
Security and Legal Use


Data Privacy

Everything is local

  • SQLite and ChromaDB databases are stored on your machine
  • Investigations, evidence and reports are saved in local folders
  • With Ollama, the LLM model also runs locally — no query leaves your machine

API keys

  • Saved in .env (gitignored) — never uploaded to the repository
  • Only sent to respective OSINT services (VirusTotal, AbuseIPDB, etc.)
  • Never logged or transmitted to other services

When using cloud LLMs

If you use LLM_PROVIDER=openai or LLM_PROVIDER=anthropic, your queries are sent to the provider. If IOC privacy is critical (sensitive investigations, customer data), use local Ollama.

Passive reconnaissance only

All tools perform passive reconnaissance:

| What it does | What it does NOT do |
| --- | --- |
| Queries to public APIs (VirusTotal, Shodan…) | Active port scanning |
| DNS queries (read-only) | Sending attack traffic |
| Certificate Transparency log queries | Subdomain brute-force |
| Public WHOIS lookups | Vulnerability exploitation |
| Threat feed reading | DNS record modification |

Shodan, for example, shows data that has ALREADY been collected — it doesn’t scan the IP at query time.

Rate limits and responsible use

Respect the terms of use of each service:

```bash
BATCH_DELAY_SECONDS=2   # Pause between IOCs in batch mode (prevents rate limit breaches)
CACHE_TTL_SECONDS=86400 # 24h cache (avoids redundant calls)
```

Recommendations

  • Don’t process more than 100 IOCs/hour in batch mode without increasing delay
  • Use the cache — avoid analyzing the same IOC multiple times in one day
  • With VirusTotal free tier (500 req/day), it’s easy to hit the limit in batch mode
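As an added illustration (not code from OSINT AI One), the following Python runner shows how the two settings above work together with a daily quota: a cached result is reused until CACHE_TTL_SECONDS expires, live calls are spaced BATCH_DELAY_SECONDS apart, and the batch stops before the 500-request free-tier budget is exceeded. The `lookup` callable is a hypothetical stand-in for a real OSINT client; the clock and sleep functions are injectable so the behaviour can be checked without waiting.

```python
import os
import time

# Same settings the page documents, read from the environment with the documented defaults.
BATCH_DELAY_SECONDS = float(os.environ.get("BATCH_DELAY_SECONDS", "2"))
CACHE_TTL_SECONDS = int(os.environ.get("CACHE_TTL_SECONDS", "86400"))
DAILY_QUOTA = 500  # VirusTotal free tier, as stated above


class IocBatchRunner:
    """Runs IOC lookups with a TTL cache, a pause between live calls and a daily budget.

    Constructed example; `lookup` is a hypothetical function ioc -> result dict.
    """

    def __init__(self, lookup, delay=BATCH_DELAY_SECONDS, ttl=CACHE_TTL_SECONDS,
                 quota=DAILY_QUOTA, clock=time.time, sleep=time.sleep):
        self.lookup = lookup
        self.delay, self.ttl, self.quota = delay, ttl, quota
        self.clock, self.sleep = clock, sleep  # injectable so tests need not wait
        self.cache = {}        # ioc -> (fetched_at, result)
        self.live_calls = 0    # live requests made so far today
        self.last_call = None  # timestamp of the last live request

    def query(self, ioc):
        """Return (result, "cache" | "live"); raise once the daily quota is spent."""
        hit = self.cache.get(ioc)
        if hit is not None and self.clock() - hit[0] < self.ttl:
            return hit[1], "cache"  # fresh enough: no request leaves the machine
        if self.live_calls >= self.quota:
            raise RuntimeError(f"daily quota of {self.quota} live lookups exhausted")
        if self.last_call is not None:
            wait = self.delay - (self.clock() - self.last_call)
            if wait > 0:
                self.sleep(wait)  # enforce BATCH_DELAY_SECONDS between live calls
        result = self.lookup(ioc)
        self.last_call = self.clock()
        self.live_calls += 1
        self.cache[ioc] = (self.last_call, result)
        return result, "live"

    def run_batch(self, iocs):
        """Look up every IOC in order; duplicates within the batch hit the cache."""
        return {ioc: self.query(ioc) for ioc in iocs}
```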

Investigation classification

| Investigation type | Legal status |
| --- | --- |
| IOC analysis on your own infrastructure | Always legal |
| Threat hunting on systems you administer | Legal |
| Academic research or CTF | Legal |
| Third-party due diligence (with consent) | Legal |
| OSINT on public figures (public data) | Jurisdiction dependent |
| Reconnaissance of systems without authorization | Illegal in most countries |

Personal data (GDPR)

If you investigate entities that include personal data (name, email, phone, IBAN):

  • Only use data from legal public sources
  • Don’t cross-reference personal data to create profiles without legal basis
  • Respect deletion rights if applicable
  • For journalistic or public interest investigations, consult a lawyer

Reports and disclosure

When sharing reports generated by this tool:

  • Indicate that information comes from public sources and may be inaccurate
  • Don’t claim an IP or domain is malicious just because of the score — it’s a signal, not proof
  • Risk score is a probabilistic indicator, not a legal verdict
  • Always include the date of analysis (data changes)

Vulnerability reporting

If you find a security vulnerability in OSINT AI One:

  1. Don’t disclose it publicly until it’s patched
  2. Report privately via GitHub Issues marked as “Security”
  3. Include reproduction steps and potential impact