Given one input — a username, email, phone, Telegram handle, domain, or IP — it fans out across 1,000+ public sources in parallel and streams findings into your terminal:
No paid APIs are required. Optional keys (HIBP / Numverify / IPinfo / LeakCheck / GitHub PAT / abuse.ch / AbuseIPDB) unlock higher quotas but the tool degrades gracefully.
What's new in 4.0 — entity graph + auto-pivot + SIEM + AI
Major version. mytools-osint is no longer a one-shot scanner — it's a
pivot-capable investigation engine with entity correlation, like
Maltego but free + CLI-first.
osint github.com --profile red-team --pivot 1 --html report.html --explain
# scan → save → correlate → auto-pivot → HTML + interactive graph → Claude summary
What's new in 0.3 — cyber-pro: web dashboard + 7 modules + self-update
mytools-osint 0.3 adds 7 more modules + a local web dashboard +
Markdown reports + an osint self-update path that pulls the
latest binary, verifies SHA-256, and swaps it in place.
osint serve # local web UI at http://127.0.0.1:8765
osint github.com --profile leak-hunt --md leaks.md
osint 'P@ssw0rd!' --kind password # HIBP k-anon (value never leaves host)
osint 5d41402abc4b2a76b9719d911017c592 --kind hash # MalwareBazaar IOC lookup
osint mycorp.com --profile red-team --html report.html # all 24 red-team modules
osint self-update # update in place, SHA-256 verified
Module
Use case
github_leaks
GitHub code+commit+user search for org/email mentions
mytools-osint 0.2 added 8 modules purpose-built for security engineers,
red teams, and IOC analysts — all free, all key-optional. Plus profile
presets, a HTML pivot report, a live Textual dashboard, and an OPSEC mode
that tunnels every request through Tor.
# winget (Windows 11)
winget install Bluetm.MytoolsOsint
# OR scoop
scoop bucket add bluetm https://github.com/Azizbek16l/scoop-bucket
scoop install mytools-osint
# OR pipx
pipx install mytools-osint
# OR direct download from the Releases page:
# https://github.com/Azizbek16l/mytools-osint/releases/latest
Docker
docker run --rm ghcr.io/azizbek16l/osint:latest temur
Local LLM (Ollama)
osint ai explain and osint ai query work with either a local model
(Ollama, free, OPSEC-safe) or Anthropic Claude (cloud, paid). The tool
runs on your laptop — local is the default and stays the default.
# 1. install Ollama (macOS: brew install ollama; Linux: curl install script)
ollama serve & # daemon on http://localhost:11434
# 2. pull a model sized to your RAM (see `osint doctor` for advice):
ollama pull qwen2.5:3b # ~2GB Q4 — 8GB RAM laptops
ollama pull llama3.1:8b # ~5GB Q4 — 16GB+ RAM
# 3. (optional) override the active model
export OSINT_AI_MODEL=qwen2.5:3b
If no provider is available the AI subcommands degrade with a friendly hint —
no crash, no missing-module surprise. Under --opsec Claude is automatically
disabled (queries would leave the host); only Ollama is used.
OSINT_AI_PROVIDER=ollama|claude|none forces a specific provider.
osint doctor — environment sanity check
osint doctor
Prints OS / arch / Python / RAM, whether Ollama is reachable and which models
are installed, your Claude key state, the active provider, config + cache
sizes, and a quick reachability probe against crt.sh. Exit codes: 0 all
green, 1 warnings, 2 errors. Use it any time ai explain says it's
unavailable.
Report patterns (Fabric-style)
Patterns are plain Markdown files with # IDENTITY, # STEPS, # OUTPUT
sections. Three ship in the box: exec-summary, phishing-triage, dossier.
osint ai patterns list
osint ai explain domain acme.com --pattern phishing-triage
User patterns live at ~/.config/mytools-osint/patterns/; a same-named file
there overrides the built-in. No template engine — {{PAYLOAD}} substitution
is intentionally tiny.
