← ClaudeAtlas

offensive-osintlisted

Operational arsenal for external red-team and bug-bounty reconnaissance. Concrete wordlists (28 Swagger paths, 13 GraphQL paths, 35 high-risk ports, 6 missing-header findings, 15 always-on HTTP checks, 5 SAML paths, cloud bucket permutations, JS guess-paths, vendor product fingerprints for Citrix/F5/Pulse/Fortinet/Cisco/PaloAlto/VMware/Exchange, cloud-native service fingerprints, container/K8s exposure paths, CI/CD platform paths, documentation/wiki leak paths, WHOIS/RDAP, DNS record catalog, Wayback CDX recipes), 43+-pattern secret-regex catalog (incl. modern AI API keys: Anthropic/OpenAI/HuggingFace/Cloudflare/DigitalOcean/npm/PyPI/Docker Hub/Atlassian/DataDog/Sentry/ngrok), 80+ dork corpus across 9 categories, GitHub code-search dorks, copy-paste curl/httpie probes for every check, post-discovery enumeration workflows (AWS/GitHub/Slack/JWT/PMAK/Anthropic/OpenAI), endpoint interest scoring rubric (0–100), mobile app ownership confidence, identity-fabric endpoints (Entra/Okta/ADFS/Google/SAML/M365 Teams+Shar
opencue/cue · ★ 1 · DevOps & Infrastructure · score 77
Install: claude install-skill opencue/cue
# Offensive OSINT — External Red-Team Arsenal > Companion skill: `osint-methodology` (the "how to think" skill). This skill is the "what to reach for." Use them together. ## 0. When to use / When NOT **Use this skill when:** - You need concrete probe paths, wordlists, regexes, payloads, scoring rules, or tool URLs. - You're executing reconnaissance and need the actual technical reference (vs. methodology). - You're building a recon automation and need specific lists to seed it. **Do NOT use this skill when:** - The user is asking for active exploitation, post-exploitation, or anything past reconnaissance. - The user is asking for defensive / blue-team detections. - The target's authorization isn't established — see §1. --- ## 1. Authorization & Legal Posture For assets the operator owns or has written authorization to assess. Soft scope check before acting against an unverified third-party target — see methodology skill §1 for the full posture. --- ## 2. Confidence Levels - **TENTATIVE** — plausible based on indirect evidence (snippet-only dork match, single-source asset, inferred email pattern). - **FIRM** — directly observed (subdomain resolves, HEAD-confirmed bucket exists, banner returned). - **CONFIRMED** — verified via independent corroboration OR direct verification (live PMAK validation, multiple sources agree, listable bucket with object retrieval). --- ## 3. Output Format Conventions Findings should carry: `id`, `module`, `asset_key`, `category`, `sever