Investigation

Skill

OSINT and people-finding — structured investigations, company intel, due diligence, and ethical people search across public records and social media. USE WHEN OSINT, due diligence, company intel, background check, find person, locate, people search, reconnect, public records, reverse lookup, social media search, verify identity, domain lookup, entity lookup, organization lookup, company lookup, threat intel.

Files22
  • @skills/investigation/OSINT/CompanyTools.md
  • @skills/investigation/OSINT/EntityTools.md
  • @skills/investigation/OSINT/EthicalFramework.md
  • @skills/investigation/OSINT/Methodology.md
  • @skills/investigation/OSINT/PeopleTools.md
  • @skills/investigation/OSINT/SKILL.md
  • @skills/investigation/OSINT/SOURCES.JSON
  • @skills/investigation/OSINT/SOURCES.md
  • @skills/investigation/OSINT/Workflows/CompanyDueDiligence.md
  • @skills/investigation/OSINT/Workflows/CompanyLookup.md
  • @skills/investigation/OSINT/Workflows/DiscoverOSINTSources.md
  • @skills/investigation/OSINT/Workflows/DomainLookup.md
  • @skills/investigation/OSINT/Workflows/EntityLookup.md
  • @skills/investigation/OSINT/Workflows/OrganizationLookup.md
  • @skills/investigation/OSINT/Workflows/PeopleLookup.md
  • @skills/investigation/PrivateInvestigator/SKILL.md
  • @skills/investigation/PrivateInvestigator/Workflows/FindPerson.md
  • @skills/investigation/PrivateInvestigator/Workflows/PublicRecordsSearch.md
  • @skills/investigation/PrivateInvestigator/Workflows/ReverseLookup.md
  • @skills/investigation/PrivateInvestigator/Workflows/SocialMediaSearch.md
  • @skills/investigation/PrivateInvestigator/Workflows/VerifyIdentity.md
  • @skills/investigation/SKILL.md

Customization

Before executing, check for user customizations at: ~/.claude/PAI/USER/SKILLCUSTOMIZATIONS/OSINT/
If this directory exists, load and apply any PREFERENCES.md, configurations, or resources found there. These override default behavior. If the directory does not exist, proceed with skill defaults.

🚨 MANDATORY: Voice Notification (REQUIRED BEFORE ANY ACTION)

You MUST send this notification BEFORE doing anything else when this skill is invoked.
  1. Send voice notification:
    bash
    curl -s -X POST http://localhost:8888/notify \
      -H "Content-Type: application/json" \
      -d '{"message": "Running the WORKFLOWNAME workflow in the OSINT skill to ACTION"}' \
      > /dev/null 2>&1 &
  2. Output text notification:
    Running the **WorkflowName** workflow in the **OSINT** skill to ACTION...
This is not optional. Execute this curl command immediately upon skill invocation.

OSINT Skill

Open Source Intelligence gathering for authorized investigations.

Workflow Routing

Investigation TypeWorkflowContext
People lookupWorkflows/PeopleLookup.mdSOURCES.JSON
Company lookupWorkflows/CompanyLookup.mdSOURCES.JSON
Investment due diligenceWorkflows/CompanyDueDiligence.mdSOURCES.JSON
Entity/threat intelWorkflows/EntityLookup.mdSOURCES.JSON
Domain/subdomain investigationWorkflows/DomainLookup.mdSOURCES.JSON
Organization/NGO/gov researchWorkflows/OrganizationLookup.mdSOURCES.JSON
Discover new OSINT sourcesWorkflows/DiscoverOSINTSources.mdSOURCES.JSON

Trigger Patterns

People OSINT:
  • "do OSINT on [person]", "research [person]", "background check on [person]"
  • "who is [person]", "find info about [person]", "investigate this person" -> Route to Workflows/PeopleLookup.md
Company OSINT:
  • "do OSINT on [company]", "research [company]", "company intelligence"
  • "what can you find about [company]", "investigate [company]" -> Route to Workflows/CompanyLookup.md
Investment Due Diligence:
  • "due diligence on [company]", "vet [company]", "is [company] legitimate"
  • "assess [company]", "should we work with [company]" -> Route to Workflows/CompanyDueDiligence.md
Entity/Threat Intel:
  • "investigate [entity]", "threat intelligence on [entity]", "is this malicious"
  • "research this threat actor", "analyze [entity]", "check this IP" -> Route to Workflows/EntityLookup.md
Domain/Subdomain Investigation:
  • "investigate domain", "check domain", "subdomain enumeration"
  • "domain recon on [domain]", "what subdomains does [domain] have"
  • "DNS investigation", "certificate transparency for [domain]" -> Route to Workflows/DomainLookup.md
Organization/NGO/Government:
  • "research organization", "investigate NGO", "research agency"
  • "who is [organization]", "investigate [nonprofit]", "research [government agency]"
  • "what do we know about [association]", "background on [institution]" -> Route to Workflows/OrganizationLookup.md

Authorization (REQUIRED)

Before ANY investigation, verify:
  • Explicit authorization from client
  • Clear scope definition
  • Legal compliance confirmed
  • Documentation in place
STOP if any checkbox is unchecked. See EthicalFramework.md for details.

Resource Index

FilePurpose
SOURCES.JSONMaster catalog of 279 OSINT sources across 8 categories
SOURCES.mdHuman-readable source reference with descriptions and access info
EthicalFramework.mdAuthorization, legal, ethical boundaries
Methodology.mdCollection methods, verification, reporting
PeopleTools.mdPeople search, social media, public records (legacy — use SOURCES.JSON)
CompanyTools.mdBusiness databases, DNS, tech profiling (legacy — use SOURCES.JSON)
EntityTools.mdThreat intel, scanning, malware analysis (legacy — use SOURCES.JSON)

Integration

Automatic skill invocations:
  • Research Skill - Parallel researcher agent deployment (REQUIRED)
  • Recon Skill - Technical infrastructure reconnaissance
Agent fleet patterns:
  • Quick lookup: 4-6 agents
  • Standard investigation: 8-16 agents
  • Comprehensive due diligence: 24-32 agents
Researcher types:
ResearcherBest For
PerplexityResearcherCurrent web data, social media, company updates
ClaudeResearcherAcademic depth, professional backgrounds
GeminiResearcherMulti-perspective, cross-domain connections
GrokResearcherContrarian analysis, fact-checking

File Organization

Active investigations:
~/.claude/MEMORY/WORK/$(jq -r '.work_dir' ~/.claude/MEMORY/STATE/current-work.json)/YYYY-MM-DD-HHMMSS_osint-[target]/
Archived reports:
~/.claude/History/research/YYYY-MM/[target]-osint/

Ethical Guardrails

ALLOWED: Public sources only - websites, social media, public records, search engines, archived content
PROHIBITED: Private data, unauthorized access, social engineering, purchasing breached data, ToS violations
See EthicalFramework.md for complete requirements.

Version: 3.0 (SOURCES.JSON Integration) Last Updated: February 2026
Investigation — Kortix Marketplace | Kortix