Claude Code Skills
Complete skill list
| Skill | Category | Brief description |
|---|---|---|
/osint-investigate | OSINT | Complete analysis 28 tools + saves as evidence |
/osint-recon | OSINT | Light technical recon without LLM reasoning |
/social-monitor | OSINT | Identity monitoring in social media |
/investigation-init | Lifecycle | Create new investigation |
/investigation-manage | Lifecycle | Archive, reactivate, summarize |
/evidence-ingest | Evidence | Complete ingestion pipeline |
/entity-extract | Entities | Extraction and FTM normalization |
/claim-track | Claims | Record assertion with traceability |
/verify-claims | Claims | Audit claim quality |
/db-query | Data | Read queries on the DB |
/db-manage | Data | Edit, merge, delete entities/claims |
/memory-query | Search | Semantic search in ChromaDB |
/alert-manage | Alerts | Create and manage alerts |
/report-generate | Reports | Final report with 9 sections |
osint-context | System | Auto-loaded context (identity, ontology) |
Skill details
/osint-investigate <target>
Syntax:
/osint-investigate 185.220.101.34/osint-investigate "acme-corp.com"/osint-investigate "Lazarus APT activity March 2026"Behavior:
- Detects target type (IP, domain, URL, hash, contextual query)
- Launches ReAct agent with 28 tools
- If active investigation exists, saves result as evidence
- Extracts key entities and records claims
Requires active investigation: No (but if one exists, saves results)
/osint-recon <domain|IP|email>
Syntax:
/osint-recon acme-corp.com/osint-recon 185.220.101.34/osint-recon user@example.comTools executed: WHOIS, DNS, crt.sh, HTTP headers, VirusTotal
Difference from /osint-investigate: Faster, no LLM reasoning, better suited for systematic recon
Requires active investigation: Yes
/investigation-init <name>
Syntax:
/investigation-init "Acme Corp Case"/investigation-init "APT-2024-Q1" --goal "Phishing campaign attribution"Creates:
- Directory
investigaciones/<slug>/with complete structure - SQLite registration with name, objective, date
- ChromaDB collection
osint_<slug> - Writes slug to
data/.active
/evidence-ingest <file|URL>
Syntax:
/evidence-ingest report.pdf/evidence-ingest https://example.com/press-release/evidence-ingest osint-result.jsonPipeline: SHA-256 → dedup → text extraction → chunking → embeddings → ChromaDB → SQLite
Supported formats: PDF, TXT, HTML, MD, JSON
/entity-extract
Syntax:
/entity-extract # Extract from all evidence/entity-extract ev_001 # Extract from specific evidenceExtracted types: Person, Company, Organization, PublicBody, Domain, Email, Phone, UserAccount, BankAccount, Document, Event, Location
/report-generate
Syntax:
/report-generateOutput: investigaciones/<slug>/informes/report-YYYY-MM-DD.md
Sections: Executive summary, Objective, Methodology, Verified findings, Entities, Evidence, Risks, Limitations, Next steps
/memory-query <text>
Syntax:
/memory-query "contracts with Chinese companies"/memory-query "offshore bank accounts"Uses semantic embeddings — finds relevant information even if exact words don’t match the evidence text.
/alert-manage
Available actions:
/alert-manage create --entity "Acme Corp" --frequency daily/alert-manage create --search "ransomware attack" --frequency weekly/alert-manage list/alert-manage delete alert-id-001/alert-manage run # Executes all active alerts now