huntkit

Investigation toolkit for Claude Code. Case management, OSINT, structured analytic techniques, chain-of-custody evidence capture, and bundled MCP servers for infrastructure recon and threat intel.

Not just a scraper wrapper. A full investigation workflow — from case intake to evidence-grade dossier.

Use it for: OSINT, due diligence, threat intelligence, incident response, digital forensics, journalistic research, competitive intel, security research, CTF challenges.

How it works

Investigation lifecycle

flowchart LR
    Start([New case]) --> NewCase[/q-new-case/]
    NewCase --> Scope[/q-scope/]
    Scope --> Begin[/q-begin/]

    Begin --> Collect{Collection}
    Collect --> Intake[/q-intake<br/>client docs/]
    Collect --> OSINT[/q-osint<br/>platform-targeted/]
    Collect --> Sweep[/q-collect<br/>broad sweep/]
    Collect --> Target[/q-target<br/>profile/]

    Intake --> Evidence[(EV-NNNN<br/>evidence items<br/>Wayback + archive.today<br/>+ Chrome PDF + SHA-256)]
    OSINT --> Evidence
    Sweep --> Evidence
    Target --> Evidence

    Evidence --> Analyze{Analysis}
    Analyze --> Timeline[/q-timeline/]
    Analyze --> Link[/q-link<br/>graph edges/]
    Analyze --> ACH[/q-analyze<br/>Heuer's ACH/]
    Analyze --> Challenge[/q-challenge<br/>red team/]
    Analyze --> Reality[/q-reality-check/]

    Timeline --> Report{Report}
    Link --> Report
    ACH --> Report
    Challenge --> Report
    Reality --> Report

    Report --> Brief[/q-brief<br/>evidence-cited/]
    Report --> Debrief[/q-debrief<br/>internal/]
    Brief --> Export[/q-export/]
    Debrief --> Export
    Export --> End([Dossier delivered])

    style Evidence fill:#fef3c7,stroke:#d97706,stroke-width:2px
    style Start fill:#dbeafe,stroke:#2563eb
    style End fill:#dcfce7,stroke:#16a34a

Loading

Every URL routes through capture-evidence.sh. Every finding cites [EV-NNNN]. Every claim has an A-F reliability grade.

Architecture

graph TB
    subgraph Claude[Claude Code]
        CC[/Claude Code session/]
    end

    subgraph huntkit[huntkit plugin]
        direction TB
        subgraph Skills
            OSINT_S[osint<br/>6-phase workflow]
            SA_S[structured-analysis<br/>Heuer's ACH + tradecraft primer]
        end

        subgraph Commands[22 commands]
            CM[case mgmt]
            CL[collection]
            AN[analysis]
            RP[reporting]
        end

        subgraph Rules[Enforced rules]
            EC[evidence-capture-protocol]
            QI[q-investigation]
            TD[token-discipline]
            SY[sycophancy]
        end

        subgraph Templates
            NI[new-investigation]
            SS[sec-stack-case]
        end
    end

    subgraph MCP[Bundled MCP servers]
        OI[osint-infra<br/>whois, dns, wayback]
        TI[threat-intel<br/>VT, URLhaus, ThreatFox, crt.sh]
    end

    subgraph External[Optional external APIs]
        PPL[Perplexity]
        EXA[Exa]
        TAV[Tavily]
        APF[Apify<br/>55+ scrapers]
        JIN[Jina]
        BD[Bright Data]
    end

    subgraph Case[Case workspace]
        EVD[(investigations/case/<br/>evidence/ findings/<br/>targets/ timelines/)]
    end

    CC --> huntkit
    huntkit --> MCP
    huntkit --> External
    huntkit --> Case
    Rules -.enforces.-> Commands
    Commands -.uses.-> Skills

    style Case fill:#fef3c7,stroke:#d97706
    style MCP fill:#e0e7ff,stroke:#6366f1
    style Rules fill:#fee2e2,stroke:#dc2626

Loading

What you get

Skills

• osint — 6-phase investigation: tooling check → seed collection → optional internal intel → platform extraction → cross-reference → psychoprofile → completeness scoring → dossier.
• structured-analysis — CIA tradecraft primer library (Heuer's ACH, key assumptions check, quality of information check, red team, premortem, 66-technique taxonomy). Apache 2.0, upstream Blevene/structured-analysis-skill.

