A2A Skills

investigate_ip

Description: Complete investigation of an IP with all available OSINT tools.

Input:

{
  "skill": "investigate_ip",
  "message": "Investigate IP 185.220.101.34"
}

Output:

{
  "ioc": "185.220.101.34",
  "ioc_type": "ip",
  "risk_score": 94,
  "risk_level": "CRITICAL",
  "assessment": "IP 185.220.101.34 is a detected Tor exit node...",
  "tools_used": ["virustotal_ip_lookup", "abuseipdb_check_ip", "shodan_host_lookup", "..."],
  "malicious_indicators": ["87 AV detections", "95% abuse confidence", "Active Tor node"],
  "related_iocs": ["evil-relay.example.com"],
  "timestamp": "2026-03-07T14:30:00Z"
}

investigate_domain

Description: Complete investigation of a domain.

Input:

{
  "skill": "investigate_domain",
  "message": "investigate domain evil-phishing.com"
}

Output: Same as investigate_ip but with domain-specific fields (WHOIS, DNS, subdomains, certs).

investigate_url

Description: Analysis of a URL with URLScan and additional context.

Input:

{
  "skill": "investigate_url",
  "message": "analyze URL http://malware.host/payload.exe"
}

Output:

{
  "url": "http://malware.host/payload.exe",
  "risk_score": 88,
  "verdict": "malicious",
  "technologies": ["nginx", "PHP"],
  "screenshot_url": "https://urlscan.io/screenshots/...",
  "domain_analysis": {...},
  "ip_analysis": {...}
}

threat_feed_analysis

Description: Analyzes the N most recent IOCs from a threat feed.

Input:

{
  "skill": "threat_feed_analysis",
  "message": "analyze feodo feed top 5"
}

Output:

{
  "feed": "feodo",
  "analyzed": 5,
  "results": [
    {"ioc": "185.220.101.34", "risk_score": 94, "risk_level": "CRITICAL"},
    {"ioc": "192.168.100.1", "risk_score": 72, "risk_level": "HIGH"},
    ...
  ],
  "summary": "3 of 5 IOCs are CRITICAL or HIGH risk"
}

risk_scoring

Description: Returns only the risk score for an IOC, without complete analysis. Faster and more economical.

Input:

{
  "skill": "risk_scoring",
  "message": "score 185.220.101.34"
}

Output:

{
  "ioc": "185.220.101.34",
  "risk_score": 94,
  "risk_level": "CRITICAL",
  "confidence": 0.95
}

Streaming events

All skills support streaming. Event types:

Type	Description
`tool_call`	Agent is about to execute a tool
`tool_result`	Tool result received
`reasoning`	Agent reasoning step (optional)
`final`	Final result of investigation
`error`	Error during investigation

{"type": "tool_call", "data": {"tool": "virustotal_ip_lookup", "input": "185.220.101.34"}}
{"type": "tool_result", "data": {"tool": "virustotal_ip_lookup", "malicious_count": 87}}
{"type": "final", "data": {"risk_score": 94, "assessment": "..."}}