assafkip/huntkit
GitHub: assafkip/huntkit
An investigation-workflow toolkit for Claude Code that combines OSINT, structured analysis and evidence capture for disciplined threat intelligence and digital forensics.
Stars: 14 | Forks: 0
# huntkit
Investigation toolkit for [Claude Code](https://claude.com/claude-code). Case management, OSINT, structured analytic techniques, chain-of-custody evidence capture, and bundled MCP servers for infrastructure recon and threat intel.
Not just a scraper wrapper. A full investigation workflow — from case intake to evidence-grade dossier.
**Use it for:** OSINT, due diligence, threat intelligence, incident response, digital forensics, journalistic research, competitive intel, security research, CTF challenges.
## How it works
### Investigation lifecycle
```mermaid
flowchart LR
    Start([New case]) --> NewCase[/q-new-case/]
    NewCase --> Scope[/q-scope/]
    Scope --> Begin[/q-begin/]
    Begin --> Collect{Collection}
    Collect --> Intake[/q-intake<br/>client docs/]
    Collect --> OSINT[/q-osint<br/>platform-targeted/]
    Collect --> Sweep[/q-collect<br/>broad sweep/]
    Collect --> Target[/q-target<br/>profile/]
    Intake --> Evidence[(EV-NNNN<br/>evidence items<br/>Wayback + archive.today<br/>+ Chrome PDF + SHA-256)]
    OSINT --> Evidence
    Sweep --> Evidence
    Target --> Evidence
    Evidence --> Analyze{Analysis}
    Analyze --> Timeline[/q-timeline/]
    Analyze --> Link[/q-link<br/>graph edges/]
    Analyze --> ACH[/q-analyze<br/>Heuer's ACH/]
    Analyze --> Challenge[/q-challenge<br/>red team/]
    Analyze --> Reality[/q-reality-check/]
    Timeline --> Report{Report}
    Link --> Report
    ACH --> Report
    Challenge --> Report
    Reality --> Report
    Report --> Brief[/q-brief<br/>evidence-cited/]
    Report --> Debrief[/q-debrief<br/>internal/]
    Brief --> Export[/q-export/]
    Debrief --> Export
    Export --> End([Dossier delivered])
    style Evidence fill:#fef3c7,stroke:#d97706,stroke-width:2px
    style Start fill:#dbeafe,stroke:#2563eb
    style End fill:#dcfce7,stroke:#16a34a
```
Every URL routes through `capture-evidence.sh`. Every finding cites `[EV-NNNN]`. Every claim has an A-F reliability grade.
### Architecture
```mermaid
graph TB
    subgraph Claude[Claude Code]
        CC[/Claude Code session/]
    end
    subgraph huntkit[huntkit plugin]
        direction TB
        subgraph Skills
            OSINT_S[osint<br/>6-phase workflow]
            SA_S[structured-analysis<br/>Heuer's ACH + tradecraft primer]
        end
        subgraph Commands[22 commands]
            CM[case mgmt]
            CL[collection]
            AN[analysis]
            RP[reporting]
        end
        subgraph Rules[Enforced rules]
            EC[evidence-capture-protocol]
            QI[q-investigation]
            TD[token-discipline]
            SY[sycophancy]
        end
        subgraph Templates
            NI[new-investigation]
            SS[sec-stack-case]
        end
    end
    subgraph MCP[Bundled MCP servers]
        OI[osint-infra<br/>whois, dns, wayback]
        TI[threat-intel<br/>VT, URLhaus, ThreatFox, crt.sh]
    end
    subgraph External[Optional external APIs]
        PPL[Perplexity]
        EXA[Exa]
        TAV[Tavily]
        APF[Apify<br/>55+ scrapers]
        JIN[Jina]
        BD[Bright Data]
    end
    subgraph Case[Case workspace]
        EVD[(investigations/case/<br/>evidence/ findings/<br/>targets/ timelines/)]
    end
    CC --> huntkit
    huntkit --> MCP
    huntkit --> External
    huntkit --> Case
    Rules -.enforces.-> Commands
    Commands -.uses.-> Skills
    style Case fill:#fef3c7,stroke:#d97706
    style MCP fill:#e0e7ff,stroke:#6366f1
    style Rules fill:#fee2e2,stroke:#dc2626
```
## What you get
### Skills
- **`osint`** — 6-phase investigation: tooling check → seed collection → optional internal intel → platform extraction → cross-reference → psychoprofile → completeness scoring → dossier.
- **`structured-analysis`** — CIA tradecraft primer library (Heuer's ACH, key assumptions check, quality of information check, red team, premortem, 66-technique taxonomy). Apache 2.0, upstream [Blevene/structured-analysis-skill](https://github.com/Blevene/structured-analysis-skill).
### Commands (22)
**Case management:** `/q-new-case`, `/q-scope`, `/q-begin`, `/q-status`, `/q-checkpoint`, `/q-handoff`, `/q-end`
**Collection:** `/q-intake`, `/q-collect`, `/q-osint`, `/q-target`, `/q-screenshots`
**Analysis:** `/q-analyze`, `/q-challenge`, `/q-reality-check`, `/q-client-questions`, `/q-timeline`, `/q-link`
**Reporting:** `/q-brief`, `/q-debrief`, `/q-export`
**Specialized:** `/q-sec-stack` (SaaS security stack intel)
### MCP servers (bundled)
- **`osint-infra`** — WHOIS, DNS, reverse DNS, Wayback snapshots / fetch.
- **`threat-intel`** — VirusTotal, URLhaus, ThreatFox, crt.sh certificate transparency.
### Rules (enforced)
- **`evidence-capture-protocol`** — every URL routes through `capture-evidence.sh` (Wayback + archive.today + Chrome PDF + SHA-256 + metadata). Atomic `EV-NNNN-/` folders. Reports cite by ID.
- **`q-investigation`** — fail-stop on errors, token discipline, state-vs-session file authority, source reliability A-F scale.
- **`token-discipline`** — stop conditions, retry limits.
- **`sycophancy`** — anti-RLHF drift, decision origin tagging.
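The evidence-capture protocol and the `[EV-NNNN]` citation rule, as an added example that is not huntkit's own `capture-evidence.sh`: each capture is staged in a temporary directory and renamed into place so a crash can never leave a half-written item, every artifact is hashed with SHA-256 into a manifest, the source reliability grade is validated against the A-F scale at capture time, and a finished brief is checked so that every citation resolves to an item whose hashes still match. The folder layout (`EV-NNNN-<slug>/` containing `manifest.json`), the manifest field names and the inputs in `demo()` are assumptions; the live Wayback, archive.today and Chrome PDF steps are replaced by caller-supplied bytes so the example runs offline.

```python
"""Evidence-capture protocol sketch: one atomic EV-NNNN-<slug>/ folder per
captured URL, a SHA-256 manifest, an A-F source-reliability grade, and a
check that a brief cites only evidence that exists and is intact.

Added example, not huntkit's capture-evidence.sh. Folder layout, manifest
fields and the demo inputs are assumptions; the network capture steps are
replaced by caller-supplied bytes so this runs offline."""
import hashlib
import json
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

RELIABILITY = set("ABCDEF")               # source reliability scale used in reports
CITATION = re.compile(r"\[(EV-\d{4})\]")  # how briefs reference evidence items


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _next_id(evidence_dir: Path) -> str:
    ids = [int(p.name[3:7]) for p in evidence_dir.glob("EV-[0-9][0-9][0-9][0-9]-*") if p.is_dir()]
    return f"EV-{(max(ids) + 1 if ids else 1):04d}"


def capture(evidence_dir: Path, url: str, slug: str, artifacts: dict[str, bytes],
            reliability: str, note: str = "") -> str:
    """Write artifacts plus manifest.json into a new EV-NNNN-<slug>/ folder.

    Everything is staged in a temp dir inside evidence_dir and renamed into
    place last, so an interrupted capture never leaves a half-written item
    that a later report could cite.
    """
    if reliability not in RELIABILITY:
        raise ValueError(f"reliability must be A-F, got {reliability!r}")
    if not artifacts:
        raise ValueError("refusing to record an evidence item with no artifacts")
    evidence_dir.mkdir(parents=True, exist_ok=True)
    ev_id = _next_id(evidence_dir)
    staging = Path(tempfile.mkdtemp(prefix=".staging-", dir=evidence_dir))
    hashes = {}
    for name, data in artifacts.items():
        (staging / name).write_bytes(data)
        hashes[name] = _sha256(data)
    manifest = {"id": ev_id, "url": url, "reliability": reliability, "note": note,
                "captured_at": datetime.now(timezone.utc).isoformat(), "sha256": hashes}
    (staging / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    staging.rename(evidence_dir / f"{ev_id}-{slug}")   # atomic on a local filesystem
    return ev_id


def verify(evidence_dir: Path, ev_id: str) -> list[str]:
    """Re-hash every artifact named in the manifest; return a list of problems."""
    folders = [p for p in evidence_dir.glob(f"{ev_id}-*") if p.is_dir()]
    if len(folders) != 1:
        return [f"{ev_id}: expected exactly one folder, found {len(folders)}"]
    manifest = json.loads((folders[0] / "manifest.json").read_text())
    problems = []
    for name, expected in manifest["sha256"].items():
        path = folders[0] / name
        if not path.exists():
            problems.append(f"{ev_id}: missing artifact {name}")
        elif _sha256(path.read_bytes()) != expected:
            problems.append(f"{ev_id}: hash mismatch for {name}")
    return problems


def check_brief(evidence_dir: Path, brief: str) -> dict[str, list[str]]:
    """Every [EV-NNNN] in a brief must resolve to an intact item; flag the rest."""
    cited = set(CITATION.findall(brief))
    existing = {p.name[:7] for p in evidence_dir.glob("EV-????-*") if p.is_dir()}
    report = {"unresolved": sorted(cited - existing), "tampered": [],
              "uncited": sorted(existing - cited)}
    for ev_id in sorted(cited & existing):
        report["tampered"].extend(verify(evidence_dir, ev_id))
    return report


def demo() -> dict[str, list[str]]:
    """Constructed walk-through: two captures, one tampered, one bogus citation."""
    ev = Path(tempfile.mkdtemp()) / "investigation" / "evidence"
    a = capture(ev, "https://example.com/about", "example-about",
                {"page.html": b"<html>Acme Corp, founded 2009</html>", "page.pdf": b"%PDF-1.7 stub"},
                reliability="B", note="company site, self-reported")
    b = capture(ev, "https://example.com/press", "example-press",
                {"page.html": b"<html>press release</html>"}, reliability="C")
    # Post-capture edit of an artifact: the manifest hash no longer matches.
    (ev / f"{b}-example-press" / "page.html").write_bytes(b"<html>edited</html>")
    brief = (f"Acme was founded in 2009 [{a}]. A leadership change was reported [{b}]. "
             "A claim with no captured source [EV-0099].")
    report = check_brief(ev, brief)
    try:   # grades outside A-F are rejected at capture time, not at report time
        capture(ev, "https://example.com/rumor", "rumor", {"page.html": b"x"}, reliability="G")
    except ValueError as exc:
        report["rejected"] = [str(exc)]
    return report
```

`demo()` returns the bogus `EV-0099` under `unresolved`, the edited `EV-0002` under `tampered` and the rejected grade under `rejected`; the `uncited` list is the reverse check, evidence that was captured but never used, which is worth reviewing before export because it usually means either wasted collection or a finding that was dropped without explanation. The temp-dir-then-rename step is what makes the folder atomic; doing the rename across filesystems would silently turn it into a copy, so keep staging inside the evidence directory.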
### Templates
- **`new-investigation/`** — full case scaffold (`canonical/`, `investigation/evidence|findings|targets|timelines/`, `memory/`, `output/`).
- **`sec-stack-case/`** — SaaS security stack investigation template.
## Installation
```
# In Claude Code
/plugin install assafkip/huntkit
```
Or clone:
```
git clone https://github.com/assafkip/huntkit.git
```
## MCP server setup
```
cp .mcp.json.template .mcp.json
```
### `osint-infra` (no keys required)
```
cd mcp-servers/osint-infra
python3.13 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
```
### `threat-intel`
Get free keys:
- VirusTotal: https://virustotal.com/gui/join-us (500 req/day)
- abuse.ch (URLhaus + ThreatFox): https://auth.abuse.ch
```
export VT_API_KEY=...
export ABUSE_CH_AUTH_KEY=...
```
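What the copied `.mcp.json` can look like once both bundled servers are wired up, as an added example rather than the project's template. The `command` paths follow the venv created in the setup steps above, but the entry-point file name `server.py` and a second venv under `mcp-servers/threat-intel/` are assumptions, so take the real values from `.mcp.json.template`. The keys are referenced as `${VAR}`, which Claude Code expands from the environment when it reads `.mcp.json`; the file itself then holds no secrets, so it cannot leak them into a case workspace, a handoff or a commit. Pasting the literal key into `env` is the form to avoid.

```json
{
  "mcpServers": {
    "osint-infra": {
      "command": "mcp-servers/osint-infra/.venv/bin/python",
      "args": ["server.py"]
    },
    "threat-intel": {
      "command": "mcp-servers/threat-intel/.venv/bin/python",
      "args": ["server.py"],
      "env": {
        "VT_API_KEY": "${VT_API_KEY}",
        "ABUSE_CH_AUTH_KEY": "${ABUSE_CH_AUTH_KEY}"
      }
    }
  }
}
```

`.mcp.json` is project-scoped, so Claude Code asks for approval before starting these servers the first time in a checkout; if you ever do put literal values in the file, keep it out of version control and commit only the template.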
## Optional search / scraping APIs
All optional — the skill degrades gracefully. Run `bash skills/osint/scripts/diagnose.sh` to see what's active.
| Env var | Service | Get key |
|---|---|---|
| `PERPLEXITY_API_KEY` | Perplexity Sonar / Deep | https://perplexity.ai |
| `EXA_API_KEY` | Exa semantic search | https://exa.ai |
| `TAVILY_API_KEY` | Tavily agent search | https://tavily.com |
| `APIFY_TOKEN` | Apify scrapers (LinkedIn, IG, TikTok, YouTube, FB pages) | https://apify.com |
| `JINA_API_KEY` | Jina reader / deepsearch | https://jina.ai |
| `PARALLEL_API_KEY` | Parallel AI search | https://parallel.ai |
| `BRIGHTDATA_MCP_URL` | Bright Data MCP (Facebook, LinkedIn, geo-blocked) | https://brightdata.com |
## Optional: Telegram recon
Not bundled — install separately if needed:
```
git clone https://github.com/Darksight-Analytics/tgspyder.git
cd tgspyder && pip install -r requirements.txt && pip install -e .
```
## Typical workflow
```
/q-new-case acme-breach
/q-scope # define question, targets, constraints
/q-begin # resume session
/q-intake # ingest client-provided docs
/q-osint linkedin https://linkedin.com/in/someone
/q-collect domain acme.com
/q-target acme-ceo
/q-timeline # reconstruct event sequence
/q-analyze ach # analysis of competing hypotheses
/q-challenge # red team own conclusions
/q-brief # generate evidence-grounded report
/q-export # final package
```
Every URL captured routes through the evidence protocol. Every report cites `[EV-NNNN]`. Every claim has an A-F reliability grade.
## Ethics
For:
- Authorized security testing and due diligence
- Journalistic and academic research on public figures
- Defensive threat intelligence and incident response
- CTF / educational contexts
Do not use on private individuals without consent, for harassment, doxxing, or stalking. You are responsible for compliance with local laws and platform terms of service.
## For LLM agents
See [`llms.txt`](llms.txt) for a machine-readable capability summary with a decision matrix for when to use each skill, command, and MCP server.
## License
MIT. See [LICENSE](LICENSE).
The `skills/structured-analysis/` subdirectory is Apache 2.0 (see `skills/structured-analysis/LICENSE` and `NOTICE.md`).
Tags: Claude Code plugin, ESC4, MCP server, MIT License, OSINT, forensic evidence capture, infrastructure recon, threat intelligence, due diligence, developer tools, digital forensics, profile collection, veracity checking, competitive intelligence, structured analytic techniques, automation scripts, journalistic research, chain of custody, investigation toolkit, reverse engineering tools, link analysis