# OpenOSINT

> AI-powered OSINT agent & MCP server. 16 tools: email, breach, IP, WHOIS, DNS, Shodan, GitHub & more.

- **Type:** MCP server
- **Install:** `agentstack add mcp-openosint-openosint`
- **Verified:** Pending review
- **Seller:** [OpenOSINT](https://agentstack.voostack.com/s/openosint)
- **Installs:** 0
- **Latest version:** 2.15.1
- **License:** MIT
- **Upstream author:** [OpenOSINT](https://github.com/OpenOSINT)
- **Source:** https://github.com/OpenOSINT/OpenOSINT
- **Website:** https://openosint.tech

## Install

```sh
agentstack add mcp-openosint-openosint
```

Requires the [AgentStack CLI](https://agentstack.voostack.com/docs/cli). Works with Claude Code, Cursor, and any MCP-compatible agent.

## About

mcp-name: io.github.OpenOSINT/openosint

  
  OpenOSINT
  OSINT agent for security researchers and analysts: 18 investigation tools behind a natural-language interface.
  Use it as a REPL, CLI, MCP server, or browser Web UI.
  The AI issues hard-stop tool calls; your code executes the real binary — hallucinated findings are structurally impossible.

[](https://github.com/OpenOSINT/OpenOSINT/releases)
[](https://pypi.org/project/openosint/)
[](https://pypi.org/project/openosint/)
[](LICENSE)
[](https://github.com/OpenOSINT/OpenOSINT/stargazers)
[](https://modelcontextprotocol.io/)
[](https://registry.modelcontextprotocol.io/servers/io.github.OpenOSINT/openosint)
[](https://www.ip2location.io)

[](https://demo.openosint.tech)

*Run a real OSINT investigation in your browser — bring your own Anthropic / OpenRouter / Ollama key, no signup.*

  
    
  
  Try the live demo →

```bash
pip install openosint
```

## Quick Start

```bash
# Interactive AI REPL (default)
openosint

# Web interface
openosint web

# Direct tool (no AI)
openosint email target@example.com
```

## Usage

Start the REPL and investigate any target — the agent decides which tools to run and chains them on findings:

```text
openosint > investigate target@example.com

  -> generate_dorks('target@example.com')
  -> search_email('target@example.com')
  Found: Spotify, WordPress, Gravatar, Office365

  -> search_breach('target@example.com')
  Found in 2 breaches: LinkedIn (2016), Adobe (2013)

  -> search_username('johndoe99')    reports/2026-05-11_14-32-11_report.md
```

## Features

| Capability | Details |
|---|---|
| AI tool chaining | The agent selects and chains tools based on findings; describe the target in plain language |
| 18 modular tools | Email, username, breach, WHOIS, IP, subdomain, dorks, paste, phone, Shodan, VirusTotal, Censys, IP2Location, AbuseIPDB, GitHub, DNS, live dork search, URL scraping |
| Three AI backends | Anthropic Claude (default), local Ollama, or any OpenAI-compatible endpoint (LiteLLM, vLLM, LM Studio, ...) |
| Native MCP server | All 18 tools exposed to Claude Code, Claude Desktop, and any MCP-compatible client — no extra config |
| Parallel execution | `--parallel` runs complementary tools concurrently via `asyncio.gather()` |
| Reports | PDF + Markdown auto-saved after every investigation (`reportlab` optional) |
| Session history | All REPL sessions saved to `~/.openosint/history/`; browse with `openosint history` |
| Web UI | Browser-based AI chat with streaming output, tool cards, light/dark theme |

---

> **Legal Disclaimer**: OpenOSINT is intended for **legal and authorized use only**.
> Users are solely responsible for ensuring their use complies with all applicable laws and regulations.
> The authors accept no liability for misuse. See [DISCLAIMER.md](DISCLAIMER.md).

## Sponsors

IP2Location
IP Geolocation &amp; IP Intelligence
Enhanced IP geolocation, ISP, VPN/Proxy/Tor detection.

