openosint
OfficialProvides tools for searching GitHub profiles, repositories, and emails via the GitHub REST API.
Provides tools for checking files and domains against VirusTotal's database for security analysis.
mcp-name: io.github.OpenOSINT/openosint
Run a real OSINT investigation in your browser — bring your own Anthropic / OpenRouter / Ollama key, no signup.
pip install openosintQuick Start
# Interactive AI REPL (default)
openosint
# Web interface
openosint web
# Direct tool (no AI)
openosint email target@example.comRelated MCP server: AynOps
Usage
Start the REPL and investigate any target — the agent decides which tools to run and chains them on findings:
openosint > investigate target@example.com
-> generate_dorks('target@example.com')
-> search_email('target@example.com')
Found: Spotify, WordPress, Gravatar, Office365
-> search_breach('target@example.com')
Found in 2 breaches: LinkedIn (2016), Adobe (2013)
-> search_username('johndoe99') <- pivoted from email findings
Found: GitHub, Reddit, Twitter
Report saved -> reports/2026-05-11_14-32-11_report.mdFeatures
Capability | Details |
AI tool chaining | The agent selects and chains tools based on findings; describe the target in plain language |
18 modular tools | Email, username, breach, WHOIS, IP, subdomain, dorks, paste, phone, Shodan, VirusTotal, Censys, IP2Location, AbuseIPDB, GitHub, DNS, live dork search, URL scraping |
Three AI backends | Anthropic Claude (default), local Ollama, or any OpenAI-compatible endpoint (LiteLLM, vLLM, LM Studio, ...) |
Native MCP server | All 18 tools exposed to Claude Code, Claude Desktop, and any MCP-compatible client — no extra config |
Parallel execution |
|
Reports | PDF + Markdown auto-saved after every investigation ( |
Session history | All REPL sessions saved to |
Web UI | Browser-based AI chat with streaming output, tool cards, light/dark theme |
Legal Disclaimer: OpenOSINT is intended for legal and authorized use only. Users are solely responsible for ensuring their use complies with all applicable laws and regulations. The authors accept no liability for misuse. See DISCLAIMER.md.
Sponsors
Custom Integrations
Need OpenOSINT wired into your SOC, fraud, threat-intel, or AI-agent stack? I build bespoke OSINT & MCP integrations for teams — you bring the data sources and compliance requirements, I deliver a working integration.
Tools
Tool | Powered by | What it investigates |
| holehe | Social accounts linked to an email address |
| sherlock | Username presence across 300+ platforms |
| HaveIBeenPwned v3 API | Data breach exposure |
| python-whois | Domain registrant and DNS info |
| ipinfo.io | Geolocation, ASN, hostname |
| sublist3r | Subdomain enumeration |
| built-in | 12 targeted Google dork URLs (no network calls) |
| psbdmp.ws | Pastebin dump mentions |
| phoneinfoga | Carrier, country, line type |
| Shodan API | Open ports, banners, CVEs |
| VirusTotal API v3 | Verdict from 70+ antivirus engines |
| IP2Location.io API | Enhanced IP intel: VPN/Proxy/Tor/datacenter flags (sponsored) |
| Censys Search API | Internet-facing infrastructure, certificates |
| AbuseIPDB v2 API | IP abuse reputation: confidence score, reports, country, ISP |
| GitHub REST API | Profile, repos, commit-discovered emails, username/keyword search |
| dnspython (built-in) | A/AAAA/MX/NS/TXT/CNAME/SOA records; SPF, DMARC, DKIM analysis |
| Bright Data SERP API | Live Google search results for dork queries (title, URL, snippet) |
| Bright Data Web Unlocker | Fetch any URL bypassing Cloudflare/CAPTCHA — returns clean Markdown |
Full per-tool documentation, CLI flags, and output formats: openosint.tech.
search_email
Enumerates online services linked to an email address using holehe.
openosint email target@example.com[+] Spotify https://open.spotify.com/user/target
[+] WordPress https://wordpress.com/target
[+] Gravatar https://gravatar.com/target
[+] Office365 email usedsearch_username
Searches for a username across 300+ platforms using sherlock.
openosint username johndoe99[+] GitHub https://github.com/johndoe99
[+] Twitter https://twitter.com/johndoe99
[+] Reddit https://reddit.com/user/johndoe99search_breach
Checks data breach exposure via HaveIBeenPwned v3 API. Requires HIBP_API_KEY.
