Osint MCP Server

OSINT intelligence MCP server for AI agents — 37 tools, 12 sources. Shodan, VirusTotal, Censys, SecurityTrails, DNS reconnaissance, WHOIS, certificate transparency, BGP routing, Wayback Machine, GeoIP. Automated open source intelligence and attack surface mapping via Model Context Protocol.

<h3 align="center">OSINT & reconnaissance intelligence for AI agents.</h3>

<p align="center"> Shodan, VirusTotal, Censys, SecurityTrails, DNS, WHOIS, BGP, Wayback Machine &mdash; unified into a single MCP server.<br> Your AI agent gets <b>full-spectrum OSINT on demand</b>, not 12 browser tabs and manual correlation. </p>

<p align="center"> <a href="https://www.npmjs.com/package/osint-mcp-server"><img src="https://img.shields.io/npm/v/osint-mcp-server.svg" alt="npm"></a> <a href="LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue.svg" alt="License"></a> <img src="https://img.shields.io/badge/runtime-Bun-f472b6" alt="Bun"> <img src="https://img.shields.io/badge/protocol-MCP-8b5cf6" alt="MCP"> <img src="https://img.shields.io/badge/tools-37-06b6d4" alt="37 Tools"> <img src="https://img.shields.io/badge/sources-12-0ea5e9" alt="12 Sources"> <img src="https://img.shields.io/badge/free%20tools-21-22c55e" alt="21 Free Tools"> </p>

The Problem

OSINT collection is the first step of every penetration test, bug bounty, and threat assessment. The data you need is scattered across a dozen platforms — each with its own API, its own auth, its own rate limits, its own output format. Today you open Shodan in one tab, VirusTotal in another, run dig in a terminal, copy-paste from WHOIS, switch to crt.sh for certificates, and then spend 30 minutes manually correlating everything.

Traditional OSINT workflow:
  resolve DNS records            →  dig / nslookup CLI
  check WHOIS registration       →  whois CLI or web tool
  enumerate subdomains           →  crt.sh + SecurityTrails + VirusTotal (3 different UIs)
  scan for open ports/services   →  Shodan web interface
  check domain reputation        →  VirusTotal web interface
  map IP infrastructure          →  Censys + BGP lookups
  find archived pages            →  Wayback Machine web UI
  check email security           →  manual MX/SPF/DMARC lookups
  correlate everything           →  copy-paste into a spreadsheet
  ─────────────────────────────────
  Total: 45+ minutes per target, most of it switching contexts

osint-mcp-server gives your AI agent 37 tools across 12 data sources via the Model Context Protocol. The agent queries all sources in parallel, correlates data, identifies risks, and presents a unified intelligence picture — in a single conversation.

With osint-mcp-server:
  You: "Do a full recon on target.com"

  Agent: → DNS: 4 A records, 3 MX (Google Workspace), 2 NS
         → WHOIS: Registered 2019, expires 2025, GoDaddy
         → crt.sh: 47 unique subdomains from CT logs
         → HackerTarget: 23 hosts with IPs
         → Email: SPF soft-fail (~all), DMARC p=none, no DKIM
         → Shodan: 3 IPs, 12 open ports, Apache 2.4.49 (CVE-2021-41773)
         → VirusTotal: Clean reputation, 0 detections
         → "target.com has 47 subdomains, weak email security
            (SPF soft-fail, DMARC monitoring only), and one IP
            running Apache 2.4.49 with a known path traversal CVE.
            Priority: patch Apache, upgrade SPF to -all, set DMARC to p=reject."
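The email-security line in the sample report (SPF soft-fail, DMARC p=none) comes down to reading two TXT records. The following is an added example, not code from osint-mcp-server: the function names `gradeSpf` and `gradeDmarc` are hypothetical, the records are constructed, and grading anything short of `-all` / `p=reject` as weak is an assumption taken from the report's own recommendations.

```typescript
// Added example, not osint-mcp-server code. Inputs are the TXT strings a DNS
// lookup returned for <domain> (SPF) and _dmarc.<domain> (DMARC).
type Severity = "ok" | "weak" | "missing";
interface Finding { control: "SPF" | "DMARC"; severity: Severity; detail: string; fix?: string }

// SPF (RFC 7208): the qualifier on the "all" mechanism decides what happens
// to mail from senders the record does not list.
function gradeSpf(txt: string[]): Finding {
  const spf = txt.map((r) => r.trim()).filter((r) => /^v=spf1(\s|$)/i.test(r));
  const record = spf[0];
  if (record === undefined)
    return { control: "SPF", severity: "missing", detail: "no v=spf1 record", fix: "publish SPF ending in -all" };
  if (spf.length > 1) // receivers return permerror when several SPF records exist
    return { control: "SPF", severity: "weak", detail: "multiple SPF records", fix: "merge into one record" };
  const all = record.split(/\s+/).find((t) => /^[-+~?]?all$/i.test(t));
  if (all === undefined) // not followed here: a redirect= modifier may delegate the policy
    return { control: "SPF", severity: "weak", detail: "no all mechanism", fix: "end the record with -all" };
  if (all.charAt(0) === "-") return { control: "SPF", severity: "ok", detail: "hard-fail (-all)" };
  if (all.charAt(0) === "~")
    return { control: "SPF", severity: "weak", detail: "soft-fail (~all)", fix: "upgrade ~all to -all" };
  return { control: "SPF", severity: "weak", detail: `permissive (${all})`, fix: "replace with -all" };
}

// DMARC (RFC 7489): a ";"-separated tag=value list; p= is the requested policy.
function gradeDmarc(txt: string[]): Finding {
  const record = txt.map((r) => r.trim()).find((r) => /^v=DMARC1\s*(;|$)/i.test(r));
  if (record === undefined)
    return { control: "DMARC", severity: "missing", detail: "no v=DMARC1 record", fix: "publish a DMARC policy" };
  const tags = new Map<string, string>();
  for (const part of record.split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) tags.set(part.slice(0, eq).trim().toLowerCase(), part.slice(eq + 1).trim().toLowerCase());
  }
  const policy = tags.get("p") ?? "none"; // assumption: a missing p= is graded like p=none
  const pct = Number(tags.get("pct") ?? "100");
  if (policy === "reject" && pct === 100) return { control: "DMARC", severity: "ok", detail: "p=reject" };
  if (policy === "reject" || policy === "quarantine")
    return { control: "DMARC", severity: "weak", detail: `p=${policy}, pct=${pct}`, fix: "set p=reject for all mail" };
  return { control: "DMARC", severity: "weak", detail: `monitoring only (p=${policy})`, fix: "set DMARC to p=reject" };
}

// Constructed records matching the weak posture in the sample report above.
const report = [
  gradeSpf(["v=spf1 include:_spf.google.com ~all"]),
  gradeDmarc(["v=DMARC1; p=none; rua=mailto:dmarc@target.com"]),
];
console.log(report);
```

DKIM is left out because checking it requires knowing the selector the domain signs with.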

How It's Different

Existing OSINT tools give you raw data one source at a time. osint-mcp-server gives your AI agent the ability to reason across all sources simultaneously.

<table>
<thead>
<tr> <th></th> <th>Traditional OSINT</th> <th>osint-mcp-server</th> </tr>
</thead>
<tbody>
<tr> <td><b>Interface</b></td> <td>12 different web UIs, CLIs, and APIs</td> <td>MCP &mdash; AI agent calls tools conversationally</td> </tr>
<tr> <td><b>Data sources</b></td> <td>One platform at a time</td> <td>12 sources queried in parallel</td> </tr>
<tr> <td><b>Subdomain enum</b></td> <td>crt.sh OR SecurityTrails OR VirusTotal</td> <td>Agent merges all three + HackerTarget, deduplicates</td> </tr>
<tr> <td><b>Correlation</b></td> <td>Manual copy-paste between tabs</td> <td>Agent cross-references: "This IP from Shodan also appears in Censys with expired cert"</td> </tr>
<tr> <td><b>Email security</b></td> <td>Separate SPF/DMARC/DKIM lookups</td> <td>Combined analysis with risk score and actionable recommendations</td> </tr>
<tr> <td><b>Infrastructure</b></td> <td>GeoIP + BGP + WHOIS separately</td> <td>Agent maps full infrastructure: ASN, prefixes, geolocation, ownership</td> </tr>
<tr> <td><b>API keys</b></td> <td>Required for almost everything</td> <td>21 tools work free, 16 more with optional API keys</td> </tr>
<tr> <td><b>Setup</b></td> <td>Install each tool, manage each config</td> <td><code>npx osint-mcp-server</code> &mdash; one command, zero config</td> </tr>
</tbody>
</table>
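Merging subdomain lists from several sources, as the "Subdomain enum" row describes, only gives a trustworthy asset inventory if names are normalized and scope-checked before deduplication. The sketch below is an added example and not the project's own code: `mergeSubdomains`, the input shape and all hostnames are hypothetical or constructed.

```typescript
// Added example, not osint-mcp-server code. Source names and hostnames are constructed.
type SourceResults = Record<string, string[]>;
interface MergedHost { host: string; sources: string[] }

// Canonical form: trimmed, lowercase, no trailing root dot, no wildcard label.
function normalizeHost(raw: string): string {
  return raw.trim().toLowerCase().replace(/\.$/, "").replace(/^\*\./, "");
}

// Only the apex or a true subdomain is in scope: "www.nottarget.com" shares
// a suffix with "target.com" but belongs to someone else.
function inScope(host: string, apex: string): boolean {
  return host === apex || host.slice(-(apex.length + 1)) === "." + apex;
}

function mergeSubdomains(apex: string, results: SourceResults): MergedHost[] {
  const root = normalizeHost(apex);
  const seen = new Map<string, string[]>();
  for (const source of Object.keys(results)) {
    for (const entry of results[source] ?? []) {
      // Certificate entries can carry several names in one field, so split on whitespace.
      for (const name of entry.split(/\s+/)) {
        const host = normalizeHost(name);
        if (!/^[a-z0-9_-]+(\.[a-z0-9_-]+)+$/.test(host) || !inScope(host, root)) continue;
        const sources = seen.get(host) ?? [];
        if (sources.indexOf(source) < 0) sources.push(source);
        seen.set(host, sources);
      }
    }
  }
  // Sorted so successive runs can be diffed to spot new or vanished hosts.
  return Array.from(seen.keys()).sort()
    .map((host) => ({ host, sources: (seen.get(host) ?? []).slice().sort() }));
}

const SAMPLE: SourceResults = { // constructed sample data
  "crt.sh": ["*.target.com\nwww.target.com", "API.target.com."],
  hackertarget: ["api.target.com", "www.nottarget.com"],
  securitytrails: ["staging.target.com", "not a hostname!"],
};
console.log(mergeSubdomains("target.com", SAMPLE));
```

Keeping the per-host source list shows which names are corroborated by more than one source and which rest on a single feed.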

Quick Start

Option 1: npx (no install)

npx osint-mcp-server

21 public OSINT tools work immediately. No API keys required.

Option 2: Clone

git clone https://github.com/badchars/osint-mcp-server.git
cd osint-mcp-server
bun install

Environment variables (optional)

# Premium OSINT sources — all optional
export SHODAN_API_KEY=your-key           # Enables 4 Shodan tools
export VT_API_KEY=your-key               # Enables 4 VirusTotal tools
export ST_API_KEY=your-key               # Enables 3 SecurityTrails tools
export CENSYS_API_ID=your-id             # Enables 3 Censys tools
export CENSYS_API_SECRET=your-secret     # Required with CENSYS_API_ID

All premium API keys are optional. Without them, you still get 21 tools covering DNS, WHOIS, crt.sh, GeoIP, BGP, Wayback Machine, HackerTarget, and Microsoft 365 tenant discovery.

Connect to your AI agent

<details open> <summary><b>Claude Code</b></summary>

# With npx
claude mcp add osint-mcp-server -- npx osint-mcp-server

# With local clone
claude mcp add osint-mcp-server -- bun run /path/to/osint-mcp-server/src/index.ts

</details>

<details> <summary><b>Claude Desktop</b></summary>

Add to ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "osint": {
      "command": "npx",
      "args": ["-y", "osint-mcp-server"],
      "env": {
        "SHODAN_API_KEY": "optional",
        "VT_API_KEY": "optional",
        "ST_API_KEY": "optional",
        "CENSYS_API_ID": "optional",
        "CENSYS_API_SECRET": "optional"
      }
    }
  }
}

</details>

<details> <summary><b>Cursor / Windsurf / other MCP clients</b></summary>

Same JSON config format. Point the command to npx osint-mcp-server or your local installation path.

</details>

Start querying

You: "What can you find about example.com?"

That's it. The agent handles DNS, WHOIS, subdomains, email security, and more automatically.


What The AI Can Do

Domain Reconnaissance

You: "Do a full recon on target.com"

Agent: → osint_domain_recon {domain: "target.com"}
       → DNS: A records point to 3 IPs (AWS us-east-1)
       → WHOIS: Registered 2018 via Namecheap, expires 2026
       → crt.sh: 62 subdomains discovered
       → HackerTarget: 31 hosts with resolved IPs
       → Email: SPF hard-fail, DMARC p=reject, DKIM found (selector1)
       → "target.com is well-configured for email security.
          62 subdomains found — notable: staging.target.com,
          admin-portal.target.com, api-v2.target.com.
          Infrastructure is on AWS (us-east-1)."

Attack Surface Mapping

You: "Map the attack surface for 203.0.113.50"

Agent: → shodan_host {ip: "203.0.113.50"}
       → geoip_lookup {ip: "203.0.113.50"}
       → bgp_ip {ip: "203.0.113.50"}
       → whois_ip {ip: "203.0.113.50"}
       → dns_reverse {ip: "203.0.113.50"}
       → "203.0.113.50 (Hetzner, DE, AS24940)
          Open ports: 22/SSH, 80/HTTP, 443/HTTPS, 8080/HTTP-Proxy
          Apache 2.4.51, OpenSSH 8.9, nginx reverse proxy on 8080
          Reverse DNS: web1.target.com
          3 known CVEs flagged by Shodan"

Subdomain Enumeration (Multi-Source)
