← Back to Skills Marketplace
gandli

Ctf Osint

by gandli · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
189
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install ctf-osint
Description
Provides open source intelligence techniques for CTF challenges. Use when gathering information from public sources, social media, geolocation, DNS records,...
README (SKILL.md)

CTF OSINT

Quick reference for OSINT CTF challenges. Each technique has a one-liner here; see supporting files for full details.

Prerequisites

Python packages (all platforms):

pip install shodan Pillow

Linux (apt):

apt install whois dnsutils nmap libimage-exiftool-perl imagemagick curl

macOS (Homebrew):

brew install whois bind nmap exiftool imagemagick curl

Additional Resources

  • social-media.md - Twitter/X (user IDs, Snowflake timestamps, Nitter, memory.lol, Wayback CDX), Tumblr (blog checks, post JSON, avatars), BlueSky search + API, Unicode homoglyph steganography, Discord API, username OSINT (namechk, whatsmyname, Osint Industries), username metadata mining (postal codes), platform false positives, multi-platform chains, Strava fitness route OSINT
  • geolocation-and-media.md - Image analysis, reverse image search (including Baidu for China), Google Lens cropped region search, reflected/mirrored text reading, geolocation techniques (railroad signs, infrastructure maps, MGRS), Google Plus Codes, EXIF/metadata, hardware identification, newspaper archives, IP geolocation, Google Street View panorama matching, What3Words micro-landmark matching, Google Maps crowd-sourced photo verification, Overpass Turbo spatial queries, music-themed landmark geolocation with key encoding
  • web-and-dns.md - Google dorking (including TBS image filters), Google Docs/Sheets enumeration, DNS recon (TXT, zone transfers), Wayback Machine, FEC research, Tor relay lookups, GitHub repository analysis, Telegram bot investigation, WHOIS investigation (reverse WHOIS, historical WHOIS, IP/ASN lookup), fake service banner detection via nmap fingerprinting

When to Pivot

  • If you already have the files or packets locally and now need extraction or carving, switch to /ctf-forensics.
  • If the task becomes active exploitation of a live HTTP service, switch to /ctf-web.
  • If you uncover malware samples, beacons, or suspicious binaries during attribution, switch to /ctf-malware.

Quick Start Commands

# DNS recon
dig -t any target.com
dig -t txt target.com
dig axfr @ns.target.com target.com
whois target.com

# Image metadata
exiftool image.jpg
identify -verbose image.jpg | head -30

# Web archive
curl "https://web.archive.org/web/20230101*/target.com"

# Username lookup
curl -s "https://whatsmyname.app/api/lookup?username=\x3Cuser>"

# Shodan
shodan search "hostname:target.com"
shodan host \x3Cip>

String Identification

  • 40 hex chars -> SHA-1 (Tor fingerprint)
  • 64 hex chars -> SHA-256
  • 32 hex chars -> MD5

Twitter/X Account Tracking

  • Persistent numeric User ID: https://x.com/i/user/\x3Cid> works even after renames.
  • Snowflake timestamps: (id >> 22) + 1288834974657 = Unix ms.
  • Wayback CDX, Nitter, memory.lol for historical data. See social-media.md.

Tumblr Investigation

  • Blog check: curl -sI for x-tumblr-user header. Avatar at /avatar/512. See social-media.md.

Username OSINT

Image Analysis & Reverse Image Search

  • Google Lens (crop to region of interest), Google Images, TinEye, Yandex (faces). Check corners for visual stego. Twitter strips EXIF. See geolocation-and-media.md.
  • Cropped region search: Isolate distinctive elements (shop signs, building facades) and search via Google Lens for better results than full-scene search. See geolocation-and-media.md.
  • Reflected text: Flip mirrored/reflected text (water, glass) horizontally; search partial text with quoted strings. See geolocation-and-media.md.

Geolocation

  • Railroad signs, infrastructure maps (OpenRailwayMap, OpenInfraMap), process of elimination. See geolocation-and-media.md.
  • Street View panorama matching: Feature extraction + multi-metric image similarity ranking against candidate panoramas. Useful when challenge image is a crop of a Street View photo. See geolocation-and-media.md.
  • Road sign OCR: Extract text from directional signs (town names, route numbers) to pinpoint road corridors. Driving side + sign style + script identify the country. See geolocation-and-media.md.
  • Architecture + brand identification: Post-Soviet concrete = Russia/CIS; named businesses → search locations/branches → cross-reference with coastline/terrain. See geolocation-and-media.md.
  • Music-themed landmark geolocation: Multiple images of music-related landmarks worldwide; each yields a piano key number encoding one flag character. Identify all locations first, then decode the key sequence. See geolocation-and-media.md.

MGRS Coordinates

Google Plus Codes

  • Format XXXX+XXX (chars: 23456789CFGHJMPQRVWX). Drop a pin on Google Maps → Plus Code appears in details. Free, no API key needed. See geolocation-and-media.md.

Metadata Extraction

exiftool image.jpg           # EXIF data
pdfinfo document.pdf         # PDF metadata
mediainfo video.mp4          # Video metadata

Google Dorking

site:example.com filetype:pdf
intitle:"index of" password

Image TBS filters: Append &tbs=itp:face to Google Image URLs to filter for faces only (strips logos/banners). See web-and-dns.md.

Google Docs/Sheets

  • Try /export?format=csv, /pub, /gviz/tq?tqx=out:csv, /htmlview. See web-and-dns.md.

DNS Reconnaissance

dig -t txt subdomain.ctf.domain.com
dig axfr @ns.domain.com domain.com  # Zone transfer

Always check TXT, CNAME, MX for CTF domains. See web-and-dns.md.

