OSINT Skill v3.0 — Orchestrated Intelligence

Phase 2: RECON (Orchestrator does this directly)

Run initial reconnaissance yourself using web_search + browser:

1. 3-5 targeted web searches — name + employer, name + platform, name + location
2. Read key pages — corporate bio, LinkedIn snippet, any primary source
3. Identify all possible matches — are there multiple people with this name?
4. Disambiguate — decide which profiles belong to the target, which don't
5. Build a target profile:
   • Confirmed identifiers (name, location, employer, handles)
   • Confirmed platforms (with URLs)
   • Professional background
   • What's missing (gaps to fill)

Output: Mental model of who this person is. You should be able to write a 2-sentence bio at this point.

Alternative: For targets with unusual/unique names, use the recon script:

python3 skills/osint/scripts/osint-recon.py --name "Target Name" --location "Location"

But ALWAYS review its output yourself — don't trust it blindly.

Phase 3: PLAN

Based on recon findings, decide which tools to deploy:

High-value phases (almost always useful):

• Web dorking (osint-dorking.py) — finds mentions, profiles, documents
• Deep profile (osint-profile.py) — GitHub, Reddit, Dev.to, HN details
• Breach check (osint-breach.py) — if email is known

Situational phases (only when relevant):

• Username scan (osint-username.py) — only if you have confirmed usernames
• Social graph (osint-social-graph.py) — only for GitHub-active targets
• Wayback (osint-wayback.py) — only if target has/had a personal website
• Geolocation (osint-geo.py) — only for tech targets with Git commits
• Company intel (osint-company.py) — only if company research requested
• Image cross-match (osint-image.py) — only if avatar analysis needed

Usually skip:

• Extended username scan (1700+ platforms) — mostly false positives for non-tech targets
• Maigret scan — same issue, noise > signal for most people

Decision rule: If in doubt about a phase, ask: "Will this produce actionable intel for THIS specific target?" If no → skip it.

Phase 4: EXECUTE (Spawn workers)

Spawn targeted sub-agents with TIGHT instructions. Each worker gets:

1. Objective — exactly what to find
2. Tool command — the exact script to run
3. Target identifiers — confirmed usernames/emails only (no guesses)
4. Output format — what to report back
5. Boundaries — what to ignore, what's out of scope

Sub-agent task template:

Run OSINT [phase name] on [target].

Execute:
python3 skills/osint/scripts/[script] [arguments]

Report back:
- Key findings (confirmed, with confidence)
- Notable items that need follow-up
- Any errors or empty results

Ignore:
- [specific false positive patterns for this target]
- Results that don't match [target identifier]

Parallelization: Spawn 2-3 workers simultaneously for independent phases. Don't spawn all at once — you need to evaluate between rounds.

Phase 5: EVALUATE

When worker results come back:

1. Filter false positives — same name ≠ same person. Check context.
2. Cross-reference — does finding X from worker A corroborate finding Y from worker B?
3. Identify gaps — what's still missing? Is a Round 2 needed?
4. Quality check — are confidence levels appropriate?

Round 2 (if needed): Spawn additional targeted workers for leads, gaps, deep-reads.

Max 3 rounds. If you haven't found it in 3 rounds, it's probably not publicly available.

Phase 6: SYNTHESIZE (Orchestrator writes the dossier)

Write the final dossier yourself. This is where the intelligence happens.

Dossier structure:

# OSINT Dossier: [Target Name]
**Generated:** [date] — Orchestrated investigation
**Confidence:** [HIGH/MEDIUM/LOW] — [reason]

## Summary
[2-3 sentence coherent narrative]

## Key Facts
| Field | Value |
[structured table of confirmed facts]

## Digital Footprint
### Confirmed Profiles (HIGH confidence)
[verified, with URLs]

### Possible Matches (MEDIUM confidence)
[with explanation of why uncertain]

### Ruled Out
[profiles that look like the target but aren't — explain why]

## Career / Professional Profile
[timeline, roles, companies — only confirmed data]

## Education
[if found]

## Network & Connections
[if relevant — colleagues, organizations, related people]

## Key Observations
[your analysis — patterns, insights, notable findings]

## Data Breaches
[if found — dates, sources, what was exposed]

## Gaps
[what we couldn't find and why]

## Sources
[numbered list of all primary sources used]

Writing rules:

