IONSEC Threat Intel

Author nirhalfon · GitHub ↗ · v1.0.1 · MIT-0
cross-platform · security check passed
Total downloads: 114 · Favorites: 0 · Current installs: 0 · Versions: 2

Install in OpenClaw:
/install ionsec-threat-intel

Description

Query multiple threat intelligence services for IOC enrichment including IP reputation, domain analysis, URL scanning, hash lookups, and malware detection. U...

Usage (SKILL.md)

Threat Intel

Overview

Query multiple external threat intelligence services to enrich observables (IPs, domains, URLs, hashes). Aggregates data from security vendors, open-source feeds, and specialized platforms to provide comprehensive IOC context.

Supported Observable Types:

  • IP addresses - Reputation, geolocation, ASN, open ports, malicious activity
  • Domains - WHOIS, DNS records, reputation, phishing detection
  • URLs - Scan reports, redirects, phishing detection, screenshot analysis
  • Hashes (MD5/SHA1/SHA256) - Malware detection, file analysis, known samples

Quick Start

Basic Usage

# Check an IP across multiple services
openclaw threat-intel ip 8.8.8.8 --services greynoise,abuseipdb,virustotal

# Check a domain
openclaw threat-intel domain evil.com --services all

# Check a hash
openclaw threat-intel hash a3b2c1d4e5f6... --services virustotal,otx

# Check a URL
openclaw threat-intel url http://suspicious.site/payload.exe --services urlscan

# View rate limit status
openclaw threat-intel --rate-limits
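The `--rate-limits` command above reports per-service quota state, which the skill keeps in a `rate_limits.json` file next to the skill (see the security notes further down the page). As an added example, not the skill's own code, the limiter below shows how such persisted state can be kept so that quota accounting survives between separate CLI invocations and a crash mid-write cannot leave a corrupt file. The quota numbers, the `demo` helper and the state-file layout are assumptions made for this example; check each vendor's current terms before relying on any figure.

```python
import json
import tempfile
import time
from pathlib import Path

# Constructed per-service quotas as (requests, window_seconds). Illustrative only.
QUOTAS = {
    "virustotal": (4, 60),
    "abuseipdb": (1000, 86400),
    "greynoise": (50, 86400),
}


class RateLimiter:
    """Sliding-window limiter whose state is persisted to a JSON file (e.g. rate_limits.json)
    so that quota accounting survives between separate CLI invocations."""

    def __init__(self, state_file, quotas=QUOTAS, clock=time.time):
        self.state_file = Path(state_file)
        self.quotas = quotas
        self.clock = clock  # injectable so tests can advance time deterministically
        self.calls = self._load()

    def _load(self):
        if not self.state_file.is_file():
            return {}
        try:
            data = json.loads(self.state_file.read_text())
        except (OSError, ValueError):
            return {}  # unreadable or corrupt state: start fresh instead of crashing
        if not isinstance(data, dict):
            return {}
        return {svc: [float(t) for t in ts] for svc, ts in data.items() if svc in self.quotas}

    def _save(self):
        # Write to a sibling temp file and rename: a crash mid-write never truncates the state file.
        tmp = self.state_file.with_suffix(".tmp")
        tmp.write_text(json.dumps(self.calls))
        tmp.replace(self.state_file)

    def _prune(self, service, now):
        _, window = self.quotas[service]
        self.calls[service] = [t for t in self.calls.get(service, []) if now - t < window]

    def remaining(self, service):
        if service not in self.quotas:
            return None  # no quota configured for this service: treated as unlimited
        self._prune(service, self.clock())
        return self.quotas[service][0] - len(self.calls[service])

    def try_acquire(self, service):
        """Record one call if the quota allows it. Returns (allowed, seconds_until_next_slot)."""
        if service not in self.quotas:
            return True, 0.0
        now = self.clock()
        self._prune(service, now)
        limit, window = self.quotas[service]
        if len(self.calls[service]) >= limit:
            return False, round(min(self.calls[service]) + window - now, 1)
        self.calls[service].append(now)
        self._save()
        return True, 0.0

    def status(self):
        """Per-service summary in the spirit of `--rate-limits`."""
        return {svc: f"{self.remaining(svc)}/{limit} left per {window}s"
                for svc, (limit, window) in self.quotas.items()}


def demo():
    """Constructed scenario: exhaust the VirusTotal quota, reload state as a second CLI run would,
    then advance the clock past the window. Returns the observed decisions."""
    fake_now = [1_700_000_000.0]

    def clock():
        return fake_now[0]

    with tempfile.TemporaryDirectory() as tmp:
        state = Path(tmp) / "rate_limits.json"
        first = RateLimiter(state, clock=clock)
        decisions = [first.try_acquire("virustotal")[0] for _ in range(5)]
        second = RateLimiter(state, clock=clock)  # fresh object reloads the persisted calls
        blocked, wait = second.try_acquire("virustotal")
        fake_now[0] += 60  # window elapsed
        after_window = second.try_acquire("virustotal")[0]
        return decisions, blocked, wait, after_window


if __name__ == "__main__":
    print(demo())
```

The point of reloading from disk in `demo` is that a CLI tool is a new process on every invocation; without persisted state, each run would start with a full quota and the vendor would be the one enforcing the limit, usually by returning errors or disabling the key.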

API Key Management

Most services require API keys. Configure them interactively:

openclaw threat-intel setup

Or set environment variables:

export VT_API_KEY="your_virustotal_key"
export GREYNOISE_API_KEY="your_greynoise_key"
export SHODAN_API_KEY="your_shodan_key"
export OTX_API_KEY="your_otx_key"
export ABUSEIPDB_API_KEY="your_abuseipdb_key"
export URLSCAN_API_KEY="your_urlscan_key"
export SPUR_API_KEY="your_spur_key"
export VALIDIN_API_KEY="your_validin_key"

See references/api-keys.md for full list of required keys per service.
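Environment variables take precedence over keys that `setup` saves into the skill-local config.json (the capability assessment further down the page states this, and the security notes recommend environment variables to keep keys off disk). As an added example, not the skill's own code, the resolver below applies that precedence, treats the page's free services as needing no key, skips a service for which no key is available rather than sending an empty credential, and warns when config.json is readable by other users. The `{"api_keys": {...}}` layout of config.json and the `demo` helper are assumptions made for this example.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Service name -> environment variable, as listed in the setup instructions above.
ENV_VARS = {
    "virustotal": "VT_API_KEY",
    "greynoise": "GREYNOISE_API_KEY",
    "shodan": "SHODAN_API_KEY",
    "otx": "OTX_API_KEY",
    "abuseipdb": "ABUSEIPDB_API_KEY",
    "urlscan": "URLSCAN_API_KEY",
    "spur": "SPUR_API_KEY",
    "validin": "VALIDIN_API_KEY",
}

# Services from the page's "Free Services" table: usable without a key.
NO_KEY_SERVICES = {"malwarebazaar", "urlhaus", "dns0", "google_dns", "cloudflare_dns", "pulsedive"}


def load_config_keys(config_path, warnings):
    """Read keys saved in a skill-local config.json (assumed layout: {"api_keys": {service: key}}).
    Warn if the file is readable by group/others, since it holds secrets in plaintext."""
    path = Path(config_path)
    if not path.is_file():
        return {}
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        warnings.append(f"{path} is readable by others (mode {mode:04o}); chmod 600 it")
    try:
        data = json.loads(path.read_text())
    except (OSError, ValueError) as exc:
        warnings.append(f"{path}: cannot parse ({exc}); ignoring saved keys")
        return {}
    keys = data.get("api_keys", {}) if isinstance(data, dict) else {}
    return {svc.lower(): key for svc, key in keys.items() if isinstance(key, str) and key}


def resolve_keys(requested, environ, config_path, warnings):
    """Return {service: key} for services that can be queried. Env var beats config.json;
    free services map to None; services with no usable key are dropped with a warning."""
    saved = load_config_keys(config_path, warnings)
    resolved = {}
    for name in requested:
        svc = name.lower()
        if svc in NO_KEY_SERVICES:
            resolved[svc] = None
            continue
        if svc not in ENV_VARS:
            warnings.append(f"unknown service {name!r}; skipped")
            continue
        key = environ.get(ENV_VARS[svc]) or saved.get(svc)
        if not key:
            warnings.append(f"{svc}: no key in ${ENV_VARS[svc]} or {config_path}; skipped")
            continue
        resolved[svc] = key
    return resolved


def demo():
    """Constructed scenario: a world-readable config.json with two saved keys and an environment
    that overrides one of them. Returns (resolved, warnings)."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "config.json"
        cfg.write_text(json.dumps({"api_keys": {"virustotal": "cfg-vt-key", "shodan": "cfg-shodan-key"}}))
        os.chmod(cfg, 0o644)  # deliberately too permissive, to trigger the warning
        warnings = []
        resolved = resolve_keys(
            ["virustotal", "shodan", "pulsedive", "greynoise", "bogus"],
            {"VT_API_KEY": "env-vt-key"},
            cfg,
            warnings,
        )
        return resolved, warnings


if __name__ == "__main__":
    res, warns = demo()
    print(res)
    for w in warns:
        print("warning:", w)
```

Passing `environ` explicitly instead of reading `os.environ` inside the function keeps the resolver testable and makes it obvious which variables the skill consults; the same pattern lets a wrapper hand it a scrubbed environment when running in a shared agent host.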

Available Services

Free Services (No API Key Required)

Service        | Observable Types | Description
---------------|------------------|------------------------------------
MalwareBazaar  | Hash             | Malware sample database
URLhaus        | URL              | Malicious URL database
DNS0           | Domain           | DNS resolver with threat detection
Google DNS     | Domain           | Public DNS resolver
Cloudflare DNS | Domain           | Public DNS resolver
Pulsedive      | IP, Domain, URL  | Threat intelligence with rate limits

Services Requiring API Keys

Service        | Observable Types      | Best For
---------------|-----------------------|-----------------------------------------------------
VirusTotal v3  | IP, Domain, URL, Hash | Comprehensive malware detection
GreyNoise      | IP                    | Internet background noise and scanner classification
Shodan         | IP                    | Open ports, services, and exposed systems
AlienVault OTX | IP, Domain, URL, Hash | Threat community data
AbuseIPDB      | IP                    | IP reputation and reported abuse
URLscan        | URL                   | Live URL scanning and screenshot
Spur.us        | IP                    | VPN, proxy, and hosting detection
Validin        | IP, Domain, Hash      | Passive DNS, subdomains, and WHOIS

See references/services.md for complete service documentation.

Workflows

IOC Investigation

When investigating a suspicious observable, use this pattern:

  1. Quick triage - Check free services first

    openclaw threat-intel ip <target> --services pulsedive

  2. Deep enrichment - Add premium services for known-bad indicators

    openclaw threat-intel ip <target> --services virustotal,greynoise,shodan

  3. Correlate - Cross-reference with multiple sources

    openclaw threat-intel ip <target> --services all

Bulk Enrichment

Process multiple observables from a file:

openclaw threat-intel bulk iocs.txt --output results.json

Format: one observable per line, optionally prefixed with type:

ip:8.8.8.8
domain:evil.com
hash:a3b2c1...
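When the type prefix is absent, the bulk processor has to infer the observable type before it can choose which services to query. As an added example, not the skill's own `bulk_check.py`, the parser below handles both forms of the file format: it validates prefixed values so that a mislabeled line such as `ip:evil.com` is rejected up front instead of being sent to every IP service, infers ip / hash / url / domain for unprefixed lines, normalizes case-insensitive observables to lowercase, and reports bad lines by line number. The sample file contents, `SAMPLE_IOCS`, are constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Explicit prefixes accepted in the bulk file ("type:observable").
KNOWN_TYPES = ("ip", "domain", "url", "hash")

# Digest lengths for the hash types the page lists.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hostname with at least one dot: labels of 1-63 alphanumerics/hyphens, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def detect_type(value):
    """Infer ip / hash / url / domain for a bare observable; raise ValueError if none fits."""
    v = value.strip()
    if not v:
        raise ValueError("empty observable")
    try:
        ipaddress.ip_address(v)  # accepts both IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if HEX_RE.match(v) and len(v) in HASH_LENGTHS:
        return "hash"
    if "://" in v:
        parts = urlsplit(v)
        if parts.scheme in ("http", "https") and parts.netloc:
            return "url"
        raise ValueError(f"unsupported URL: {v}")
    if DOMAIN_RE.match(v):
        return "domain"
    raise ValueError(f"unrecognized observable: {v}")


def parse_line(line):
    """Parse one bulk-file line into (type, value), or None for blank/comment lines.
    A prefixed value is still validated so that a mislabeled line is rejected here."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    kind, sep, rest = line.partition(":")
    if sep and kind.lower() in KNOWN_TYPES and rest.strip():
        kind, value = kind.lower(), rest.strip()
        inferred = detect_type(value)
        if inferred != kind:
            raise ValueError(f"prefix {kind!r} does not match value {value!r} (looks like {inferred})")
    else:
        value = line  # no usable prefix: the whole line is the observable (URLs contain ':' too)
        kind = detect_type(value)
    if kind in ("domain", "hash"):
        value = value.lower()  # case-insensitive observables: normalize for cache keys and dedup
    return kind, value


def parse_bulk(text):
    """Parse whole-file text. Returns (observables, errors); errors are (line_no, message)."""
    observables, errors = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        try:
            item = parse_line(raw)
        except ValueError as exc:
            errors.append((line_no, str(exc)))
            continue
        if item is not None:
            observables.append(item)
    return observables, errors


# Constructed sample file for this example (the two hashes are the well-known empty-input digests).
SAMPLE_IOCS = """\
# constructed sample iocs.txt
ip:8.8.8.8
domain:evil.com
hash:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
http://suspicious.site/payload.exe
2001:db8::1
ip:evil.com
d41d8cd98f00b204e9800998ecf8427e
"""

if __name__ == "__main__":
    found, bad = parse_bulk(SAMPLE_IOCS)
    for kind, value in found:
        print(f"{kind:6} {value}")
    for line_no, msg in bad:
        print(f"line {line_no}: {msg}")
```

Rejecting malformed lines before any lookup matters for cost as much as correctness: with `--services all`, one bad line would otherwise consume a request against every keyed service's quota.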

Scripts

Use these scripts directly for programmatic access:

  • scripts/threat_intel.py - Main CLI tool
  • scripts/check_ip.py - IP-focused helper script
  • scripts/bulk_check.py - Bulk processing
  • scripts/setup.py - Explicit interactive API key configuration

Output Formats

Default (Table)

Service    | Result        | Score | Details
-----------|---------------|-------|---------------------
VirusTotal | ⚠️ Suspicious | 12/71 | 12 vendors flagged
GreyNoise  | ✅ Benign      | 0%    | Classified as benign
AbuseIPDB  | ⚠️ Suspicious | 85%   | 12 reports

JSON (for automation)

openclaw threat-intel ip 8.8.8.8 --format json

Markdown (for reports)

openclaw threat-intel ip 8.8.8.8 --format markdown
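The "Correlate" step of the IOC Investigation workflow and the table above both depend on reducing each vendor's differently shaped answer to a common verdict. As an added example, not the skill's own code, the aggregator below normalizes three constructed results shaped after the table (a VirusTotal detection ratio, a GreyNoise classification, an AbuseIPDB confidence score) into one label and score per service, then derives an overall verdict in which one benign classification does not cancel flags from other sources. The field names in `SAMPLE_RESULTS`, the thresholds, and the severity ordering are this example's assumptions, not any vendor's API schema.

```python
# Constructed per-service results shaped after the page's table example. The keys are this
# example's own normalized fields, not the vendors' raw API response formats.
SAMPLE_RESULTS = {
    "virustotal": {"malicious": 12, "total": 71},
    "greynoise": {"classification": "benign"},
    "abuseipdb": {"confidence": 85, "reports": 12},
}

# Severity ordering used to combine labels; "unknown" never outranks a real answer.
SEVERITY = {"unknown": 0, "benign": 1, "suspicious": 2, "malicious": 3}


def normalize(service, data):
    """Map one service's fields to (label, score 0-100 or None, details). Thresholds are assumptions."""
    if service == "virustotal":
        total, bad = data.get("total", 0), data.get("malicious", 0)
        if total == 0:
            return "unknown", None, "no analysis results"
        if bad / total >= 0.25:
            label = "malicious"
        elif bad >= 3:  # one or two vendors alone is a common false-positive pattern
            label = "suspicious"
        else:
            label = "benign"
        return label, round(100 * bad / total), f"{bad}/{total} vendors flagged"
    if service == "greynoise":
        cls = data.get("classification", "unknown")
        score = {"benign": 0, "malicious": 100}.get(cls)
        return (cls if cls in SEVERITY else "unknown"), score, f"classified as {cls}"
    if service == "abuseipdb":
        conf = data.get("confidence", 0)
        label = "malicious" if conf >= 90 else "suspicious" if conf >= 25 else "benign"
        return label, conf, f"{data.get('reports', 0)} reports"
    return "unknown", None, "no normalizer for this service"


def aggregate(results):
    """Combine per-service results. The verdict is the highest severity seen, so a benign
    classification from one source never masks flags from another; disagreement is itself signal."""
    rows = []
    for service, data in results.items():
        label, score, details = normalize(service, data)
        rows.append({"service": service, "label": label, "score": score, "details": details})
    flagged = sorted(r["service"] for r in rows if SEVERITY[r["label"]] >= SEVERITY["suspicious"])
    verdict = max((r["label"] for r in rows), key=SEVERITY.get, default="unknown")
    return {"verdict": verdict, "flagged_by": flagged, "rows": rows}


def render_table(rows):
    """Render rows in the page's table layout (Service | Result | Score | Details)."""
    lines = ["Service     | Result     | Score | Details",
             "------------|------------|-------|--------"]
    for r in rows:
        score = "-" if r["score"] is None else f"{r['score']}%"
        lines.append(f"{r['service']:<12}| {r['label']:<11}| {score:<6}| {r['details']}")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = aggregate(SAMPLE_RESULTS)
    print(render_table(summary["rows"]))
    print(f"verdict: {summary['verdict']} (flagged by {', '.join(summary['flagged_by'])})")
```

Keeping the per-service rows alongside the verdict is deliberate: the JSON output feeds automation, and an analyst reviewing a "suspicious" verdict needs to see that it rests on AbuseIPDB reports and a minority of VirusTotal vendors while GreyNoise disagrees, rather than a single opaque score.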

References

Security usage notes
This skill appears to do what it claims: aggregate threat intel from many public and API-key services. Before installing, consider: (1) API keys you provide may be saved to the skill's config.json in the skill directory (prefer environment variables to avoid writing keys to disk); (2) the skill creates a .cache directory and a rate_limits.json state file next to the skill to store cached responses and rate-limit state; (3) the code contains some bugs/typos (e.g., variable-name mistakes in the AbuseIPDB classification) that may cause runtime errors, so expect occasional failures and check logs; (4) the skill makes network requests to the listed third-party endpoints (VirusTotal, Shodan, GreyNoise, URLScan, etc.), which can have privacy, rate-limit, or billing implications once you enable API keys; (5) run it in a controlled environment if you are concerned about stored keys or created files. For higher assurance, review the bundled scripts (they are included) or run the skill in an isolated container before giving it production access.
Functional analysis
Type: OpenClaw Skill. Name: ionsec-threat-intel. Version: 1.0.1. The IONSEC Threat Intel skill bundle is a legitimate tool for enriching security observables (IPs, domains, hashes, URLs) using over 14 third-party threat intelligence services. The implementation is modular, using a base service class (`scripts/services/base.py`) to handle rate limiting, caching, and authenticated requests. API keys are stored locally in `config.json` and are only transmitted to the respective official service endpoints (e.g., VirusTotal, Shodan, GreyNoise). No evidence of data exfiltration, malicious execution, or prompt injection was found in the code or documentation.
Capability tags
crypto, can-make-purchases
Capability assessment
Purpose & Capability
Name/description (IOC enrichment) match the implemented code. All required API keys and services (VirusTotal, GreyNoise, Shodan, etc.) are relevant to threat-intel functionality. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md instructs the agent and user to query external TI services and to run an interactive setup that writes keys to a skill-local config.json. The runtime instructions and scripts only reference service endpoints and skill-local files; they do not attempt to read system-wide credentials or unexpected host files. Note: the skill will create and use a .cache directory and a config.json next to the skill to store rate-limit state, cached responses, and optionally saved API keys.
Install Mechanism
No install spec or external downloads; code is bundled with the skill. Nothing is fetched from arbitrary URLs during install. No installer creates system-wide binaries or writes outside the skill directory.
Credentials
The environment variables and API keys mentioned (VT_API_KEY, GREYNOISE_API_KEY, SHODAN_API_KEY, etc.) correspond directly to the external services the skill integrates with. Keys are optional for free-service fallback; using env vars is supported and takes precedence over the local config file.
Persistence & Privilege
always:false (not forced into every agent run). The skill writes only to its own skill-local files (config.json and a .cache directory) and does not modify other skills or global agent configuration. It may exec the included setup script when explicitly invoked.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install ionsec-threat-intel
  3. After installation, invoke the skill by name or trigger it with /ionsec-threat-intel
  4. Provide the required inputs per the skill's parameter description to get structured output
Version history
v1.0.1
- Updated API key setup instructions to include additional supported environment variables.
- Adjusted and simplified the lists of available free and paid threat intelligence services.
- Refined service descriptions and observable type mappings for clarity.
- Streamlined workflow recommendations and script references.
- Improved consistency in output format instructions.
v1.0.0
Initial release of IONSEC-threat-intel.
- Query multiple threat intelligence services for IPs, domains, URLs, and file hashes.
- Aggregates enrichment data from sources like VirusTotal, GreyNoise, Shodan, AbuseIPDB, AlienVault OTX, and several Abuse.ch services.
- Supports both free and API-key-protected services with easy API key setup.
- Provides IOC investigation workflows, bulk enrichment, and multiple output formats (table, JSON, markdown).
- Includes command-line scripts for manual and automated use.
Metadata
Slug: ionsec-threat-intel
Version: 1.0.1
License: MIT-0
Total installs: 0
Current installs: 0
Version count: 2
FAQ

What is IONSEC Threat Intel?

Query multiple threat intelligence services for IOC enrichment including IP reputation, domain analysis, URL scanning, hash lookups, and malware detection. U... It is an AI agent skill plugin for Claude Code / OpenClaw, with 114 downloads to date.

How do I install IONSEC Threat Intel?

Run the command "/install ionsec-threat-intel" in the OpenClaw or Claude Code chat box to install it in one step. Most of the services it queries require API keys, which you configure afterwards with `openclaw threat-intel setup` or through environment variables (see API Key Management above).

Is IONSEC Threat Intel free?

The skill itself is free under the MIT-0 license and can be downloaded, installed and used without restriction. The third-party services it queries are separate: some work without an API key, while others require keys that may carry rate limits or billing.

Which platforms does IONSEC Threat Intel support?

IONSEC Threat Intel is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.

Who develops IONSEC Threat Intel?

Developed and maintained by nirhalfon (@nirhalfon); the current version is v1.0.1.
