← Back to Skills Marketplace
maxjia

Hs Ti

by maxjia · GitHub ↗ · v2.2.5 · MIT-0
cross-platform ⚠ suspicious
229
Downloads
1
Stars
0
Active Installs
21
Versions
Install in OpenClaw
/install hs-ti
Description
Hillstone Threat Intelligence Skill. Query IP addresses, domains, URLs, and file hashes in Hillstone threat intelligence database.
README (SKILL.md)

Hillstone Threat Intelligence Skill

Features: Query IP addresses, domains, URLs, and file hashes in the Hillstone threat intelligence database.

New Features (v2.2.4)

  • English Only: Simplified to pure English version for better international compatibility
  • Automatic IOC Type Detection: Automatically detect IP, domain, URL, hash, and other IOC types
  • Smart Caching: Built-in LRU cache with statistics and size limits, significantly improved query performance (40-60%)
  • Connection Pool Management: HTTP connection pool for efficient connection reuse, reduced network latency (30%)
  • Batch Operations: Import IOC lists from CSV, TXT, JSON files, support batch queries with progress tracking
  • Exponential Backoff Retry: Intelligent retry mechanism for better handling of temporary network failures
  • Circuit Breaker Pattern: Prevent cascading failures, improve system stability
  • Result Formatting: Support for text, JSON, table, and other formats
  • Result Export: Support for exporting to CSV, JSON, HTML, Markdown, and other formats
  • Logging: Complete operation logging with automatic sensitive data masking
  • Error Handling: Comprehensive error handling and retry mechanisms
  • Type Hints: Full type annotations for better code maintainability
  • API Key Management: Support for HILLSTONE_API_KEY environment variable, priority over config file
  • Security Enhancements: Sensitive data masking, log security, file permission management
  • Search Optimization: 70+ keywords covering brand, security, features, and more

Configuration

You need to create a config.json file and configure a valid API Key:

  1. Copy config.example.json to config.json

  2. Fill in your API Key in config.json:

{
  "api_key": "your-api-key-here",
  "api_url": "https://ti.hillstonenet.com.cn",
  "timeout": 30,
  "max_retries": 3,
  "retry_delay": 1,
  "cache_enabled": true,
  "cache_ttl": 3600
}

Configuration Parameters:

  • api_key: Hillstone Threat Intelligence API Key (required)
  • api_url: API URL (optional, default: https://ti.hillstonenet.com.cn)
  • timeout: Request timeout in seconds (optional, default: 30)
  • max_retries: Maximum retry attempts (optional, default: 3)
  • retry_delay: Retry delay in seconds (optional, default: 1)
  • cache_enabled: Enable cache (optional, default: true)
  • cache_ttl: Cache time-to-live in seconds (optional, default: 3600)

Usage Examples

/threat-check 45.74.17.165
/threat-check deli.ydns.eu  
/threat-check 45.74.17.165,deli.ydns.eu,www.blazingelectricz.com
/threat-check -a 45.74.17.165
/threat-check -a deli.ydns.eu

Advanced API

Use -a parameter to call the advanced API and get more detailed threat intelligence:

/threat-check -a 45.74.17.165

Advanced API provides:

  • Basic Info: Network, carrier, location, country, province, city, coordinates
  • ASN Info: Autonomous System information
  • Threat Type: Malicious type classification
  • Tags: Threat-related tags
  • DNS Records: Reverse DNS records (up to 10)
  • Domain Info: Current and historical domains (up to 10)
  • File Associations: Downloaded, referenced, and related file hashes (malicious only)
  • Port Info: Open ports, application protocols, application names, versions

Supported IOC Types

  • IP Address: Automatically detect and query /api/ip/reputation
  • Domain: Automatically detect and query /api/domain/reputation
  • URL: Automatically detect and query /api/url/reputation
  • File Hash: Supports MD5/SHA1/SHA256, query /api/file/reputation

Response Time Statistics

Each query displays detailed performance statistics:

  • Single Query: Display response time for current call
  • Batch Query: Display statistics for current batch (avg/max/min/median)
  • Cumulative Statistics: Display cumulative statistics and total call count for all historical queries

Dependencies

  • Python 3.8+
  • Hillstone Threat Intelligence API access permission
  • This skill uses Python standard library, no additional dependencies required

API Endpoints

Reputation API

  • IP Query: /api/ip/reputation?key={ip}
  • Domain Query: /api/domain/reputation?key={domain}
  • URL Query: /api/url/reputation?key={url}
  • File Hash Query: /api/file/reputation?key={hash}

