Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

aeondave/spiderfoot

Name: spiderfoot
Author: aeondave

offensive-tools/osint/spiderfoot/SKILL.md

npx skillsauth add aeondave/malskill spiderfoot

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

SpiderFoot

Automated OSINT platform — 200+ modules, correlates all data types around a target.

Quick Start

git clone https://github.com/smicallef/spiderfoot
cd spiderfoot
pip install -r requirements.txt

# CLI scan on domain
python3 sf.py -s target.com -t INTERNET_NAME -o json -q

# Web UI (interactive)
python3 sf.py -l 127.0.0.1:5001
# → http://127.0.0.1:5001

Target Types (`-t`)

| Type | Description | Example | |------|-------------|---------| | INTERNET_NAME | Hostname / domain | target.com | | IP_ADDRESS | IPv4 address | 1.2.3.4 | | EMAILADDR | Email address | [email protected] | | USERNAME | Social username | johndoe | | PHONE_NUMBER | Phone number | +14151234567 | | HUMAN_NAME | Person's name | "John Doe" | | NETBLOCK_OWNER | ASN or CIDR | AS12345 | | BGP_AS_OWNER | ASN number | 12345 | | URL_FORM | URL to scan | https://target.com/login |

CLI Usage

# Domain scan — all passive modules
python3 sf.py -s target.com -t INTERNET_NAME -o json -q > results.json

# Email scan
python3 sf.py -s [email protected] -t EMAILADDR -o json -q

# Specific modules only
python3 sf.py -s target.com -t INTERNET_NAME -m sfp_dnsresolve,sfp_sublist3r,sfp_crtsh -o json -q

# List all modules
python3 sf.py -M

# List modules by type
python3 sf.py -M | grep -i "passive"

Key CLI Flags

| Flag | Purpose | |------|---------| | -s <target> | Target value | | -t <type> | Target type | | -m <modules> | Specific modules (comma-separated) | | -o json/csv/tab | Output format | | -q | Quiet (no progress) | | -l <host:port> | Start web UI | | -M | List all modules | | --timeout <sec> | Global timeout |

Module Categories

# List all categories
python3 sf.py -M | awk '{print $1}' | sort -u

# Useful module groups
sfp_dnsresolve      # DNS resolution
sfp_crtsh           # Certificate transparency
sfp_sublist3r       # Subdomain enumeration
sfp_shodan          # Shodan integration (API key)
sfp_virustotal      # VirusTotal (API key)
sfp_hunter          # Hunter.io emails (API key)
sfp_emailharvest    # Email harvesting
sfp_haveibeenpwned  # Breach check (API key)
sfp_linkedin        # LinkedIn profiles
sfp_twitter         # Twitter profiles
sfp_github          # GitHub user/org data
sfp_pastebin        # Pastebin leaks
sfp_darkweb         # Dark web mentions (Tor)
sfp_threatintel     # Threat intelligence feeds
sfp_whois           # WHOIS data

Web UI Workflow

python3 sf.py -l 127.0.0.1:5001

Browse to http://127.0.0.1:5001
New Scan → enter target + type
Select scan profile: Passive, Investigate, Footprint, All
Run → watch live graph of discovered entities
Browse results by data type: emails, IPs, subdomains, leaked credentials, social profiles
Export: JSON/CSV for downstream use

Scan Profiles

| Profile | Modules | Use | |---------|---------|-----| | Passive | ~50 | No direct target contact | | Investigate | ~100 | Mixed passive + active | | Footprint | ~150 | Full external footprint | | All | 200+ | Everything (loud) |

API Key Configuration

# spiderfoot.db stores settings after first run
# Or configure via web UI: Settings → API Keys

High-value API keys:

Hunter.io       → email harvest
Shodan          → port/service data
VirusTotal      → malware/domain intel
HaveIBeenPwned  → breach lookup
SecurityTrails  → DNS history
IntelX          → dark web / leaks

Parse JSON Output

import json

with open("results.json") as f:
    results = json.load(f)

# Group by data type
from collections import defaultdict
by_type = defaultdict(list)
for item in results:
    by_type[item["type"]].append(item["data"])

# Print emails found
for email in set(by_type.get("EMAILADDR", [])):
    print(email)

# Print subdomains
for sub in set(by_type.get("INTERNET_NAME", [])):
    print(sub)

Resources

| File | When to load | |------|--------------| | references/modules.md | Full module list with descriptions, API requirements, and recommended scan configurations |

aeondave/spiderfoot

offensive-tools/osint/spiderfoot/SKILL.md

Auth/lab ref: Automated OSINT platform with 200+ modules for target profiling: DNS, email, username, IP, ASN, breach data, dark web, social media, threat intel.

4 stars

development

Updated Jun 8, 2026

$ install --global

skillsauth

npx skillsauth add aeondave/malskill spiderfoot

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Jun 8, 2026, 3:55 AM39.4s2 files scanned

SKILL.md

name:: spiderfoot
description:: Auth/lab ref: Automated OSINT platform with 200+ modules for target profiling: DNS, email, username, IP, ASN, breach data, dark web, social media, threat intel.
license:: MIT
compatibility:: Python 3.7+; Linux/macOS/Windows.
author:: AeonDave
version:: 1.0

SpiderFoot

Automated OSINT platform — 200+ modules, correlates all data types around a target.

