| name | PAI OSINT Skill | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| pack-id | pai-osint-skill-v1.3.0 | |||||||||||||
| version | 1.3.0 | |||||||||||||
| author | pai | |||||||||||||
| description | AI-powered Open Source Intelligence collection and analysis with knowledge graph integration and iterative pivot-driven investigations | |||||||||||||
| type | skill | |||||||||||||
| purpose-type |
|
|||||||||||||
| platform | claude-code | |||||||||||||
| dependencies |
|
|||||||||||||
| keywords |
|
AI-powered Open Source Intelligence collection and analysis with knowledge graph integration and iterative pivot-driven investigations
Getting Started:
- Installation Guide - Step-by-step installation wizard
- Verification Checklist - Post-installation validation
Documentation:
- User Guide - Complete usage documentation
- Quick Reference - Command cheat sheet
- Company Research Guide - Business intelligence workflows
- Changelog - Version history and release notes
Advanced:
- Image Analysis Tools - Tool requirements and setup
- Enrichment Roadmap - API integration guide
By Workflow Type:
- Person Investigation: Username enumeration, social media, entity linking
- Domain Intelligence: DNS, WHOIS, subdomains, infrastructure mapping
- Company Research: Corporate profiles, ownership, financials, risk assessment
- Digital Artifacts: Email, phone, and image analysis
Get started immediately with these common OSINT commands:
# Username enumeration
/osint username johndoe
# Domain investigation
/osint domain example.com
# Company research
/osint company "Acme Corporation"
# Email reconnaissance
/osint email john@example.com
# Full investigation with automatic pivot expansion
/osint investigate johndoe --follow-leadsTip: Use natural language instead of /osint:
- "Find all accounts for username johndoe"
- "Research company Acme Corp"
- "Investigate domain example.com"
You are receiving a PAI Pack - a modular upgrade for AI agent systems.
What is PAI? See: PAI Project Overview
What is a Pack? See: Pack System
This pack transforms your AI into an intelligence-gathering platform. The PAI OSINT Skill provides comprehensive workflows for:
- Person Investigation - Username enumeration, social media capture, entity linking
- Domain Intelligence - DNS, WHOIS, certificate transparency, subdomain discovery
- Company Research - Corporate profiles, ownership tracing, financial analysis, risk assessment
- Knowledge Persistence - All findings stored to knowledge graph via the knowledge skill
Core principle: Systematic collection, intelligent analysis, persistent storage.
No more scattered notes across sessions. Your investigations build on each other through the knowledge graph.
Please follow the installation instructions in INSTALL.md to integrate this pack into your infrastructure.
| Component | File | Purpose |
|---|---|---|
| OSINT Skill Definition | skills/osint/SKILL.md |
Intent routing and workflow dispatch |
| Investigation Orchestrator | Workflows/InvestigationOrchestrator.md |
Iterative pivot-driven investigations with parallel agents |
| Username Reconnaissance | Workflows/UsernameRecon.md |
Enumerate usernames across 400+ platforms |
| Domain Reconnaissance | Workflows/DomainRecon.md |
DNS, WHOIS, CT logs, subdomains |
| Social Media Capture | Workflows/SocialCapture.md |
Profile capture to knowledge graph |
| Infrastructure Mapping | Workflows/InfraMapping.md |
Port scanning, service fingerprinting |
| Entity Linking | Workflows/EntityLinking.md |
Cross-source identity resolution |
| Timeline Analysis | Workflows/TimelineAnalysis.md |
Temporal pattern detection |
| Target Profile | Workflows/TargetProfile.md |
Comprehensive target investigation |
| Intel Report | Workflows/IntelReport.md |
Structured intelligence reports |
| Company Profile | Workflows/CompanyProfile.md |
Comprehensive company investigation |
| Corporate Structure | Workflows/CorporateStructure.md |
Ownership, subsidiaries, directors |
| Financial Recon | Workflows/FinancialRecon.md |
SEC filings, funding, investors |
| Competitor Analysis | Workflows/CompetitorAnalysis.md |
Market position, SWOT analysis |
| Risk Assessment | Workflows/RiskAssessment.md |
Litigation, sanctions, due diligence |
| Email Reconnaissance | Workflows/EmailRecon.md |
Email investigation, breach checking |
| Phone Reconnaissance | Workflows/PhoneRecon.md |
Phone number lookup, validation |
| Image Reconnaissance | Workflows/ImageRecon.md |
Image metadata, forensics, reverse search |