Tor Relay Lookups

  • https://metrics.torproject.org/rs.html#simple/\x3CFINGERPRINT> -- check family, sort by "first seen". See web-and-dns.md.

GitHub Repository Analysis

  • Check issue comments, PR reviews, commit messages, wiki edits via gh api. See web-and-dns.md.

Telegram Bot Investigation

  • Find bot references in browser history, interact via /start, answer verification questions. See web-and-dns.md.

FEC Political Donation Research

  • FEC.gov for committee receipts; 501(c)(4) orgs obscure original funders. See web-and-dns.md.

IP Geolocation

curl "http://ip-api.com/json/103.150.68.150"

See geolocation-and-media.md.

Unicode Homoglyph Steganography

Pattern: Visually-identical Unicode characters from different blocks (Cyrillic, Greek, Math) encode binary data in social media posts. ASCII = 0, homoglyph = 1. Group bits into bytes for flag. See social-media.md.

BlueSky Public API

No auth needed. Endpoints: public.api.bsky.app/xrpc/app.bsky.feed.searchPosts?q=..., app.bsky.actor.searchActors, app.bsky.feed.getAuthorFeed. Check all replies to official posts. See social-media.md.

Fake Service Banner Detection

Pattern: Port appears open on a standard service port (22/SSH, 80/HTTP) but runs a fake service. nmap -sV or nc host port reveals the flag in the banner. Never trust port numbers alone -- always fingerprint the service. See web-and-dns.md.

Shodan SSH Fingerprint Lookup

Search Shodan by SSH host key fingerprint to identify servers: shodan search "fingerprint:AA:BB:CC:...". See web-and-dns.md.

Gaming Platform OSINT

Lookup usernames across gaming platforms (Steam, Xbox, PSN, MMOs) for character profiles, activity, and linked accounts. See social-media.md.

Resources

  • Shodan - Internet-connected devices
  • Censys - Certificate and host search
  • VirusTotal - File/URL reputation
  • WHOIS - Domain registration
  • Wayback Machine - Historical snapshots
Usage Guidance
This is a documentation-only OSINT skill that appears to do what it says. Before installing or running it: (1) verify the skill source/owner if you require provenance; (2) be cautious if you plan to execute example commands — active scans (nmap, dig axfr, ssh-keyscan) can be intrusive and may be illegal or violate terms; (3) the guide includes examples that read local artifacts (e.g., browser History), which can leak private data — ensure your agent/runtime has appropriate sandboxing and you consent to that access; (4) several examples reference third-party API keys (Shodan, SecurityTrails, Google) even though the skill does not declare env vars — only provide such keys if you trust the runtime and need those features; and (5) note the minor metadata inconsistency about the skill being user-invocable in one place and not in another — consider confirming expected invocation behavior with the publisher or by testing in a safe environment.
Capability Assessment
Purpose & Capability
The name/description (CTF OSINT) matches the files and runtime instructions: DNS, web, social media, reverse image, geolocation, and related tooling. The SKILL.md's prerequisites (bash, Python 3, internet, and optional packages like shodan/exiftool) are proportional to the documented techniques. One minor inconsistency: the SKILL.md metadata sets "user-invocable: \"false\"" while the registry metadata lists the skill as user-invocable; this is an administrative mismatch but does not change the capability footprint.
Instruction Scope
Instructions stick to OSINT/CTF tasks (dig, whois, exiftool, reverse-image searches, feature-matching code examples). They also contain examples that access local forensic artifacts (e.g., opening a browser History SQLite file) and recommend active network probing (nmap, zone transfers, ssh-keyscan). Those actions are plausible for CTFs but are sensitive: local file reads expose private data and active scans can be intrusive or disallowed against third-party targets. The SKILL.md also uses examples referencing API keys (Shodan, SecurityTrails) even though no env vars are declared.
Install Mechanism
This is instruction-only (no install spec, no external downloads). The file lists suggested package installs (pip/apt/brew) as prerequisites rather than performing hidden installs. That is low risk compared with skills that download and execute archives, but users should review any package commands before running them.
Credentials
The skill declares no required environment variables or credentials, which is reasonable for a documentation-only OSINT guide. However, multiple examples demonstrate use of third-party APIs (Shodan, SecurityTrails, Google Street View API) that require API keys. The skill does not declare or request those keys explicitly; if you provide keys to the agent/runtime, they would be useful but are optional. Also, instructions that read local files (browser History) require filesystem access and may expose sensitive secrets unrelated to public OSINT.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or global agent settings. The default ability for the model to invoke the skill autonomously (disable-model-invocation:false) is unchanged and not, by itself, a red flag in this context.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install ctf-osint
  3. After installation, invoke the skill by name or use /ctf-osint
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Quick reference for open source intelligence (OSINT) CTF techniques. - Covers reconnaissance across public sources: social media, geolocation, usernames, DNS records, reverse image search, Google dorking, Wayback Machine, Tor, FEC, and more. - Includes ready-to-use command examples and platform-specific installation instructions. - Offers guidance for identifying unknown data (hashes, coordinates) and pivoting between related CTF skill sets. - Extensive supplementary resource links for in-depth OSINT tasks. - Concise workflows for social media analysis, image and metadata extraction, web archives, DNS research, and technical artifact identification.
Metadata
Slug ctf-osint
Version 1.0.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Ctf Osint?

Provides open source intelligence techniques for CTF challenges. Use when gathering information from public sources, social media, geolocation, DNS records,... It is an AI Agent Skill for Claude Code / OpenClaw, with 189 downloads so far.

How do I install Ctf Osint?

Run "/install ctf-osint" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Ctf Osint free?

Yes, Ctf Osint is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Ctf Osint support?

Ctf Osint is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Ctf Osint?

It is built and maintained by gandli (@gandli); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments