Stats
Actions
Tags
From communitytools
Discovers a target's technology stack via passive OSINT signals. Routes to sub-skills for frontend, backend, infra, security, and correlation analysis.
How this skill is triggered — by the user, by Claude, or both
Slash command
/communitytools:techstack-identificationThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Passive OSINT reconnaissance to identify a target's technology stack. No credentials, no active scanning — only publicly available signals.
Passive OSINT reconnaissance to identify a target's technology stack. No credentials, no active scanning — only publicly available signals.
1. Provide company name (+ optional domain hint)
2. Run infra first (asset inventory) → frontend / backend / security / osint in parallel
3. Pass all signals into correlation → final report (JSON + Markdown)
| Sub-skill | Identifies | Read |
|---|---|---|
| frontend | JS frameworks, meta-frameworks, CSS libraries, build tools, CMS via DOM/HTML/JS | frontend/SKILL.md |
| backend | Web servers, runtimes, languages, frameworks, DB, APIs, CMS | backend/SKILL.md |
| infra | Cloud, CDN/WAF, DNS, TLS/CT, DevOps, asset discovery (domains/subdomains/IPs) | infra/SKILL.md |
| security | Security headers, CSP, email auth, security.txt, third-party SaaS | security/SKILL.md |
| osint | Public repos (GitHub/GitLab), job postings/ATS, Wayback Machine | osint/SKILL.md |
| correlation | Cross-validation, confidence scoring, conflict resolution | correlation/SKILL.md |
| Objective | Mount |
|---|---|
| Full stack discovery | infra → (frontend, backend, security, osint) → correlation |
| CDN/WAF identification only | infra |
| API surface mapping | backend |
| Supply-chain / SaaS exposure | security + osint |
| CVE matching by version | backend + frontend (then correlation) |
| Migration / historical context | osint (web archive) + correlation |
| CMS fingerprint | frontend (HTML generators) + backend (CMS paths/cookies) |
| Asset inventory only | infra (domain discovery, subdomain enum, IP attribution, CT) |
Computed in correlation/. Target distribution: 50-70% High, 20-35% Medium, <15% Low.
{ "report_id": "uuid", "company": "string", "primary_domain": "string",
"discovered_assets": {"domains", "subdomains", "ip_addresses", "certificates", "api_portals"},
"technologies": {
"frontend": [{"name", "version?", "confidence", "evidence": []}],
"backend": [...], "infrastructure": [...], "security": [...],
"devops": [...], "third_party": [...] },
"confidence_summary": {"high_confidence", "medium_confidence", "low_confidence", "overall_score"} }
crt.sh 10/min · GitHub (unauth) 60/h · HTTP 30/min/domain · DNS 30/min · Wayback CDX 15/min · WHOIS 5/min.
Passive only. No active scanning, credentialed access, zone transfers, or brute force. Public sources only. Log every external request for audit.
npx claudepluginhub transilienceai/communitytoolsMaps organization's external attack surface via OSINT reconnaissance from public sources: DNS records, cert transparency logs, search engines, social media, repos, breach DBs. For pentest footprinting.
Conducts passive OSINT reconnaissance to map external attack surfaces from DNS records, cert transparency logs, search engines, social media, repos, and breach databases. For pentesting footprinting.
Gathers open source intelligence (OSINT) for red team engagements, enumerating external attack surfaces, identifying employees, leaked credentials, technology stacks, and physical locations.