Summary:
- Files created: 19 (1 skill + 18 workflows including InvestigationOrchestrator)
- Directories created: 2 (
skills/osint/Workflows/,history/research/osint/) - Dependencies: pai-agents-skill (required), pai-knowledge-system (required), pai-browser-skill (recommended), Bright Data MCP (recommended)
Open Source Intelligence (OSINT) investigations suffer from fragmentation:
For Individual Targets:
- Usernames scattered across 400+ platforms with no systematic enumeration
- Social media profiles captured ad-hoc, never correlated
- Timeline patterns invisible without structured analysis
- Identity links between accounts discovered by accident, not method
For Company Research:
- Corporate structures buried in registries across jurisdictions
- Beneficial ownership hidden behind shell companies
- Financial data scattered across SEC filings, funding databases, news
- Risk signals (litigation, sanctions, adverse media) require multiple searches
For Intelligence Operations:
- Each investigation starts from scratch with no institutional memory
- Findings stored in notes that can't be queried
- Relationships between entities discovered once, then forgotten
- No systematic methodology leads to inconsistent results
The Fundamental Problem:
Traditional OSINT is manual, fragmented, and ephemeral. Investigators repeat work, miss connections, and lose findings between sessions. There's no accumulation of intelligence over time.
The PAI OSINT Skill provides structured, persistent, knowledge-graph-backed intelligence collection.
Architecture:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β PAI OSINT Skill β
β AI-Powered Open Source Intelligence Collection β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββΌββββββββββββββββββββββββββ
β β β
βΌ βΌ βΌ
βββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββ
β osint skill β β browser skill β β knowledge skill β
β β β (Dependency) β β (Dependency) β
β β’ Intent Router β β β β β
β β’ 16 Workflows β β β’ Playwright β β β’ Entity Store β
β β’ Agents β β β’ Session Mgmt β β β’ Relationships β
β β β β’ Screenshots β β β’ Graph Queries β
βββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββ
β β β
βββββββββββββββββββββββββββΌββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββ
β Dual Storage System β
β β
β β’ Knowledge Graph β
β (queryable, linked) β
β β
β β’ File Reports β
β (human-readable) β
βββββββββββββββββββββββββββ
The Intelligence Cycle:
Each workflow follows a consistent 5-step pattern:
- Planning - Define scope, legal/ethical boundaries, OPSEC
- Collection - Systematic acquisition from public sources
- Processing - Normalizing, enriching, correlating data
- Analysis - Identifying patterns, relationships, risk
- Storage - Persist to knowledge graph AND file reports
Design Principles:
- Workflow-Driven: 16 specialized workflows for different intelligence tasks
- Knowledge-First: Every workflow stores to knowledge graph via the knowledge skill
- Dual Storage: Both queryable graph AND human-readable file reports
- Ethical by Design: Legal considerations built into every workflow
- Progressive Enhancement: Works without dependencies, better with them
The OSINT System has 3 architectural layers:
- Intent Routing (SKILL.md) - Triggers map natural language to workflows
- Workflow Execution (Workflows/) - Structured steps with knowledge persistence
- Knowledge Storage (knowledge skill) - Entities and relationships in graph
User: "investigate company Acme Corp"
β
βΌ
βββββββββββββββββββββββββββ
β SKILL.md Intent Router β
β Match: "company" triggerβ
β Route: CompanyProfile β
βββββββββββββ¬ββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββ
β CompanyProfile.md β
β Step 1: Registry search β
β Step 2: Ownership trace β
β Step 3: Financial data β
β Step 4: Risk assessment β
β Step 5: Store to graph β
βββββββββββββ¬ββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββ
β knowledge skill β
β Episode: Company Acme β
β Group: osint-companies β
β Relationships mapped β
βββββββββββββββββββββββββββ
Why This Architecture Matters:
- Explicit Routing: Intent β Workflow β Storage, not fuzzy matching
- Persistent Memory: Every investigation adds to the knowledge graph
- Cross-Investigation Linking: Entity discovered in one workflow appears in future searches
- Audit Trail: Full methodology documented for each collection
This sounds similar to using search engines manually which also finds public information. What makes this approach different?