Commands (22)

Case management: /q-new-case, /q-scope, /q-begin, /q-status, /q-checkpoint, /q-handoff, /q-end

Collection: /q-intake, /q-collect, /q-osint, /q-target, /q-screenshots

Analysis: /q-analyze, /q-challenge, /q-reality-check, /q-client-questions, /q-timeline, /q-link

Reporting: /q-brief, /q-debrief, /q-export

Specialized: /q-sec-stack (SaaS security stack intel)

MCP servers (bundled)

• osint-infra — WHOIS, DNS, reverse DNS, Wayback snapshots / fetch.
• threat-intel — VirusTotal, URLhaus, ThreatFox, crt.sh certificate transparency.

Rules (enforced)

• evidence-capture-protocol — every URL routes through capture-evidence.sh (Wayback + archive.today + Chrome PDF + SHA-256 + metadata). Atomic EV-NNNN-<slug>/ folders. Reports cite by ID.
• q-investigation — fail-stop on errors, token discipline, state-vs-session file authority, source reliability A-F scale.
• token-discipline — stop conditions, retry limits.
• sycophancy — anti-RLHF drift, decision origin tagging.

Templates

• new-investigation/ — full case scaffold (canonical/, investigation/evidence|findings|targets|timelines/, memory/, output/).
• sec-stack-case/ — SaaS security stack investigation template.

Install

# In Claude Code
/plugin install assafkip/huntkit

Or clone:

git clone https://github.com/assafkip/huntkit.git

MCP server setup

cp .mcp.json.template .mcp.json

osint-infra (no keys required)

cd mcp-servers/osint-infra
python3.13 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

threat-intel

Get free keys:

• VirusTotal: https://virustotal.com/gui/join-us (500 req/day)
• abuse.ch (URLhaus + ThreatFox): https://auth.abuse.ch

export VT_API_KEY=...
export ABUSE_CH_AUTH_KEY=...

Optional search / scrape APIs

All optional — the skill degrades gracefully. Run bash skills/osint/scripts/diagnose.sh to see what's active.

Env var	Service	Get key
PERPLEXITY_API_KEY	Perplexity Sonar / Deep	https://perplexity.ai
EXA_API_KEY	Exa semantic search	https://exa.ai
TAVILY_API_KEY	Tavily agent search	https://tavily.com
APIFY_TOKEN	Apify scrapers (LinkedIn, IG, TikTok, YouTube, FB pages)	https://apify.com
JINA_API_KEY	Jina reader / deepsearch	https://jina.ai
PARALLEL_API_KEY	Parallel AI search	https://parallel.ai
BRIGHTDATA_MCP_URL	Bright Data MCP (Facebook, LinkedIn, geo-blocked)	https://brightdata.com

Optional: Telegram recon

Not bundled — install separately if needed:

git clone https://github.com/Darksight-Analytics/tgspyder.git
cd tgspyder && pip install -r requirements.txt && pip install -e .

Typical workflow

/q-new-case acme-breach
/q-scope          # define question, targets, constraints
/q-begin          # resume session
/q-intake <file>  # ingest client-provided docs
/q-osint linkedin https://linkedin.com/in/someone
/q-collect domain acme.com
/q-target acme-ceo
/q-timeline       # reconstruct event sequence
/q-analyze ach    # analysis of competing hypotheses
/q-challenge      # red team own conclusions
/q-brief          # generate evidence-grounded report
/q-export         # final package

Every URL captured routes through the evidence protocol. Every report cites [EV-NNNN]. Every claim has an A-F reliability grade.

Ethics

For:

• Authorized security testing and due diligence
• Journalistic and academic research on public figures
• Defensive threat intelligence and incident response
• CTF / educational contexts

Do not use on private individuals without consent, for harassment, doxxing, or stalking. You are responsible for compliance with local laws and platform terms of service.

Contributing

Issues and PRs welcome. Backward-compatible additions preferred.

For LLM agents

See llms.txt for a machine-readable capability summary with a decision matrix for when to use each skill, command, and MCP server.

License

MIT. See LICENSE.

The skills/structured-analysis/ subdirectory is Apache 2.0 (see skills/structured-analysis/LICENSE and NOTICE.md).