[+] LinkedIn (2016-05-05) — leaked: Email addresses, Passwords
[+] Adobe (2013-10-04) — leaked: Email addresses, Password hintssearch_whois
Retrieves WHOIS data using python-whois.
[+] Registrar: ICANN
[+] Created: 1995-08-14
[+] Expires: 2024-08-13
[+] Name Servers: A.IANA-SERVERS.NETsearch_ip
Retrieves geolocation and ASN data via ipinfo.io. Free tier: 50k/month.
[+] Hostname: dns.google
[+] Org: AS15169 Google LLC
[+] City: Mountain View, CA, USsearch_domain
Enumerates subdomains using sublist3r.
[+] mail.example.com
[+] dev.example.com
[+] api.example.comgenerate_dorks
Generates 12 targeted Google dork URLs for any target. No network calls.
[+] "johndoe" site:linkedin.com
https://www.google.com/search?q=%22johndoe%22+site%3Alinkedin.com
[+] "johndoe" leaked OR breach OR dump
https://www.google.com/search?q=%22johndoe%22+leaked+OR+breach+OR+dumpsearch_paste
Searches Pastebin dumps via psbdmp.ws.
[+] https://pastebin.com/aB1cD2eF (2023-04-12)
[+] https://pastebin.com/xY3zA4bC (2022-11-08)search_phone
Gathers phone intelligence using phoneinfoga. Use E.164 format.
[+] Country: United States
[+] Carrier: AT&T
[+] Line type: Mobilesearch_shodan
IPv4 input → host lookup (open ports, org, CVEs). Any other query → banner/keyword search. Requires SHODAN_API_KEY.
openosint shodan 8.8.8.8
openosint shodan "apache port:80 country:DE"[+] Org: Google LLC | Open ports: 53, 443search_virustotal
Checks an IP, domain, URL, or file hash against VirusTotal's 70+ engines. Auto-detects input type. Requires VIRUSTOTAL_API_KEY.
openosint virustotal 8.8.8.8
openosint virustotal example.com
openosint virustotal 44d88612fea8a8f36de82e1278abb02f[VirusTotal] Malicious: 0 / Harmless: 72search_ip2location
Queries IP2Location.io for enhanced IP intelligence: geolocation, ISP, ASN, and — on the Security Plan — VPN/Proxy/Tor/datacenter detection. Sponsored integration. Requires IP2LOCATION_API_KEY.
openosint ip2location 8.8.8.8[IP2Location] City: Mountain View, CA, US | ISP: Google LLC
[IP2Location] VPN: No | Proxy: No | TOR: No | Datacenter: Yessearch_censys
IPv4 → host view (open ports, services, ASN). Domain → certificate search (SANs, issuer). Requires CENSYS_API_ID and CENSYS_SECRET.
openosint censys 8.8.8.8
openosint censys example.com[Censys] Open Ports: 53, 443, 853 | ASN: AS15169 Google LLCsearch_abuseipdb
Checks an IP against AbuseIPDB v2. Returns abuse confidence score, total reports, country, ISP, and last reported timestamp. Requires ABUSEIPDB_API_KEY.
openosint abuseipdb 198.51.100.1[AbuseIPDB] Abuse Confidence Score: 87% | Total Reports: 143
⚠️ HIGH ABUSE CONFIDENCE — flagged by AbuseIPDBWarning appears when abuseConfidenceScore exceeds 50%.
search_github
Queries GitHub REST API. Username → profile, repos, commit-discovered emails. Keyword → user/repo search. Optional GITHUB_TOKEN raises rate limit from 60 to 5000 req/h.
