Complete MCP Tools
OSINT Tools
| Tool | Parameters | Description |
|---|---|---|
| virustotal_ip_lookup | ip: str | IP reputation, AV detections, associated domains |
| virustotal_domain_lookup | domain: str | Categories, reputation, WHOIS, detections |
| virustotal_hash_lookup | hash: str | File reputation, AV detections, metadata |
| abuseipdb_check_ip | ip: str | Abuse confidence (0-100%), reports, ISP |
| alienvault_ip_lookup | target: str | OTX threat pulses, ASN, country |
| shodan_host_lookup | ip: str | Ports, services, CVEs |
| ipinfo_lookup | ip: str | Geolocation, org, hostname |
| urlscan_lookup | url: str | Page scan, verdict, technologies |
| whois_lookup | domain: str | Registrar, dates, registrant |
| dns_lookup | domain: str | A, AAAA, MX, NS, TXT, CNAME records |
| crtsh_lookup | domain: str | Subdomains by Certificate Transparency |
| fetch_threat_feed | feed: str, limit: int | IOCs from Feodo, URLhaus, IPsum, etc. |

Agent and Scoring
| Tool | Parameters | Description |
|---|---|---|
| investigate_ioc | ioc: str | Complete investigation with ReAct agent |
| get_risk_score | ioc: str | Risk score 0-100 |
| generate_report | — | Generates threat intel report from session |
| classify_ioc | ioc: str | Classifies threat type |
| list_available_feeds | — | Lists available threat feeds |
| list_tools | — | Lists all registered OSINT tools |

Intelligence and Context
| Tool | Parameters | Description |
|---|---|---|
| gdelt_entity_search | entity: str, days: int | Recent news about an entity |
| gdelt_topic_search | topic: str, days: int | News about a topic |
| gdelt_tone_analysis | entity: str, days: int | Media tone analysis |
| rss_news_search | query: str | Search in general RSS feeds |
| rss_security_news | query: str | Cybersecurity news |
| rss_financial_news | query: str | Financial news |
| get_crypto_prices | coins: list[str] | Cryptocurrency prices (CoinGecko) |
| get_economic_indicator | indicator: str | Macroeconomic indicators (FRED) |
| acled_conflict_events | country: str, days: int | Conflict events (ACLED) |
| get_country_risk_score | country_code: str | Country Instability Index |
| ais_vessel_lookup | mmsi: str | Vessel information (AISStream) |
| ais_chokepoint_activity | chokepoint: str | Traffic at strategic maritime chokepoint |
| check_entity_anomaly | entity: str | Anomaly detection in mentions |
| search_history | query: str | Search in investigation history |

Investigation Management
| Tool | Parameters | Description |
|---|---|---|
| create_investigation | name: str, goal: str | Create new investigation |
| list_investigations | — | List all investigations |
| get_investigation_summary | slug: str | Investigation summary |
| ingest_evidence | source: str, investigation_slug: str | Ingest evidence |
| add_entity | type: str, name: str, slug: str | Manually add entity |
| list_entities | slug: str | List investigation entities |
| add_claim | text: str, evidence_id: str, slug: str | Record claim with traceability |
| list_claims | slug: str | List investigation claims |
| verify_claim | claim_id: str, status: str | Change claim status |
| semantic_search_evidence | query: str, slug: str, n: int | Semantic search in evidence |

The 5 Resources
| URI | Description |
|---|---|
| osint://feeds | Available feeds with description and URL |
| osint://tools | All tools with name and description |
| osint://history/{query} | Past results for an IOC |
| osint://investigations | JSON list of all investigations |
| osint://investigation/{slug} | Complete investigation details |

The 3 Prompts
| Prompt | Variables | Usage |
|---|---|---|
| investigate_ip | ip: str | Complete template for investigating an IP |
| investigate_domain | domain: str | Complete template for investigating a domain |
| investigate_url | url: str | Complete template for investigating a URL |