Visit , sign in with your phone, create an app, copy api_id + api_hash.
Run osint config telegram → pick set api_id / api_hash / phone.
Pick start sign-in → Telegram sends a 5-digit code to your existing Telegram client (not SMS).
Enter the code → done. Session persists at %LOCALAPPDATA%\mytools-osint\telethon\ on Windows, ~/Library/Application Support/MarsIT/mytools-osint/telethon/ on macOS, ~/.local/share/mytools-osint/telethon/ on Linux.
After setup: osint + does a real Telegram phone→username resolution. The contact is imported and immediately deleted — Telegram still flags the lookup, so use sparingly on numbers you don't own.
Free APIs in use
Source
Coverage
Key required?
Sherlock + WhatsMyName
1,008 username probe targets
no
crt.sh
Certificate Transparency → subdomain leak
no
HackerTarget
DNS recon (~50 req/day)
no
urlscan.io public
Recent scans of a domain
no
XposedOrNot
Email breach lookup
no
Hudson Rock Cavalier
Info-stealer compromised credentials
no
ProxyNova ComB
Leaked email:password combos
no
Wayback Machine
Historical URL snapshots
no
GitHub public search
Leaked secrets / user profile
optional PAT for higher rate
Telethon MTProto
phone↔username, profile, premium/verified
your own TG account
Team Cymru WHOIS
ASN + prefix + country (TCP 43)
no
BGPView
Upstreams + peers + prefixes
no
Gravatar
Avatar hash check
no
Mozilla Observatory rubric
HTTP security-header grade
no (local logic)
Wappalyzer-lite
Web technology fingerprint (~30 sigs built-in)
no
libphonenumber
Offline phone parsing
no
dnspython
A/AAAA/MX/TXT/NS/CAA/SOA + reverse
no
wa.me
WhatsApp existence probe (best-effort)
no
Optional paid keys plug into the same modules: HIBP, Numverify, IPinfo, LeakCheck. Set them with osint config set HIBP_API_KEY xxx — they extend coverage but are never required.
MCP server — use mytools-osint from Claude Code / Warp / Cursor
mytools-osint ships as a Model Context Protocol server so AI assistants
can call its OSINT tools directly. Once the server is wired into your AI
client's config, the assistant gets the following tools — lookup_username,
lookup_email, lookup_phone, lookup_whatsapp, lookup_domain,
lookup_ip, plus list_modules and list_sites_stats for inventory.
lookup_telegram is registered automatically iff a Telegram MTProto
session is configured (osint config telegram). Three resources are
exposed (osint://history, osint://history/{id}, osint://sites)
along with two pre-canned investigation prompts (digital_footprint_audit
and domain_security_check).
osint mcp # launches the stdio MCP server
Wire into Claude Code by adding this to ~/.claude/mcp.json (example file
shipped at agent/mcp.json):
Restart Claude Code; the assistant can now call the tools directly. Same
config shape works for Warp Agents and Cursor.
Why this matters (2026 standard): embedding an LLM chat bar inside the
CLI competes with Copilot CLI, Warp AI and Claude Code itself. Exposing the
tool as an MCP server is the inversion that wins — agents come to you,
the user never has to leave their chat.
Architecture
Single-process Python. The Runner registers every module against the QueryKinds it handles. Each query fans out to the matching producers concurrently under a single asyncio semaphore (default 40). Each module streamsHits as they arrive — the GUI/CLI shows positives the moment they land.
docs/sources.md — every external source the tool talks to, with rate-limit notes
packaging/README.md — install-command quick-reference for every channel + release runbook
Authorised use only
This tool is intended for: (1) auditing your own digital footprint,
(2) authorised pentesting engagements with written consent, and (3) fraud or
scam investigations conducted under applicable law. Misuse may violate the
Computer Fraud and Abuse Act, GDPR, or the laws of your jurisdiction. The
authors disclaim all responsibility.