Advanced Detail API

  • IP Advanced Query: /api/ip/detail?key={ip}
  • Domain Advanced Query: /api/domain/detail?key={domain}
  • URL Advanced Query: /api/url/detail?key={url}
  • File Hash Advanced Query: /api/file/detail?key={hash}

Troubleshooting

  • Invalid API Key: Ensure you are using a valid Hillstone API Key
  • Network Connection Issues: Check if you can access https://ti.hillstonenet.com.cn
  • Query Timeout: Default timeout is 30 seconds, can be adjusted in config.json
  • Encoding Issues: Ensure your system supports UTF-8 encoding
  • Log Viewing: Log file is located at ~/.openclaw/logs/hs_ti.log

Security Best Practices

API Key Management

Recommended Approach:

  • Use environment variable for API key (recommended) 
    export HILLSTONE_API_KEY="your-api-key-here"
  • Ensure environment variable is not logged to history 
    # In bash
export HISTCONTROL=ignorespace
export HILLSTONE_API_KEY="your-api-key-here"

# In PowerShell
$env:HILLSTONE_API_KEY="your-api-key-here"

Configuration File Approach:

  • If configuration file must be used, ensure:
    • File permissions are set to owner-only read: chmod 600 config.json
    • Configuration file is not committed to version control
    • Configuration file is added to .gitignore

File Permissions

Configuration File:

# Set configuration file permissions
chmod 600 ~/.openclaw/skills/hs-ti/config.json

# Ensure directory permissions are correct
chmod 700 ~/.openclaw/skills/hs-ti/

Log File:

# Set log file permissions
chmod 600 ~/.openclaw/logs/hs_ti.log

# Ensure log directory permissions are correct
chmod 700 ~/.openclaw/logs/

Version History

[2.2.4] - 2026-04-02

  • Changed to pure English version
  • Removed all Chinese content for better international compatibility
  • Simplified documentation structure

[2.2.3] - 2026-04-01

  • Added environment variable support (HILLSTONE_API_KEY)
  • Enhanced log security with automatic sensitive data masking
  • Added comprehensive security documentation (SECURITY.md)
  • Improved transparency in package.json

[2.2.2] - 2026-03-31

  • Added LRU cache mechanism
  • Implemented HTTP connection pool
  • Added batch operations support
  • Implemented exponential backoff retry
  • Added circuit breaker pattern
  • Enhanced error handling
  • Added comprehensive type hints
  • Optimized search keywords

