osint-recon

Gather and correlate open source intelligence from public sources for authorized investigations, threat intelligence, and attack surface assessment. Use when the user mentions 'OSINT,' 'open source intelligence,' 'digital footprint,' 'public records,' 'threat intelligence,' 'investigate a domain,' or needs to research a target using publicly available data.

Quality

70%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Advisory

Suggest reviewing before use

Fix and improve this skill with Tessl

tessl review fix ./skills/osint-recon/SKILL.md

Quality

Content

50%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a competent OSINT skill that covers the domain broadly and includes some executable commands, a useful output template, and appropriate ethical guardrails. However, it leans toward being a reference catalog of sources rather than a tightly actionable workflow — many sections list what to check without providing concrete commands or code. The skill would benefit from more executable examples and a clearer step-by-step investigation workflow with explicit validation checkpoints.

Suggestions

Convert the bullet-point source lists (Organization OSINT, Email OSINT, Threat Intelligence) into concrete commands or API calls where possible — e.g., provide actual curl commands for HaveIBeenPwned API, searchsploit syntax, or VirusTotal lookups.

Add an explicit numbered workflow (Step 1: Define scope → Step 2: Infrastructure collection → Step 3: Cross-reference → Step 4: Validate findings → Step 5: Generate report) with validation checkpoints between phases.

Move the detailed output report template and the full collection techniques catalog into separate bundle files (e.g., REPORT_TEMPLATE.md, COLLECTION_TECHNIQUES.md) and reference them from the main skill to improve progressive disclosure.

Dimension	Reasoning	Score
Conciseness	Generally efficient but includes some unnecessary explanatory text (e.g., the Organization OSINT bullet list is mostly things Claude already knows how to look up, and the Ethics Check section is somewhat verbose). The cross-references paragraph at the top is useful but wordy.	2 / 3
Actionability	Provides some executable commands (whois, dig, crt.sh curl, exiftool, Google dorks) but many sections are just bullet-point lists of sources without concrete commands or code. Email/Username OSINT, Organization OSINT, and Threat Intelligence sections describe rather than instruct.	2 / 3
Workflow Clarity	The overall flow (ethics check → collection → analysis → output) is implicit but not explicitly sequenced with numbered steps or validation checkpoints. The Analysis section mentions cross-referencing and validation but lacks a concrete feedback loop or verification process for the multi-step investigation workflow.	2 / 3
Progressive Disclosure	Content is reasonably well-organized with clear section headers, but everything is inline in a single file with no bundle files to offload detailed content. The references section at the bottom is minimal and external-only. Sections like the full output template and detailed collection techniques could benefit from being split into separate files.	2 / 3
	Total	8 / 12 Passed

Description

89%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a strong skill description with excellent trigger term coverage and a clear 'Use when...' clause that makes it highly selectable. The main weakness is that the capability description could be more specific — listing concrete actions like 'enumerate domains, harvest emails, query WHOIS, analyze social media profiles' rather than higher-level categories like 'threat intelligence' and 'attack surface assessment.'

Suggestions

Replace or supplement the high-level action phrases ('gather and correlate') with more concrete operations such as 'enumerate subdomains, harvest email addresses, query WHOIS/DNS records, analyze social media profiles' to improve specificity.

Dimension	Reasoning	Score
Specificity	The description names the domain (OSINT) and some actions ('gather and correlate,' 'investigations,' 'threat intelligence,' 'attack surface assessment'), but the actions are somewhat high-level rather than listing multiple concrete specific operations like 'enumerate subdomains, harvest email addresses, query WHOIS records.'	2 / 3
Completeness	Clearly answers both 'what' (gather and correlate open source intelligence for investigations, threat intelligence, and attack surface assessment) and 'when' (explicit 'Use when...' clause with multiple trigger scenarios).	3 / 3
Trigger Term Quality	Excellent coverage of natural trigger terms: 'OSINT,' 'open source intelligence,' 'digital footprint,' 'public records,' 'threat intelligence,' 'investigate a domain,' and 'publicly available data' — these are terms users would naturally use when requesting this type of work.	3 / 3
Distinctiveness Conflict Risk	The OSINT domain is a clear niche with distinct terminology. The trigger terms like 'OSINT,' 'digital footprint,' and 'attack surface assessment' are highly specific and unlikely to conflict with other skills.	3 / 3
	Total	11 / 12 Passed

Validation

90%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

Criteria	Description	Result
allowed_tools_field	'allowed-tools' contains unusual tool name(s)	Warning

	Total	10 / 11 Passed

Repository: briiirussell/cybersecurity-skills
Commit: c9ade03

Reviewed: 26 days ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.