AI-powered OSINT agent. Interactive REPL · CLI · MCP Server · Web UI
16 tools. Powered by Anthropic Claude or local Ollama. For authorized security research only.
See DISCLAIMER.md for legal and ethical use information.
![]()
![]()
![]()
![]()

Legal Disclaimer: OpenOSINT is intended for legal and authorized use only. Users are solely responsible for ensuring their use complies with all applicable laws and regulations. The authors accept no liability for misuse. See DISCLAIMER.md.
OpenOSINT is an AI agent for Open Source Intelligence with three interfaces: an interactive terminal REPL, a direct CLI, and an MCP server exposable to Claude Code, Claude Desktop, or any MCP-compatible client — plus a browser-based Web UI added in v2.12.0. The AI layer uses Anthropic's native tool use API (or a local Ollama model): the model issues hard stops when it needs a tool, your code executes the real binary, the actual output goes back — hallucination in tool results is structurally impossible.
--parallel runs complementary tools concurrently via asyncio.gather()reportlab~/.openosint/history/; browse with openosint history# Install from PyPI (recommended)
pip install openosint
# Or install from source
git clone https://github.com/OpenOSINT/OpenOSINT.git
cd OpenOSINT
pip install -e .
External binaries (must be in PATH):
| Binary | Purpose | Install |
|---|---|---|
holehe |
Email account enumeration | pip install holehe |
sherlock |
Username enumeration (300+ platforms) | pip install sherlock-project |
sublist3r |
Subdomain enumeration | pip install sublist3r |
phoneinfoga |
Phone number intelligence | Download binary |
If a binary is absent, the corresponding tool returns a descriptive error string. All other tools remain operational.
# Interactive AI REPL (default)
openosint
# Web interface
openosint web
# Direct tool (no AI)
openosint email target@example.com
Store all keys in a .env file at the project root (copy .env.example). python-dotenv loads it automatically at startup.
| Variable | Tool | Required | Purpose |
|---|---|---|---|
ANTHROPIC_API_KEY |
AI agent | Yes (or use Ollama) | Anthropic API key |
HIBP_API_KEY |
search_breach |
Optional | HaveIBeenPwned v3 — get one |
IPINFO_TOKEN |
search_ip |
Optional | ipinfo.io higher rate limits |
SHODAN_API_KEY |
search_shodan |
Optional | Shodan API — get one |
VIRUSTOTAL_API_KEY |
search_virustotal |
Optional | VirusTotal API v3 — get one |
IP2LOCATION_API_KEY |
search_ip2location |
Optional | IP2Location.io enhanced IP intelligence — get one (sponsored) |
CENSYS_API_ID + CENSYS_SECRET |
search_censys |
Optional | Censys Search API — get one |
ABUSEIPDB_API_KEY |
search_abuseipdb |
Optional | AbuseIPDB v2 — get one |
GITHUB_TOKEN |
search_github |
Optional | GitHub API — raises rate limit from 60 to 5000 req/h — get one |
Optional Python packages:
| Package | Purpose | Install |
|---|---|---|
ollama |
Local LLM backend (no API key) | pip install ollama |
shodan |
Shodan API client | pip install shodan |
reportlab |
PDF report export | pip install reportlab |
censys |
Censys API client | pip install censys |
| Tool | Powered by | What it investigates |
|---|---|---|
search_email |
holehe | Social accounts linked to an email address |
search_username |
sherlock | Username presence across 300+ platforms |
search_breach |
HaveIBeenPwned v3 API | Data breach exposure |
search_whois |
python-whois | Domain registrant and DNS info |
search_ip |
ipinfo.io | Geolocation, ASN, hostname |
search_domain |
sublist3r | Subdomain enumeration |
generate_dorks |
built-in | 12 targeted Google dork URLs (no network calls) |
search_paste |
psbdmp.ws | Pastebin dump mentions |
search_phone |
phoneinfoga | Carrier, country, line type |
search_shodan |
Shodan API | Open ports, banners, CVEs |
search_virustotal |
VirusTotal API v3 | Verdict from 70+ antivirus engines |
search_ip2location |
IP2Location.io API | Enhanced IP intel: VPN/Proxy/Tor/datacenter flags (sponsored) |
search_censys |
Censys Search API | Internet-facing infrastructure, certificates |
search_abuseipdb |
AbuseIPDB v2 API | IP abuse reputation: confidence score, reports, country, ISP |
search_github |
GitHub REST API | Profile, repos, commit-discovered emails, username/keyword search |
search_dns |
dnspython (built-in) | A/AAAA/MX/NS/TXT/CNAME/SOA records; SPF, DMARC, DKIM analysis |
Enumerates online services linked to an email address using holehe.
openosint email target@example.com
openosint email target@example.com -t 60
OSINT results for 'target@example.com':
[+] Spotify https://open.spotify.com/user/target
[+] WordPress https://wordpress.com/target
[+] Gravatar https://gravatar.com/target
[+] Office365 email used
Searches for a username across 300+ platforms using sherlock.
openosint username johndoe99
openosint username johndoe99 -t 120
OSINT results for username 'johndoe99':
[+] GitHub https://github.com/johndoe99
[+] Twitter https://twitter.com/johndoe99
[+] Reddit https://reddit.com/user/johndoe99
Checks data breach exposure via HaveIBeenPwned v3 API. Requires HIBP_API_KEY.
Found in 2 breach(es) for 'target@example.com':
[+] LinkedIn (2016-05-05) — leaked: Email addresses, Passwords
[+] Adobe (2013-10-04) — leaked: Email addresses, Password hints
Retrieves WHOIS data for a domain using python-whois.
