huntkit (mcp)

Security Audit: Fail

Health: Pass
  • License — MIT
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Community trust — 14 GitHub stars

Code: Fail
  • rm -rf — Recursive force deletion command in skills/osint/scripts/capture-evidence.sh

Permissions: Pass
  • Permissions — No dangerous permissions requested
Purpose
This project is an investigation toolkit for Claude Code that provides a full workflow for OSINT, case management, and digital forensics. It includes commands for evidence capture, structured analysis using Heuer's ACH methodology, and reporting.

Security Assessment
The tool operates in a highly sensitive domain (OSINT, evidence collection) and inherently relies on executing shell commands and making network requests. A positive note is that no hardcoded secrets or dangerous permission requests were found, but there is a specific code-level concern. The automated scan flagged a `rm -rf` recursive force deletion command inside the evidence capture script (`skills/osint/scripts/capture-evidence.sh`). While potentially standard for cleaning up temporary files during forensic capture, any recursive deletion command requires careful human review to ensure it cannot be accidentally exploited to delete critical system files. Overall risk is rated as Medium due to the combination of shell script execution, network activity, and system-level file modifications.

Quality Assessment
The project appears to be actively maintained, with its most recent code push occurring just today. It is properly licensed under the permissive MIT license. However, community trust and adoption are currently very low, as indicated by only 14 GitHub stars.

Verdict
Use with caution. While actively maintained and open-source, the tool should be thoroughly reviewed by a security professional before deploying, specifically to audit the shell execution and file deletion logic.
SUMMARY

Investigation toolkit for Claude Code: case management, OSINT, structured analytic techniques, chain-of-custody evidence capture, and bundled threat-intel MCP servers.

README.md

huntkit


Investigation toolkit for Claude Code. Case management, OSINT, structured analytic techniques, chain-of-custody evidence capture, and bundled MCP servers for infrastructure recon and threat intel.

Not just a scraper wrapper. A full investigation workflow — from case intake to evidence-grade dossier.

Use it for: OSINT, due diligence, threat intelligence, incident response, digital forensics, journalistic research, competitive intel, security research, CTF challenges.

How it works

Investigation lifecycle

flowchart LR
    Start([New case]) --> NewCase[/q-new-case/]
    NewCase --> Scope[/q-scope/]
    Scope --> Begin[/q-begin/]

    Begin --> Collect{Collection}
    Collect --> Intake[/q-intake<br/>client docs/]
    Collect --> OSINT[/q-osint<br/>platform-targeted/]
    Collect --> Sweep[/q-collect<br/>broad sweep/]
    Collect --> Target[/q-target<br/>profile/]

    Intake --> Evidence[(EV-NNNN<br/>evidence items<br/>Wayback + archive.today<br/>+ Chrome PDF + SHA-256)]
    OSINT --> Evidence
    Sweep --> Evidence
    Target --> Evidence

    Evidence --> Analyze{Analysis}
    Analyze --> Timeline[/q-timeline/]
    Analyze --> Link[/q-link<br/>graph edges/]
    Analyze --> ACH[/q-analyze<br/>Heuer's ACH/]
    Analyze --> Challenge[/q-challenge<br/>red team/]
    Analyze --> Reality[/q-reality-check/]

    Timeline --> Report{Report}
    Link --> Report
    ACH --> Report
    Challenge --> Report
    Reality --> Report

    Report --> Brief[/q-brief<br/>evidence-cited/]
    Report --> Debrief[/q-debrief<br/>internal/]
    Brief --> Export[/q-export/]
    Debrief --> Export
    Export --> End([Dossier delivered])

    style Evidence fill:#fef3c7,stroke:#d97706,stroke-width:2px
    style Start fill:#dbeafe,stroke:#2563eb
    style End fill:#dcfce7,stroke:#16a34a

Every URL routes through capture-evidence.sh. Every finding cites [EV-NNNN]. Every claim has an A-F reliability grade.

Architecture

graph TB
    subgraph Claude[Claude Code]
        CC[/Claude Code session/]
    end

    subgraph huntkit[huntkit plugin]
        direction TB
        subgraph Skills
            OSINT_S[osint<br/>6-phase workflow]
            SA_S[structured-analysis<br/>Heuer's ACH + tradecraft primer]
        end

        subgraph Commands[22 commands]
            CM[case mgmt]
            CL[collection]
            AN[analysis]
            RP[reporting]
        end

        subgraph Rules[Enforced rules]
            EC[evidence-capture-protocol]
            QI[q-investigation]
            TD[token-discipline]
            SY[sycophancy]
        end

        subgraph Templates
            NI[new-investigation]
            SS[sec-stack-case]
        end
    end

    subgraph MCP[Bundled MCP servers]
        OI[osint-infra<br/>whois, dns, wayback]
        TI[threat-intel<br/>VT, URLhaus, ThreatFox, crt.sh]
    end

    subgraph External[Optional external APIs]
        PPL[Perplexity]
        EXA[Exa]
        TAV[Tavily]
        APF[Apify<br/>55+ scrapers]
        JIN[Jina]
        BD[Bright Data]
    end

    subgraph Case[Case workspace]
        EVD[(investigations/case/<br/>evidence/ findings/<br/>targets/ timelines/)]
    end

    CC --> huntkit
    huntkit --> MCP
    huntkit --> External
    huntkit --> Case
    Rules -.enforces.-> Commands
    Commands -.uses.-> Skills

    style Case fill:#fef3c7,stroke:#d97706
    style MCP fill:#e0e7ff,stroke:#6366f1
    style Rules fill:#fee2e2,stroke:#dc2626

What you get

Skills

  • osint — 6-phase investigation: tooling check → seed collection → optional internal intel → platform extraction → cross-reference → psychoprofile → completeness scoring → dossier.
  • structured-analysis — CIA tradecraft primer library (Heuer's ACH, key assumptions check, quality of information check, red team, premortem, 66-technique taxonomy). Apache 2.0, upstream Blevene/structured-analysis-skill.

Commands (22)

Case management: /q-new-case, /q-scope, /q-begin, /q-status, /q-checkpoint, /q-handoff, /q-end

Collection: /q-intake, /q-collect, /q-osint, /q-target, /q-screenshots

Analysis: /q-analyze, /q-challenge, /q-reality-check, /q-client-questions, /q-timeline, /q-link

Reporting: /q-brief, /q-debrief, /q-export

Specialized: /q-sec-stack (SaaS security stack intel)

MCP servers (bundled)

  • osint-infra — WHOIS, DNS, reverse DNS, Wayback snapshots / fetch.
  • threat-intel — VirusTotal, URLhaus, ThreatFox, crt.sh certificate transparency.

Rules (enforced)

  • evidence-capture-protocol — every URL routes through capture-evidence.sh (Wayback + archive.today + Chrome PDF + SHA-256 + metadata). Atomic EV-NNNN-<slug>/ folders. Reports cite by ID.
  • q-investigation — fail-stop on errors, token discipline, state-vs-session file authority, source reliability A-F scale.
  • token-discipline — stop conditions, retry limits.
  • sycophancy — anti-RLHF drift, decision origin tagging.
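
The evidence-capture-protocol rule above and the `rm -rf` flagged in the security assessment both concern capture-evidence.sh. The following is an added example, not huntkit's own script: it shows how a capture step can claim an atomic EV-NNNN-<slug>/ folder, write the SHA-256 and metadata a report cites, and remove its scratch directory through a guarded wrapper instead of a bare `rm -rf`. The evidence root argument, the scratch base ($TMPDIR, default /tmp) and the metadata.txt layout are assumptions.

```bash
# Added illustration, not huntkit's capture-evidence.sh. Assumptions: evidence root
# is passed in, scratch dirs live under $TMPDIR (default /tmp), metadata.txt layout.
set -eu

# Claim the next EV-NNNN-<slug>/ under the evidence root. mkdir is the atomic
# claim: two concurrent captures computing the same number cannot both win.
next_evidence_dir() {
  local root="$1" slug="$2" n d dir
  [ -d "$root" ] && [ -w "$root" ] || return 1
  while :; do
    n=0
    for d in "$root"/EV-[0-9][0-9][0-9][0-9]-*; do
      [ -d "$d" ] || continue                 # unmatched glob stays literal
      d=${d##*/EV-}; d=${d%%-*}
      d=$(printf '%s' "$d" | sed 's/^0*//')   # strip leading zeros (no octal)
      [ "${d:-0}" -gt "$n" ] && n=${d:-0}
    done
    dir=$(printf '%s/EV-%04d-%s' "$root" "$((n + 1))" "$slug")
    if mkdir "$dir" 2>/dev/null; then printf '%s\n' "$dir"; return 0; fi
  done
}

# SHA-256 of a file with coreutils sha256sum, falling back to shasum.
sha256_of() {
  { command -v sha256sum >/dev/null 2>&1 && sha256sum "$1" || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# Copy a captured artefact into the evidence folder and write the metadata a
# report cites as [EV-NNNN]; prints the hash so the caller can log it.
record_evidence() {
  local dir="$1" src="$2" url="$3" sum name; name=$(basename "$src")
  cp -- "$src" "$dir/$name"
  sum=$(sha256_of "$dir/$name")
  printf 'id=%s\nurl=%s\nfile=%s\nsha256=%s\ncaptured=%s\n' \
    "$(basename "$dir")" "$url" "$name" "$sum" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$dir/metadata.txt"
  printf '%s\n' "$sum"
}

# Guarded cleanup in place of a bare `rm -rf "$TMP"`: refuse empty, root, "..",
# symlinks, non-directories and anything outside the scratch base.
safe_rm_scratch() {
  local p="$1" base="${TMPDIR:-/tmp}"
  base=${base%/}; [ -n "$base" ] || return 1
  case "$p" in
    ""|/|*..*) return 1 ;;  "$base"/?*) ;;  *) return 1 ;;
  esac
  [ -d "$p" ] && [ ! -L "$p" ] || return 1
  rm -rf -- "$p"
}
```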

Templates

  • new-investigation/ — full case scaffold (canonical/, investigation/evidence|findings|targets|timelines/, memory/, output/).
  • sec-stack-case/ — SaaS security stack investigation template.

Install

# In Claude Code
/plugin install assafkip/huntkit

Or clone:

git clone https://github.com/assafkip/huntkit.git

MCP server setup

cp .mcp.json.template .mcp.json

osint-infra (no keys required)

cd mcp-servers/osint-infra
python3.13 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

threat-intel

Get free keys:

export VT_API_KEY=...
export ABUSE_CH_AUTH_KEY=...

Optional search / scrape APIs

All optional — the skill degrades gracefully. Run bash skills/osint/scripts/diagnose.sh to see what's active.

Env var            | Service                                                   | Get key
-------------------|-----------------------------------------------------------|-----------------------
PERPLEXITY_API_KEY | Perplexity Sonar / Deep                                   | https://perplexity.ai
EXA_API_KEY        | Exa semantic search                                       | https://exa.ai
TAVILY_API_KEY     | Tavily agent search                                       | https://tavily.com
APIFY_TOKEN        | Apify scrapers (LinkedIn, IG, TikTok, YouTube, FB pages)  | https://apify.com
JINA_API_KEY       | Jina reader / deepsearch                                  | https://jina.ai
PARALLEL_API_KEY   | Parallel AI search                                        | https://parallel.ai
BRIGHTDATA_MCP_URL | Bright Data MCP (Facebook, LinkedIn, geo-blocked)         | https://brightdata.com

Optional: Telegram recon

Not bundled — install separately if needed:

git clone https://github.com/Darksight-Analytics/tgspyder.git
cd tgspyder && pip install -r requirements.txt && pip install -e .

Typical workflow

/q-new-case acme-breach
/q-scope          # define question, targets, constraints
/q-begin          # resume session
/q-intake <file>  # ingest client-provided docs
/q-osint linkedin https://linkedin.com/in/someone
/q-collect domain acme.com
/q-target acme-ceo
/q-timeline       # reconstruct event sequence
/q-analyze ach    # analysis of competing hypotheses
/q-challenge      # red team own conclusions
/q-brief          # generate evidence-grounded report
/q-export         # final package

Every URL captured routes through the evidence protocol. Every report cites [EV-NNNN]. Every claim has an A-F reliability grade.

Ethics

For:

  • Authorized security testing and due diligence
  • Journalistic and academic research on public figures
  • Defensive threat intelligence and incident response
  • CTF / educational contexts

Do not use on private individuals without consent, for harassment, doxxing, or stalking. You are responsible for compliance with local laws and platform terms of service.

Contributing

Issues and PRs welcome. Backward-compatible additions preferred.

For LLM agents

See llms.txt for a machine-readable capability summary with a decision matrix for when to use each skill, command, and MCP server.

License

MIT. See LICENSE.

The skills/structured-analysis/ subdirectory is Apache 2.0 (see skills/structured-analysis/LICENSE and NOTICE.md).
