Threat Intel
Overview
Query multiple external threat intelligence services to enrich observables (IPs, domains, URLs, hashes). Aggregates data from security vendors, open-source feeds, and specialized platforms to provide comprehensive IOC context.
Supported Observable Types:
- IP addresses - Reputation, geolocation, ASN, open ports, malicious activity
- Domains - WHOIS, DNS records, reputation, phishing detection
- URLs - Scan reports, redirects, phishing detection, screenshot analysis
- Hashes (MD5/SHA1/SHA256) - Malware detection, file analysis, known samples
Quick Start
Basic Usage
# Check an IP across multiple services
openclaw threat-intel ip 8.8.8.8 --services greynoise,abuseipdb,virustotal
# Check a domain
openclaw threat-intel domain evil.com --services all
# Check a hash
openclaw threat-intel hash a3b2c1d4e5f6... --services virustotal,otx
# Check a URL
openclaw threat-intel url http://suspicious.site/payload.exe --services urlscan
# View rate limit status
openclaw threat-intel --rate-limits
API Key Management
Most services require API keys. Configure them interactively:
openclaw threat-intel setup
Or set environment variables:
export VT_API_KEY="your_virustotal_key"
export GREYNOISE_API_KEY="your_greynoise_key"
export SHODAN_API_KEY="your_shodan_key"
export OTX_API_KEY="your_otx_key"
export ABUSEIPDB_API_KEY="your_abuseipdb_key"
export URLSCAN_API_KEY="your_urlscan_key"
export SPUR_API_KEY="your_spur_key"
export VALIDIN_API_KEY="your_validin_key"
See references/api-keys.md for the full list of required keys per service.
Available Services
Free Services (No API Key Required)
| Service | Observable Types | Description |
|---|---|---|
| MalwareBazaar | Hash | Malware sample database |
| URLhaus | URL | Malicious URL database |
| DNS0 | Domain | DNS resolver with threat detection |
| Google DNS | Domain | Public DNS resolver |
| Cloudflare DNS | Domain | Public DNS resolver |
| Pulsedive | IP, Domain, URL | Threat intelligence with rate limits |
Services Requiring API Keys
| Service | Observable Types | Best For |
|---|---|---|
| VirusTotal v3 | IP, Domain, URL, Hash | Comprehensive malware detection |
| GreyNoise | IP | Internet background noise and scanner classification |
| Shodan | IP | Open ports, services, and exposed systems |
| AlienVault OTX | IP, Domain, URL, Hash | Threat community data |
| AbuseIPDB | IP | IP reputation and reported abuse |
| URLscan | URL | Live URL scanning and screenshot |
| Spur.us | IP | VPN, proxy, and hosting detection |
| Validin | IP, Domain, Hash | Passive DNS, subdomains, and WHOIS |
See references/services.md for complete service documentation.
Workflows
IOC Investigation
When investigating a suspicious observable, use this pattern:
- Quick triage - Check free services first
openclaw threat-intel ip <target> --services pulsedive
- Deep enrichment - Add premium services for known-bad indicators
openclaw threat-intel ip <target> --services virustotal,greynoise,shodan
- Correlate - Cross-reference with multiple sources
openclaw threat-intel ip <target> --services all
Bulk Enrichment
Process multiple observables from a file:
openclaw threat-intel bulk iocs.txt --output results.json
Format: one observable per line, optionally prefixed with type:
ip:8.8.8.8
domain:evil.com
hash:a3b2c1...
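A parser for the bulk file format described above, added here as an example and not the project's own scripts/bulk_check.py. The auto-detection rules for unprefixed lines (IPv4/IPv6 via ipaddress, hash by hex digest length, scheme-prefixed URLs, otherwise a domain) and the sample list are this example's assumptions; it groups observables by type so malformed lines are rejected before they cost a rate-limited API call.

```python
import ipaddress
import re

# Types the page's CLI accepts; the auto-detection rules are this example's assumption.
KNOWN_TYPES = ("ip", "domain", "url", "hash")
HASH_LENGTHS = (32, 40, 64)  # MD5, SHA1, SHA256 hex digests
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def classify(value: str) -> str:
    """Guess the type of a bare observable; raise ValueError if nothing fits."""
    if value.lower().startswith(("http://", "https://")):
        return "url"
    try:
        ipaddress.ip_address(value)  # accepts both IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if len(value) in HASH_LENGTHS and HEX_RE.match(value):
        return "hash"
    if DOMAIN_RE.match(value):
        return "domain"
    raise ValueError(f"unrecognised observable {value!r}")

def parse_ioc_file(text: str) -> dict[str, list[str]]:
    """Return {type: [values]} from 'type:value' or bare lines; skips blanks and
    '#' comments, lowercases hashes/domains, drops duplicates, rejects bad lines."""
    groups: dict[str, list[str]] = {t: [] for t in KNOWN_TYPES}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        prefix, sep, rest = line.partition(":")  # URLs/IPv6 contain ':' but no known prefix
        kind, value = (prefix.lower(), rest.strip()) if sep and prefix.lower() in KNOWN_TYPES else (None, line)
        try:  # ip/hash prefixes are cheap to verify; domain/url prefixes are trusted as given
            detected = classify(value) if kind in (None, "ip", "hash") else kind
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if kind is not None and detected != kind:
            raise ValueError(f"line {lineno}: prefix {kind!r} but value looks like {detected!r}")
        if detected in ("hash", "domain"):
            value = value.lower()
        if value not in groups[detected]:
            groups[detected].append(value)
    return groups

# Constructed sample input for this example, not taken from the page.
SAMPLE = "ip:8.8.8.8\ndomain:Evil.com\nhash:d41d8cd98f00b204e9800998ecf8427e\n" \
         "http://suspicious.site/payload.exe\n2001:db8::1\nevil.com\n"
```

Each list in the returned dict maps onto one `openclaw threat-intel <type> <value>` invocation, so the result can drive the quick-triage tier before any premium service is queried.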
Scripts
Use these scripts directly for programmatic access:
- scripts/threat_intel.py - Main CLI tool
- scripts/check_ip.py - IP-focused helper script
- scripts/bulk_check.py - Bulk processing
- scripts/setup.py - Explicit interactive API key configuration
Output Formats
Default (Table)
Service | Result | Score | Details
---------------|--------|-------|--------
VirusTotal | ⚠️ Suspicious | 12/71 | 12 vendors flagged
GreyNoise | ✅ Benign | 0% | Classified as benign
AbuseIPDB | ⚠️ Suspicious | 85% | 12 reports
JSON (for automation)
openclaw threat-intel ip 8.8.8.8 --format json
Markdown (for reports)
openclaw threat-intel ip 8.8.8.8 --format markdown
References
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install ionsec-threat-intel
- After installation, invoke the skill by name or use /ionsec-threat-intel
- Provide required inputs per the skill's parameter spec and get structured output
What is IONSEC Threat Intel?
Query multiple threat intelligence services for IOC enrichment including IP reputation, domain analysis, URL scanning, hash lookups, and malware detection. U... It is an AI Agent Skill for Claude Code / OpenClaw, with 114 downloads so far.
How do I install IONSEC Threat Intel?
Run "/install ionsec-threat-intel" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is IONSEC Threat Intel free?
Yes, IONSEC Threat Intel is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does IONSEC Threat Intel support?
IONSEC Threat Intel is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created IONSEC Threat Intel?
It is built and maintained by nirhalfon (@nirhalfon); the current version is v1.0.1.