DEV.co
MCP Servers · OpenOSINT

OpenOSINT

OpenOSINT is an AI-powered OSINT agent that chains 18 specialized tools for security research and threat intelligence. It supports multiple AI backends (Claude, GPT-4, local models) via a REPL, CLI, Web UI, or MCP server interface, with built-in safeguards to prevent hallucinated findings.

Source: GitHub — github.com/OpenOSINT/OpenOSINT
925
GitHub stars
137
Forks
Python
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryOpenOSINT/OpenOSINT
OwnerOpenOSINT
Primary languagePython
LicenseMIT — OSI-approved
Stars925
Forks137
Open issues6
Latest releasev2.23.0 (2026-06-18)
Last updated2026-07-07
Sourcehttps://github.com/OpenOSINT/OpenOSINT

What OpenOSINT is

Python-based agent framework exposing 18 modular OSINT tools (email, username, breach, WHOIS, IP, domain, Shodan, VirusTotal, etc.) through an LLM-driven interface with hard-stop tool calls to eliminate hallucination. Includes parallel execution via asyncio, session history, PDF/Markdown reporting, and native MCP server support.

Quickstart

Get the OpenOSINT source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/OpenOSINT/OpenOSINT.gitcd OpenOSINT# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Authorized Security Research & Threat Investigation

Investigators and analysts can describe a target in natural language; the agent chains email, breach, username, and IP tools to pivot across findings. Useful for incident response, threat profiling, and reconnaissance within legal boundaries.

OSINT Automation via MCP Integration

Native MCP server exposes all 18 tools to Claude Desktop, Claude Code, and any MCP-compatible client, enabling seamless integration into existing SOCs, security workflows, and AI-driven automation pipelines without extra glue code.

Multi-Tenancy & Custom AI Backends

Support for Anthropic Claude, local Ollama, and any OpenAI-compatible endpoint (LiteLLM, vLLM) allows teams to route queries through their preferred LLM while maintaining compliance and cost control.

Implementation considerations

  • API Key Management: Requires explicit API keys for Shodan, VirusTotal, Censys, AbuseIPDB, IP2Location, Bright Data, GitHub, and HaveIBeenPwned. Plan a secure secrets store (e.g., env vars, HashiCorp Vault) and rotation strategy.
  • Rate Limiting & Cost Control: Each tool has independent rate limits and pricing. Budget for concurrent investigations, implement backoff retry logic, and consider caching frequently queried targets.
  • Legal/Compliance Boundaries: Tool chain decisions are delegated to the LLM—there is no built-in guardrail to prevent queries on unauthorized targets. Legal review and user consent workflows must be enforced at the application layer.
  • Reporting & Evidence Chain: Markdown and PDF reports are auto-generated, but no cryptographic signing or tamper-proof audit trails are provided. For forensic or compliance contexts, post-process reports with additional integrity controls.
  • Parallel Execution Trade-Offs: --parallel flag runs tools concurrently; monitor rate limits and external API quotas to avoid throttling or account suspensions.

When to avoid it — and what to weigh

  • Requires Real-Time Intelligence at Scale — Many external APIs (HaveIBeenPwned, Shodan, Censys, VirusTotal) require rate-limited keys or subscriptions. High-volume concurrent investigations may hit throttles or incur substantial costs.
  • Strict Non-Disclosure or Air-Gapped Environments — Most tools depend on external APIs (IP2Location, Bright Data SERP, holehe). Offline-only or restricted network deployments will be severely limited without local data mirrors.
  • No Explicit Accountability or Data Retention Auditing — Session history is stored locally in ~/.openosint/history/; no built-in audit logging, compliance dashboards, or data residency controls are mentioned. Organizations with strict data governance may need custom extensions.
  • Misaligned Use-Case: General Web Automation — Tightly coupled to OSINT/security workflows. If you need generic LLM-tool integration or general web scraping, lighter frameworks (e.g., LangChain, LlamaIndex) or pure HTTP clients may be simpler.

License & commercial use

MIT License (permissive). Allows commercial use, modification, and redistribution with attribution and no warranty. No copyleft or patent clauses. Clean for most use cases.

MIT is a permissive OSI-approved license explicitly permitting commercial deployment, provided you retain the license and copyright notice. No royalties or special permissions required. However, the tool's OSINT focus and "authorized security research only" disclaimer in README suggest users bear full legal responsibility for compliance with data protection, wiretapping, and unauthorized access laws in their jurisdiction. Liability is explicitly disclaimed. For regulated industries or sensitive deployments, legal review is mandatory before production use.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

OpenOSINT does not perform sensitive authentication, encryption, or cryptographic operations; it is a wrapper around existing OSINT APIs. Key security considerations: (1) API keys must be securely stored and rotated; (2) Tool outputs are unvalidated external data—caller must implement input validation and signature verification if results are used for critical decisions; (3) LLM-driven tool selection introduces prompt injection risk if user input is not sanitized; (4) No built-in rate-limiting, retry, or circuit-breaker logic—external API abuse or DDoS exposure depends on caller discipline; (5) Local session history (~/.openosint/history/) stores investigation metadata in plaintext—ensure filesystem permissions prevent unauthorized access; (6) Bright Data Web Unlocker (scrape_url tool) may bypass Cloudflare/CAPTCHA—use only on targets you have authorization to access. Audit legal compliance before deployment.

Alternatives to consider

Shodan CLI / Shodan Python

Focused on IP/port reconnaissance. Lower-level, direct API access; no AI chaining. Better for teams already invested in Shodan and needing CLI scripting.

Maltego

Commercial, GUI-based OSINT platform with extensive data transformations and collaboration features. Steeper learning curve and licensing cost; stronger for large-scale investigations and team workflows.

LangChain / LlamaIndex + Custom Tools

Generic LLM agent frameworks. More flexible for non-OSINT use cases; require more DIY engineering to wire in specific tools. Better for teams building multi-domain AI agents.

Software development agency

Build on OpenOSINT with DEV.co software developers

OpenOSINT is production-ready for authorized investigations. Explore the live demo, check API requirements, review legal compliance, and contact the maintainer for custom integrations.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

OpenOSINT FAQ

Can I use OpenOSINT for commercial investigations or red-teaming?
MIT license permits commercial use. However, the README states "authorized security research only." You are solely responsible for ensuring all investigations comply with applicable laws (e.g., CFAA, GDPR, local wiretapping statutes). Legal review is mandatory before deployment.
What happens if an external API (Shodan, VirusTotal) goes down?
Not clearly stated. If an API is unavailable or rate-limited, the tool call will likely fail. No built-in fallback, retry, or graceful degradation is mentioned. Implement your own retry logic or circuit breaker if high availability is required.
Can I run OpenOSINT offline?
The REPL, CLI, and MCP server themselves run locally. However, 12+ external APIs (Shodan, HaveIBeenPwned, VirusTotal, etc.) require internet access and API keys. generate_dorks is offline; most other tools are not. Plan external connectivity.
How do I prevent the LLM from investigating unauthorized targets?
Unknown. Tool selection is delegated to the LLM. No built-in allowlist, policy engine, or guardrail is mentioned. Implement authorization checks and user consent workflows in your application layer before invoking the agent.

Software developers & web developers for hire

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If OpenOSINT is part of your mcp servers roadmap, our team can implement, customize, migrate, and maintain it.

Ready to Integrate OSINT into Your Security Stack?

OpenOSINT is production-ready for authorized investigations. Explore the live demo, check API requirements, review legal compliance, and contact the maintainer for custom integrations.