CLI Reference
Main command: osint-agent
```bash
osint-agent [OPTIONS] [COMMAND]
```

Execution modes
Interactive mode (default)
```bash
osint-agent
```

Opens the osint> prompt for an interactive session.
Single query
```bash
osint-agent -q "Investigate IP 185.220.101.34"
osint-agent -q "Analyze domain evil.com" --json
```

| Flag | Description |
|---|---|
| -q, --query TEXT | Query to execute in non-interactive mode |
| --json | Output in JSON format |

Batch mode from file
```bash
osint-agent --batch iocs.txt
osint-agent --batch iocs.txt --limit 20 --json
```

| Flag | Description |
|---|---|
| --batch PATH | Path to file with one IOC per line |
| --limit N | Maximum IOCs to process (default: 10) |
| --json | JSON output per IOC |

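
An added example (not code from the osint-agent project) for preparing the one-IOC-per-line file that `--batch` reads: it refangs, validates and deduplicates pasted indicators, and passes `--limit` only when the default of 10 would cut the list short. It assumes the agent expects refanged values and that IPs, domains and URLs are the accepted types; the function names are hypothetical.

```python
import ipaddress
import re

DEFAULT_LIMIT = 10  # default of --limit, per the flag table above
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
URL_RE = re.compile(r"^https?://[^\s/]+\S*$", re.I)
DEFANG = (("[://]", "://"), ("[.]", "."), ("(.)", "."), ("[:]", ":"))

def normalise(line):
    """Refang one line and return a canonical IP, domain or URL, else None."""
    value = re.sub(r"^hxxp", "http", line.strip(), flags=re.I)
    for fanged, plain in DEFANG:
        value = value.replace(fanged, plain)
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if URL_RE.match(value):
        return value
    return value.lower() if DOMAIN_RE.match(value.lower()) else None

def prepare(lines):
    """Split raw lines into (unique valid IOCs in input order, rejected lines)."""
    valid, rejected = [], []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments never reach the batch file
        ioc = normalise(line)
        if ioc is None:
            rejected.append(line.strip())
        elif ioc not in valid:
            valid.append(ioc)
    return valid, rejected

def batch_command(path, count):
    """Build the invocation; pass --limit only when the default would truncate."""
    cmd = ["osint-agent", "--batch", path, "--json"]
    return cmd + ["--limit", str(count)] if count > DEFAULT_LIMIT else cmd

# Constructed sample, as if pasted from a report (not real case data).
SAMPLE = ["# from ticket", "185.220.101[.]34", "185.220.101.34", "Evil[.]com",
          "hxxp://evil[.]com/a.php", "", "see attached PDF", "999.1.1.1"]

if __name__ == "__main__":
    iocs, bad = prepare(SAMPLE)
    print("\n".join(iocs))  # write these lines to iocs.txt
    print("rejected:", bad)
    print(" ".join(batch_command("iocs.txt", len(iocs))))
```

Review the rejected lines by hand rather than discarding them silently; a malformed entry is often a typo in a real indicator.
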
Batch mode from feed
```bash
osint-agent --feed feodo --limit 5
osint-agent --feed urlhaus --limit 3 --json
```

| Flag | Description |
|---|---|
| --feed NAME | Feed name: feodo, urlhaus, ipsum, c2intel, cloudflare |
| --limit N | Number of IOCs to analyze from feed |
| --json | JSON output |

Global flags
| Flag | Description |
|---|---|
| --help | Show help |
| --version | Show version |
| --verbose | Detailed output (debug) |

Investigation subcommands
investigation create
```bash
osint-agent investigation create "Acme Corp Case" --goal "Due diligence"
```

| Flag | Description |
|---|---|
| NAME | Investigation name |
| --goal TEXT | Investigation objective |

investigation list
```bash
osint-agent investigation list
```

Lists all investigations with their status (active, archived).
investigation use
```bash
osint-agent investigation use acme-corp-case
```

Activates an investigation by its slug. Writes the slug to data/.active.
investigation archive
```bash
osint-agent investigation archive acme-corp-case
```

investigation reactivate

```bash
osint-agent investigation reactivate acme-corp-case
```

Status commands
status
```bash
osint-agent status
```

Shows a summary of the active investigation: name, objective, and the number of evidence items, entities and claims.
limits
```bash
osint-agent limits
```

Shows the monthly quota consumption for operations.
Interactive prompt commands
Once inside the osint> prompt:
| Command | Description |
|---|---|
| /dashboard | Risk table of all IOCs investigated in the session |
| /report save | Save Markdown report in reports/ |
| /report preview | Show report preview in terminal |
| /cache stats | SQLite cache statistics |
| /cache clear | Clear cache (next query will go to API) |
| /feeds list | List available feeds |
| /feeds <name> --limit N | Analyze N most recent IOCs from a feed |
| /help | List available commands |
| exit / quit | Exit the agent |

MCP Server: osint-mcp
```bash
osint-mcp                                            # STDIO
osint-mcp --transport streamable-http --port 8080   # HTTP
osint-mcp --help
```

A2A Server: osint-a2a

```bash
osint-a2a                     # default: 0.0.0.0:9000 (listens on all interfaces)
osint-a2a --port 9090         # custom port
osint-a2a --host 127.0.0.1    # localhost only
osint-a2a --help
```

Practical examples
```bash
# Quick investigation of one IOC
osint-agent -q "Investigate IP 8.8.8.8"

# Domain analysis with JSON output for scripting
osint-agent -q "Analyze domain google.com" --json | jq '.risk_score'

# Analyze top 5 active C2s from Feodo
osint-agent --feed feodo --limit 5

# Batch-process an IOC list with a 3s pause between IOCs
BATCH_DELAY_SECONDS=3 osint-agent --batch suspicious_ips.txt

# Start an investigation and activate it
osint-agent investigation create "Phishing-Q1-2026" --goal "Identify infrastructure"
osint-agent investigation use phishing-q1-2026

# Check status
osint-agent status
```