Your logo here
Open: proxy detection · breach data · threat intel · email/identity
One vendor per category — exclusive placement across README, docs, CLI, and Web UI.
Media kit &amp; pricing → · Open Collective · openosint@yahoo.com

## Custom Integrations

Need OpenOSINT wired into your SOC, fraud, threat-intel, or AI-agent stack?
I build bespoke OSINT & MCP integrations for teams — you bring the data
sources and compliance requirements, I deliver a working integration.

→ **[Get in touch](mailto:openosint@yahoo.com?subject=OpenOSINT%20Custom%20Integration)**

---

## Tools

| Tool | Powered by | What it investigates |
|------|-----------|---------------------|
| `search_email` | holehe | Social accounts linked to an email address |
| `search_username` | sherlock | Username presence across 300+ platforms |
| `search_breach` | HaveIBeenPwned v3 API | Data breach exposure |
| `search_whois` | python-whois | Domain registrant and DNS info |
| `search_ip` | ipinfo.io | Geolocation, ASN, hostname |
| `search_domain` | sublist3r | Subdomain enumeration |
| `generate_dorks` | built-in | 12 targeted Google dork URLs (no network calls) |
| `search_paste` | psbdmp.ws | Pastebin dump mentions |
| `search_phone` | phoneinfoga | Carrier, country, line type |
| `search_shodan` | Shodan API | Open ports, banners, CVEs |
| `search_virustotal` | VirusTotal API v3 | Verdict from 70+ antivirus engines |
| `search_ip2location` | IP2Location.io API | Enhanced IP intel: VPN/Proxy/Tor/datacenter flags *(sponsored)* |
| `search_censys` | Censys Search API | Internet-facing infrastructure, certificates |
| `search_abuseipdb` | AbuseIPDB v2 API | IP abuse reputation: confidence score, reports, country, ISP |
| `search_github` | GitHub REST API | Profile, repos, commit-discovered emails, username/keyword search |
| `search_dns` | dnspython (built-in) | A/AAAA/MX/NS/TXT/CNAME/SOA records; SPF, DMARC, DKIM analysis |
| `search_dorks_live` | Bright Data SERP API | Live Google search results for dork queries (title, URL, snippet) |
| `scrape_url` | Bright Data Web Unlocker | Fetch any URL bypassing Cloudflare/CAPTCHA — returns clean Markdown |

Full per-tool documentation, CLI flags, and output formats: [openosint.tech](https://openosint.tech/).

### search_email

Enumerates online services linked to an email address using [holehe](https://github.com/megadose/holehe).

```bash
openosint email target@example.com
```

```text
[+] Spotify        https://open.spotify.com/user/target
[+] WordPress      https://wordpress.com/target
[+] Gravatar       https://gravatar.com/target
[+] Office365      email used
```

### search_username

Searches for a username across 300+ platforms using [sherlock](https://github.com/sherlock-project/sherlock).

```bash
openosint username johndoe99
```

```text
[+] GitHub         https://github.com/johndoe99
[+] Twitter        https://twitter.com/johndoe99
[+] Reddit         https://reddit.com/user/johndoe99
```

### search_breach

Checks data breach exposure via [HaveIBeenPwned v3 API](https://haveibeenpwned.com/API/v3). Requires `HIBP_API_KEY`.

```text
[+] LinkedIn (2016-05-05) — leaked: Email addresses, Passwords
[+] Adobe (2013-10-04) — leaked: Email addresses, Password hints
```

### search_whois

Retrieves WHOIS data using [python-whois](https://github.com/richardpenman/whois).

```text
[+] Registrar: ICANN
[+] Created: 1995-08-14
[+] Expires: 2024-08-13
[+] Name Servers: A.IANA-SERVERS.NET
```

### search_ip

Retrieves geolocation and ASN data via [ipinfo.io](https://ipinfo.io). Free tier: 50k/month.

```text
[+] Hostname: dns.google
[+] Org: AS15169 Google LLC
[+] City: Mountain View, CA, US
```

