npm - @aegis-scan/skills - Versions diffs - 0.2.1 → 0.5.0 - Mend

@aegis-scan/skills 0.2.1 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (93) hide show

package/skills/osint/elementalsouls-fork/offensive-osint/README.md ADDED Viewed

@@ -0,0 +1,92 @@
+# `offensive-osint` skill
+The "what to reach for" operational arsenal for external red-team OSINT and bug-bounty reconnaissance.
+| Field | Value |
+|---|---|
+| Name | `offensive-osint` |
+| Version | 2.1 |
+| Lines | ~3,800 |
+| Top-level sections | 51 |
+| Subsections | ~135 |
+| Companion skill | [`osint-methodology`](../osint-methodology/) |
+## When this skill triggers
+Auto-triggers on prompts containing any of ~110 trigger phrases. Common ones:
+- All triggers from `osint-methodology` (most prompts pull both)
+- `swagger discovery`, `openapi discovery`, `graphql introspection`, `graphql field suggestion`
+- `subdomain enumeration`, `subdomain takeover`, `cloud bucket enum`, `S3 enum`, `GCS enum`, `Azure blob enum`
+- `okta enum`, `entra enum`, `azure AD enum`, `ADFS enum`, `SAML metadata`
+- `mobile recon`, `APK analysis`, `Microsoft 365 deep`, `Teams federation`, `SharePoint enum`, `OneDrive enum`
+- `secret scanning`, `secret leak`, `leaked credential`, `JWT triage`, `AWS key triage`
+- `github dorking`, `google dorking`, `postman workspace`, `stack exchange OSINT`
+- `breach lookup`, `have I been pwned`, `HudsonRock cavalier`, `infostealer`, `dehashed`, `intelx`
+- `shodan recon`, `censys recon`, `certificate transparency`, `crt.sh`, `JARM`, `favicon mmh3`
+- `JS endpoint extraction`, `sourcemap leak`
+- `copy paste probes`, `curl one-liner`
+- `email security analysis`, `SPF DMARC DKIM`
+- `origin discovery`, `CDN bypass`, `WAF bypass`
+- `vendor product fingerprints`, `Citrix Netscaler`, `F5 BIG-IP`, `Pulse Secure`, `FortiGate`, `PaloAlto GlobalProtect`, `Cisco AnyConnect`, `VMware vCenter`
+- `cloud native fingerprint`, `Lambda function URL`, `Cloud Run`
+- `kubernetes exposure`, `kubelet`, `etcd`
+- `CI CD exposure`, `Jenkins recon`, `GitLab self-hosted`, `GitHub Actions secrets`
+- `documentation leak`, `Notion public`, `Confluence anonymous`, `Trello board`
+- `WHOIS RDAP`, `DNS record catalog`, `Wayback CDX`
+- `LinkedIn enumeration`, `job posting tech stack`
+- `Slack workspace discovery`, `Discord server discovery`
+- `npm token leak`, `PyPI token leak`, `Docker Hub leak`
+- `sat imagery physical recon`
+- `TLS deep audit`, `JA3 JA4`, `reverse DNS sweep`, `IPv6 enumeration`
+- `CVE prioritization`, `EPSS scoring`, `CISA KEV`, `vulnerability prioritization`
+- `tooling install`
+- `sector specific recon`, `healthcare DICOM`, `finance SWIFT`, `ICS SCADA`, `Modbus`, `BACnet`
+- `post discovery workflow`
+- `Anthropic API key`, `OpenAI API key`
+Full trigger list in the SKILL.md frontmatter.
+## What's in it
+See the parent [README's "What's in the box" table](../../README.md#whats-in-the-box) for the full §-by-§ breakdown.
+Highlights:
+- **§16 — Pre-built wordlists & probe paths** including 28 Swagger paths, 13 GraphQL paths + introspection POST body, 35 high-risk ports, 6 missing security headers, 15 always-on HTTP checks, 5 SAML metadata paths, 8 SSO subdomain prefixes, cloud-bucket arsenal (6 prefixes × 15 suffixes × 47 stems × 3 providers), JS guess-paths, endpoint-extraction regex tiers, internal-host leakage regexes, 27 takeover provider fingerprints, copy-paste curl probes, email security analysis, origin discovery / CDN bypass, vendor product fingerprints, cloud-native fingerprints, container/K8s exposure, CI/CD exposure, doc/wiki leak paths, WHOIS/RDAP, DNS catalog with TXT verification token table, Wayback CDX deep usage.
+- **§17 — Secret-pattern catalog (48 patterns)** with severity, category, false-positive notes.
+- **§18 — Dork corpus (80+ templates, 9 categories)**.
+- **§20 — Endpoint interest score (0–100 rubric)**.
+- **§21 — Mobile app ownership confidence (0–100 rubric)**.
+- **§22 — Identity-fabric concrete endpoints** (incl. M365 Deep + GraphQL field-suggestion enum).
+- **§23 — 9 read-only secret validators** + post-discovery enumeration workflows.
+- **§39 — 27 attack-path hint templates**.
+- **§40 — Severity decision matrix (80+ worked examples)**.
+- **§41–§47 — LinkedIn enum, job posting analysis, Slack/Discord discovery, package registry leaks, sat imagery, tooling install, sector notes**.
+- **§48 — Secret-scan helper reference** (stdlib-only Python — pending port to AEGIS scanner; see *Helper script* below).
+## Loading
+`@aegis-scan/skills` ships this skill via the parent skill-loader; no manual copy is needed inside an AEGIS project. For external use:
+```bash
+# Local Claude Code install
+cp SKILL.md ~/.claude/skills/offensive-osint/SKILL.md
+```
+The full content lives in this `SKILL.md`.
+## Helper script
+The §48 reference points at a stdlib-only Python helper (`secret_scan.py`) that lives in the upstream repo (elementalsouls/Claude-OSINT) but is NOT shipped here — `@aegis-scan/skills` is markdown-only by CI invariant. Pending an AEGIS port under **F-EXTERNAL-SECRETS-1** (planned v0.18.x), use one of:
+- AEGIS' own gitleaks / trufflehog wrappers (already shipped — run `aegis scan` for git-tracked code, no further setup needed).
+- The upstream helper, fetched directly from elementalsouls/Claude-OSINT — see ATTRIBUTION.md for repo + commit pin.
+## Self-test
+Smoke-test prompts live upstream under `tests/smoke-test-prompts.md` in the source repo (elementalsouls/Claude-OSINT). When the AEGIS skill-validation CI lands (F-SKILL-SYNC-CI-1), a local copy will be added under `packages/skills/__tests__/skill-prompts/`.
+## License
+MIT — see the AEGIS root `LICENSE` file. Original source MIT-licensed; see `../../ATTRIBUTION.md` for upstream provenance.