Passive domain reconnaissance using Python stdlib. Subdomain discovery, SSL certificate inspection, WHOIS lookups, DNS records, domain availability checks, and bulk multi-domain analysis. No API keys required.
Passive domain reconnaissance using only Python stdlib. Zero dependencies. Zero API keys. Works on Linux, macOS, and Windows.
This skill includes scripts/domain_intel.py — a complete CLI tool for all domain intelligence operations.
# Subdomain discovery via Certificate Transparency logs
python3 SKILL_DIR/scripts/domain_intel.py subdomains example.com
# SSL certificate inspection (expiry, cipher, SANs, issuer)
python3 SKILL_DIR/scripts/domain_intel.py ssl example.com
# WHOIS lookup (registrar, dates, name servers — 100+ TLDs)
python3 SKILL_DIR/scripts/domain_intel.py whois example.com
# DNS records (A, AAAA, MX, NS, TXT, CNAME)
python3 SKILL_DIR/scripts/domain_intel.py dns example.com
# Domain availability check (passive: DNS + WHOIS + SSL signals)
python3 SKILL_DIR/scripts/domain_intel.py available coolstartup.io
# Bulk analysis — multiple domains, multiple checks in parallel
python3 SKILL_DIR/scripts/domain_intel.py bulk example.com github.com google.com
python3 SKILL_DIR/scripts/domain_intel.py bulk example.com github.com --checks ssl,dns
SKILL_DIR is the directory containing this SKILL.md file. All output is structured JSON.
| Command | What it does | Data source |
|---|---|---|
subdomains | Find subdomains from certificate logs | crt.sh (HTTPS) |
ssl | Inspect TLS certificate details | Direct TCP:443 to target |
whois | Registration info, registrar, dates | WHOIS servers (TCP:43) |
dns | A, AAAA, MX, NS, TXT, CNAME records | System DNS + Google DoH |
available | Check if domain is registered | DNS + WHOIS + SSL signals |
bulk | Run multiple checks on multiple domains | All of the above |
web_search for general research about what a domain/company doesweb_extract to get the actual content of a webpageterminal with curl -I for a simple "is this URL reachable" check| Task | Better tool | Why |
|---|---|---|
| "What does example.com do?" | web_extract | Gets page content, not DNS/WHOIS data |
| "Find info about a company" | web_search | General research, not domain-specific |
| "Is this website safe?" | web_search | Reputation checks need web context |
| "Check if a URL is reachable" | terminal with curl -I | Simple HTTP check |
| "Find subdomains of X" | This skill | Only passive source for this |
| "When does the SSL cert expire?" | This skill | Built-in tools can't inspect TLS |
| "Who registered this domain?" | This skill | WHOIS data not in web search |
| "Is coolstartup.io available?" | This skill | Passive availability via DNS+WHOIS+SSL |
Pure Python stdlib (socket, ssl, urllib, json, concurrent.futures).
Works identically on Linux, macOS, and Windows with no dependencies.
All queries are passive — no port scanning, no vulnerability testing:
Contributed by @FurkanL0