### search_domain

Enumerates subdomains using [sublist3r](https://github.com/aboul3la/Sublist3r).

```text
[+] mail.example.com
[+] dev.example.com
[+] api.example.com
```

### generate_dorks

Generates 12 targeted Google dork URLs for any target. No network calls.

```text
[+] "johndoe" site:linkedin.com
    https://www.google.com/search?q=%22johndoe%22+site%3Alinkedin.com
[+] "johndoe" leaked OR breach OR dump
    https://www.google.com/search?q=%22johndoe%22+leaked+OR+breach+OR+dump
```

### search_paste

Searches Pastebin dumps via [psbdmp.ws](https://psbdmp.ws).

```text
[+] https://pastebin.com/aB1cD2eF (2023-04-12)
[+] https://pastebin.com/xY3zA4bC (2022-11-08)
```

### search_phone

Gathers phone intelligence using [phoneinfoga](https://github.com/sundowndev/phoneinfoga). Use E.164 format.

```text
[+] Country: United States
[+] Carrier: AT&T
[+] Line type: Mobile
```

### search_shodan

IPv4 input → host lookup (open ports, org, CVEs). Any other query → banner/keyword search. Requires `SHODAN_API_KEY`.

```bash
openosint shodan 8.8.8.8
openosint shodan "apache port:80 country:DE"
```

```text
[+] Org: Google LLC  |  Open ports: 53, 443
```

### search_virustotal

Checks an IP, domain, URL, or file hash against [VirusTotal](https://www.virustotal.com)'s 70+ engines. Auto-detects input type. Requires `VIRUSTOTAL_API_KEY`.

```bash
openosint virustotal 8.8.8.8
openosint virustotal example.com
openosint virustotal 44d88612fea8a8f36de82e1278abb02f
```

```text
[VirusTotal] Malicious: 0 / Harmless: 72
```

### search_ip2location

Queries [IP2Location.io](https://www.ip2location.io) for enhanced IP intelligence: geolocation, ISP, ASN, and — on the Security Plan — VPN/Proxy/Tor/datacenter detection. Sponsored integration. Requires `IP2LOCATION_API_KEY`.

```bash
openosint ip2location 8.8.8.8
```

```text
[IP2Location] City: Mountain View, CA, US  |  ISP: Google LLC
[IP2Location] VPN: No  |  Proxy: No  |  TOR: No  |  Datacenter: Yes
```

### search_censys

IPv4 → host view (open ports, services, ASN). Domain → certificate search (SANs, issuer). Requires `CENSYS_API_ID` and `CENSYS_SECRET`.

```bash
openosint censys 8.8.8.8
openosint censys example.com
```

```text
[Censys] Open Ports: 53, 443, 853  |  ASN: AS15169 Google LLC
```

### search_abuseipdb

Checks an IP against [AbuseIPDB](https://www.abuseipdb.com) v2. Returns abuse confidence score, total reports, country, ISP, and last reported timestamp. Requires `ABUSEIPDB_API_KEY`.

```bash
openosint abuseipdb 198.51.100.1
```

```text
[AbuseIPDB] Abuse Confidence Score: 87%  |  Total Reports: 143
⚠️  HIGH ABUSE CONFIDENCE — flagged by AbuseIPDB
```

Warning appears when `abuseConfidenceScore` exceeds 50%.