openosint github johndoe99[GitHub] Repos: 42 | Followers: 128
[GitHub] Commit email: johndoe@example.comsearch_dns
Queries A/AAAA/MX/NS/TXT/CNAME/SOA records and analyzes SPF, DMARC, and DKIM configuration using dnspython (no external API).
openosint dns example.com[DNS] A: 93.184.216.34
[DNS] MX: mail.example.com (priority 10)
[DNS] SPF: v=spf1 include:_spf.google.com ~allsearch_dorks_live
Executes live Google dork queries through the Bright Data SERP API¹, returning structured results (title, URL, snippet). Defaults to 5 dorks per run; each is a separate billable API call. Requires BRIGHTDATA_API_KEY and BRIGHTDATA_SERP_ZONE.
openosint search-dorks-live "john doe" --max-dorks 3[+] Dork: "john doe" site:linkedin.com
Title: John Doe | LinkedIn
URL: https://www.linkedin.com/in/john-doe-12345scrape_url
Fetches any public URL through Bright Data Web Unlocker¹, bypassing Cloudflare/CAPTCHA. Returns clean Markdown. Requires BRIGHTDATA_API_KEY and BRIGHTDATA_UNLOCKER_ZONE.
openosint scrape https://example.com[Web Unlocker] Remote status: 200
# Example Domain
This domain is for use in illustrative examples in documents.Interfaces
Web UI
pip install "openosint[web]"
openosint web
# Opens http://localhost:8080 automaticallyBrowser-based AI chat with streaming tool output, inline result cards, light/dark theme toggle. Supports local inference via Ollama or any OpenAI-compatible endpoint — no Anthropic API key required.
# Fully local (no API key) — requires Ollama runtime: https://ollama.com
ollama pull llama3.2
openosint web
# Settings -> Ollama (local) -> model: llama3.2
# OpenAI-compatible endpoint (LiteLLM, vLLM, LM Studio, ...)
export OPENAI_BASE_URL="http://localhost:4000/v1"
openosint web
# Settings -> OpenAI APIInteractive REPL
Run openosint with no arguments to start the AI-powered REPL:
REPL commands:
Command | Description |
| Investigate any target — email, username, domain, IP, name |
| Reset conversation memory |
| Save last report to |
| List available tools and their status |
| Show current configuration |
| Browse saved sessions |
| Show all commands |
| Exit |
All sessions are auto-saved to ~/.openosint/history/. Browse with openosint history.
For the REPL/CLI with an OpenAI-compatible backend:
pip install "openosint[openai]"
openosint --provider openai \
--openai-base-url http://localhost:4000/v1 \
--openai-model gpt-4o-miniLive Documentation
Full per-tool reference, CLI flags, and configuration options at openosint.tech.
MCP Server
Expose all 18 OpenOSINT tools to any MCP-compatible AI client. Once connected, Claude can natively invoke all 18 tools during conversations.
Claude Code:
claude mcp add openosint python /absolute/path/to/OpenOSINT/openosint/mcp_server.py
claude mcp listClaude Desktop — add to ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"openosint": {
"command": "python",
"args": ["/absolute/path/to/OpenOSINT/openosint/mcp_server.py"]
}
}
}Agentic use via Claude Code:
$ claude
> Investigate target@example.com. Trace any username found
across other platforms and compile a full report.Installation
# From PyPI (recommended)
pip install openosint
# From source
git clone https://github.com/OpenOSINT/OpenOSINT.git
cd OpenOSINT
pip install -e .External binaries (must be in PATH):
Binary | Purpose | Install |
| Email account enumeration |
|
| Username enumeration (300+ platforms) |
|
| Subdomain enumeration |
|
| Phone number intelligence |
If a binary is absent, the corresponding tool returns a descriptive error. All other tools remain operational.
