain           | Public DNS resolver
Pulsedive      | IP, Domain, URL  | Threat intelligence with rate limits

Services Requiring API Keys

Service        | Observable Types      | Best For
---------------|-----------------------|------------------------------------------------------
VirusTotal v3  | IP, Domain, URL, Hash | Comprehensive malware detection
GreyNoise      | IP                    | Internet background noise and scanner classification
Shodan         | IP                    | Open ports, services, and exposed systems
AlienVault OTX | IP, Domain, URL, Hash | Threat community data
AbuseIPDB      | IP                    | IP reputation and reported abuse
URLscan        | URL                   | Live URL scanning and screenshot
Spur.us        | IP                    | VPN, proxy, and hosting detection
Validin        | IP, Domain, Hash      | Passive DNS, subdomains, and WHOIS

See references/services.md for complete service documentation.

Workflows

IOC Investigation

When investigating a suspicious observable, use this pattern:

  1. Quick triage - Check free services first

    openclaw threat-intel ip <target> --services pulsedive
    
  2. Deep enrichment - Add premium services for known-bad indicators

    openclaw threat-intel ip <target> --services virustotal,greynoise,shodan
    
  3. Correlate - Cross-reference with multiple sources

    openclaw threat-intel ip <target> --services all
    

Bulk Enrichment

Process multiple observables from a file:

openclaw threat-intel bulk iocs.txt --output results.json

Format: one observable per line, optionally prefixed with type:

ip:8.8.8.8
domain:evil.com
hash:a3b2c1...
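
As an added example (not code from the skill), a parser for the bulk file format above: it honours the optional `type:` prefix, infers the type of unprefixed lines from their shape, and rejects lines whose prefix contradicts the value instead of silently sending them to a TI service. The detection rules, the `SAMPLE_IOCS` file and the record layout are my own assumptions, not the skill's implementation.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample in the skill's bulk format (one observable per line,
# optional "type:" prefix); the values are made up for this example.
SAMPLE_IOCS = """ip:8.8.8.8
domain:evil.com
hash:d41d8cd98f00b204e9800998ecf8427e
http://suspicious.site/payload.exe
not an indicator
"""
KNOWN_TYPES = {"ip", "domain", "url", "hash"}
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", re.I)

def detect_type(value: str):
    """Infer the type from the value's shape (assumed rules, not the skill's)."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if len(value) in HASH_ALGOS and re.fullmatch(r"[0-9a-fA-F]+", value):
        return "hash"
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    return "domain" if DOMAIN_RE.fullmatch(value) else None

def parse_bulk(text: str):
    """Return accepted records and rejected (lineno, line, reason) tuples."""
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        prefix, sep, rest = line.partition(":")
        if sep and prefix.lower() in KNOWN_TYPES and rest.strip():
            ioc_type, value = prefix.lower(), rest.strip()
            if detect_type(value) != ioc_type:  # explicit prefix must fit the value
                rejected.append((lineno, line, f"value does not look like {ioc_type}"))
                continue
        else:
            ioc_type, value = detect_type(line), line
            if ioc_type is None:
                rejected.append((lineno, line, "unrecognised observable"))
                continue
        algo = HASH_ALGOS[len(value)] if ioc_type == "hash" else None
        accepted.append({"type": ioc_type, "value": value, "algo": algo})
    return accepted, rejected
```

Rejected lines are returned with their line number and reason so a bulk run can report malformed input rather than dropping it.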

Scripts

Use these scripts directly for programmatic access:

  • scripts/threat_intel.py - Main CLI tool
  • scripts/check_ip.py - IP-focused helper script
  • scripts/bulk_check.py - Bulk processing
  • scripts/setup.py - Explicit interactive API key configuration

Output Formats

Default (Table)

Service        | Result | Score | Details
---------------|--------|-------|--------
VirusTotal     | ⚠️ Suspicious | 12/71 | 12 vendors flagged
GreyNoise      | ✅ Benign  | 0%    | Classified as benign
AbuseIPDB      | ⚠️ Suspicious | 85%   | 12 reports

JSON (for automation)

openclaw threat-intel ip 8.8.8.8 --format json

Markdown (for reports)

openclaw threat-intel ip 8.8.8.8 --format markdown

References