WHOIS results for 'example.com':
[+] Registrar: ICANN
[+] Created: 1995-08-14
[+] Expires: 2024-08-13
[+] Name Servers: A.IANA-SERVERS.NET
Retrieves geolocation and ASN data via ipinfo.io. Free tier: 50k/month.
IP intelligence for '8.8.8.8':
[+] Hostname: dns.google
[+] Org: AS15169 Google LLC
[+] City: Mountain View, CA, US
Enumerates subdomains using sublist3r.
Subdomains found for 'example.com':
[+] mail.example.com
[+] dev.example.com
[+] api.example.com
Generates 12 targeted Google dork URLs for any target. No network calls.
Google dork URLs for 'johndoe':
[+] "johndoe" site:linkedin.com
https://www.google.com/search?q=%22johndoe%22+site%3Alinkedin.com
[+] "johndoe" leaked OR breach OR dump
https://www.google.com/search?q=%22johndoe%22+leaked+OR+breach+OR+dump
Searches Pastebin dumps via psbdmp.ws.
Found in 3 paste(s) for 'target@example.com':
[+] https://pastebin.com/aB1cD2eF (2023-04-12)
[+] https://pastebin.com/xY3zA4bC (2022-11-08)
Gathers phone intelligence using phoneinfoga. Use E.164 format.
Phone intelligence for '+14155552671':
[+] Country: United States
[+] Carrier: AT&T
[+] Line type: Mobile
Queries the Shodan API. IPv4 input → host lookup (open ports, org, CVEs). Any other query → banner/keyword search. Requires SHODAN_API_KEY.
openosint shodan 8.8.8.8
openosint shodan "apache port:80 country:DE"
openosint shodan 8.8.8.8 -t 30
Shodan host intelligence for '8.8.8.8':
[+] IP: 8.8.8.8
[+] Org: Google LLC
[+] Country: United States
[+] Open ports: 53, 443
Checks an IP address, domain, URL, or file hash against VirusTotal's 70+ antivirus engines using API v3. Auto-detects input type. Requires VIRUSTOTAL_API_KEY.
openosint virustotal 8.8.8.8
openosint virustotal example.com
openosint virustotal https://example.com/path
openosint virustotal 44d88612fea8a8f36de82e1278abb02f
[VirusTotal] Type: ip
[VirusTotal] ASN: AS15169 Google LLC
[VirusTotal] Malicious: 0
[VirusTotal] Harmless: 72
If any engine flags the target:
[VirusTotal] Malicious: 3
FLAGGED AS MALICIOUS by 3 engines
Queries the Censys API. IPv4 input → host view (open ports, services, ASN); domain input → certificate search (SANs, issuer, first/last seen). Requires CENSYS_API_ID and CENSYS_SECRET.
openosint censys 8.8.8.8
openosint censys example.com
[Censys] IP: 8.8.8.8
[Censys] Open Ports: 53, 443, 853
[Censys] Services: DNS, HTTPS, DNS-over-TLS
[Censys] ASN: AS15169 Google LLC
[Censys] Country: United States
[Censys] Domain: example.com
[Censys] Certificates Found: 12
[Censys] Issuer: Let's Encrypt
[Censys] SANs: example.com, www.example.com, api.example.com
Queries the IP2Location.io API for enhanced IP intelligence: geolocation (country, region, city, coordinates, ZIP), ISP, domain, ASN, and — on the Security Plan — VPN, proxy, Tor exit node, and datacenter detection. Sponsored integration. Requires IP2LOCATION_API_KEY.
openosint ip2location 8.8.8.8
openosint ip2location 2001:4860:4860::8888
[IP2Location] IP: 8.8.8.8
[IP2Location] Country: United States (US)
[IP2Location] Region: California
[IP2Location] City: Mountain View
[IP2Location] ISP: Google LLC
[IP2Location] ASN: AS15169 Google LLC
[IP2Location] VPN: No | Proxy: No | TOR: No | Datacenter: Yes
[IP2Location] Threat: clean
If a VPN, proxy, or Tor exit node is detected:
FLAGGED: VPN/Proxy/Tor detected
Checks an IP address against the AbuseIPDB v2 API for abuse reputation. Returns abuse confidence score (0–100%), total reports, country, ISP, domain, and last reported timestamp. Requires ABUSEIPDB_API_KEY.
openosint abuseipdb 198.51.100.1
openosint abuseipdb 198.51.100.1 -t 30
Abuse intelligence for '198.51.100.1':
[AbuseIPDB] IP: 198.51.100.1
[AbuseIPDB] Abuse Confidence Score: 87%
[AbuseIPDB] Total Reports: 143
[AbuseIPDB] Country: US
[AbuseIPDB] ISP: Example ISP LLC
[AbuseIPDB] Domain: example-isp.net
[AbuseIPDB] Last Reported: 2026-05-20T14:33:00+00:00
⚠️ HIGH ABUSE CONFIDENCE — flagged by AbuseIPDB
The warning line only appears when abuseConfidenceScore exceeds 50%.
Run openosint with no arguments to start the AI-powered REPL:
openosint > investigate target@example.com
-> generate_dorks('target@example.com')
-> search_email('target@example.com')
Found: Spotify, WordPress, Gravatar, Office365
-> search_breach('target@example.com')
Found in 2 breaches: LinkedIn (2016), Adobe (2013)
Report saved -> reports/2026-05-11_14-32-11_report.md
REPL commands:
| Command | Description |
|---|---|
<target> |
Investigate any t |
$ claude mcp add OpenOSINT \
-- python -m otcore.mcp_server <graph>