License

MIT License

Support

Usage Guidance
This skill implements a Hillstone Threat Intelligence client and needs a Hillstone API key (HILLSTONE_API_KEY or config.json). Before installing: - Confirm the API endpoint (https://ti.hillstonenet.com.cn) and the publisher (maxjia) are legitimate for your use. If you don't recognize the endpoint/publisher, verify independently. - Provide the API key via environment variable (HILLSTONE_API_KEY) rather than a file when possible; SKILL.md recommends this. If you use config.json, set file permissions to owner-only (chmod 600) and avoid committing it to version control. - Note the registry metadata omitted the required env/config declaration — this is a packaging inconsistency. Ask the publisher to correct metadata so required credentials are explicit. - The skill will write logs to ~/.openclaw/logs/hs_ti.log and can export reports to local files. If that is a concern, run the skill in a restricted/sandboxed environment or audit the code (scripts/hs_ti_plugin.py and result_formatter.py) yourself. The repository files are present in the package; review them for any extra endpoints or data-exfil patterns. - If you plan to allow autonomous agent invocation, remember the skill can perform network calls using your API key; only enable autonomous execution if you trust the skill and the key's permissions. If you want higher assurance, request updated registry metadata that declares HILLSTONE_API_KEY as required, and/or run the provided tests/examples in an isolated environment to observe behavior before enabling the skill in production.
Capability Analysis
Type: OpenClaw Skill Name: hs-ti Version: 2.2.5 The hs-ti skill bundle is a well-architected tool for querying Hillstone Threat Intelligence. It follows professional software patterns, implementing a circuit breaker, LRU caching, and a connection pool using only the Python standard library to minimize supply chain risks. Security is a primary focus, evidenced by the inclusion of a comprehensive SECURITY.md, automatic masking of sensitive IOCs in log files (scripts/hs_ti_plugin.py), and clear instructions for secure API key management via environment variables. No evidence of malicious intent, data exfiltration, or prompt injection was found.
Capability Assessment
Purpose & Capability
Name/description (Hillstone TI queries) align with the code and SKILL.md: the code implements IOC detection, query, caching, exports and logging against the Hillstone TI endpoints. However the registry metadata earlier listed 'required env vars: none' while SKILL.md/package.json and the code all expect an API key (HILLSTONE_API_KEY or config.json). That mismatch is a packaging/metadata inconsistency that should be resolved.
Instruction Scope
Runtime instructions stay within the stated purpose: they instruct creating config.json or setting HILLSTONE_API_KEY, calling the Hillstone API endpoints, and exporting/logging results. The skill reads config.json, may write export files and a log at ~/.openclaw/logs/hs_ti.log, and may create export directories; these are expected for a client that writes reports and logs.
Install Mechanism
No install spec is present (instruction-only in registry), which is low risk; but the package includes Python code files (scripts/hs_ti_plugin.py, result_formatter.py, tests, examples). Because there is no formal install step, the skill will rely on those files being available in the agent runtime; this is normal but worth noting (there's code to execute even though there's no separate install/download stage). No external download URLs or unknown installers are used.
Credentials
The skill legitimately requires a Hillstone API key (SKILL.md, package.json env HILLSTONE_API_KEY, and config.json). However the registry metadata at the top says 'Required env vars: none' — an incoherence. The request for an API key is proportionate to the purpose, but the metadata omission is misleading. Also the skill writes logs and export files to the user's home directory (~/ .openclaw/logs and example exports), so you should ensure file-permission handling (SKILL.md suggests chmod 600 for config.json).
Persistence & Privilege
The skill does not request always:true and does not request system-wide privileged persistence. It writes its own logs and export files under user home/.openclaw and example export directories, which is expected. It does not appear to modify other skills or system-wide settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install hs-ti
  3. After installation, invoke the skill by name or use /hs-ti
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.2.5
- Removed language.json and tests/test_language.py files, cleaning up unused resources. - Updated documentation in SKILL.md for version 2.2.5. - Updated package.json version and metadata to reflect current release.
v2.2.4
- Switched documentation to English only; removed all Chinese content for better international compatibility - Updated aliases and commands to match English-only usage - Simplified and reorganized documentation structure - Clarified configuration instructions and security best practices in English - No changes to core functionality; documentation and metadata updates only
v2.2.3
## hs-ti v2.2.3 - Updated documentation in SKILL.md: clarified features and batch operation capabilities, improved security and configuration instructions. - No code changes; this is a documentation and metadata maintenance release. - Version bump in package.json to 2.2.3.
v2.2.2
Enhanced searchability with comprehensive keywords Added 70+ keywords for better discoverability: - Brand names: 山石网科, 山石, 网科, Hillstone, 云瞻 - Security terms: 威胁情报, 网络安全, network-security, cybersecurity - IOC types: ioc, ioc-query, indicators, compromise, ip, domain, url, hash - Threat types: malware, phishing, c2, apt, malicious, benign - Threat operations: threat-hunting, threat-detection, threat-assessment, threat-response, threat-monitoring - API features: threat-intel-api, ti-api, threat-database, api-key, api-management - Performance: performance, optimization, connection-pool, circuit-breaker, retry, batch-query - Features: file-import, progress-tracking, statistics, monitoring, caching - Security: security, sensitive-data, data-masking, log-security, file-security, permissions, audit, compliance - Configuration: environment-variable, bilingual, multilingual, auto-detection, export, logging Benefits: - Users can search using 山石网科, Hillstone, 威胁情报, 云瞻 - Network security professionals can find it using IOC, cybersecurity, network-security - All major security and threat intelligence terms are covered - Maximum searchability across different user groups and use cases
