OpenSkillIndex← back to search
claude-code

Skills vision-one-threat-intel

Query TrendAI Vision One threat intelligence. Use when: looking up IOCs (IP, domain, hash, URL, email), checking threat feeds, reading intelligence reports, managing suspicious objects, or hunting threats by industry/campaign/actor/CVE. Triggers on: threat intel, IOC lookup, threat feed, suspicious object, Vision One, TrendAI, threat hunting, indicator of compromise.

install
source · Clone the upstream repo
git clone https://github.com/openclaw/skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/openclaw/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/andresark/vision-one-threat-intel" ~/.claude/skills/clawdbot-skills-vision-one-threat-intel && rm -rf "$T"
manifest: skills/andresark/vision-one-threat-intel/SKILL.md
source content

TrendAI Vision One Threat Intelligence

Query threat intelligence from TrendAI Vision One: feed indicators, intelligence reports, suspicious objects, and threat hunting.

Environment

  • VISION_ONE_API_KEY
    (required) — Vision One API token
  • VISION_ONE_REGION
    (optional, default: 
    us
    ) — One of: 
    us
    , 
    eu
    , 
    jp
    , 
    sg
    , 
    au
    , 
    in
    , 
    mea

Commands

All commands use: 

python3 {baseDir}/scripts/v1ti.py [--region REGION] <command> [options]

1. lookup — What do we know about this IOC?

Searches feed indicators and suspicious objects list for a single indicator. Auto-detects IOC type.

python3 {baseDir}/scripts/v1ti.py lookup <indicator> [--days 90]

Examples:

python3 {baseDir}/scripts/v1ti.py lookup 198.51.100.23
python3 {baseDir}/scripts/v1ti.py lookup evil-domain.com --days 30
python3 {baseDir}/scripts/v1ti.py lookup 44d88612fea8a8f36de82e1278abb02f6d1c7e2a
python3 {baseDir}/scripts/v1ti.py lookup "https://malicious.example.com/payload"
python3 {baseDir}/scripts/v1ti.py lookup attacker@phishing.com

2. feed — Latest threat indicators

List recent feed indicators with optional risk/type filtering.

python3 {baseDir}/scripts/v1ti.py feed [--days 7] [--risk high|medium|low] [--type ip|domain|url|fileSha1|fileSha256|senderMailAddress] [--limit 50]

Examples:

python3 {baseDir}/scripts/v1ti.py feed --days 3 --risk high --limit 20
python3 {baseDir}/scripts/v1ti.py feed --type domain --days 14

3. report — Intelligence reports

List or view specific intelligence reports.

python3 {baseDir}/scripts/v1ti.py report [--id REPORT_ID] [--search KEYWORD] [--limit 10]

Examples:

python3 {baseDir}/scripts/v1ti.py report --limit 5
python3 {baseDir}/scripts/v1ti.py report --search "ransomware"
python3 {baseDir}/scripts/v1ti.py report --id RPT-12345

4. suspicious list — View suspicious objects

List indicators on the organization's suspicious objects list.

python3 {baseDir}/scripts/v1ti.py suspicious list [--type TYPE] [--limit 50]

5. suspicious add — Block an IOC

Add an indicator to the suspicious objects list. Requires explicit action and risk level (no defaults for safety).

python3 {baseDir}/scripts/v1ti.py suspicious add <indicator> --action block|log --risk high|medium|low [--description "reason"] [--expiry-days 30]

Examples:

python3 {baseDir}/scripts/v1ti.py suspicious add evil.com --action block --risk high --description "Phishing campaign C2"
python3 {baseDir}/scripts/v1ti.py suspicious add 198.51.100.23 --action log --risk medium --expiry-days 30

6. hunt — Threat hunt by criteria

Search for threat indicators by campaign, actor, industry, country, or CVE.

python3 {baseDir}/scripts/v1ti.py hunt [--campaign NAME] [--actor NAME] [--industry NAME] [--country NAME] [--cve CVE-ID] [--days 90] [--limit 50]

Examples:

python3 {baseDir}/scripts/v1ti.py hunt --industry Finance --days 30
python3 {baseDir}/scripts/v1ti.py hunt --actor APT29 --limit 20
python3 {baseDir}/scripts/v1ti.py hunt --cve CVE-2024-3400 --days 60
python3 {baseDir}/scripts/v1ti.py hunt --country "United States" --industry Healthcare

Output Format

All output is structured plain text with clear section headers and key-value pairs. No raw JSON is returned.

Error Format

Errors follow a three-part template:

ERROR: <what went wrong>
EXPECTED: <what was expected>
EXAMPLE: <correct usage example>

Supported IOC Types

The 

lookup
and 
suspicious add
commands auto-detect these indicator types from the raw value:

  • IPv4/IPv6 addresses
  • Domain names
  • URLs (http:// or https://)
  • SHA-256 hashes (64 hex chars)
  • SHA-1 hashes (40 hex chars)
  • Email addresses

Notes

  • All GET operations are read-only and safe to run
  • suspicious add
    is a write operation — always confirm the action with the user before running
  • Results are paginated internally — the 
    --limit
    flag controls max results returned
  • Use 
    --days
    to control the lookback window for time-based queries
  • For advanced filter syntax, read 
    {baseDir}/references/filter-examples.md