OpenSkillIndex← back to search
claude-coderesearch

Hermes-agent domain-intel

Passive domain reconnaissance using Python stdlib. Subdomain discovery, SSL certificate inspection, WHOIS lookups, DNS records, domain availability checks, and bulk multi-domain analysis. No API keys required.

install
source · Clone the upstream repo
git clone https://github.com/NousResearch/hermes-agent
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/NousResearch/hermes-agent "$T" && mkdir -p ~/.claude/skills && cp -r "$T/optional-skills/research/domain-intel" ~/.claude/skills/nousresearch-hermes-agent-domain-intel-9743bf && rm -rf "$T"
manifest: optional-skills/research/domain-intel/SKILL.md
tags
#osint#domain-intelligence#dns#whois#ssl#python
source content

Domain Intelligence — Passive OSINT

Passive domain reconnaissance using only Python stdlib. Zero dependencies. Zero API keys. Works on Linux, macOS, and Windows.

Helper script

This skill includes 

scripts/domain_intel.py
— a complete CLI tool for all domain intelligence operations.

# Subdomain discovery via Certificate Transparency logs
python3 SKILL_DIR/scripts/domain_intel.py subdomains example.com

# SSL certificate inspection (expiry, cipher, SANs, issuer)
python3 SKILL_DIR/scripts/domain_intel.py ssl example.com

# WHOIS lookup (registrar, dates, name servers — 100+ TLDs)
python3 SKILL_DIR/scripts/domain_intel.py whois example.com

# DNS records (A, AAAA, MX, NS, TXT, CNAME)
python3 SKILL_DIR/scripts/domain_intel.py dns example.com

# Domain availability check (passive: DNS + WHOIS + SSL signals)
python3 SKILL_DIR/scripts/domain_intel.py available coolstartup.io

# Bulk analysis — multiple domains, multiple checks in parallel
python3 SKILL_DIR/scripts/domain_intel.py bulk example.com github.com google.com
python3 SKILL_DIR/scripts/domain_intel.py bulk example.com github.com --checks ssl,dns


SKILL_DIR
is the directory containing this SKILL.md file. All output is structured JSON.

Available commands

CommandWhat it doesData source
subdomains
Find subdomains from certificate logscrt.sh (HTTPS)
ssl
Inspect TLS certificate detailsDirect TCP:443 to target
whois
Registration info, registrar, datesWHOIS servers (TCP:43)
dns
A, AAAA, MX, NS, TXT, CNAME recordsSystem DNS + Google DoH
available
Check if domain is registeredDNS + WHOIS + SSL signals
bulk
Run multiple checks on multiple domainsAll of the above

When to use this vs built-in tools

  • Use this skill for infrastructure questions: subdomains, SSL certs, WHOIS, DNS records, availability
  • Use 
    web_search
     for general research about what a domain/company does
  • Use 
    web_extract
     to get the actual content of a webpage
  • Use 
    terminal
    with 
    curl -I
     for a simple "is this URL reachable" check
TaskBetter toolWhy
"What does example.com do?"
web_extract
Gets page content, not DNS/WHOIS data
"Find info about a company"
web_search
General research, not domain-specific
"Is this website safe?"
web_search
Reputation checks need web context
"Check if a URL is reachable"
terminal
with 
curl -I
Simple HTTP check
"Find subdomains of X"This skillOnly passive source for this
"When does the SSL cert expire?"This skillBuilt-in tools can't inspect TLS
"Who registered this domain?"This skillWHOIS data not in web search
"Is coolstartup.io available?"This skillPassive availability via DNS+WHOIS+SSL

Platform compatibility

Pure Python stdlib (

socket
, 
ssl
, 
urllib
, 
json
, 
concurrent.futures
). Works identically on Linux, macOS, and Windows with no dependencies.

  • crt.sh queries use HTTPS (port 443) — works behind most firewalls
  • WHOIS queries use TCP port 43 — may be blocked on restrictive networks
  • DNS queries use Google DoH (HTTPS) for MX/NS/TXT — firewall-friendly
  • SSL checks connect to the target on port 443 — the only "active" operation

Data sources

All queries are passive — no port scanning, no vulnerability testing:

  • crt.sh — Certificate Transparency logs (subdomain discovery, HTTPS only)
  • WHOIS servers — Direct TCP to 100+ authoritative TLD registrars
  • Google DNS-over-HTTPS — MX, NS, TXT, CNAME resolution (firewall-friendly)
  • System DNS — A/AAAA record resolution
  • SSL check is the only "active" operation (TCP connection to target:443)

Notes

  • WHOIS queries use TCP port 43 — may be blocked on restrictive networks
  • Some WHOIS servers redact registrant info (GDPR) — mention this to the user
  • crt.sh can be slow for very popular domains (thousands of certs) — set reasonable expectations
  • The availability check is heuristic-based (3 passive signals) — not authoritative like a registrar API

Contributed by @FurkanL0