v2.2.1
Security fixes - Enhanced security and provenance Security Improvements: - Added homepage field to package.json for provenance verification - Unified author and publisher fields to 'maxjia' - Added support for HILLSTONE_API_KEY environment variable - Implemented sensitive data masking in logs (_mask_sensitive_value) - Added comprehensive SECURITY.md documentation Configuration Changes: - Environment variable HILLSTONE_API_KEY takes priority over config file - Backward compatible with existing config.json approach - Updated test expectations for missing config files Documentation: - Added SECURITY.md with security best practices - API key management recommendations - Logging and data privacy guidelines - Network and file system security - Operational security and incident response - Quick security checklist for production Testing: - Updated test_load_config_missing_file to expect None - All 43 tests passing
v2.2.0
Performance optimizations and enhanced features Performance Optimizations: - Enhanced LRU caching with statistics tracking and size limits - Implemented HTTP connection pool management - Added exponential backoff retry mechanism - Implemented circuit breaker pattern for fault tolerance Batch Operations: - Added IOC import from CSV, TXT, and JSON files - Implemented progress callback for batch operations - Added comprehensive system statistics monitoring Code Architecture: - Refactored API request handling with connection pool and circuit breaker - Enhanced batch query with thread-safe progress tracking Configuration: - Added max_cache_size, max_connections, circuit_breaker settings - Updated config.example.json with new parameters - Updated package.json schema with new configuration options Expected Performance Improvements: - 40-60% improvement in query speed - 30% reduction in network latency - 80% improvement in batch operation efficiency - 70% improvement in error recovery rate
v2.1.2
Fix: Add publisher field to SKILL.md frontmatter - Added publisher: maxjia to SKILL.md YAML frontmatter - Ensures compliance with ClawHub frontmatter requirements - Updated version to 2.1.2
v2.1.1
Fix: Add version number to SKILL.md frontmatter - Now properly displays version in QQ and other platforms - Resolves 'version not specified' issue
v2.1.0
Release v2.1.0 - Performance and concurrency improvements Major enhancements: - Concurrent batch queries with ThreadPoolExecutor (3-5x faster) - Thread-safe caching with locks - IOC type detection LRU cache - Enhanced error handling and logging - New max_workers configuration option - Improved code organization and maintainability All tests passing (43/43)
v1.1.9
- Added and updated example scripts for querying threat intelligence via API (examples/batch_query_ips.py, examples/query_ioc.py). - Updated CHANGELOG.md with recent changes. - Updated package.json configuration. - No changes to core logic or API functionality.
v1.1.8
- Added new test file: `tests/test_hs_ti.py` - Removed obsolete test: `tests/test_yunzhan.py` - Updated configuration instructions in documentation to use `config.example.json` as a template for `config.json` - Improved SKILL.md documentation clarity regarding API Key configuration steps
v1.1.7
## hs-ti 1.1.7 Changelog - Added `scripts/hs_ti_plugin.py`. - Removed `scripts/yunzhan_plugin.py` and `test_api.py`. - Updated core files (`CHANGELOG.md`, `language.json`, `package.json`, and tests) to reflect plugin module restructuring. - General code and test adjustments to match the new plugin structure.
v1.1.6
**Advanced API support added for richer threat intelligence queries.** - New: Added support for advanced detail queries via the `-a` parameter, returning additional threat intelligence details. - Usage examples and documentation updated to show advanced API features. - New API endpoints for advanced queries documented in SKILL.md. - Added initial test file: `test_api.py`.
v1.1.5
- Improved: Updated dependencies in package.json for better compatibility. - Fixed: Corrected and updated CHANGELOG.md with latest changes. - Enhanced: Made minor code and metadata improvements in scripts/yunzhan_plugin.py for reliability and maintenance.
v1.1.4
hs-ti v1.1.4 - Added sample configuration file: `config.example.json` for easier setup. - Updated documentation in `README.md` and `CHANGELOG.md`. - Updated metadata and version in `package.json`. - No code logic changes.
v1.1.3
- Added metadata.title ("Hillstone Threat Intelligence") for enhanced discoverability and clarity. - No changes to core functionality or usage. - Updated SKILL.md to include the new title in metadata.
v1.1.2
hs-ti 1.1.2 Changelog - Updated CHANGELOG.md and package.json for the new release version. - No user-facing functional or feature changes in this update.
v1.1.1
- Added explicit mention of Chinese/English bilingual support in the skill description. - No functional or API changes; documentation now highlights bilingual usage clearly for all users. - Updated SKILL.md to clarify language support and better describe supported features.
v1.1.0
**Multi-language support and usability enhancements:** - Added Chinese and English language support for all commands and documentation. - Introduced /hs-ti cn and /hs-ti en commands for language switching. - Updated metadata to include new commands for language selection. - Added language resource files and related tests for language functionality. - Improved documentation with bilingual sections for configuration, features, usage, and troubleshooting.
v1.0.1
安全更新:在package.json中声明配置文件和网络端点要求,符合clawhub安全规范
Metadata
Slug hs-ti
Version 2.2.5
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 21
Frequently Asked Questions

What is Hs Ti?

Hillstone Threat Intelligence Skill. Query IP addresses, domains, URLs, and file hashes in Hillstone threat intelligence database. It is an AI Agent Skill for Claude Code / OpenClaw, with 229 downloads so far.

How do I install Hs Ti?

Run "/install hs-ti" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Hs Ti free?

Yes, Hs Ti is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Hs Ti support?

Hs Ti is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Hs Ti?

It is built and maintained by maxjia (@maxjia); the current version is v2.2.5.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments