Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OSINT Daily Brief

v1.0.0


Install

Install with OpenClaw (prompt flow)

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for infectit007/osint-daily-brief.

Prompt (Install & Setup):
Install the skill "OSINT Daily Brief" (infectit007/osint-daily-brief) from ClawHub.
Skill page: https://clawhub.ai/infectit007/osint-daily-brief
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command line (CLI)

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI (bare skill slug):
openclaw skills install osint-daily-brief

ClawHub CLI:
npx clawhub@latest install osint-daily-brief
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The SKILL.md clearly requires a TAVILY_API_KEY (and optionally SHODAN_API_KEY) to function, but the registry metadata lists no required environment variables or primary credential — that mismatch is incoherent. The use of dig/whois/shodan is reasonable for an OSINT brief, but the missing declaration of required credentials is a configuration/metadata problem that affects trust and automated permission checks.
Instruction Scope (flagged)
Instructions are explicit about calling external APIs (Tavily, Shodan) and running local binaries (dig, whois) via subprocess. Those actions are within expected OSINT scope, but the workflow also demonstrates scheduling reports to Telegram without declaring the Telegram token or how to deliver reports safely, which is an undeclared outbound endpoint/requirement. The code reads environment variables directly (os.environ['TAVILY_API_KEY']) and will fail or crash if missing — the agent could also transmit collected data to the external services it depends on (expected for the function, but important to note).
Install Mechanism
No install spec and no code files beyond SKILL.md — lowest install risk. The SKILL.md notes that dig and whois are required system utilities and suggests apt installs; that is reasonable and transparent. There are no downloads or archive extraction steps.
Credentials (flagged)
The skill requires at minimum TAVILY_API_KEY (required) and optionally SHODAN_API_KEY, but the registry metadata did not declare these. This mismatch prevents automated reviewers from knowing what secrets will be accessed. The number and type of env vars is itself modest and appropriate for the task, but the lack of declared primaryEnv/required envs is the main issue. The SKILL.md also references potential Tor/SOCKS use and sending to Telegram, but does not declare how those credentials/proxies are supplied.
Persistence & Privilege
always:false and user-invocable:true (defaults) — no elevated persistence requested. The SKILL.md shows how to schedule runs via openclaw cron, which is a user-level action; the skill does not request system modifications or cross-skill config changes. Because the skill can be invoked autonomously by the agent (disable-model-invocation:false, the default), an installed API key could be used by the agent when it decides to run the skill — consider limiting autonomous invocation if you don't trust that behavior.
What to consider before installing
This appears to be a legitimate OSINT recipe, but metadata and instructions disagree about required credentials. Before installing: (1) insist the publisher update the registry metadata to list TAVILY_API_KEY (and optionally SHODAN_API_KEY) so automated permission checks are accurate; (2) only provide API keys you trust and that are scoped/minimized; (3) verify Tavily and Shodan endpoints and their privacy/retention policies (collected data will be sent to them); (4) be cautious about scheduling automated runs that send reports to external destinations (Telegram example uses an undeclared token); and (5) if you want extra safety, run first in a sandboxed environment or request the author add explicit configuration options and a preview mode that does not exfiltrate results. If the publisher cannot clarify the missing env var declarations and the Telegram delivery details, treat the skill as untrusted.
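The mismatch the scan describes (code that reads secrets and calls endpoints the registry never declared) can be checked mechanically. The following is an added example, not part of the ClawHub scanner or of this skill: it pulls the environment variables, outbound hosts, local binaries and delivery channels out of a SKILL.md body and diffs them against the metadata. The SKILL.md excerpt and the metadata field names (requiredEnv, primaryEnv) are constructed assumptions, not ClawHub's real schema.

```python
import re

# Constructed excerpt modelled on the code this skill page shows;
# not the SKILL.md fetched from the registry itself.
SKILL_MD = '''
r = requests.post("https://api.tavily.com/search",
    json={"api_key": os.environ["TAVILY_API_KEY"]})
key = os.environ.get("SHODAN_API_KEY")
r = requests.get(f"https://api.shodan.io/shodan/host/{ip}", params={"key": key})
subprocess.run(["dig", "+short", "A", domain])
subprocess.run(["whois", domain])
openclaw cron add --prompt "Run the skill. Send report to Telegram."
'''

# Constructed registry metadata mirroring the finding above: nothing declared.
# Field names are assumptions, not ClawHub's real schema.
METADATA = {"requiredEnv": [], "primaryEnv": None}

ENV_RE = re.compile(r"os\.environ(?:\.get)?[\[(]\s*[\"']([A-Z0-9_]+)[\"']")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
BIN_RE = re.compile(r"subprocess\.run\(\s*\[\s*[\"']([^\"']+)[\"']")
DELIVERY_WORDS = ("telegram", "slack", "discord", "webhook", "email")


def audit_skill(skill_md: str, metadata: dict) -> dict:
    """Compare what the skill's code actually touches with what the registry
    metadata declares, so undeclared secrets and endpoints are visible."""
    used_env = set(ENV_RE.findall(skill_md))
    declared = set(metadata.get("requiredEnv") or [])
    if metadata.get("primaryEnv"):
        declared.add(metadata["primaryEnv"])
    text = skill_md.lower()
    return {
        "undeclared_env": sorted(used_env - declared),
        "outbound_hosts": sorted(set(HOST_RE.findall(skill_md))),
        "local_binaries": sorted(set(BIN_RE.findall(skill_md))),
        # delivery channels mentioned in the instructions but never configured
        "undeclared_delivery": sorted(w for w in DELIVERY_WORDS if w in text),
    }


def verdict(report: dict) -> str:
    """'untrusted' whenever a secret or a delivery channel is undeclared."""
    if report["undeclared_env"] or report["undeclared_delivery"]:
        return "untrusted"
    return "ok"
```

Running it against the constructed excerpt reproduces the scanner's conclusion: two undeclared API keys, two outbound hosts, two local binaries and an undeclared Telegram delivery channel.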


v1.0.0 · MIT-0 · 86 downloads · 0 stars · 1 version · Updated 2w ago

OSINT Daily Brief

Automated open-source intelligence report for any target.

Pulls from Tavily AI search, DNS records, WHOIS, and optionally Shodan. Structures findings into a daily brief you can read in under 2 minutes.

Use for: competitive intel, brand monitoring, pre-engagement recon, daily threat feeds.


Prerequisites

# Required
TAVILY_API_KEY=your_key_here        # tavily.com → free: 1,000 searches/month

# Optional — for richer results
SHODAN_API_KEY=your_key_here        # shodan.io → free tier available

Workflow

1. Web intelligence (Tavily)

import os, requests

def tavily_search(query: str, max_results: int = 5) -> list[dict]:
    """AI-optimized web search — returns full page content, not just snippets."""
    key = os.environ.get("TAVILY_API_KEY")
    if not key:
        # Fail with a clear message instead of a bare KeyError from os.environ[...]
        raise RuntimeError("TAVILY_API_KEY is not set")
    r = requests.post(
        "https://api.tavily.com/search",
        json={
            "api_key":     key,
            "query":       query,
            "max_results": max_results,
            "search_depth": "advanced",
        },
        timeout=15,
    )
    r.raise_for_status()  # surface HTTP errors instead of silently returning []
    return r.json().get("results", [])

# Example: monitor a target
target = "example.com"
news   = tavily_search(f"{target} security breach data leak 2026")
tech   = tavily_search(f"{target} technology stack infrastructure")

2. DNS recon

import subprocess

def dns_recon(domain: str) -> dict:
    results = {}
    for record_type in ["A", "MX", "NS", "TXT"]:
        try:
            r = subprocess.run(
                ["dig", "+short", record_type, domain],
                capture_output=True, text=True, timeout=5
            )
            # splitlines() avoids the [''] that "".split("\n") yields for an empty answer
            results[record_type] = [line for line in r.stdout.splitlines() if line.strip()]
        except (subprocess.TimeoutExpired, FileNotFoundError):
            results[record_type] = []  # dig missing or unresponsive: empty record set
    return results

3. WHOIS

def whois_lookup(domain: str) -> str:
    try:
        r = subprocess.run(
            ["whois", domain],
            capture_output=True, text=True, timeout=10
        )
        # Extract key fields only (registrar, dates, registrant, name servers)
        lines = r.stdout.split("\n")
        keys = ["registrar", "created", "expires", "registrant", "name server"]
        relevant = [line for line in lines if any(k in line.lower() for k in keys)]
        return "\n".join(relevant[:15])
    except Exception as e:
        return f"WHOIS error: {e}"

4. Shodan (optional)

import socket

def shodan_lookup(ip_or_domain: str) -> dict:
    key = os.environ.get("SHODAN_API_KEY")
    if not key:
        return {"error": "SHODAN_API_KEY not set"}
    try:
        # The /shodan/host/ endpoint takes an IP address, so resolve a hostname first
        ip = socket.gethostbyname(ip_or_domain)
        r = requests.get(
            f"https://api.shodan.io/shodan/host/{ip}",
            params={"key": key},
            timeout=10
        )
        if r.status_code == 404:
            return {"error": f"no Shodan data for {ip}"}
        r.raise_for_status()
        data = r.json()
        return {
            "ports":   data.get("ports", []),
            "org":     data.get("org", ""),
            "country": data.get("country_name", ""),
            "vulns":   list(data.get("vulns", {}).keys())[:5],
        }
    except Exception as e:
        return {"error": str(e)}

5. Format the brief

OSINT DAILY BRIEF — [target] — YYYY-MM-DD
─────────────────────────────────────────
THREAT INDICATORS
  ⚠️  [finding] — [source]
  ✅  No breach mentions in last 30 days

DNS PROFILE
  A:   [IPs]
  MX:  [mail servers]
  NS:  [nameservers]
  TXT: [SPF/DKIM/verification records]

WHOIS
  Registrar: [name]
  Created:   [date]
  Expires:   [date]
  Name Servers: [list]

EXPOSED ASSETS (Shodan)
  Open ports: [list]
  Org:        [org name]
  CVEs:       [list or "none detected"]

NEWS & WEB MENTIONS (last 30 days)
  1. [title] — [source] — [url]
  2. ...

SUMMARY
  Risk level: [LOW/MEDIUM/HIGH]
  Key concern: [one sentence]
  Recommended: [1–2 actions]
─────────────────────────────────────────
Sources: Tavily, WHOIS, DNS, Shodan
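Step 5 gives only the template. The following is an added example (not from the skill's own SKILL.md) that renders that template from the return values of the four collectors in steps 1 to 4, derives the risk level from the findings, and still produces a complete brief when shodan_lookup returned an error dict. The sample inputs, the risk-level rule and the WHOIS label mapping are constructed assumptions.

```python
from datetime import date

# Constructed sample inputs shaped like the return values of tavily_search,
# dns_recon, whois_lookup and shodan_lookup above (not real lookup results).
SAMPLE_NEWS = [{"title": "example.com discloses data breach", "url": "https://news.example/1"}]
SAMPLE_DNS = {"A": ["203.0.113.10"], "MX": ["mail.example.com."],
              "NS": ["ns1.example.com."], "TXT": ['"v=spf1 -all"']}
SAMPLE_WHOIS = ("Registrar: Example Registrar\nCreation Date: 2010-01-01\n"
                "Registry Expiry Date: 2030-01-01\nName Server: NS1.EXAMPLE.COM")
SAMPLE_SHODAN = {"ports": [22, 443], "org": "Example Org", "country": "US",
                 "vulns": ["CVE-0000-0000"]}  # placeholder CVE id, not a real one


def parse_whois(text: str) -> dict:
    """Map the filtered WHOIS lines onto the four labels the brief template uses."""
    labels = {"registrar": "Registrar", "creat": "Created",
              "expir": "Expires", "name server": "Name Servers"}
    found: dict = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        for needle, label in labels.items():
            if needle in key.lower() and value.strip():
                found.setdefault(label, []).append(value.strip())
    return {label: ", ".join(values) for label, values in found.items()}


def risk_level(news: list, shodan: dict) -> str:
    """Assumed rule: HIGH when Shodan lists CVEs, MEDIUM on breach mentions or open ports, else LOW."""
    breach = any("breach" in n.get("title", "").lower() for n in news)
    if shodan.get("vulns"):
        return "HIGH"
    return "MEDIUM" if breach or shodan.get("ports") else "LOW"


def format_brief(target: str, news: list, dns: dict, whois_text: str,
                 shodan: dict, today: str = "") -> str:
    """Render the plain-text brief of step 5; a Shodan error dict simply yields 'none'."""
    today = today or date.today().isoformat()
    whois = parse_whois(whois_text)
    breach = [n for n in news if "breach" in n.get("title", "").lower()]
    lines = [f"OSINT DAILY BRIEF - {target} - {today}", "THREAT INDICATORS"]
    lines += [f"  [!] {n['title']} - {n.get('url', '')}" for n in breach] or ["  [ok] No breach mentions"]
    lines += ["DNS PROFILE"] + [f"  {t}: {', '.join(dns.get(t, [])) or 'none'}" for t in ("A", "MX", "NS", "TXT")]
    lines += ["WHOIS"] + [f"  {k}: {whois.get(k, 'unknown')}" for k in ("Registrar", "Created", "Expires", "Name Servers")]
    lines += ["EXPOSED ASSETS (Shodan)",
              f"  Open ports: {', '.join(str(p) for p in shodan.get('ports', [])) or 'none'}",
              f"  Org: {shodan.get('org') or 'unknown'}",
              f"  CVEs: {', '.join(shodan.get('vulns', [])) or 'none detected'}"]
    lines += ["SUMMARY", f"  Risk level: {risk_level(news, shodan)}"]
    return "\n".join(lines)
```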

Scheduling — daily brand/target monitoring

# Monitor your own domain daily
openclaw cron add \
  --name "osint-brief:daily-self" \
  --cron "0 6 * * *" \
  --prompt "Run osint-daily-brief skill on target: yourdomain.com. Send report to Telegram."

# Monitor a competitor
openclaw cron add \
  --name "osint-brief:daily-competitor" \
  --cron "0 6 * * *" \
  --prompt "Run osint-daily-brief skill on target: competitor.com. Flag any new exposed ports, CVEs, or breach mentions."

Use cases

Use case                 Target               Frequency
Brand monitoring         your domain          daily
Competitive intel        competitor domains   weekly
Pre-engagement recon     client domain        one-time
Threat actor tracking    IP ranges            daily
Dark web mentions        brand keywords       weekly

Privacy & ethics

  • Only investigate targets you own or have explicit authorization to research
  • All data comes from public sources (Tavily, DNS, WHOIS, Shodan)
  • No social engineering, credential testing, or active probing
  • WHOIS and Shodan data is public by design — this skill reads it, does not generate it
  • Comply with applicable laws in your jurisdiction

Notes

  • Tavily free tier: 1,000 searches/month. Each run uses ~3–5 searches.
  • Shodan free tier: limited to 1 result per query on some endpoints
  • DNS recon requires dig installed: sudo apt install dnsutils
  • WHOIS requires whois installed: sudo apt install whois
  • For dark web mentions, pair with Tor proxy (Ahmia search via SOCKS5)