### search_github

Queries [GitHub REST API](https://docs.github.com/en/rest). Username → profile, repos, commit-discovered emails. Keyword → user/repo search. Optional `GITHUB_TOKEN` raises rate limit from 60 to 5000 req/h.

```bash
openosint github johndoe99
```

```text
[GitHub] Repos: 42  |  Followers: 128
[GitHub] Commit email: johndoe@example.com
```

### search_dns

Queries A/AAAA/MX/NS/TXT/CNAME/SOA records and analyzes SPF, DMARC, and DKIM configuration using [dnspython](https://www.dnspython.org) (no external API).

```bash
openosint dns example.com
```

```text
[DNS] A: 93.184.216.34
[DNS] MX: mail.example.com (priority 10)
[DNS] SPF: v=spf1 include:_spf.google.com ~all
```

### search_dorks_live

Executes live Google dork queries through the [Bright Data SERP API](https://get.brightdata.com/984ni58s2oad?utm_source=github&utm_medium=readme)¹, returning structured results (title, URL, snippet). Defaults to 5 dorks per run; each is a separate billable API call. Requires `BRIGHTDATA_API_KEY` and `BRIGHTDATA_SERP_ZONE`.

```bash
openosint search-dorks-live "john doe" --max-dorks 3
```

```text
[+] Dork: "john doe" site:linkedin.com
    Title:   John Doe | LinkedIn
    URL:     https://www.linkedin.com/in/john-doe-12345
```

### scrape_url

Fetches any public URL through [Bright Data Web Unlocker](https://get.brightdata.com/984ni58s2oad?utm_source=github&utm_medium=readme)¹, bypassing Cloudflare/CAPTCHA. Returns clean Markdown. Requires `BRIGHTDATA_API_KEY` and `BRIGHTDATA_UNLOCKER_ZONE`.

```bash
openosint scrape https://example.com
```

```text
[Web Unlocker] Remote status: 200
# Example Domain
This domain is for use in illustrative examples in documents.
```

---

## Interfaces

### Web UI

```bash
pip install "openosint[web]"
openosint web
# Opens http://localhost:8080 automatically
```

Browser-based AI chat with streaming tool output, inline result cards, light/dark theme toggle. Supports local inference via Ollama or any OpenAI-compatible endpoint — no Anthropic API key required.

```bash
# Fully local (no API key) — requires Ollama runtime: https://ollama.com
ollama pull llama3.2
openosint web
# Settings -> Ollama (local) -> model: llama3.2

# OpenAI-compatible endpoint (LiteLLM, vLLM, LM Studio, ...)
export OPENAI_BASE_URL="http://localhost:4000/v1"
openosint web
# Settings -> OpenAI API
```

### Interactive REPL

Run `openosint` with no arguments to start the AI-powered REPL:

  

**REPL commands:**

| Command | Description |
|---------|-------------|
| `` | Investigate any target — email, username, domain, IP, name |
| `clear` | Reset conversation memory |
| `save` | Save last report to `reports/` |
| `tools` | List available tools and their status |
| `config` | Show current configuration |
| `history` | Browse saved sessions |
| `help` | Show all commands |
| `exit` / Ctrl-D | Exit |

All sessions are auto-saved to `~/.openosint/history/`. Browse with `openosint history`.

For the REPL/CLI with an OpenAI-compatible backend:

```bash
pip install "openosint[openai]"
openosint --provider openai \
  --openai-base-url http://localhost:4000/v1 \
  --openai-model gpt-4o-mini
```

### Live Documentation

Full per-tool reference, CLI flags, and configuration options at [openosint.tech](https://openosint.tech/).

  

### MCP Server

Expose all 18 OpenOSINT tools to any MCP-compatible AI client. Once connected, Claude can natively invoke all 18 tools during conversations.

**Claude Code:**

```bash
claude mcp add openosint python /absolute/path/to/OpenOSINT/openosint/mcp_server.py
claude mcp list
```

**Claude Desktop** — add to `~/Library/Application Support/Claude/claude_desktop_config.json`:

```json
{
  "mcpServers": {
    "openosint": {
      "command": "python",
      "args": ["/absolute/path/to/OpenOSINT/openosint/mcp_server.py"]
    }
  }
}
```

**Agentic use via Claude Code:**

```text
$ claude
> Investigate target@example.com. Trace any username found
  across other platforms and compile a full report.
```

