mcp-name: io.github.OpenOSINT/openosint

OpenOSINT

OSINT agent for security researchers and analysts: 18 investigation tools behind a natural-language interface.

Use it as a REPL, CLI, MCP server, or browser Web UI.

The AI issues hard-stop tool calls; your code executes the real binary — hallucinated findings are structurally impossible.

Try the live demo →

pip install openosint

# Interactive AI REPL (default)
openosint

# Web interface
openosint web

# Direct tool (no AI)
openosint email target@example.com

Start the REPL and investigate any target — the agent decides which tools to run and chains them on findings:

openosint > investigate target@example.com

  -> generate_dorks('target@example.com')
  -> search_email('target@example.com')
  Found: Spotify, WordPress, Gravatar, Office365

  -> search_breach('target@example.com')
  Found in 2 breaches: LinkedIn (2016), Adobe (2013)

  -> search_username('johndoe99')   <- pivoted from email findings
  Found: GitHub, Reddit, Twitter

  Report saved -> reports/2026-05-11_14-32-11_report.md

Legal Disclaimer: OpenOSINT is intended for legal and authorized use only. Users are solely responsible for ensuring their use complies with all applicable laws and regulations. The authors accept no liability for misuse. See DISCLAIMER.md.

IP2Location IP Geolocation & IP Intelligence Enhanced IP geolocation, ISP, VPN/Proxy/Tor detection.

Your logo here Open: proxy detection · breach data · threat intel · email/identity One vendor per category — exclusive placement across README, docs, CLI, and Web UI. Media kit & pricing → · Open Collective · openosint@yahoo.com

Need OpenOSINT wired into your SOC, fraud, threat-intel, or AI-agent stack? I build bespoke OSINT & MCP integrations for teams — you bring the data sources and compliance requirements, I deliver a working integration.

→ Get in touch

Full per-tool documentation, CLI flags, and output formats: openosint.tech.

Enumerates online services linked to an email address using holehe.

openosint email target@example.com

[+] Spotify        https://open.spotify.com/user/target
[+] WordPress      https://wordpress.com/target
[+] Gravatar       https://gravatar.com/target
[+] Office365      email used

Searches for a username across 300+ platforms using sherlock.

openosint username johndoe99

[+] GitHub         https://github.com/johndoe99
[+] Twitter        https://twitter.com/johndoe99
[+] Reddit         https://reddit.com/user/johndoe99

Checks data breach exposure via HaveIBeenPwned v3 API. Requires HIBP_API_KEY.

[+] LinkedIn (2016-05-05) — leaked: Email addresses, Passwords
[+] Adobe (2013-10-04) — leaked: Email addresses, Password hints

Retrieves WHOIS data using python-whois.

[+] Registrar: ICANN
[+] Created: 1995-08-14
[+] Expires: 2024-08-13
[+] Name Servers: A.IANA-SERVERS.NET

Retrieves geolocation and ASN data via ipinfo.io. Free tier: 50k/month.

[+] Hostname: dns.google
[+] Org: AS15169 Google LLC
[+] City: Mountain View, CA, US

Enumerates subdomains using sublist3r.

[+] mail.example.com
[+] dev.example.com
[+] api.example.com

Generates 12 targeted Google dork URLs for any target. No network calls.

[+] "johndoe" site:linkedin.com
    https://www.google.com/search?q=%22johndoe%22+site%3Alinkedin.com
[+] "johndoe" leaked OR breach OR dump
    https://www.google.com/search?q=%22johndoe%22+leaked+OR+breach+OR+dump

Searches Pastebin dumps via psbdmp.ws.

[+] https://pastebin.com/aB1cD2eF (2023-04-12)
[+] https://pastebin.com/xY3zA4bC (2022-11-08)

Gathers phone intelligence using phoneinfoga. Use E.164 format.

[+] Country: United States
[+] Carrier: AT&T
[+] Line type: Mobile

IPv4 input → host lookup (open ports, org, CVEs). Any other query → banner/keyword search. Requires SHODAN_API_KEY.

openosint shodan 8.8.8.8
openosint shodan "apache port:80 country:DE"

[+] Org: Google LLC  |  Open ports: 53, 443

Checks an IP, domain, URL, or file hash against VirusTotal's 70+ engines. Auto-detects input type. Requires VIRUSTOTAL_API_KEY.

openosint virustotal 8.8.8.8
openosint virustotal example.com
openosint virustotal 44d88612fea8a8f36de82e1278abb02f

