osint-recon
Gather and correlate open source intelligence from public sources for authorized investigations, threat intelligence, and attack surface assessment. Use when the user mentions 'OSINT,' 'open source intelligence,' 'digital footprint,' 'public records,' 'threat intelligence,' 'investigate a domain,' or needs to research a target using publicly available data.
60
70%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/osint-recon/SKILL.mdQuality
Discovery
89%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong skill description with excellent trigger term coverage and a clear 'Use when...' clause that makes it highly selectable. The main weakness is that the capability description could be more specific — listing concrete actions like 'enumerate domains, harvest emails, query WHOIS, analyze social media profiles' rather than higher-level categories like 'threat intelligence' and 'attack surface assessment.'
Suggestions
Replace or supplement the high-level action phrases ('gather and correlate') with more concrete operations such as 'enumerate subdomains, harvest email addresses, query WHOIS/DNS records, analyze social media profiles' to improve specificity.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | The description names the domain (OSINT) and some actions ('gather and correlate,' 'investigations,' 'threat intelligence,' 'attack surface assessment'), but the actions are somewhat high-level rather than listing multiple concrete specific operations like 'enumerate subdomains, harvest email addresses, query WHOIS records.' | 2 / 3 |
Completeness | Clearly answers both 'what' (gather and correlate open source intelligence for investigations, threat intelligence, and attack surface assessment) and 'when' (explicit 'Use when...' clause with multiple trigger scenarios). | 3 / 3 |
Trigger Term Quality | Excellent coverage of natural trigger terms: 'OSINT,' 'open source intelligence,' 'digital footprint,' 'public records,' 'threat intelligence,' 'investigate a domain,' and 'publicly available data' — these are terms users would naturally use when requesting this type of work. | 3 / 3 |
Distinctiveness Conflict Risk | The OSINT domain is a clear niche with distinct terminology. The trigger terms like 'OSINT,' 'digital footprint,' and 'attack surface assessment' are highly specific and unlikely to conflict with other skills. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
50%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a competent OSINT skill that covers the domain broadly and includes some executable commands, a useful output template, and appropriate ethical guardrails. However, it leans toward being a reference catalog of sources rather than a tightly actionable workflow — many sections list what to check without providing concrete commands or code. The skill would benefit from more executable examples and a clearer step-by-step investigation workflow with explicit validation checkpoints.
Suggestions
Convert the bullet-point source lists (Organization OSINT, Email OSINT, Threat Intelligence) into concrete commands or API calls where possible — e.g., provide actual curl commands for HaveIBeenPwned API, searchsploit syntax, or VirusTotal lookups.
Add an explicit numbered workflow (Step 1: Define scope → Step 2: Infrastructure collection → Step 3: Cross-reference → Step 4: Validate findings → Step 5: Generate report) with validation checkpoints between phases.
Move the detailed output report template and the full collection techniques catalog into separate bundle files (e.g., REPORT_TEMPLATE.md, COLLECTION_TECHNIQUES.md) and reference them from the main skill to improve progressive disclosure.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | Generally efficient but includes some unnecessary explanatory text (e.g., the Organization OSINT bullet list is mostly things Claude already knows how to look up, and the Ethics Check section is somewhat verbose). The cross-references paragraph at the top is useful but wordy. | 2 / 3 |
Actionability | Provides some executable commands (whois, dig, crt.sh curl, exiftool, Google dorks) but many sections are just bullet-point lists of sources without concrete commands or code. Email/Username OSINT, Organization OSINT, and Threat Intelligence sections describe rather than instruct. | 2 / 3 |
Workflow Clarity | The overall flow (ethics check → collection → analysis → output) is implicit but not explicitly sequenced with numbered steps or validation checkpoints. The Analysis section mentions cross-referencing and validation but lacks a concrete feedback loop or verification process for the multi-step investigation workflow. | 2 / 3 |
Progressive Disclosure | Content is reasonably well-organized with clear section headers, but everything is inline in a single file with no bundle files to offload detailed content. The references section at the bottom is minimal and external-only. Sections like the full output template and detailed collection techniques could benefit from being split into separate files. | 2 / 3 |
Total | 8 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
allowed_tools_field | 'allowed-tools' contains unusual tool name(s) | Warning |
Total | 10 / 11 Passed | |
- Repository
- briiirussell/cybersecurity-skills
- Commit
c9ade03
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.