The OSINT System transforms ad-hoc searching into systematic intelligence collection. Each workflow follows a repeatable methodology, stores findings to a queryable knowledge graph, and builds institutional memory across investigations. Future queries automatically surface past findings.
- Structured workflows replace random searching with methodology
- Knowledge graph stores entities and relationships permanently
- Cross-investigation linking surfaces connections automatically
- Dual storage provides both queryable and human-readable outputs
See INSTALL.md for step-by-step wizard-style installation.
Quick Install:
- Run the analysis commands to check prerequisites
- Answer questions about your OSINT needs
- Copy skill files to
$PAI_DIR/skills/osint/ - Verify with
VERIFY.mdchecklist
The OSINT system triggers on natural language or /osint commands:
| Trigger | Workflow | Description |
|---|---|---|
| "deep dive on X" | InvestigationOrchestrator | Iterative pivot-driven investigation |
| "investigate X, follow the leads" | InvestigationOrchestrator | Auto-expand as intel discovered |
| "find accounts for username X" | UsernameRecon | Enumerate across platforms |
| "investigate domain X" | DomainRecon | DNS, WHOIS, CT logs |
| "capture social profile for @X" | SocialCapture | Store profile to graph |
| "map infrastructure for X" | InfraMapping | Port scan, fingerprint |
| "link entities X and Y" | EntityLinking | Cross-reference identities |
| "analyze timeline for X" | TimelineAnalysis | Temporal patterns |
| "full profile for X" | TargetProfile | Comprehensive investigation |
| "generate report for X" | IntelReport | Structured output |
| "company profile X" | CompanyProfile | Business investigation |
| "corporate structure X" | CorporateStructure | Ownership tracing |
| "financials for X" | FinancialRecon | SEC filings, funding |
| "competitors of X" | CompetitorAnalysis | Market landscape |
| "risk assessment X" | RiskAssessment | Due diligence |
| "email lookup X" | EmailRecon | Email investigation, breach check |
| "phone lookup X" | PhoneRecon | Phone number validation |
| "analyze image X" | ImageRecon | Image metadata, forensics |
User: "Deep dive on username johndoe"
System executes InvestigationOrchestrator workflow:
PHASE 1: Initial Collection (Parallel Agents)
βββ UsernameRecon Agent β Found 15 accounts
βββ SocialCapture Agent β Captured 8 profiles
βββ DomainRecon Agent β Found personal domain
PHASE 2: Pivot Detection
βββ Email discovered: john@example.com (HIGH priority)
βββ Company discovered: Acme Corp (MEDIUM priority)
βββ Domain discovered: johndoe.dev (MEDIUM priority)
PHASE 3: User Approval (Interactive Mode)
"Found 3 pivot opportunities. Pursue 1,2,3 or defer?"
PHASE 4: Expansion (Depth 1)
βββ EmailRecon Agent β 2 breach exposures
βββ CompanyProfile Agent β Corporate structure mapped
βββ DomainRecon Agent β WHOIS, hosting analyzed
PHASE 5: Synthesis & Report
βββ Comprehensive dossier with 27 entities, 45 relationships
Output: Investigation complete. Deferred pivots saved to Knowledge Graph.
