IONSEC Threat Intel
by @nirhalfon
Query multiple threat intelligence services for IOC enrichment including IP reputation, domain analysis, URL scanning, hash lookups, and malware detection. U...
clawhub install ionsec-threat-intelπ About This Skill
name: threat-intel description: Query multiple threat intelligence services for IOC enrichment including IP reputation, domain analysis, URL scanning, hash lookups, and malware detection. Use when investigating observables (IP, domain, URL, hash) to gather context from external sources like VirusTotal, GreyNoise, Shodan, AbuseIPDB, AlienVault OTX, and more. Supports both API-key services and free services.
Threat Intel
Overview
Query multiple external threat intelligence services to enrich observables (IPs, domains, URLs, hashes). Aggregates data from security vendors, open-source feeds, and specialized platforms to provide comprehensive IOC context.
Supported Observable Types:
Quick Start
Basic Usage
# Check an IP across multiple services
openclaw threat-intel ip 8.8.8.8 --services greynoise,abuseipdb,virustotalCheck a domain
openclaw threat-intel domain evil.com --services allCheck a hash
openclaw threat-intel hash a3b2c1d4e5f6... --services virustotal,otxCheck a URL
openclaw threat-intel url http://suspicious.site/payload.exe --services urlscanView rate limit status
openclaw threat-intel --rate-limits
API Key Management
Most services require API keys. Configure them interactively:
openclaw threat-intel setup
Or set environment variables:
export VT_API_KEY="your_virustotal_key"
export GREYNOISE_API_KEY="your_greynoise_key"
export SHODAN_API_KEY="your_shodan_key"
export OTX_API_KEY="your_otx_key"
export ABUSEIPDB_API_KEY="your_abuseipdb_key"
export URLSCAN_API_KEY="your_urlscan_key"
export SPUR_API_KEY="your_spur_key"
export VALIDIN_API_KEY="your_validin_key"
See references/api-keys.md for full list of required keys per service.
Available Services
Free Services (No API Key Required)
| Service | Observable Types | Description | |---------|-----------------|-------------| | MalwareBazaar | Hash | Malware sample database | | URLhaus | URL | Malicious URL database | | DNS0 | Domain | DNS resolver with threat detection | | Google DNS | Domain | Public DNS resolver | | Cloudflare DNS | Domain | Public DNS resolver | | Pulsedive | IP, Domain, URL | Threat intelligence with rate limits |
Services Requiring API Keys
| Service | Observable Types | Best For | |---------|-----------------|----------| | VirusTotal v3 | IP, Domain, URL, Hash | Comprehensive malware detection | | GreyNoise | IP | Internet background noise and scanner classification | | Shodan | IP | Open ports, services, and exposed systems | | AlienVault OTX | IP, Domain, URL, Hash | Threat community data | | AbuseIPDB | IP | IP reputation and reported abuse | | URLscan | URL | Live URL scanning and screenshot | | Spur.us | IP | VPN, proxy, and hosting detection | | Validin | IP, Domain, Hash | Passive DNS, subdomains, and WHOIS |
See references/services.md for complete service documentation.
Workflows
IOC Investigation
When investigating a suspicious observable, use this pattern:
1. Quick triage - Check free services first
openclaw threat-intel ip --services pulsedive
2. Deep enrichment - Add premium services for known-bad indicators
openclaw threat-intel ip --services virustotal,greynoise,shodan
3. Correlate - Cross-reference with multiple sources
openclaw threat-intel ip --services all
Bulk Enrichment
Process multiple observables from a file:
openclaw threat-intel bulk iocs.txt --output results.json
Format: one observable per line, optionally prefixed with type:
ip:8.8.8.8
domain:evil.com
hash:a3b2c1...
Scripts
Use these scripts directly for programmatic access:
scripts/threat_intel.py - Main CLI toolscripts/check_ip.py - IP-focused helper scriptscripts/bulk_check.py - Bulk processingscripts/setup.py - Explicit interactive API key configurationOutput Formats
Default (Table)
Service | Result | Score | Details
---------------|--------|-------|--------
VirusTotal | β οΈ Suspicious | 12/71 | 12 vendors flagged
GreyNoise | β
Benign | 0% | Classified as benign
AbuseIPDB | β οΈ Suspicious | 85% | 12 reports
JSON (for automation)
openclaw threat-intel ip 8.8.8.8 --format json
Markdown (for reports)
openclaw threat-intel ip 8.8.8.8 --format markdown
References
π‘ Examples
Basic Usage
# Check an IP across multiple services
openclaw threat-intel ip 8.8.8.8 --services greynoise,abuseipdb,virustotalCheck a domain
openclaw threat-intel domain evil.com --services allCheck a hash
openclaw threat-intel hash a3b2c1d4e5f6... --services virustotal,otxCheck a URL
openclaw threat-intel url http://suspicious.site/payload.exe --services urlscanView rate limit status
openclaw threat-intel --rate-limits
API Key Management
Most services require API keys. Configure them interactively:
openclaw threat-intel setup
Or set environment variables:
export VT_API_KEY="your_virustotal_key"
export GREYNOISE_API_KEY="your_greynoise_key"
export SHODAN_API_KEY="your_shodan_key"
export OTX_API_KEY="your_otx_key"
export ABUSEIPDB_API_KEY="your_abuseipdb_key"
export URLSCAN_API_KEY="your_urlscan_key"
export SPUR_API_KEY="your_spur_key"
export VALIDIN_API_KEY="your_validin_key"
See references/api-keys.md for full list of required keys per service.