Quick Start

git clone https://github.com/smicallef/spiderfoot
cd spiderfoot
pip install -r requirements.txt

# CLI scan on domain
python3 sf.py -s target.com -t INTERNET_NAME -o json -q

# Web UI (interactive)
python3 sf.py -l 127.0.0.1:5001
# → http://127.0.0.1:5001

Target Types (`-t`)

CLI Usage

# Domain scan — all passive modules
python3 sf.py -s target.com -t INTERNET_NAME -o json -q > results.json

# Email scan
python3 sf.py -s [email protected] -t EMAILADDR -o json -q

# Specific modules only
python3 sf.py -s target.com -t INTERNET_NAME -m sfp_dnsresolve,sfp_sublist3r,sfp_crtsh -o json -q

# List all modules
python3 sf.py -M

# List modules by type
python3 sf.py -M | grep -i "passive"

Key CLI Flags

Module Categories

# List all categories
python3 sf.py -M | awk '{print $1}' | sort -u

# Useful module groups
sfp_dnsresolve      # DNS resolution
sfp_crtsh           # Certificate transparency
sfp_sublist3r       # Subdomain enumeration
sfp_shodan          # Shodan integration (API key)
sfp_virustotal      # VirusTotal (API key)
sfp_hunter          # Hunter.io emails (API key)
sfp_emailharvest    # Email harvesting
sfp_haveibeenpwned  # Breach check (API key)
sfp_linkedin        # LinkedIn profiles
sfp_twitter         # Twitter profiles
sfp_github          # GitHub user/org data
sfp_pastebin        # Pastebin leaks
sfp_darkweb         # Dark web mentions (Tor)
sfp_threatintel     # Threat intelligence feeds
sfp_whois           # WHOIS data

Web UI Workflow

python3 sf.py -l 127.0.0.1:5001

Browse to http://127.0.0.1:5001
New Scan → enter target + type
Select scan profile: Passive, Investigate, Footprint, All
Run → watch live graph of discovered entities
Browse results by data type: emails, IPs, subdomains, leaked credentials, social profiles
Export: JSON/CSV for downstream use

Scan Profiles

API Key Configuration

# spiderfoot.db stores settings after first run
# Or configure via web UI: Settings → API Keys

High-value API keys:

Hunter.io       → email harvest
Shodan          → port/service data
VirusTotal      → malware/domain intel
HaveIBeenPwned  → breach lookup
SecurityTrails  → DNS history
IntelX          → dark web / leaks

Parse JSON Output

import json

with open("results.json") as f:
    results = json.load(f)

# Group by data type
from collections import defaultdict
by_type = defaultdict(list)
for item in results:
    by_type[item["type"]].append(item["data"])

# Print emails found
for email in set(by_type.get("EMAILADDR", [])):
    print(email)

# Print subdomains
for sub in set(by_type.get("INTERNET_NAME", [])):
    print(sub)

Resources

| File | When to load | |------|--------------| | references/modules.md | Full module list with descriptions, API requirements, and recommended scan configurations |

Related Skills

aeondave/vibe-audit-technique

development

VerifiedTrustedCommunity

White-box auditing methodology for AI-generated ('vibe-coded') applications. Focuses on modern stack misconfigurations (Supabase, Next.js, Vercel).

4SKILL.mdUpdated Jun 12, 2026

aeondave/vibe-audit-technique

aeondave/source-review-technique

development

VerifiedTrustedCommunity

Hybrid AI/Deterministic SAST methodology for discovering zero-day vulnerabilities in source code. Orchestrates structural search with AI-driven data flow and sink validation.

4SKILL.mdUpdated Jun 12, 2026

aeondave/source-review-technique

aeondave/hardware-technique

development

VerifiedTrustedCommunity

Auth assessment: hardware/embedded methodology; UART/JTAG/SWD/SPI/I2C, firmware extraction, boot/debug paths, embedded OS evidence.

4SKILL.mdUpdated Jun 12, 2026

aeondave/hardware-technique

aeondave/container-technique

devops

VerifiedTrustedCommunity

Container methodology: Identifying containerization limits, Docker/K8s misconfigurations, and executing escapes to the host node.

4SKILL.mdUpdated Jun 12, 2026

aeondave/container-technique

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/aeondave/malskill.git

# Copy into Claude Code skills folder (global)
cp -r malskill/offensive-tools/osint/spiderfoot ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

aeondave/malskill

4 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT

Adoption

aeondave/spiderfoot

$ install --global

Security Scan Results

SKILL.md

SpiderFoot

Quick Start

Target Types (-t)

CLI Usage

Key CLI Flags

Module Categories

Web UI Workflow

Scan Profiles

API Key Configuration

Parse JSON Output

Resources

Related Skills

aeondave/vibe-audit-technique

aeondave/source-review-technique

aeondave/hardware-technique

aeondave/container-technique

aeondave/spiderfoot

$ install --global

Security Scan Results

SKILL.md

SpiderFoot

Quick Start

Target Types (-t)

CLI Usage

Key CLI Flags

Module Categories

Web UI Workflow

Scan Profiles

API Key Configuration

Parse JSON Output

Resources

Related Skills

aeondave/vibe-audit-technique

aeondave/source-review-technique

aeondave/hardware-technique

aeondave/container-technique

Target Types (`-t`)

Target Types (`-t`)