---

## Installation

```bash
# From PyPI (recommended)
pip install openosint

# From source
git clone https://github.com/OpenOSINT/OpenOSINT.git
cd OpenOSINT
pip install -e .
```

**External binaries** (must be in `PATH`):

| Binary | Purpose | Install |
|--------|---------|---------|
| `holehe` | Email account enumeration | `pip install holehe` |
| `sherlock` | Username enumeration (300+ platforms) | `pip install sherlock-project` |
| `sublist3r` | Subdomain enumeration | `pip install sublist3r` |
| `phoneinfoga` | Phone number intelligence | [Download binary](https://github.com/sundowndev/phoneinfoga/releases) |

If a binary is absent, the corresponding tool returns a descriptive error. All other tools remain operational.

**Optional Python packages:**

| Package | Purpose | Install |
|---------|---------|---------|
| `ollama` | Local LLM backend (no API key) | `pip install ollama` *(also requires [Ollama runtime](https://ollama.com))* |
| `openai` | OpenAI-compatible backend | `pip install "openosint[openai]"` |
| `shodan` | Shodan API client | `pip install shodan` |
| `reportlab` | PDF report export | `pip install reportlab` |
| `censys` | Censys API client | `pip install censys` |

## Configuration

Store keys in a `.env` file at the project root (copy `.env.example`). `python-dotenv` loads it automatically at startup.

| Variable | Tool | Required | Purpose |
|----------|------|----------|---------|
| `ANTHROPIC_API_KEY` | AI agent | Yes (or Ollama / OpenAI) | Anthropic API key |
| `OPENAI_BASE_URL` | AI agent | Optional | Base URL of an OpenAI-compatible endpoint (e.g. `http://localhost:4000/v1`) |
| `OPENAI_API_KEY` | AI agent | Optional | API key for the endpoint (local servers may ignore it) |
| `OPENAI_MODEL` | AI agent | Optional | Model name to request (default: `gpt-4o-mini`) |
| `HIBP_API_KEY` | `search_breach` | Optional | HaveIBeenPwned v3 — [get one](https://haveibeenpwned.com/API/Key) |
| `IPINFO_TOKEN` | `search_ip` | Optional | ipinfo.io higher rate limits |
| `SHODAN_API_KEY` | `search_shodan` | Optional | Shodan API — [get one](https://account.shodan.io) |
| `VIRUSTOTAL_API_KEY` | `search_virustotal` | Optional | VirusTotal API v3 — [get one](https://www.virustotal.com/gui/my-apikey) |
| `IP2LOCATION_API_KEY` | `search_ip2location` | Optional | IP2Location.io — [get one](https://www.ip2location.io/pricing) *(sponsored)* |
| `CENSYS_API_ID` + `CENSYS_SECRET` | `search_censys` | Optional | Censys — [get one](https://censys.io/account) |
| `ABUSEIPDB_API_KEY` | `search_abuseipdb` | Optional | AbuseIPDB v2 — [get one](https://www.abuseipdb.com/account/api) |
| `GITHUB_TOKEN` | `search_github` | Optional | GitHub API

…

## Source & license

This open-source MCP server is cataloged on AgentStack and links to its original source — we do not rehost the code.

- **Author:** [OpenOSINT](https://github.com/OpenOSINT)
- **Source:** [OpenOSINT/OpenOSINT](https://github.com/OpenOSINT/OpenOSINT)
- **License:** MIT
- **Homepage:** https://openosint.tech

Install and usage instructions live in the source repository linked above.

## Pricing

- **Free** — Free

## Versions

- **2.15.1** — security scan: pending review — Imported from the upstream source.

## Links

- Listing page: https://agentstack.voostack.com/l/mcp-openosint-openosint
- Seller: https://agentstack.voostack.com/s/openosint
- Browse the marketplace: https://agentstack.voostack.com/browse

---
Listed on AgentStack — the marketplace for AI agent skills and MCP servers. Every listing is security-reviewed. Creators keep 70%.