Optional Python packages:
Package | Purpose | Install |
| Local LLM backend (no API key) |
|
| OpenAI-compatible backend |
|
| Shodan API client |
|
| PDF report export |
|
| Censys API client |
|
Configuration
Store keys in a .env file at the project root (copy .env.example). python-dotenv loads it automatically at startup.
Variable | Tool | Required | Purpose |
| AI agent | Yes (or Ollama / OpenAI) | Anthropic API key |
| AI agent | Optional | Base URL of an OpenAI-compatible endpoint (e.g. |
| AI agent | Optional | API key for the endpoint (local servers may ignore it) |
| AI agent | Optional | Model name to request (default: |
|
| Optional | HaveIBeenPwned v3 — get one |
|
| Optional | ipinfo.io higher rate limits |
|
| Optional | Shodan API — get one |
|
| Optional | VirusTotal API v3 — get one |
|
| Optional | IP2Location.io — get one (sponsored) |
|
| Optional | Censys — get one |
|
| Optional | AbuseIPDB v2 — get one |
|
| Optional | GitHub API — raises rate limit 60 → 5000 req/h — get one |
|
| Optional | Bright Data — get one¹ (free tier: 5,000 req/month) |
|
| Optional | Your Bright Data SERP zone name (e.g. |
|
| Optional | Your Bright Data Web Unlocker zone name (e.g. |
CLI Reference
Flag / Subcommand | Description |
| Interactive AI REPL (default) |
| Launch browser UI |
| Direct email scan |
| Direct username scan |
| Shodan lookup |
| VirusTotal lookup |
| Censys lookup |
| IP2Location lookup |
| AbuseIPDB reputation check |
| GitHub profile/repo/email discovery |
| DNS records + email security analysis |
| Parallel multi-target investigation (max 10) |
| View/manage REPL session history |
| Enable debug logging to stderr |
| Override subprocess timeout (seconds) |
| Anthropic API key (overrides env var) |
| Run complementary tools concurrently |
| Output results as structured JSON |
| AI provider (default: |
| Ollama model name (default: |
| Ollama server URL (default: |
| OpenAI-compatible endpoint base URL (env: |
| Model to request from the endpoint (default: |
| API key for the endpoint (env: |
| Disable automatic PDF generation |
Docker
# Build and run
docker compose up --build
# One-off command
docker compose run --rm openosint email target@example.com --jsonSet ANTHROPIC_API_KEY (and optionally HIBP_API_KEY, IPINFO_TOKEN) in a .env file or export them before running docker compose. Reports are persisted to ./reports/ via a volume mount.
DigitalOcean App Platform: see .do/app.yaml for App Platform configuration.
Integrations
Service | URL | Tool | Tier | Auth |
IP2Location.io |
| Featured (sponsored) | API key — free tier | |
AbuseIPDB |
| Community | API key — free tier | |
Censys |
| Community | API key — free tier | |
GitHub |
| Community | Token optional | |
HaveIBeenPwned |
| Community | API key — paid | |
holehe |
| Community | None — local binary | |
ipinfo.io |
| Community | Token optional | |
phoneinfoga |
| Community | None — local binary | |
psbdmp.ws |
| Community | None | |
sherlock |
| Community | None — local binary | |
Shodan |
| Community | API key — free tier | |
sublist3r |
| Community | None — local binary | |
VirusTotal |
| Community | API key — free tier | |
WHOIS (IANA) |
| Community | None | |
DNS (system resolver) | — |
| Community | None |
Google Search |
| Community | None |
Resources
Free Starter Set
New to AI-assisted OSINT? The free starter set gives you 5 structured prompts — one per stage of a real investigation — that make ChatGPT and Claude collect real public data instead of hallucinating it.
Scope → Collect → Pivot → Verify → Document
Works with any AI assistant (Claude, ChatGPT, Gemini)
Free PDF, instant download — enter $0, no card needed
AI OSINT Prompt Pack
OpenOSINT gives you the tooling. The AI OSINT Prompt Pack gives you the method: 30+ tested prompts that make ChatGPT / Claude collect → pivot → verify against real public sources instead of hallucinating.
