ワンクリックで
recon
Security reconnaissance. USE WHEN recon, reconnaissance, bug bounty, attack surface. SkillSearch('recon') for docs.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Security reconnaissance. USE WHEN recon, reconnaissance, bug bounty, attack surface. SkillSearch('recon') for docs.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
Personal AI Infrastructure core. The authoritative reference for how PAI works.
Life OS and project management. USE WHEN life goals, projects, dependencies, TELOS, books, movies, tracking.
Security assessment and intelligence. USE WHEN recon, reconnaissance, port scan, subdomain, DNS, WHOIS, web assessment, pentest, vulnerability, security scan, prompt injection, jailbreak, LLM security, security news, breaches, annual reports, threat landscape.
Web security assessment. USE WHEN web assessment, pentest, security testing, vulnerability scan. SkillSearch('webassessment') for docs.
PowerPoint processing. USE WHEN pptx, PowerPoint, slides. SkillSearch('pptx') for docs.
Utility and helper skills. USE WHEN aphorisms, quotes, browser automation, Cloudflare, create CLI, build CLI, create skill, process documents, PDF, Word, Excel, evaluations, evals, fabric patterns, PAI upgrade, parser, prompting, templates.
| name | Recon |
| description | Security reconnaissance. USE WHEN recon, reconnaissance, bug bounty, attack surface. SkillSearch('recon') for docs. |
Before executing, check for user customizations at:
~/.opencode/PAI/USER/SKILLCUSTOMIZATIONS/Recon/
If this directory exists, load and apply any PREFERENCES.md, configurations, or resources found there. These override default behavior. If the directory does not exist, proceed with skill defaults.
Infrastructure and Network Reconnaissance
Technical reconnaissance of network infrastructure including domains, IP addresses, netblocks, and ASNs. Combines passive intelligence gathering with authorized active scanning to map attack surfaces and identify assets.
When executing a workflow, do BOTH:
Send voice notification:
curl -s -X POST http://localhost:8888/notify \
-H "Content-Type: application/json" \
-d '{"message": "Running the WORKFLOWNAME workflow from the Recon skill"}' \
> /dev/null 2>&1 &
Output text notification:
Running the **WorkflowName** workflow from the **Recon** skill...
Core Triggers - Use this skill when user says:
OSINT → recon (Common Pattern):
recon → webassessment:
Workflow Integration:
// OSINT skill discovers company infrastructure
const domains = await osintFindCompanyDomains("Acme Corp");
// Calls recon skill to map technical details
const infraMap = await reconDomain(domains[0]);
// Recon identifies web apps
const webApps = infraMap.subdomains.filter(s => s.hasHTTP);
// Calls web assessment for testing
await webAssessment(webApps);
CRITICAL AUTHORIZATION REQUIREMENTS:
Active reconnaissance MUST have:
Default behavior is PASSIVE ONLY. Always confirm before active techniques.
PassiveRecon.md - Safe ReconnaissanceNon-intrusive intelligence gathering using public sources:
Input: Domain, IP, or netblock Output: Passive intelligence report Authorization: None required
IpRecon.md - IP Address InvestigationComprehensive IP address reconnaissance:
Input: Single IP address Output: IP reconnaissance report Authorization: Required for active scanning
DomainRecon.md - Domain InvestigationFull domain mapping and enumeration:
Input: Domain name Output: Domain reconnaissance report Authorization: Required for active subdomain probing
NetblockRecon.md - CIDR Range ScanningNetwork range reconnaissance:
Input: CIDR notation (e.g., 192.168.1.0/24) Output: Netblock scan report Authorization: Required for active scanning
AsnRecon.md - Autonomous System InvestigationASN and BGP reconnaissance:
Input: ASN number (e.g., AS15169) Output: ASN mapping report Authorization: None required (passive data)
IPInfo API (ipinfo.io)
process.env.IPINFO_API_KEYtools/ipinfo-client.tsSystem Tools (always available)
whois - Domain and IP WHOIS lookupsdig - DNS queriesnslookup - DNS resolutioncurl - HTTP requests, API callsMCP Tools (security profile required)
httpx - HTTP probing and technology detectionnaabu - Port scanning~/.opencode/MCPs/swap-mcp security)Shodan (when API key added)
Censys (when API key added)
SecurityTrails (when API key added)
VirusTotal (when API key added)
Located in tools/ directory:
ipinfo-client.ts
dns-utils.ts
whois-parser.ts
cidr-utils.ts
cert-transparency.ts
report-generator.ts
# IP Reconnaissance: 1.2.3.4
## Summary
- IP: 1.2.3.4
- Organization: Example Corp
- ASN: AS12345
- Location: San Francisco, CA, US
- ISP: Example Hosting
## DNS
- Reverse DNS: server.example.com
- Additional PTR: ...