[VirusTotal] Malicious: 0 / Harmless: 72

Queries IP2Location.io for enhanced IP intelligence: geolocation, ISP, ASN, and — on the Security Plan — VPN/Proxy/Tor/datacenter detection. Sponsored integration. Requires IP2LOCATION_API_KEY.

openosint ip2location 8.8.8.8

[IP2Location] City: Mountain View, CA, US  |  ISP: Google LLC
[IP2Location] VPN: No  |  Proxy: No  |  TOR: No  |  Datacenter: Yes

IPv4 → host view (open ports, services, ASN). Domain → certificate search (SANs, issuer). Requires CENSYS_API_ID and CENSYS_SECRET.

openosint censys 8.8.8.8
openosint censys example.com

[Censys] Open Ports: 53, 443, 853  |  ASN: AS15169 Google LLC

Checks an IP against AbuseIPDB v2. Returns abuse confidence score, total reports, country, ISP, and last reported timestamp. Requires ABUSEIPDB_API_KEY.

openosint abuseipdb 198.51.100.1

[AbuseIPDB] Abuse Confidence Score: 87%  |  Total Reports: 143
⚠️  HIGH ABUSE CONFIDENCE — flagged by AbuseIPDB

Warning appears when abuseConfidenceScore exceeds 50%.

Queries GitHub REST API. Username → profile, repos, commit-discovered emails. Keyword → user/repo search. Optional GITHUB_TOKEN raises rate limit from 60 to 5000 req/h.

openosint github johndoe99

[GitHub] Repos: 42  |  Followers: 128
[GitHub] Commit email: johndoe@example.com

Queries A/AAAA/MX/NS/TXT/CNAME/SOA records and analyzes SPF, DMARC, and DKIM configuration using dnspython (no external API).

openosint dns example.com

[DNS] A: 93.184.216.34
[DNS] MX: mail.example.com (priority 10)
[DNS] SPF: v=spf1 include:_spf.google.com ~all

Executes live Google dork queries through the Bright Data SERP API¹, returning structured results (title, URL, snippet). Defaults to 5 dorks per run; each is a separate billable API call. Requires BRIGHTDATA_API_KEY and BRIGHTDATA_SERP_ZONE.

openosint search-dorks-live "john doe" --max-dorks 3

[+] Dork: "john doe" site:linkedin.com
    Title:   John Doe | LinkedIn
    URL:     https://www.linkedin.com/in/john-doe-12345

Fetches any public URL through Bright Data Web Unlocker¹, bypassing Cloudflare/CAPTCHA. Returns clean Markdown. Requires BRIGHTDATA_API_KEY and BRIGHTDATA_UNLOCKER_ZONE.

openosint scrape https://example.com

[Web Unlocker] Remote status: 200
# Example Domain
This domain is for use in illustrative examples in documents.

pip install "openosint[web]"
openosint web
# Opens http://localhost:8080 automatically

Browser-based AI chat with streaming tool output, inline result cards, light/dark theme toggle. Supports local inference via Ollama or any OpenAI-compatible endpoint — no Anthropic API key required.

# Fully local (no API key) — requires Ollama runtime: https://ollama.com
ollama pull llama3.2
openosint web
# Settings -> Ollama (local) -> model: llama3.2

# OpenAI-compatible endpoint (LiteLLM, vLLM, LM Studio, ...)
export OPENAI_BASE_URL="http://localhost:4000/v1"
openosint web
# Settings -> OpenAI API

Run openosint with no arguments to start the AI-powered REPL:

REPL commands:

All sessions are auto-saved to ~/.openosint/history/. Browse with openosint history.

For the REPL/CLI with an OpenAI-compatible backend:

pip install "openosint[openai]"
openosint --provider openai \
  --openai-base-url http://localhost:4000/v1 \
  --openai-model gpt-4o-mini

Full per-tool reference, CLI flags, and configuration options at openosint.tech.

Expose all 18 OpenOSINT tools to any MCP-compatible AI client. Once connected, Claude can natively invoke all 18 tools during conversations.

Claude Code:

claude mcp add openosint python /absolute/path/to/OpenOSINT/openosint/mcp_server.py
claude mcp list

Claude Desktop — add to ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "openosint": {
      "command": "python",
      "args": ["/absolute/path/to/OpenOSINT/openosint/mcp_server.py"]
    }
  }
}

Agentic use via Claude Code:

$ claude
> Investigate target@example.com. Trace any username found
  across other platforms and compile a full report.

# From PyPI (recommended)
pip install openosint

# From source
git clone https://github.com/OpenOSINT/OpenOSINT.git
cd OpenOSINT
pip install -e .

External binaries (must be in PATH):

If a binary is absent, the corresponding tool returns a descriptive error. All other tools remain operational.

