
cti expert

CTI Expert — Cyber Threat Intelligence & OSINT analysis skill for Claude Code. 67+ commands, 35 techniques, no API keys required.

65 · by @7onez · updated 5d ago · License: NOASSERTION · GitHub →

Compatibility: Claude Code, Gemini

Description

CTI Expert

Cyber Threat Intelligence & OSINT Analysis Toolkit

Transform Claude into a trained intelligence analyst — 67+ commands, 35 techniques, zero API keys required for core functionality.

Built by Hieu Ngo • [email protected] • chongluadao.vn


What is CTI Expert?

A Claude Code skill that transforms Claude into a trained cyber threat intelligence and open-source intelligence analyst. It runs structured intelligence collection using 67+ commands across 35 techniques — no API keys required for core functionality. Some techniques offer optional enhanced access via free API keys (e.g., Wigle, VirusTotal, URLScan.io).

Core Capability

Multi-vector reconnaissance on any target type — person, domain, organization, username, email, IP, WiFi — with automated finding validation, exposure scoring, and structured intelligence delivery.

AEAD Workflow

Acquire raw data → Enrich with pivot expansion → Assess findings → Deliver structured reports (Markdown + Word with charts, diagrams, styled formatting).


Demo

Full Case Investigation

CTI Report Generation

Screenshots

Screenshots (images not included here): INTSUM Report, Network Topology, Risk Assessment


What's New in v2.2

| Category | What's New | Details |
|----------|-----------|---------|
| Image Forensics | Face search, reverse image, manipulation detection, AI geolocation | FaceCheck.id, TinEye, FotoForensics, Forensically, picarta.ai, GeoSpy, Pic2Map |
| Blockchain | Crypto wallet tracing, transaction graphs, scam detection | Blockchair, Etherscan, WalletExplorer, OXT.me, Chainabuse, Breadcrumbs |
| Transport | Aircraft tracking (unfiltered), vessel AIS, vehicle VIN lookup | ADS-B Exchange, Flightradar24, Marine Traffic, VesselFinder, NICB VINCheck |
| Darknet | Tor search, ransomware monitoring, onion service discovery | Ahmia.fi, onionsearch, DarknetLive, ransomwatch |
| Social Media | Reddit, Instagram, TikTok, Telegram investigation | Osintgram, instaloader, toutatis, RedditMetis, TGStat, TelegramDB, Bellingcat TikTok Timestamp |
| People Search | US people search engines, free reverse lookups | TruePeopleSearch, FastPeopleSearch, IDCrawl, That's Them |
| Mega-Dorks | 11 cross-platform Google dork templates covering 73 unique domains | Social, Telegram ecosystem, dev platforms, forums, paste sites, darknet, breach DBs, business, image, messaging, jobs |
| IoT | Webcam directories, IoT device search | Insecam, Thingful |

| Category | New Commands | What It Does |
|----------|-------------|--------------|
| Intelligence | /cti-expert /render threat-path, /cti-expert /render attack-surface | Attack path flow + infrastructure exposure visualization |
| Intelligence | /cti-expert /snapshots, /cti-expert /diff | Wayback Machine snapshots and version diffing |
| Intelligence | /cti-expert /drift, /cti-expert /report ioc | Temporal risk tracking + IOC export (STIX 2.1) |
| UX | /cti-expert /onboard, /cti-expert /clarify, /cti-expert /quality | First-time tutorial, finding explanation, quality scoring |
| UX | /cti-expert /blind-spots, /cti-expert /source-check | Gap analysis + batch URL verification |
| UX | /cti-expert /workspace diff | Compare two saved investigation sessions |
| Data Model | Source Reliability A-F | Complements trust scores with source-level grading |
| Data Model | 4 new entity types | Device, Image, Crypto Address, Custom |
| Data Model | HIGH conflict severity | 4-level severity: CRITICAL/HIGH/NOTABLE/MINOR |
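The data-model rows above name three ideas without showing how they fit together: a source reliability grade (A-F) that sits beside the per-technique trust score, a four-level conflict severity for findings that disagree, and the composite 0-100 exposure score produced by /exposure. The following Python model is an added example written for this page, not code from the CTI Expert repository: the grade letters, severity names and score range come from the README, while the numeric weights, the confidence thresholds that map a disagreement to CRITICAL/HIGH/NOTABLE/MINOR, and the sample findings are assumptions constructed for illustration.

```python
"""Illustrative finding model: source reliability grades (A-F), technique
trust scores, conflict severity between disagreeing findings, and a
composite 0-100 exposure score.

Added example, not code from the CTI Expert repository. Weights, thresholds
and sample data are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple

# Assumed weight per source reliability grade (A = most reliable). "F" is the
# "cannot be judged" grade, so it gets a neutral weight rather than the lowest.
RELIABILITY_WEIGHT = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": 0.5}

# Assumed contribution of each finding severity to the exposure score.
SEVERITY_WEIGHT = {"CRITICAL": 40, "HIGH": 25, "NOTABLE": 10, "MINOR": 3}


@dataclass(frozen=True)
class Finding:
    subject: str      # entity the finding is about (domain, email, handle, ...)
    attribute: str    # what was observed, e.g. "registrar"
    value: str        # observed value
    source: str       # where it came from
    reliability: str  # source reliability grade A-F
    trust: float      # 0.0-1.0 trust score assigned by the collection technique
    severity: str = "MINOR"

    def weighted_confidence(self) -> float:
        """Technique trust scaled by source-level reliability (assumed: product)."""
        return round(self.trust * RELIABILITY_WEIGHT[self.reliability], 3)


def conflict_severity(a: Finding, b: Finding) -> Optional[str]:
    """Grade a disagreement between two findings on the same subject attribute.

    Assumed rule set:
      CRITICAL - two well-supported findings (confidence >= 0.7) disagree
      HIGH     - a strong finding is contradicted by a moderate one (>= 0.4)
      NOTABLE  - a strong finding is contradicted by a weak one
      MINOR    - only weakly supported findings disagree
    Returns None when the findings do not conflict at all.
    """
    if a.subject != b.subject or a.attribute != b.attribute or a.value == b.value:
        return None
    hi, lo = sorted((a.weighted_confidence(), b.weighted_confidence()), reverse=True)
    if hi >= 0.7 and lo >= 0.7:
        return "CRITICAL"
    if hi >= 0.7 and lo >= 0.4:
        return "HIGH"
    if hi >= 0.7:
        return "NOTABLE"
    return "MINOR"


def conflicts(findings: List[Finding]) -> List[Tuple[Finding, Finding, str]]:
    """Every conflicting pair in a case, each with its severity."""
    out = []
    for a, b in combinations(findings, 2):
        sev = conflict_severity(a, b)
        if sev:
            out.append((a, b, sev))
    return out


def exposure_score(findings: List[Finding]) -> int:
    """Composite 0-100 score: severity weight scaled by confidence, capped at 100."""
    total = sum(SEVERITY_WEIGHT[f.severity] * f.weighted_confidence() for f in findings)
    return int(round(min(100.0, total)))


def sample_findings() -> List[Finding]:
    """Constructed sample case; every value here is invented for the example."""
    return [
        Finding("example.com", "registrar", "Registrar One", "whois-live", "A", 0.9),
        Finding("example.com", "registrar", "Registrar Two", "whois-archive", "C", 0.6),
        Finding("user@example.com", "breach_count", "3", "breach-db", "B", 0.8, "HIGH"),
        Finding("example.com", "tls_certificate", "expired", "ct-log", "A", 0.95, "HIGH"),
    ]


if __name__ == "__main__":
    case = sample_findings()
    for a, b, sev in conflicts(case):
        print(f"{sev}: {a.subject} {a.attribute}: "
              f"{a.source}='{a.value}' vs {b.source}='{b.value}'")
    print("exposure score:", exposure_score(case))
```

In the sample case the live WHOIS record (grade A, trust 0.9) disagrees with an archived one (grade C, trust 0.6); because the contradicting source is weak, the conflict lands at NOTABLE rather than CRITICAL, which is the kind of distinction an analyst needs before a CONTESTED finding reaches a report.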


Installation

Quick Install (one command)

# macOS / Linux (bash)
git clone https://github.com/7onez/cti-expert.git ~/.claude/skills/cti-expert && pip3 install -r ~/.claude/skills/cti-expert/scripts/requirements.txt

# Windows (PowerShell)
git clone https://github.com/7onez/cti-expert.git "$env:USERPROFILE\.claude\skills\cti-expert"; pip3 install -r "$env:USERPROFILE\.claude\skills\cti-expert\scripts\requirements.txt"

# Windows (CMD)
git clone https://github.com/7onez/cti-expert.git "%USERPROFILE%\.claude\skills\cti-expert" && pip3 install -r "%USERPROFILE%\.claude\skills\cti-expert\scripts\requirements.txt"

Option A — Claude Code CLI

Install the CLI first: npm install -g @anthropic-ai/claude-code (see the CLI docs)

# --- macOS / Linux (bash) ---

# Install Claude Code CLI
npm install -g @anthropic-ai/claude-code

# Clone skill + install dependencies
git clone https://github.com/7onez/cti-expert.git ~/.claude/skills/cti-expert
pip3 install -r ~/.claude/skills/cti-expert/scripts/requirements.txt

# Verify
ls ~/.claude/skills/cti-expert/SKILL.md

# --- Windows (PowerShell) ---

# Install Claude Code CLI
npm install -g @anthropic-ai/claude-code

# Clone skill + install dependencies
git clone https://github.com/7onez/cti-expert.git "$env:USERPROFILE\.claude\skills\cti-expert"
pip3 install -r "$env:USERPROFILE\.claude\skills\cti-expert\scripts\requirements.txt"

# Verify
Test-Path "$env:USERPROFILE\.claude\skills\cti-expert\SKILL.md"

Option B — Claude Code Desktop (macOS / Windows)

Download: claude.ai/download — available for macOS and Windows

Step-by-step (no terminal needed):

  1. Install Claude Code Desktop — Download from claude.ai/download and install the app

  2. Download CTI Expert — Go to the GitHub repository, click the green "Code" button, then select "Download ZIP"

  3. Extract to your skills folder — Unzip the downloaded file, then move the extracted folder to your skills directory and rename it to cti-expert:

    | Platform | How to navigate |
    |----------|----------------|
    | macOS | Open Finder → Press Cmd + Shift + G → Type ~/.claude/skills/ → Press Go → Move the folder here |
    | Windows | Open File Explorer → Type %USERPROFILE%\.claude\skills\ in the address bar → Press Enter → Move the folder here |

    Note: If the skills folder does not exist, create it inside the .claude folder first.

  4. Install Python dependencies — Open Claude Code Desktop and send this message to Claude:

    "Install the Python requirements for CTI Expert by running: pip3 install -r ~/.claude/skills/cti-expert/scripts/requirements.txt"

  5. Restart Claude Code Desktop — Close and reopen the app

  6. Verify — Type /cti-expert in the chat to confirm the skill is loaded


Option C — Claude Code Web (Browser)

Use directly at claude.ai/code — skills load from your ~/.claude/skills/ directory. Run the quick install command above first.

| Requirement | Version | Purpose |
|-------------|---------|---------|
| Claude Code CLI | Latest | Terminal runtime |
| Claude Code Desktop | Latest | GUI runtime (macOS/Windows) |
| Python | 3.8+ | DOCX report generation |
| pip packages | See requirements.txt | Charts, diagrams, styling |
| git | Any | Clone the repository |


Quick Start

How to run commands: All commands below use the /cti-expert prefix. Type /cti-expert followed by the command in Claude Code.

Example: /cti-expert /case example.com — not just /case example.com

1 — Full Autonomous Case

/cti-expert /case example.com

Runs every applicable technique for the target type. Auto-generates .md and .docx reports.

2 — Guided Flows

/cti-expert /flow person           # Person investigation workflow
/cti-expert /flow domain           # Domain reconnaissance workflow
/cti-expert /flow image            # Image verification workflow

3 — Targeted Reconnaissance

/cti-expert /sweep @username                    # Multi-vector recon on handle
/cti-expert /query example.com                  # 12-15 advanced search queries
/cti-expert /username johndoe                   # Platform enumeration (3000+)
/cti-expert /email-deep [email protected]         # Deep email investigation
/cti-expert /subdomain example.com              # Certificate transparency + brute-force
/cti-expert /threat-check 185.1.1.1             # IP/domain/URL threat intelligence
/cti-expert /scam-check suspicious-site.xyz     # Phishing/scam domain check
/cti-expert /breach-deep [email protected]        # Multi-source breach lookup

4 — Analysis & Assessment

/cti-expert /exposure domain.com                # Composite risk score (0-100)
/cti-expert /threat-model                       # Build threat model from findings
/cti-expert /validate                           # Verify all findings
/cti-expert /coverage                           # Check investigation completeness

5 — Reporting

/cti-expert /report                             # Technical INTSUM report
/cti-expert /report brief                       # Executive summary
/cti-expert /brief                              # Plain-language summary
/cti-expert /workspace save                     # Save workspace + auto-generate .docx

Features

Identity & People

  • Person lookup — 50+ data points
  • Phone — carrier, reputation, associations
  • Email — accounts, breaches, infrastructure
  • Username — 3000+ platform enumeration

Domain & Infrastructure

  • Subdomain enumeration via CT logs
  • CMS, CDN, analytics fingerprinting
  • DNS forensics & WHOIS deep/reverse
  • Traffic analysis & audience demographics

Analysis & Verification

  • Face search (FaceCheck.id) & reverse image (TinEye)
  • Image forensics (FotoForensics, Forensically)
  • AI photo geolocation (picarta.ai, GeoSpy)
  • Document/email metadata forensics
  • Google Docs identity extraction
  • 100+ paste sites & breach DBs

WiFi, Geo & Transport

  • SSID/BSSID lookup via Wigle.net
  • W3W, Plus Codes, MGRS, Street View
  • Aircraft tracking (ADS-B Exchange, Flightradar24)
  • Vessel tracking (Marine Traffic, VesselFinder)
  • Vehicle VIN lookup & plate recognition

Security Auditing

  • Cloud audit (AWS/GCP/Azure)
  • OWASP Top 10 source code review
  • CVE & supply chain vulnerability checks
  • LLM/agent/MCP prompt injection audit

Reporting & Export

  • INTSUM, executive brief, plain-language
  • DOCX with charts, diagrams, timelines
  • Save/load case workspaces
  • Legal, journalist, HR, threat analyst formats

AEAD Case Lifecycle

Every investigation follows four automated phases:

                         ╭──────────────────────────────────────╮
                         │         AEAD CASE LIFECYCLE          │
                         ╰──────────────────────────────────────╯

   ┌─── ACQUIRE ────────────────────────────────────────────────────────┐
   │  Collect raw data via /sweep, /query, /username, /phone, etc.     │
   │  Database search, enumeration, collection gap logging             │
   └────────────────────────────────┬───────────────────────────────────┘
                                    ▼
   ┌─── ENRICH ─────────────────────────────────────────────────────────┐
   │  Expand leads via /branch, /crossref, /link-subjects, /signatures │
   │  Shared identifier detection, relationship mapping                │
   └────────────────────────────────┬───────────────────────────────────┘
                                    ▼
   ┌─── ASSESS ─────────────────────────────────────────────────────────┐
   │  Score & verify via /exposure, /threat-model, /validate, /coverage│
   │  Risk scoring, completeness check, evidence chains                │
   └────────────────────────────────┬───────────────────────────────────┘
                                    ▼
   ┌─── DELIVER ────────────────────────────────────────────────────────┐
   │  Package output via /report, /brief, /render, /workspace save     │
   │  Auto-save .md + .docx with charts & diagrams                     │
   └────────────────────────────────────────────────────────────────────┘

Run /progress at any point to see current phase and pending tasks.


Command Reference

Full command list: See SKILL.md for comprehensive reference.

| Command | Purpose |
|---------|---------|
| /cti-expert /case [target] | Full pipeline — every applicable technique |
| /cti-expert /sweep [target] | Multi-vector recon (person/domain/org/username/email/IP) |
| /cti-expert /query [subject] | 12-15 advanced search operator queries |
| /cti-expert /username [handle] | 3000+ platform enumeration |
| /cti-expert /phone [number] | Carrier lookup, reputation, associations |
| /cti-expert /email-deep [email] | Accounts, breaches, infrastructure |
| /cti-expert /subdomain [domain] | CT logs + passive enumeration |
| /cti-expert /threat-check [target] | IP/domain/URL/hash threat intelligence |
| /cti-expert /breach-deep [email] | Multi-source breach lookup |

| Command | Purpose |
|---------|---------|
| /cti-expert /branch [data] | Lateral expansion (email→username, username→email, etc.) |
| /cti-expert /crossref | Shared identifier detection across subjects |
| /cti-expert /link-subjects [A] [B] | Define connection between subjects |
| /cti-expert /show-connections | Display logged connections |
| /cti-expert /graph | Full ASCII subject relationship map |

| Command | Purpose |
|---------|---------|
| /cti-expert /exposure [target] | Composite risk score (0-100) |
| /cti-expert /threat-model | Build threat model from findings |
| /cti-expert /validate | Verify finding evidence chains |
| /cti-expert /coverage | Check investigation completeness |

| Command | Purpose |
|---------|---------|
| /cti-expert /report | Technical INTSUM report |
| /cti-expert /report brief | Executive summary |
| /cti-expert /brief | Plain-language summary |
| /cti-expert /workspace save | Save workspace + auto-generate .docx |
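Saved workspaces are what /cti-expert /workspace diff compares and what /drift tracks over time. The script below is an added example of that comparison, written for this page and not the skill's own implementation: it diffs two snapshots of a case, lists findings that were added, removed or changed, and reports how the severity mix shifted. The snapshot layout (a list of finding records keyed by subject and attribute) is an assumption; the skill's own layout is defined in engine/workspace-format.md. Both snapshots are constructed for the example.

```python
"""Diff two saved investigation snapshots and summarise risk drift.

Added example, not the CTI Expert /workspace diff or /drift implementation.
The record layout is assumed; the sample snapshots are constructed.
"""
from typing import Dict, List, Tuple

Finding = Dict[str, str]          # keys: subject, attribute, value, severity
SEVERITIES = ("CRITICAL", "HIGH", "NOTABLE", "MINOR")


def _key(f: Finding) -> Tuple[str, str]:
    """A finding is identified by what it is about and what was observed."""
    return (f["subject"], f["attribute"])


def diff_snapshots(before: List[Finding], after: List[Finding]) -> Dict[str, list]:
    """Findings added, removed, or changed (same key, different value/severity)."""
    b = {_key(f): f for f in before}
    a = {_key(f): f for f in after}
    added = [a[k] for k in a.keys() - b.keys()]
    removed = [b[k] for k in b.keys() - a.keys()]
    changed = [
        (b[k], a[k]) for k in a.keys() & b.keys()
        if (b[k]["value"], b[k]["severity"]) != (a[k]["value"], a[k]["severity"])
    ]
    return {
        "added": sorted(added, key=_key),
        "removed": sorted(removed, key=_key),
        "changed": sorted(changed, key=lambda pair: _key(pair[0])),
    }


def severity_drift(before: List[Finding], after: List[Finding]) -> Dict[str, Tuple[int, int, int]]:
    """Per-severity (count before, count after, delta); a rising HIGH/CRITICAL
    delta between sessions is the signal /drift-style tracking is after."""
    out = {}
    for sev in SEVERITIES:
        n0 = sum(f["severity"] == sev for f in before)
        n1 = sum(f["severity"] == sev for f in after)
        out[sev] = (n0, n1, n1 - n0)
    return out


def summarize(before: List[Finding], after: List[Finding]) -> List[str]:
    """Human-readable change log, one line per change."""
    d = diff_snapshots(before, after)
    lines = [f"+ {f['subject']} {f['attribute']} = {f['value']} [{f['severity']}]" for f in d["added"]]
    lines += [f"- {f['subject']} {f['attribute']} = {f['value']} [{f['severity']}]" for f in d["removed"]]
    lines += [
        f"~ {o['subject']} {o['attribute']}: {o['value']} [{o['severity']}] -> {n['value']} [{n['severity']}]"
        for o, n in d["changed"]
    ]
    for sev, (n0, n1, delta) in severity_drift(before, after).items():
        if delta:
            lines.append(f"drift {sev}: {n0} -> {n1} ({delta:+d})")
    return lines


# Constructed snapshots of the same case, taken at two points in time.
SNAPSHOT_T0: List[Finding] = [
    {"subject": "example.com", "attribute": "registrar", "value": "Registrar One", "severity": "MINOR"},
    {"subject": "example.com", "attribute": "tls_certificate", "value": "valid", "severity": "MINOR"},
    {"subject": "example.com", "attribute": "cms", "value": "WordPress 6.0", "severity": "NOTABLE"},
    {"subject": "user@example.com", "attribute": "breach_count", "value": "2", "severity": "HIGH"},
]
SNAPSHOT_T1: List[Finding] = [
    {"subject": "example.com", "attribute": "registrar", "value": "Registrar One", "severity": "MINOR"},
    {"subject": "example.com", "attribute": "tls_certificate", "value": "expired", "severity": "HIGH"},
    {"subject": "example.com", "attribute": "subdomain", "value": "dev.example.com", "severity": "NOTABLE"},
    {"subject": "user@example.com", "attribute": "breach_count", "value": "3", "severity": "HIGH"},
]

if __name__ == "__main__":
    print("\n".join(summarize(SNAPSHOT_T0, SNAPSHOT_T1)))
```

Keying on (subject, attribute) rather than on the whole record is what separates "this finding changed" from "one finding disappeared and an unrelated one appeared"; the expired certificate and the higher breach count therefore show up as changes, while the CMS finding is reported as removed and the new subdomain as added.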


Skill Tiers

Low-jargon mode, step-by-step guidance, pre-built templates for due diligence, background checks, security reviews.

Entry: /cti-expert /flow person, /cti-expert /flow domain, /cti-expert /template list

Advanced search operators, manual pivot expansion, custom threat modeling, guided flows with explanation.

Entry: /cti-expert /query [target], /cti-expert /branch [data], /cti-expert /crossref, /cti-expert /threat-model

Raw technique access, custom evidence weighting, CONTESTED finding resolution, direct database queries.

Entry: /cti-expert /username [handle], /cti-expert /email-deep [email], /cti-expert /secrets [target], /cti-expert /threat-check [target]


Technique Catalog

| Technique | Coverage | API Key Required? |
|-----------|----------|-------------------|
| fx-metadata-parsing.md | EXIF, email headers, document forensics | No |
| fx-image-verification.md | Image authenticity, provenance, reverse search | No |
| fx-breach-discovery.md | Breach database + paste site enumeration | Optional (HIBP bulk, DeHashed paid) |
| fx-http-fingerprint.md | HTTP signature analysis, server fingerprinting | No |
| fx-leak-monitoring.md | Leak and breach monitoring automation | Mixed (IntelligenceX/Shodan paid) |
| fx-dns-cert-history.md | Historical DNS + SSL/TLS certificate timeline | No |
| fx-document-forensics.md | PDF/Office authorship, creation chain, hidden content | No |
| fx-network-mapping.md | Network topology, entity graph construction | No |
| username-osint.md | 3000+ platform enumeration | No |
| phone-osint.md | Carrier lookup, VoIP, FreeCNAM, WhoCalld | No |
| email-osint.md | Deep email investigation, breach history | No |
| threat-intel.md | GreyNoise, AbuseIPDB, OTX, VirusTotal, CIRCL CVE, NVD | Optional (VT/URLScan free keys) |
| web-traffic-analysis.md | SimilarWeb, Semrush estimation | No |
| domain-advanced.md | CT logs, Amass, Subfinder, passive enum | No |
| social-media-platforms.md | Twitter/X, Discord, Strava, BlueSky, ShareTrace, Reddit, Instagram, TikTok, Telegram | Partial (Discord needs token) |
| image-forensics-and-face-search.md | FaceCheck.id, TinEye, FotoForensics, Forensically, picarta.ai, GeoSpy, Pic2Map | No |
| blockchain-investigation.md | Blockchair, Etherscan, WalletExplorer, OXT.me, Chainabuse, Breadcrumbs | Optional (Etherscan API for bulk) |
| transport-tracking.md | ADS-B Exchange, Flightradar24, Marine Traffic, VesselFinder, VIN decode | No |
| darknet-investigation.md | Ahmia.fi, onionsearch, DarknetLive, ransomwatch | No |
| advanced-geolocation-techniques.md | W3W, Plus Codes, MGRS, Overpass Turbo | No |
| wifi-ssid-osint.md | Wigle.net SSID/BSSID geolocation | Free account (Wigle API) |
| web-dns-forensics.md | Zone transfers, GitHub, Telegram, WHOIS | Optional (WHOIS API) |
| scam-check.md | Phishing/scam domain verification | No |
| ioc-export.md | IOC export (STIX 2.1, flat list) | No |
| cloud-audit.md | AWS/GCP/Azure IAM, network, compute audit | No |
| dependency-audit.md | CVE, supply chain, CI/CD security | No |
| disk-forensics.md | Sleuth Kit, file carving, artifact recovery | No |
| incident-triage.md | NIST 800-61, containment, IOC extraction | No |
| owasp-audit.md | OWASP Top 10 source code review | No |
| prompt-injection-audit.md | LLM/agent/MCP security assessment | No |
| fx-visitor-intelligence.md | Visitor stats, tech stack, geo analysis | No |
| fx-social-topology.md | Social graph construction and analysis | No |
| fx-geolocation.md | GPS, W3W, Plus Codes, MGRS, Street View | No |
| secret-scanning.md | Credential/secret detection in code | Optional (GitHub token for GitDorker) |
| fx-email-header-analysis.md | Email header analysis, SPF/DKIM | No |


Report Formats

Every /report, /brief, and /case auto-saves two files:

Markdown Report

  • INTSUM format (technical)
  • Executive brief (decision-makers)
  • Plain-language summary (non-technical)
  • Legal evidence format (attorneys)

Word Document (.docx)

  • Cover page with classification
  • Table of contents & styled finding cards
  • Charts: pie, bar, gauge, timeline
  • Entity relationship & network topology diagrams
  • Source attribution table with page numbers

Generated by scripts/generate-cti-docx.py


Architecture

cti-expert/
├── SKILL.md                       Command reference & skill definition
├── README.md                      This file
│
├── engine/                        Case data model & state management
│   ├── subject-registry.md        How subjects are tracked
│   ├── finding-framework.md       Finding lifecycle & evidence chains
│   ├── workspace-format.md        Workspace serialization spec
│   └── conflict-resolver.md       CONTESTED finding resolution
│
├── techniques/                    Collection techniques (29 files)
│   ├── fx-metadata-parsing.md, fx-image-verification.md, ...
│   ├── username-osint.md, phone-osint.md, email-osint.md
│   ├── cloud-audit.md, dependency-audit.md, disk-forensics.md
│   └── ...
│
├── experience/                    UX, tiers, guided flows
│   ├── guided-flows/              Interactive workflows
│   ├── case-templates/            Pre-built case templates
│   └── accessibility/             Glossary, low-jargon mode
│
├── analysis/                      Pattern detection & intelligence engines
│   ├── deviation-detector.md      Behavioral anomaly detection
│   ├── cross-reference-engine.md  Shared identifier detection
│   └── exposure-model.md          Risk score calculation
│
├── output/                        Report & visualization specs
│   ├── reports/                   Report templates
│   └── visuals/                   Chart & render engine specs
│
├── scripts/                       DOCX report generation
│   ├── generate-cti-docx.py       Main generator
│   ├── cti_docx_charts.py         Chart rendering
│   ├── cti_docx_diagrams.py       Entity relationship diagrams
│   └── requirements.txt           Python dependencies
│
├── workflows/                     Professional use-case guides
│   ├── wf-journalist.md           Journalist source verification
│   ├── wf-threat-analyst.md       Cyber threat intelligence
│   └── wf-hr-screening.md        Background checks
│
├── guides/walkthroughs/           Worked case examples
│   ├── walkthrough-person-lookup.md
│   ├── walkthrough-domain-sweep.md
│   └── walkthrough-username-trace.md
│
└── validation/                    Quality assurance
    ├── coverage-matrix.md         Investigation area coverage
    ├── quality-scoring.md         Finding scoring methodology
    └── verification-checklist.md  Evidence chain validation

Professional Workflows

| Workflow | Audience | File |
|----------|----------|------|
| Journalist Source Verification | Reporters, fact-checkers | workflows/wf-journalist.md |
| HR Screening | HR professionals, recruiters | workflows/wf-hr-screening.md |
| Cyber Threat Intelligence | Security analysts, IR teams | workflows/wf-threat-analyst.md |
| Private Investigator | Licensed PIs, legal teams | workflows/wf-private-investigator.md |

Activate with /cti-expert /flow [type] for interactive guided prompts.


Ethics & Responsible Use

This skill is for lawful research and professional security investigation only.

Permitted:

  • Journalist fact-checking & source verification
  • HR background screening (with consent)
  • Corporate security research & threat intelligence
  • Authorized penetration testing & security audits
  • Legal/compliance investigation
  • Personal reputation monitoring (self-search)

Prohibited:

  • Doxxing, harassment, or stalking
  • Unauthorized surveillance
  • Social engineering or fraud
  • Privacy violations
  • Criminal activity

You are responsible for all use of this skill. Comply with local laws, regulations, and platform terms of service. Always respect privacy and consent boundaries.


Contributing

We welcome research contributions, new techniques, and workflow improvements.

Adding techniques:

  1. Create techniques/fx-[name].md with method description, free tool lists, limitations

Workflow improvements:

  1. Document in workflows/ with success criteria

Pull request process:

  1. Fork and create feature branch: git checkout -b feature/technique-name
  2. Document changes in SKILL.md and README.md
  3. Test on at least 3 real-world targets
  4. Submit PR with description

Bug reports: File issues with command output, environment, and target type.


License

MIT License + Ethical Use Addendum

You are free to use, modify, and distribute this skill under the MIT license, provided that you include original attribution, comply with the ethical use guidelines above, and clearly mark any derivatives.

See LICENSE for full text.


Made with purpose by Hieu Ngo

If this tool helps your work, consider giving it a star. It helps others find it.


:vietnam: CTI Expert — Cyber Threat Intelligence & OSINT

What is CTI Expert?

A Claude Code skill that turns Claude into a professional cyber threat intelligence and open-source intelligence analyst. It runs structured intelligence collection using 67+ commands across 35 techniques — no API key required for core functionality. Some techniques support optional free API keys for enhanced access (e.g., Wigle, VirusTotal, URLScan.io).

New in v2.2: Image forensics & face search (FaceCheck.id, TinEye, FotoForensics, picarta.ai AI geolocation), blockchain investigation (Blockchair, Etherscan, WalletExplorer, Chainabuse), transport tracking (ADS-B Exchange aircraft tracking, Marine Traffic vessel tracking, VIN decoder), darknet investigation (Ahmia.fi Tor search, ransomwatch), expanded social media (Reddit, Instagram, TikTok, Telegram), people search (TruePeopleSearch, IDCrawl), 11 Google mega-dork templates covering 73 domains.

New in v2.1: Attack path visualization (/cti-expert /render threat-path), attack surface (/cti-expert /render attack-surface), STIX 2.1 IOC export (/cti-expert /report ioc), temporal risk tracking (/cti-expert /drift), Wayback snapshots (/cti-expert /snapshots, /cti-expert /diff), onboarding for new users (/cti-expert /onboard), finding explanation (/cti-expert /clarify), gap analysis (/cti-expert /blind-spots), source check (/cti-expert /source-check), session comparison (/cti-expert /workspace diff), quality scoring (/cti-expert /quality), source reliability scale A-F, 4 new entity types.

Core capability: Multi-vector reconnaissance on every target type (person, domain, organization, username, email, IP, WiFi) with automated finding validation, exposure risk scoring, and structured intelligence reports in multiple formats.

Workflow: AEAD lifecycle — Acquire raw data → Enrich with pivot expansion → Assess findings → Deliver structured reports (Markdown + Word with charts, diagrams, professional formatting).


Installation

Quick Install (one command)

# macOS / Linux (bash)
git clone https://github.com/7onez/cti-expert.git ~/.claude/skills/cti-expert && pip3 install -r ~/.claude/skills/cti-expert/scripts/requirements.txt

# Windows (PowerShell)
git clone https://github.com/7onez/cti-expert.git "$env:USERPROFILE\.claude\skills\cti-expert"; pip3 install -r "$env:USERPROFILE\.claude\skills\cti-expert\scripts\requirements.txt"

# Windows (CMD)
git clone https://github.com/7onez/cti-expert.git "%USERPROFILE%\.claude\skills\cti-expert" && pip3 install -r "%USERPROFILE%\.claude\skills\cti-expert\scripts\requirements.txt"

Option A — Claude Code CLI

Install the CLI first: npm install -g @anthropic-ai/claude-code (see the CLI docs)

# --- macOS / Linux (bash) ---

# Install Claude Code CLI
npm install -g @anthropic-ai/claude-code

# Clone skill + install dependencies
git clone https://github.com/7onez/cti-expert.git ~/.claude/skills/cti-expert
pip3 install -r ~/.claude/skills/cti-expert/scripts/requirements.txt

# Verify
ls ~/.claude/skills/cti-expert/SKILL.md

# --- Windows (PowerShell) ---

# Install Claude Code CLI
npm install -g @anthropic-ai/claude-code

# Clone skill + install dependencies
git clone https://github.com/7onez/cti-expert.git "$env:USERPROFILE\.claude\skills\cti-expert"
pip3 install -r "$env:USERPROFILE\.claude\skills\cti-expert\scripts\requirements.txt"

# Verify
Test-Path "$env:USERPROFILE\.claude\skills\cti-expert\SKILL.md"

Option B — Claude Code Desktop (macOS / Windows)

Download: claude.ai/download — available for macOS and Windows

Step-by-step (no terminal needed):

  1. Install Claude Code Desktop — Download from claude.ai/download and install the app

  2. Download CTI Expert — Go to the GitHub repository, click the green "Code" button, then select "Download ZIP"

  3. Extract to the skills folder — Unzip the downloaded file, then move the extracted folder into the skills directory and rename it to cti-expert:

    | Platform | How to navigate |
    |----------|----------------|
    | macOS | Open Finder → Press Cmd + Shift + G → Type ~/.claude/skills/ → Press Go → Move the folder here |
    | Windows | Open File Explorer → Type %USERPROFILE%\.claude\skills\ in the address bar → Press Enter → Move the folder here |

    Note: If the skills folder does not exist yet, create it inside the .claude folder first.

  4. Install the Python libraries — Open Claude Code Desktop and send the following message to Claude:

    "Install the Python requirements for CTI Expert by running: pip3 install -r ~/.claude/skills/cti-expert/scripts/requirements.txt"

  5. Restart Claude Code Desktop — Close and reopen the app

  6. Verify — Type /cti-expert in the chat to confirm the skill has been loaded


Option C — Claude Code Web (Browser)

Use directly at claude.ai/code — skills are loaded from your ~/.claude/skills/ directory. Run the quick install command above first.

| Requirement | Version | Purpose |
|-------------|---------|---------|
| Claude Code CLI | Latest | Terminal runtime |
| Claude Code Desktop | Latest | GUI runtime (macOS/Windows) |
| Python | 3.8+ | DOCX report generation |
| pip packages | See requirements.txt | Charts, diagrams, formatting |
| git | Any | Clone the repository |


Quick Start

/cti-expert /case example.com                   # Fully autonomous case
/cti-expert /flow person                        # Person investigation workflow
/cti-expert /flow domain                        # Domain reconnaissance workflow
/cti-expert /sweep @username                    # Multi-vector recon on a handle
/cti-expert /query example.com                  # 12-15 advanced search queries
/cti-expert /username johndoe                   # Platform enumeration (3000+)
/cti-expert /email-deep [email protected]         # Deep email investigation
/cti-expert /exposure domain.com                # Composite risk score (0-100)
/cti-expert /report                             # Technical INTSUM report
/cti-expert /workspace save                     # Save workspace + auto-generate .docx

Features by Area

| Area | Capabilities |
|------|-------------|
| Identity & People | Person lookup (50+ data points), phone number investigation, deep email investigation, username enumeration (3000+ platforms) |
| Domain & Infrastructure | Subdomain enumeration, technology fingerprinting, DNS forensics, traffic analysis |
| Analysis & Verification | Image verification, metadata forensics, web forensics, leak databases |
| WiFi & Geolocation | WiFi geolocation via Wigle.net, advanced geolocation (W3W, Plus Codes, MGRS) |
| Security Auditing | Cloud audit (AWS/GCP/Azure), OWASP audit, dependency audit, prompt injection audit |
| Reporting & Export | Markdown reports, DOCX with charts, case workspaces, professional formats |


Ethics & Responsible Use

This skill is intended only for lawful research and professional security investigation.

Permitted: Journalistic source verification, HR screening (with consent), corporate security research, authorized penetration testing, legal/compliance investigation, personal reputation monitoring.

Prohibited: Doxxing, harassment, stalking, unauthorized surveillance, social engineering, fraud, privacy violations, criminal activity.


Author: Hieu Ngo • [email protected] • Version: 2.2 • License: MIT



cti expert | hub.ai-engineering.at