## Network Information
- CIDR: 1.2.3.0/24
- Netblock Owner: Example Corp
- Abuse Contact: abuse@example.com
## Services (Passive)
- Certificates: 3 certificates found
- Historical DNS: ...
## Services (Active - Authorized)
- Open Ports: 22, 80, 443
- Services: SSH (OpenSSH 8.2), HTTP (nginx 1.20.1), HTTPS
- Technologies: nginx, OpenSSH
## Recommendations
- Further investigation areas
- Related assets
- Security observations
# Domain Reconnaissance: example.com
## Summary
- Domain: example.com
- Registrar: Example Registrar
- Registration: 2010-01-15
- Expiry: 2026-01-15
## DNS Records
### A Records
- 1.2.3.4
- 5.6.7.8
### MX Records
- 10 mail.example.com
## Subdomains
- www.example.com (1.2.3.4)
- api.example.com (1.2.3.5)
- admin.example.com (1.2.3.6)
## Email Security
- SPF: Configured
- DMARC: Configured
- DKIM: Configured
## Technologies
- Web Server: nginx
- Framework: React
- CDN: Cloudflare
## Recommendations
- Interesting subdomains: admin.example.com, api.example.com
- Attack surface: 15 web applications identified
Reports saved to:
~/.opencode/MEMORY/WORK/{current_work}/scratch/) - For iterative artifacts during investigation~/.opencode/MEMORY/RESEARCH/YYYY-MM/) - For pentest engagements and formal assessmentsFor passive recon: No special MCP profile needed
For active recon: Requires security MCP profile
# Switch to security profile
~/.opencode/MCPs/swap-mcp security
# Restart Claude Code to apply
# Then run active reconnaissance
Security profile includes:
CRITICAL RULES:
Authorization Types:
Never scan:
When in doubt: Ask for explicit confirmation and documented authorization.
User: "Do passive recon on example.com"
Assistant: Activating recon skill with passive-recon workflow.
Target: example.com
Mode: Passive only (no active scanning)
[Performs WHOIS, DNS, cert transparency, IPInfo]
[Generates report in scratchpad]
Report: ~/.opencode/MEMORY/WORK/{current_work}/scratch/recon-example-com/
User: "Investigate IP 1.2.3.4 - I own this server"
Assistant: Activating recon skill with ip-recon workflow.
Target: 1.2.3.4
Authorization check: You confirmed this is an owned asset.
Proceeding with passive + active reconnaissance.
[Performs IPInfo, reverse DNS, WHOIS, port scan, service detection]
[Generates comprehensive report]
Report: Open ports found (22, 80, 443)
Services: SSH, HTTP, HTTPS
Technologies: nginx 1.20.1, OpenSSH 8.2
User: "Do OSINT on Acme Corp and map their infrastructure"
Assistant: Activating OSINT skill...
Found domains: acme.com, acmecorp.com, acme.io
Now calling recon for infrastructure mapping...
[Recon skill maps each domain]
[Discovers subdomains, IPs, netblocks]
[Creates comprehensive infrastructure map]
Report: Complete OSINT + Infrastructure report
15 domains, 47 subdomains, 3 netblocks identified
Automatic workflow selection based on input:
IpRecon.mdDomainRecon.mdNetblockRecon.mdAsnRecon.mdPassiveRecon.mdUser can override:
"Use passive-recon workflow on 1.2.3.4"
"Run domain-recon on example.com with active scanning"
Passive Recon Success:
Active Recon Success:
Security Skills:
~/.opencode/skills/Investigation/OSINT/ - Entity and people reconnaissance~/.opencode/skills/Webassessment/ - Web application testingTool Documentation:
Best Practices:
Remember: Start passive, confirm authorization before going active, document everything, and be respectful of target systems.