domain-intel
Domain-intel performs passive domain reconnaissance using only Python's standard library, requiring no API keys or external dependencies. Use it to discover subdomains via certificate transparency logs, inspect SSL certificate details, retrieve WHOIS registration data, query DNS records, check domain availability, and analyze multiple domains in parallel across Linux, macOS, and Windows systems.
git clone --depth 1 https://github.com/NousResearch/hermes-agent /tmp/domain-intel && cp -r /tmp/domain-intel/optional-skills/research/domain-intel ~/.claude/skills/domain-intelSKILL.md
# Domain Intelligence — Passive OSINT Passive domain reconnaissance using only Python stdlib. **Zero dependencies. Zero API keys. Works on Linux, macOS, and Windows.** ## Helper script This skill includes `scripts/domain_intel.py` — a complete CLI tool for all domain intelligence operations. ```bash # Subdomain discovery via Certificate Transparency logs python3 SKILL_DIR/scripts/domain_intel.py subdomains example.com # SSL certificate inspection (expiry, cipher, SANs, issuer) python3 SKILL_DIR/scripts/domain_intel.py ssl example.com # WHOIS lookup (registrar, dates, name servers — 100+ TLDs) python3 SKILL_DIR/scripts/domain_intel.py whois example.com # DNS records (A, AAAA, MX, NS, TXT, CNAME) python3 SKILL_DIR/scripts/domain_intel.py dns example.com # Domain availability check (passive: DNS + WHOIS + SSL signals) python3 SKILL_DIR/scripts/domain_intel.py available coolstartup.io # Bulk analysis — multiple domains, multiple checks in parallel python3 SKILL_DIR/scripts/domain_intel.py bulk example.com github.com google.com python3 SKILL_DIR/scripts/domain_intel.py bulk example.com github.com --checks ssl,dns ``` `SKILL_DIR` is the directory containing this SKILL.md file. All output is structured JSON. ## Available commands | Command | What it does | Data source | |---------|-------------|-------------| | `subdomains` | Find subdomains from certificate logs | crt.sh (HTTPS) | | `ssl` | Inspect TLS certificate details | Direct TCP:443 to target | | `whois` | Registration info, registrar, dates | WHOIS servers (TCP:43) | | `dns` | A, AAAA, MX, NS, TXT, CNAME records | System DNS + Google DoH | | `available` | Check if domain is registered | DNS + WHOIS + SSL signals | | `bulk` | Run multiple checks on multiple domains | All of the above | ## When to use this vs built-in tools - **Use this skill** for infrastructure questions: subdomains, SSL certs, WHOIS, DNS records, availability - **Use `web_search`** for general research about what a domain/company does - **Use `web_extract`** to get the actual content of a webpage - **Use `terminal` with `curl -I`** for a simple "is this URL reachable" check | Task | Better tool | Why | |------|-------------|-----| | "What does example.com do?" | `web_extract` | Gets page content, not DNS/WHOIS data | | "Find info about a company" | `web_search` | General research, not domain-specific | | "Is this website safe?" | `web_search` | Reputation checks need web context | | "Check if a URL is reachable" | `terminal` with `curl -I` | Simple HTTP check | | "Find subdomains of X" | **This skill** | Only passive source for this | | "When does the SSL cert expire?" | **This skill** | Built-in tools can't inspect TLS | | "Who registered this domain?" | **This skill** | WHOIS data not in web search | | "Is coolstartup.io available?" | **This skill** | Passive availability via DNS+WHOIS+SSL | ## Platform compatibility Pure Python stdlib (`socket`, `ssl`, `urllib`, `json`, `concurrent.futures`). Works identically on Linux, macOS, and Windows with no dependencies. - **crt.sh queries** use HTTPS (port 443) — works behind most firewalls - **WHOIS queries** use TCP port 43 — may be blocked on restrictive networks - **DNS queries** use Google DoH (HTTPS) for MX/NS/TXT — firewall-friendly - **SSL checks** connect to the target on port 443 — the only "active" operation ## Data sources All queries are **passive** — no port scanning, no vulnerability testing: - **crt.sh** — Certificate Transparency logs (subdomain discovery, HTTPS only) - **WHOIS servers** — Direct TCP to 100+ authoritative TLD registrars - **Google DNS-over-HTTPS** — MX, NS, TXT, CNAME resolution (firewall-friendly) - **System DNS** — A/AAAA record resolution - **SSL check** is the only "active" operation (TCP connection to target:443) ## Notes - WHOIS queries use TCP port 43 — may be blocked on restrictive networks - Some WHOIS servers redact registrant info (GDPR) — mention this to the user - crt.sh can be slow for very popular domains (thousands of certs) — set reasonable expectations - The availability check is heuristic-based (3 passive signals) — not authoritative like a registrar API --- *Contributed by [@FurkanL0](https://github.com/FurkanL0)*
Operate the Antigravity CLI (agy): plugins, auth, sandbox.
Delegate coding tasks to Blackbox AI CLI agent. Multi-model agent with built-in judge that runs tasks through multiple LLMs and picks the best result. Requires the blackbox CLI and a Blackbox AI API key.
Delegate coding to xAI Grok Build CLI (features, PRs).
Configure and use Honcho memory with Hermes -- cross-session user modeling, multi-profile peer isolation, observation config, dialectic reasoning, session summaries, and context budget enforcement. Use when setting up Honcho, troubleshooting memory, managing profiles with Honcho peers, or tuning observation, recall, and dialectic settings.
Delegate coding to OpenHands CLI (model-agnostic, LiteLLM).
Read-only EVM client: wallets, tokens, gas across 8 chains.
Hyperliquid market data, account history, trade review.
Query Solana blockchain data with USD pricing — wallet balances, token portfolios with values, transaction details, NFTs, whale detection, and live network stats. Uses Solana RPC + CoinGecko. No API key required.