• Confirmed facts only in Key Facts — don't speculate
• Disambiguate explicitly — explain which profiles belong to whom
• No data dumps — every line should be meaningful
• Analysis over data — Key Observations is the most valuable section
• Cite sources — every claim traces back to a source

QUICK MODE (simple lookups)

If the target is straightforward (unique name, public figure, just need basics):

1. Run 3-5 web searches directly
2. Read 2-3 key pages via browser
3. Write dossier — no sub-agents needed

Use this when: target has low disambiguation risk AND requester needs a quick answer. If the name is common or the request is complex → use Orchestration Protocol.

AUTOMATED MODE (batch/fallback)

# Recon-first automated pipeline
python3 skills/osint/scripts/osint-full.py --recon --name "Name" --location "Location"

# Quick automated scan
python3 skills/osint/scripts/osint-full.py --recon --name "Name" --quick

# Username-only scan
python3 skills/osint/scripts/osint-full.py username --quick

⚠️ Automated mode runs all phases blindly. It WILL produce false positives for common names and CANNOT disambiguate. Use orchestrated mode for quality.

TOOL REFERENCE

Output

knowledge/osint/     # Final dossiers (markdown, QMD-searchable)
skills/osint/output/ # Intermediate files (target.json, phase reports)

Configuration

# Required for dorking + recon
export BRAVE_API_KEY="BSA..."

# Optional
export GITHUB_TOKEN="ghp_..."  # 60→5000 req/hr for GitHub API
export SHODAN_API_KEY="..."    # for domain recon

📍 PHOTO GEOLOCATION

GeoGuessr-style geolocation using EXIF GPS, Vision AI, landmark pivot, and reverse geocode.

# Single image (local file)
python3 skills/osint/scripts/osint-photo-geo.py photo.jpg

# Image URL
python3 skills/osint/scripts/osint-photo-geo.py https://example.com/photo.jpg

# EXIF only (no Vision AI)
python3 skills/osint/scripts/osint-photo-geo.py photo.jpg --no-vision

# Save report
python3 skills/osint/scripts/osint-photo-geo.py photo.jpg --output report.md

# Batch folder
python3 skills/osint/scripts/osint-photo-geo.py --batch /path/to/photos/ --output-dir reports/

Layers: EXIF GPS → device fingerprint → Vision AI clue analysis → Wikipedia landmark → Nominatim reverse geocode → report with map links.

Requires: pillow + piexif
Optional: BRAVE_API_KEY (landmark search), vision model access (for AI layer)

ANTI-PATTERNS

1. ❌ Spawning one sub-agent to run osint-full.py — can't disambiguate, can't filter, produces Frankenstein dossiers
2. ❌ Running extended username scan on common names — 95% false positives
3. ❌ Trusting automated confidence levels blindly — HTTP 200 ≠ real profile
4. ❌ Including every finding in the dossier — noise drowns signal
5. ❌ Skipping the disambiguation step — multiple people with same name = garbage results
6. ❌ Running all phases for every target — most phases are irrelevant for non-tech targets

ETHICAL USE

• Only public data — no login scraping, no private APIs
• Legitimate purposes only — research, security, self-investigation
• GDPR-aware — reports stored locally, not shared without consent
• Never use for: stalking, harassment, doxing, unauthorized surveillance

Storage

Dossiers are plain markdown. Store them wherever fits your setup:

• knowledge/osint/ if using QMD/Obsidian (auto-indexed, searchable across vault)
• Any folder — scripts don't enforce a location
• All output includes YAML frontmatter for compatibility with static site generators, Obsidian, and search tools