Install
$ agentstack add mcp-openosint-openosint
Open-source listing — not yet scanned by AgentStack. Follow the source repository for install instructions.
About
mcp-name: io.github.OpenOSINT/openosint
OpenOSINT
OSINT agent for security researchers and analysts: 18 investigation tools behind a natural-language interface. Use it as a REPL, CLI, MCP server, or browser Web UI. The AI issues hard-stop tool calls; your code executes the real binary — hallucinated findings are structurally impossible.
Run a real OSINT investigation in your browser — bring your own Anthropic / OpenRouter / Ollama key, no signup.
Try the live demo: https://demo.openosint.tech
pip install openosint
Quick Start
# Interactive AI REPL (default)
openosint
# Web interface
openosint web
# Direct tool (no AI)
openosint email target@example.com
Usage
Start the REPL and investigate any target — the agent decides which tools to run and chains them on findings:
openosint > investigate target@example.com
-> generate_dorks('target@example.com')
-> search_email('target@example.com')
Found: Spotify, WordPress, Gravatar, Office365
-> search_breach('target@example.com')
Found in 2 breaches: LinkedIn (2016), Adobe (2013)
-> search_username('johndoe99') reports/2026-05-11_14-32-11_report.md
Features
| Capability | Details |
|---|---|
| AI tool chaining | The agent selects and chains tools based on findings; describe the target in plain language |
| 18 modular tools | Email, username, breach, WHOIS, IP, subdomain, dorks, paste, phone, Shodan, VirusTotal, Censys, IP2Location, AbuseIPDB, GitHub, DNS, live dork search, URL scraping |
| Three AI backends | Anthropic Claude (default), local Ollama, or any OpenAI-compatible endpoint (LiteLLM, vLLM, LM Studio, ...) |
| Native MCP server | All 18 tools exposed to Claude Code, Claude Desktop, and any MCP-compatible client — no extra config |
| Parallel execution | --parallel runs complementary tools concurrently via asyncio.gather() |
| Reports | PDF + Markdown auto-saved after every investigation (reportlab optional) |
| Session history | All REPL sessions saved to ~/.openosint/history/; browse with openosint history |
| Web UI | Browser-based AI chat with streaming output, tool cards, light/dark theme |

> Legal Disclaimer: OpenOSINT is intended for legal and authorized use only.
> Users are solely responsible for ensuring their use complies with all applicable laws and regulations.
> The authors accept no liability for misuse. See [DISCLAIMER.md](DISCLAIMER.md).
Sponsors
IP2Location IP Geolocation & IP Intelligence Enhanced IP geolocation, ISP, VPN/Proxy/Tor detection.
Custom Integrations
Need OpenOSINT wired into your SOC, fraud, threat-intel, or AI-agent stack? I build bespoke OSINT & MCP integrations for teams — you bring the data sources and compliance requirements, I deliver a working integration.
→ [Get in touch](mailto:openosint@yahoo.com?subject=OpenOSINT%20Custom%20Integration)
Tools
| Tool | Powered by | What it investigates |
|------|-----------|---------------------|
| search_email | holehe | Social accounts linked to an email address |
| search_username | sherlock | Username presence across 300+ platforms |
| search_breach | HaveIBeenPwned v3 API | Data breach exposure |
| search_whois | python-whois | Domain registrant and DNS info |
| search_ip | ipinfo.io | Geolocation, ASN, hostname |
| search_domain | sublist3r | Subdomain enumeration |
| generate_dorks | built-in | 12 targeted Google dork URLs (no network calls) |
| search_paste | psbdmp.ws | Pastebin dump mentions |
| search_phone | phoneinfoga | Carrier, country, line type |
| search_shodan | Shodan API | Open ports, banners, CVEs |
| search_virustotal | VirusTotal API v3 | Verdict from 70+ antivirus engines |
| search_ip2location | IP2Location.io API | Enhanced IP intel: VPN/Proxy/Tor/datacenter flags (sponsored) |
| search_censys | Censys Search API | Internet-facing infrastructure, certificates |
| search_abuseipdb | AbuseIPDB v2 API | IP abuse reputation: confidence score, reports, country, ISP |
| search_github | GitHub REST API | Profile, repos, commit-discovered emails, username/keyword search |
| search_dns | dnspython (built-in) | A/AAAA/MX/NS/TXT/CNAME/SOA records; SPF, DMARC, DKIM analysis |
| search_dorks_live | Bright Data SERP API | Live Google search results for dork queries (title, URL, snippet) |
| scrape_url | Bright Data Web Unlocker | Fetch any URL bypassing Cloudflare/CAPTCHA — returns clean Markdown |
Full per-tool documentation, CLI flags, and output formats: openosint.tech.
search_email
Enumerates online services linked to an email address using holehe.
openosint email target@example.com
[+] Spotify https://open.spotify.com/user/target
[+] WordPress https://wordpress.com/target
[+] Gravatar https://gravatar.com/target
[+] Office365 email used
search_username
Searches for a username across 300+ platforms using sherlock.
openosint username johndoe99
[+] GitHub https://github.com/johndoe99
[+] Twitter https://twitter.com/johndoe99
[+] Reddit https://reddit.com/user/johndoe99
search_breach
Checks data breach exposure via HaveIBeenPwned v3 API. Requires HIBP_API_KEY.
[+] LinkedIn (2016-05-05) — leaked: Email addresses, Passwords
[+] Adobe (2013-10-04) — leaked: Email addresses, Password hints
search_whois
Retrieves WHOIS data using python-whois.
[+] Registrar: ICANN
[+] Created: 1995-08-14
[+] Expires: 2024-08-13
[+] Name Servers: A.IANA-SERVERS.NET
search_ip
Retrieves geolocation and ASN data via ipinfo.io. Free tier: 50k/month.
[+] Hostname: dns.google
[+] Org: AS15169 Google LLC
[+] City: Mountain View, CA, US
search_domain
Enumerates subdomains using sublist3r.
[+] mail.example.com
[+] dev.example.com
[+] api.example.com
generate_dorks
Generates 12 targeted Google dork URLs for any target. No network calls.
[+] "johndoe" site:linkedin.com
https://www.google.com/search?q=%22johndoe%22+site%3Alinkedin.com
[+] "johndoe" leaked OR breach OR dump
https://www.google.com/search?q=%22johndoe%22+leaked+OR+breach+OR+dump
search_paste
Searches Pastebin dumps via psbdmp.ws.
[+] https://pastebin.com/aB1cD2eF (2023-04-12)
[+] https://pastebin.com/xY3zA4bC (2022-11-08)
search_phone
Gathers phone intelligence using phoneinfoga. Use E.164 format.
[+] Country: United States
[+] Carrier: AT&T
[+] Line type: Mobile
search_shodan
IPv4 input → host lookup (open ports, org, CVEs). Any other query → banner/keyword search. Requires SHODAN_API_KEY.
openosint shodan 8.8.8.8
openosint shodan "apache port:80 country:DE"
[+] Org: Google LLC | Open ports: 53, 443
search_virustotal
Checks an IP, domain, URL, or file hash against VirusTotal's 70+ engines. Auto-detects input type. Requires VIRUSTOTAL_API_KEY.
openosint virustotal 8.8.8.8
openosint virustotal example.com
openosint virustotal 44d88612fea8a8f36de82e1278abb02f
[VirusTotal] Malicious: 0 / Harmless: 72
search_ip2location
Queries IP2Location.io for enhanced IP intelligence: geolocation, ISP, ASN, and — on the Security Plan — VPN/Proxy/Tor/datacenter detection. Sponsored integration. Requires IP2LOCATION_API_KEY.
openosint ip2location 8.8.8.8
[IP2Location] City: Mountain View, CA, US | ISP: Google LLC
[IP2Location] VPN: No | Proxy: No | TOR: No | Datacenter: Yes
search_censys
IPv4 → host view (open ports, services, ASN). Domain → certificate search (SANs, issuer). Requires CENSYS_API_ID and CENSYS_SECRET.
openosint censys 8.8.8.8
openosint censys example.com
[Censys] Open Ports: 53, 443, 853 | ASN: AS15169 Google LLC
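The input routing described for search_shodan, search_virustotal and search_censys (IPv4 versus anything else; IP, domain, URL or file hash) can be sketched as follows. This is an added example, not OpenOSINT's own code: `classify_indicator`, `route` and the mode labels they return (including `unsupported`) are hypothetical names chosen for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

HASH_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest lengths
HEX = re.compile(r"[0-9a-fA-F]+")
# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def classify_indicator(value):
    """Return 'ipv4', 'ipv6', 'url', 'md5', 'sha1', 'sha256', 'domain' or 'query'."""
    v = value.strip()
    try:  # IPs first: "8.8.8.8" also looks like dotted labels
        return f"ipv{ipaddress.ip_address(v).version}"
    except ValueError:
        pass
    try:  # urlsplit raises ValueError on malformed bracketed hosts
        parts = urlsplit(v)
        if parts.scheme in ("http", "https") and parts.hostname:
            return "url"
    except ValueError:
        pass
    if HEX.fullmatch(v) and len(v) in HASH_BY_LENGTH:
        return HASH_BY_LENGTH[len(v)]
    labels = v.rstrip(".").split(".")
    # Domain: at least two valid labels and an alphabetic TLD ("1.2.3.999" is not one).
    if (len(v) <= 253 and len(labels) >= 2 and labels[-1].isalpha()
            and all(LABEL.fullmatch(lab) for lab in labels)):
        return "domain"
    return "query"  # free text, e.g. a Shodan search filter


def route(tool, value):
    """Map (tool, input) to a lookup mode, following the page's descriptions."""
    kind = classify_indicator(value)
    if tool == "shodan":  # IPv4 -> host lookup, anything else -> search
        return "host" if kind == "ipv4" else "search"
    if tool == "censys":  # IPv4 -> host view, domain -> certificate search
        return {"ipv4": "host", "domain": "certificates"}.get(kind, "unsupported")
    return kind  # virustotal: the detected type selects the lookup


if __name__ == "__main__":
    for s in ("8.8.8.8", "example.com", "44d88612fea8a8f36de82e1278abb02f",
              "apache port:80 country:DE"):  # inputs from the commands on this page
        print(f"{s!r}: {classify_indicator(s)}, shodan={route('shodan', s)}")
```

Checking IP addresses before domains matters: a dotted string of digits that is not a valid address falls through to `query` rather than being sent to a domain lookup.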
search_abuseipdb
Checks an IP against AbuseIPDB v2. Returns abuse confidence score, total reports, country, ISP, and last reported timestamp. Requires ABUSEIPDB_API_KEY.
openosint abuseipdb 198.51.100.1
[AbuseIPDB] Abuse Confidence Score: 87% | Total Reports: 143
⚠️ HIGH ABUSE CONFIDENCE — flagged by AbuseIPDB
Warning appears when abuseConfidenceScore exceeds 50%.
search_github
Queries GitHub REST API. Username → profile, repos, commit-discovered emails. Keyword → user/repo search. Optional GITHUB_TOKEN raises rate limit from 60 to 5000 req/h.
openosint github johndoe99
[GitHub] Repos: 42 | Followers: 128
[GitHub] Commit email: johndoe@example.com
search_dns
Queries A/AAAA/MX/NS/TXT/CNAME/SOA records and analyzes SPF, DMARC, and DKIM configuration using dnspython (no external API).
openosint dns example.com
[DNS] A: 93.184.216.34
[DNS] MX: mail.example.com (priority 10)
[DNS] SPF: v=spf1 include:_spf.google.com ~all
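The kind of SPF and DMARC assessment a DNS tool can make from TXT records, shown on the SPF value from the sample output above. This is an added example, not OpenOSINT's own analysis code: `analyze_spf`, `analyze_dmarc` and the finding texts are hypothetical, the DMARC record is constructed, and DKIM is left out because it needs per-selector lookups.

```python
# TXT answers; the SPF value is from the sample output above, DMARC is constructed.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
SPF_ALL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def analyze_spf(txt_records):
    """Return (all_result, findings) for the SPF record among a name's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # RFC 7208: none means no policy, several is a permerror
        return None, ["no SPF record" if not spf else "multiple SPF records"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    findings = []
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None:  # no "all": the default result is neutral
        result = "redirect" if any(t.startswith("redirect=") for t in terms) else "neutral"
    else:
        result = SPF_ALL.get(all_term[0], "pass")  # bare "all" means "+all"
    if result in ("pass", "neutral"):
        findings.append(f"'all' result is {result}: spoofed mail is not rejected")
    elif result == "softfail":
        findings.append("~all: unauthorized senders are flagged, not rejected")
    return result, findings


def analyze_dmarc(txt_records):
    """Return (policy, findings) for the TXT records at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None, ["no usable DMARC record: SPF/DKIM failures are not enforced"]
    pairs = (p.split("=", 1) for p in recs[0].split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    policy = tags.get("p", "").lower() or None
    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return policy, findings


if __name__ == "__main__":
    print(analyze_spf(SAMPLE_TXT["example.com"]))
    print(analyze_dmarc(SAMPLE_TXT["_dmarc.example.com"]))
```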
search_dorks_live
Executes live Google dork queries through the Bright Data SERP API¹, returning structured results (title, URL, snippet). Defaults to 5 dorks per run; each is a separate billable API call. Requires BRIGHTDATA_API_KEY and BRIGHTDATA_SERP_ZONE.
openosint search-dorks-live "john doe" --max-dorks 3
[+] Dork: "john doe" site:linkedin.com
Title: John Doe | LinkedIn
URL: https://www.linkedin.com/in/john-doe-12345
scrape_url
Fetches any public URL through Bright Data Web Unlocker¹, bypassing Cloudflare/CAPTCHA. Returns clean Markdown. Requires BRIGHTDATA_API_KEY and BRIGHTDATA_UNLOCKER_ZONE.
openosint scrape https://example.com
[Web Unlocker] Remote status: 200
# Example Domain
This domain is for use in illustrative examples in documents.
Interfaces
Web UI
pip install "openosint[web]"
openosint web
# Opens http://localhost:8080 automatically
Browser-based AI chat with streaming tool output, inline result cards, light/dark theme toggle. Supports local inference via Ollama or any OpenAI-compatible endpoint — no Anthropic API key required.
# Fully local (no API key) — requires Ollama runtime: https://ollama.com
ollama pull llama3.2
openosint web
# Settings -> Ollama (local) -> model: llama3.2
# OpenAI-compatible endpoint (LiteLLM, vLLM, LM Studio, ...)
export OPENAI_BASE_URL="http://localhost:4000/v1"
openosint web
# Settings -> OpenAI API
Interactive REPL
Run openosint with no arguments to start the AI-powered REPL:
REPL commands:
| Command | Description |
|---------|-------------|
| | Investigate any target — email, username, domain, IP, name |
| clear | Reset conversation memory |
| save | Save last report to reports/ |
| tools | List available tools and their status |
| config | Show current configuration |
| history | Browse saved sessions |
| help | Show all commands |
| exit / Ctrl-D | Exit |
All sessions are auto-saved to ~/.openosint/history/. Browse with openosint history.
For the REPL/CLI with an OpenAI-compatible backend:
pip install "openosint[openai]"
openosint --provider openai \
  --openai-base-url http://localhost:4000/v1 \
  --openai-model gpt-4o-mini
Live Documentation
Full per-tool reference, CLI flags, and configuration options at openosint.tech.
MCP Server
Expose all 18 OpenOSINT tools to any MCP-compatible AI client. Once connected, Claude can natively invoke all 18 tools during conversations.
Claude Code:
claude mcp add openosint python /absolute/path/to/OpenOSINT/openosint/mcp_server.py
claude mcp list
Claude Desktop — add to ~/Library/Application Support/Claude/claude_desktop_config.json:
{
  "mcpServers": {
    "openosint": {
      "command": "python",
      "args": ["/absolute/path/to/OpenOSINT/openosint/mcp_server.py"]
    }
  }
}
Agentic use via Claude Code:
$ claude
> Investigate target@example.com. Trace any username found
across other platforms and compile a full report.
Installation
# From PyPI (recommended)
pip install openosint
# From source
git clone https://github.com/OpenOSINT/OpenOSINT.git
cd OpenOSINT
pip install -e .
External binaries (must be in PATH):
| Binary | Purpose | Install |
|--------|---------|---------|
| holehe | Email account enumeration | pip install holehe |
| sherlock | Username enumeration (300+ platforms) | pip install sherlock-project |
| sublist3r | Subdomain enumeration | pip install sublist3r |
| phoneinfoga | Phone number intelligence | Download binary |
If a binary is absent, the corresponding tool returns a descriptive error. All other tools remain operational.
Optional Python packages:
| Package | Purpose | Install |
|---------|---------|---------|
| ollama | Local LLM backend (no API key) | pip install ollama (also requires Ollama runtime) |
| openai | OpenAI-compatible backend | pip install "openosint[openai]" |
| shodan | Shodan API client | pip install shodan |
| reportlab | PDF report export | pip install reportlab |
| censys | Censys API client | pip install censys |
Configuration
Store keys in a .env file at the project root (copy .env.example). python-dotenv loads it automatically at startup.
| Variable | Tool | Required | Purpose |
|----------|------|----------|---------|
| ANTHROPIC_API_KEY | AI agent | Yes (or Ollama / OpenAI) | Anthropic API key |
| OPENAI_BASE_URL | AI agent | Optional | Base URL of an OpenAI-compatible endpoint (e.g. http://localhost:4000/v1) |
| OPENAI_API_KEY | AI agent | Optional | API key for the endpoint (local servers may ignore it) |
| OPENAI_MODEL | AI agent | Optional | Model name to request (default: gpt-4o-mini) |
| HIBP_API_KEY | search_breach | Optional | HaveIBeenPwned v3 — get one |
| IPINFO_TOKEN | search_ip | Optional | ipinfo.io higher rate limits |
| SHODAN_API_KEY | search_shodan | Optional | Shodan API — get one |
| VIRUSTOTAL_API_KEY | search_virustotal | Optional | VirusTotal API v3 — get one |
| IP2LOCATION_API_KEY | search_ip2location | Optional | IP2Location.io — get one (sponsored) |
| CENSYS_API_ID + CENSYS_SECRET | search_censys | Optional | Censys — get one |
| ABUSEIPDB_API_KEY | search_abuseipdb | Optional | AbuseIPDB v2 — get one |
| GITHUB_TOKEN | search_github | Optional | GitHub API
…
Source & license
This open-source MCP server is cataloged on AgentStack and links to its original source — we do not rehost the code.
- Author: OpenOSINT
- Source: OpenOSINT/OpenOSINT
- License: MIT
- Homepage: https://openosint.tech
Install and usage instructions live in the source repository linked above.
Versions
- v2.15.1 Imported from the upstream source.