Optional Python packages:

Store keys in a .env file at the project root (copy .env.example). python-dotenv loads it automatically at startup.

# Build and run
docker compose up --build

# One-off command
docker compose run --rm openosint email target@example.com --json

Set ANTHROPIC_API_KEY (and optionally HIBP_API_KEY, IPINFO_TOKEN) in a .env file or export them before running docker compose. Reports are persisted to ./reports/ via a volume mount.

DigitalOcean App Platform: see .do/app.yaml for App Platform configuration.

New to AI-assisted OSINT? The free starter set gives you 5 structured prompts — one per stage of a real investigation — that make ChatGPT and Claude collect real public data instead of hallucinating it.

• Scope → Collect → Pivot → Verify → Document
• Works with any AI assistant (Claude, ChatGPT, Gemini)
• Free PDF, instant download — enter $0, no card needed

→ Free download on Gumroad

OpenOSINT gives you the tooling. The AI OSINT Prompt Pack gives you the method: 30+ tested prompts that make ChatGPT / Claude collect → pivot → verify against real public sources instead of hallucinating.

• Email, username, domain, IP, phone, company due-diligence, image & reporting prompts
• One repeatable investigation flow + an ethics & legal primer
• 7-page PDF · instant download · pairs directly with OpenOSINT

→ Get the Prompt Pack ($29)

Buying it directly funds OpenOSINT's development.

OpenOSINT is used by OSINT practitioners, security researchers, and developers actively evaluating intelligence APIs. Every time a user configures an integration, the docs route them to that provider's sign-up page — high-intent exposure at the moment of adoption.

Featured Integration ($2,000/year or $220/month): recommended/default provider for one tool category, exclusive. Logo + badge across README, docs, CLI banner, and Web UI. One vendor per category.

Open categories: proxy detection · breach/credential data · threat & domain intel · email/identity lookup

→ Full media kit and pricing: openosint.tech/sponsors.html

IP2Location.io — Featured Integration · IP Geolocation & IP Intelligence

Enhanced IP geolocation, ISP, VPN/Proxy/Tor, and datacenter detection. Powers search_ip2location.

Open Collective · openosint@yahoo.com · SPONSORSHIP.md

The framework is free and MIT-licensed. This is an optional paid setup service offered by the maintainer.

OSINT-MCP Setup Sprint — done-for-you installation and configuration of an autonomous OSINT-MCP pipeline on your environment. Fully async, no calls required.

Includes:

• Pre-configured OpenOSINT setup tailored to your stack (Claude Code, Claude Desktop, or any MCP client)
• API keys wired in (Shodan, VirusTotal, IP2Location, HaveIBeenPwned, and others as needed)
• One investigation workflow built around your use case
• Written step-by-step setup guide + screen-recorded walkthrough
• 1-page runbook
• Async email support for 7 days

Delivery: 3–5 days, fully async.

For: SOC analysts · threat-intel teams · fraud/AML · pentesters · OSINT investigators

Founding pricing available for early teams — inquire.

→ Email openosint@yahoo.com · LinkedIn ·

For authorized use only. See DISCLAIMER.md.

OpenOSINT is free and MIT-licensed for everyone — personal projects, commercial products, SaaS, and closed-source are all covered with no purchase required. Organizations that additionally need a vendor contract, written warranty, indemnification, SLA, or priority support for procurement and compliance can purchase a commercial plan. Three tiers available from €300/year — see COMMERCIAL.md for full details and pricing. Contact: commercial@openosint.tech.

Issues and pull requests are welcome. See CONTRIBUTING.md for the development workflow, integration registration checklist, and coding conventions. Please read DISCLAIMER.md before contributing.

export OPENOSINT_DEMO_KEY=sk-ant-...   # your Anthropic key — never committed
openosint --web &                      # start the web server on :8080
make demo                              # record -> encode -> write docs/assets/demo-web-graph.*
git add docs/assets/demo-web-graph.*

See scripts/record-demo/README.md for full prerequisites and pipeline details.

Tommaso Bertocchi

• X (personal): https://x.com/SonoTommy_
• X (OpenOSINT): https://x.com/openosint_oss
• LinkedIn: https://www.linkedin.com/company/openosintoss
• Email: openosint@yahoo.com

OpenOSINT is open source under the MIT License — free for any use, including personal, commercial, academic, and closed-source.

¹ Bright Data links in this README are affiliate/referral links — OpenOSINT earns a commission if you sign up through them, at no extra cost to you.

For authorized security research only. See DISCLAIMER.md.

OpenOSINT v2.22.0 — June 2026