Email, username, domain, IP, phone, company due-diligence, image & reporting prompts
One repeatable investigation flow + an ethics & legal primer
7-page PDF · instant download · pairs directly with OpenOSINT
Buying it directly funds OpenOSINT's development.
Sponsor this project
OpenOSINT is used by OSINT practitioners, security researchers, and developers actively evaluating intelligence APIs. Every time a user configures an integration, the docs route them to that provider's sign-up page — high-intent exposure at the moment of adoption.
Featured Integration ($2,000/year or $220/month): recommended/default provider for one tool category, exclusive. Logo + badge across README, docs, CLI banner, and Web UI. One vendor per category.
Open categories: proxy detection · breach/credential data · threat & domain intel · email/identity lookup
→ Full media kit and pricing: openosint.tech/sponsors.html
Current sponsors
IP2Location.io — Featured Integration · IP Geolocation & IP Intelligence
Enhanced IP geolocation, ISP, VPN/Proxy/Tor, and datacenter detection. Powers search_ip2location.
Open Collective · openosint@yahoo.com · SPONSORSHIP.md
SERVICES
The framework is free and MIT-licensed. This is an optional paid setup service offered by the maintainer.
OSINT-MCP Setup Sprint — done-for-you installation and configuration of an autonomous OSINT-MCP pipeline on your environment. Fully async, no calls required.
Includes:
Pre-configured OpenOSINT setup tailored to your stack (Claude Code, Claude Desktop, or any MCP client)
API keys wired in (Shodan, VirusTotal, IP2Location, HaveIBeenPwned, and others as needed)
One investigation workflow built around your use case
Written step-by-step setup guide + screen-recorded walkthrough
Delivery: 3–5 days, fully async.
For: SOC analysts · threat-intel teams · fraud/AML · pentesters · OSINT investigators
Need it set up for you?
Get OpenOSINT wired into your stack in 3–5 days — done-for-you, fully async, no calls.
Book the Setup Sprint → $350 (founding price, first 5 teams)
→ Or email openosint@yahoo.com · LinkedIn
For authorized use only. See DISCLAIMER.md.
Commercial License & Support
OpenOSINT is free and MIT-licensed for everyone — personal projects, commercial products, SaaS, and closed-source are all covered with no purchase required. Organizations that additionally need a vendor contract, written warranty, indemnification, SLA, or priority support for procurement and compliance can purchase a commercial plan. Three tiers available from €300/year — see COMMERCIAL.md for full details and pricing. Contact: commercial@openosint.tech.
Contributing
Issues and pull requests are welcome. See CONTRIBUTING.md for the development workflow, integration registration checklist, and coding conventions. Please read DISCLAIMER.md before contributing.
Regenerating the demo GIF/MP4
export OPENOSINT_DEMO_KEY=sk-ant-... # your Anthropic key — never committed
openosint --web & # start the web server on :8080
make demo # record -> encode -> write docs/assets/demo-web-graph.*
git add docs/assets/demo-web-graph.*See scripts/record-demo/README.md for full prerequisites and pipeline details.
Maintainer
Tommaso Bertocchi
X (personal): https://x.com/SonoTommy_
X (OpenOSINT): https://x.com/openosint_oss
Email: openosint@yahoo.com
Contributors
Contributor | Contribution |
venv/uv-tool binary resolution fix — co-installed tools are now found without a separate activation step (#6) |
License
OpenOSINT is open source under the MIT License — free for any use, including personal, commercial, academic, and closed-source.
¹ Bright Data links in this README are affiliate/referral links — OpenOSINT earns a commission if you sign up through them, at no extra cost to you.
For authorized security research only. See DISCLAIMER.md.
OpenOSINT v2.22.0 — June 2026
Star History
Maintenance
Latest Blog Posts
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/OpenOSINT/OpenOSINT'
If you have feedback or need assistance with the MCP directory API, please join our Discord server