CTI Expert

Trust Score 72/100

Comprehensive CTI/OSINT analyst skill that turns an agent into a multi-technique investigator for domain, email, username, phone, and image forensics without pa

triggers:ctiosint/case/sweep/breach-deepthreat intelligencetimeline/reportm365 recon

GitHub SKILL.md

What it does

CTI Expert provides a full cyber threat intelligence and open-source intelligence workflow: multi-vector collection, enrichment, assessment, and report delivery. It exposes 60+ commands for recon (sweep, subdomain, breach-deep), enrichment (branch, timeline, crossref), assessment (exposure, threat-model, validate), and delivery (/report, /brief) with strict output and export rules (MD + DOCX). The skill emphasizes collection method tagging, trust scoring, and ASCII-first visual outputs.

When to use it

Use for investigative tasks requiring automated OSINT pipelines: domain or person reconnaissance, breach analysis, incident triage, vulnerability checks, M365 tenant enumeration, and producing evidence-grade reports. Good for security teams, journalists, and analysts performing due diligence without external paid services.

What's included

Scripts: repository includes report generation scripts under scripts/ (DOCX hybrid generator, JSON generators) though has_scripts=false in fetch output for this item — still contains substantive tooling and many technique docs.
References: extensive technique docs, workflows, and architecture references are included.
Instructions: detailed command reference, lifecycle (Acquire, Enrich, Assess, Deliver), and activation matrices.

Compatible agents

Best for Claude Code-style agents that can run browser fetchers, shell commands, and Python scripts; also usable by other advanced assistants that support script execution and file IO.

Audit Summary

CTI Expert is a comprehensive OSINT/CTI analyst skill with 40+ slash commands for domain recon, username enumeration, breach analysis, and report generation. It includes 10 scripts — 6 Python modules for DOCX report generation (charts, diagrams, sections, styles, postprocessing) plus a hybrid pandoc+python-docx pipeline, an install.sh for tool provisioning, and a sample data file. All Python scripts failed on import due to missing dependencies (python-docx, matplotlib, networkx). The generate scripts auto-install deps via subprocess pip at import time, which is a security concern. The install.sh is a thorough but aggressive installer using sudo apt, git clone from external repos, and pipx/pip installs.

Watch Out

Auto-pip-installs dependencies at import time via subprocess.check_call -- runs pip install --break-system-packages without user confirmation
install.sh uses sudo apt-get, git clone from external URLs, and pipx install for OSINT tools like maigret, sherlock, blackbird
install.sh references 'bash <(curl -sL ...)' pattern for ASN tool (manual-only, not auto-executed)
install.sh requires a specific venv path ($HOME/.claude/skills/.venv) — won't work without it
Scripts require python-docx, matplotlib, networkx, numpy to run — heavy dependency chain
generate-cti-docx-hybrid.py also requires pandoc installed and auto-installs it via apt

Missing Dependencies

python-docxmatplotlibnetworkxnumpyscraplingwhoisdomainpandoc

Notes

Well-structured CTI/OSINT skill with extensive command set and professional DOCX report generation pipeline. Main security concern is auto-installing Python packages at import time without user consent. The install.sh is comprehensive but invasive (sudo, git clones from external repos). No data exfiltration or destructive commands. The skill itself is a legitimate OSINT tool — its recon instructions are its stated purpose, not malicious behavior.

Information

Repository: cti-expert
Stars: 77
Installs: 0

Trust Score

Overall72

Security70

Code Quality72

Architecture75

Usefulness62

Related Skills

CTF Write-up Generator

Generate a concise, reproducible submission-style CTF writeup with a one-path solution script, metadata, and a short checklist for fast verification.

Minimal Run & Audit (repro reporting)

Execute a README-first smoke test and produce standardized reproducibility outputs (`repro_outputs/`) and PATCHES.md — trusted reporting for repo reproduction r

Audit Agents/Skills/Commands

Run a quantitative quality audit on agents, skills, and commands to check production readiness and get prioritized recommendations.

Analyzing Ransomware Leak Site Intelligence

Collect and analyze ransomware data-leak site (DLS) posts to extract victim, group, sector and geographic trends for threat intelligence and proactive defense.

Analyzing Ransomware Leak Site Intelligence

Collect and analyze ransomware data-leak site (DLS) postings to extract victim, group, sector, and timeline intelligence for threat hunting and risk assessment.

Dune Analytics (MoonPay Integration)

Run Dune SQL and saved queries via the Dune REST API for on-chain analytics; pairs with MoonPay CLI to create/fund wallets for analysis.

IGF (Grapefruit) CLI

CLI skill to control the IGF (Grapefruit) dynamic instrumentation server for mobile security testing: enumerate Frida devices, inspect apps, run hooks, access f

Evaluating Threat Intelligence Platforms

Guides procurement, evaluation, and proof-of-concept testing for Threat Intelligence Platforms (MISP, OpenCTI, ThreatConnect, Anomali, EclecticIQ) based on inte

Back to Skills