User: "Find all accounts for username johndoe"
System executes UsernameRecon workflow:
1. Searches 400+ platforms for "johndoe"
2. Validates discovered accounts
3. Extracts profile metadata
4. Stores to knowledge graph (group: osint-usernames)
5. Saves report to $PAI_DIR/history/research/osint/
Output: Found 15 accounts, stored to knowledge graph
User: "Do a risk assessment on Vendor LLC"
System executes RiskAssessment workflow:
1. Searches litigation databases (PACER, state courts)
2. Checks sanctions lists (OFAC, EU, UK)
3. Scans adverse media
4. Reviews regulatory filings
5. Stores findings to knowledge graph (group: osint-risk)
Output: Risk profile generated with 3 litigation cases identified
User: "Full profile for target johndoe scope comprehensive"
System executes TargetProfile workflow:
1. Runs UsernameRecon
2. Runs DomainRecon (if domains found)
3. Runs SocialCapture
4. Runs EntityLinking
5. Runs TimelineAnalysis
6. Generates consolidated report
7. Stores complete profile to knowledge graph
Output: Comprehensive dossier with 23 entities, 45 relationships
Environment Variables:
Option 1: .env file (recommended):
# $PAI_DIR/.env
PAI_DIR="$HOME/.claude"
# Optional API keys for enhanced capabilities
SHODAN_API_KEY="your_key_here"
SECURITYTRAILS_API_KEY="your_key_here"
HUNTER_API_KEY="your_key_here"Option 2: Shell profile:
# Add to ~/.zshrc or ~/.bashrc
export PAI_DIR="$HOME/.claude"What to Customize: Create investigation templates for your common use cases
Why: Pre-configured investigation parameters speed up repeated tasks
Process:
- Identify your most common OSINT tasks
- Create custom workflow variations in
$PAI_DIR/skills/osint/Workflows/ - Add trigger phrases to SKILL.md
Expected Outcome: One-command investigations for your standard cases
| Customization | File | Impact |
|---|---|---|
| Add API keys | $PAI_DIR/.env |
Enhanced data sources |
| Custom report templates | Workflows/IntelReport.md |
Branded output format |
| Investigation categories | history/research/osint/ |
Organized by case type |
- agents skill - Agent delegation and parallel spawning (required)
- Without this: Cannot execute OSINT workflows
- knowledge skill - Knowledge graph for entity storage (required)
- Without this: Findings stored to files only, no cross-investigation linking
- browser skill - Browser automation for web scraping (recommended)
- Without this: Limited web scraping, some workflows will fail
- Bright Data MCP - Enhanced web scraping and search (recommended)
- Without this: Uses standard search, may hit rate limits on some sites
Required: pai-agents-skill, pai-knowledge-system Recommended: pai-browser-skill, Bright Data MCP (see MCP servers)
See docs/ directory for detailed user guides:
docs/USER_GUIDE.md- Complete usage documentationdocs/COMPANY_RESEARCH.md- Business intelligence workflowsdocs/QUICK_REFERENCE.md- Command cheat sheet
IMPORTANT: This system is designed for authorized investigations only.
- Only collect publicly available information
- Respect privacy laws and platform ToS
- Maintain operational security (OPSEC)
- Document collection methods for audit trails
- Never use for harassment or unauthorized surveillance
- Original concept: Developed as part of PAI personal AI infrastructure
- Methodology: Based on standard OSINT intelligence cycle practices
- Inspired by: Sherlock, theHarvester, Maltego, and professional OSINT frameworks
- pai-browser-skill - Required for JavaScript-heavy sites and authentication
- pai-knowledge-system - Required for knowledge graph persistence
- pai-history-system - Automatically captures investigation sessions
See docs/CHANGELOG.md for full version history.
- Mandatory Agent Delegation - All OSINT workflows now require specialized agents
- Workflow β Agent Trait Mapping - Each workflow has specific recommended traits
- Multi-Agent Orchestration - Complex investigations support parallel agents
- pai-agents-skill is now a required dependency
- Company & Business Research Module - 5 new workflows for corporate intelligence
- Digital Artifact Analysis Module - Email, phone, and image reconnaissance
- Added explicit knowledge skill integration to all 16 workflows
- Added user documentation under
docs/
- Initial release with 8 core workflows
- Browser and knowledge skill integration
- Username enumeration, domain recon, social capture, intelligence reporting