원클릭으로
threatbook-intel
微步在线威胁情报查询工具。支持IP、域名、文件哈希威胁情报查询,漏洞情报查询,资产测绘等功能。支持微信登录自动化和X语言高级搜索。当用户需要查询威胁情报、进行资产测绘或使用微步在线平台时,应使用此技能。
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
微步在线威胁情报查询工具。支持IP、域名、文件哈希威胁情报查询,漏洞情报查询,资产测绘等功能。支持微信登录自动化和X语言高级搜索。当用户需要查询威胁情报、进行资产测绘或使用微步在线平台时,应使用此技能。
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Use when debugging interactive CLI, REPL, TUI, ssh, telnet, nc, watch-mode, dev server, long-running command, terminal prompt flow, or any command that may not exit. Provides a PTY-backed MCP workflow for spawning terminal sessions, sending text and keys, reading output, managing multiple sessions, and exporting full transcripts.
This skill should be used when a user asks to debug an interactive CLI, REPL, TUI, prompt loop, shell wizard, watch mode, long-running terminal process, or any command that hangs, waits for input, redraws incorrectly, needs multiple inputs, behaves differently in a real terminal, or requires comparing tmux panes. Trigger on phrases like “it hangs after Continue?”, “the prompt never appears,” “my curses UI breaks in a small terminal,” “the watcher only fails after I answer the prompt,” or “inspect pane 2.”
macOS offensive security assistant — helps engineers audit applications for security vulnerabilities, identify bypass vectors in macOS security controls, and learn macOS internals through real-world case studies (CVEs). Covers: app vulnerability assessment (entitlement/injection/sandbox/TCC analysis), system internals, binary analysis, shellcode crafting (x64/ARM64), dylib injection, Mach IPC exploitation, function hooking, XPC attacks, sandbox escapes, TCC bypasses, symlink/hardlink attacks, kernel code execution, persistence mechanisms, Gatekeeper/XProtect bypass, AMFI/MACF internals, launch constraints, application-runtime injection (Electron/Chromium/NIB/.NET/Java/Python), IOKit/DriverKit driver attacks, MDM/DEP exploitation, keychain attacks, dangerous entitlements, and full penetration testing workflows. Use this skill whenever the user asks about: checking macOS apps for security issues, auditing entitlements or sandbox profiles, learning macOS security internals, macOS security research, macOS privile
This skill should be used when the user asks to "close the case", "conclude the investigation", "wrap up", "present findings", or when the convergence check indicates the case has been solved. Produces the final resolution with complete evidence chain.
This skill should be used when the user asks to "discuss the case", "brainstorm about the investigation", "I'm stuck", "what do you think", or when the investigation loop detects a deadlock, hypothesis ambiguity, or needs user input to break a tie. Facilitates structured case discussion.
This skill should be used when the user asks to "investigate", "continue the investigation", "run the detective loop", "next investigation step", or wants to execute the Scan-Evolve-Focus-Act-File cycle on an active case. Runs the core investigation loop with periodic checkpoints.
| name | threatbook-intel |
| description | 微步在线威胁情报查询工具。支持IP、域名、文件哈希威胁情报查询,漏洞情报查询,资产测绘等功能。支持微信登录自动化和X语言高级搜索。当用户需要查询威胁情报、进行资产测绘或使用微步在线平台时,应使用此技能。 |
微步在线(ThreatBook)威胁情报查询工具。支持IP、域名、文件哈希等威胁情报查询,漏洞情报查询,资产测绘等功能。支持微信登录自动化流程。
https://x.threatbook.com/https://passport.threatbook.cn/login?service=xhttps://passport.threatbook.cn/oauthhttps://x.threatbook.com/v5/domain/{domain}https://x.threatbook.com/v5/ip/{ip}textarea.x-searchBar-input - 页面中央搜索框(注意:是 textarea 不是 input,且页面有两个,需选可见的那个 offsetWidth > 100)span.x-searchBar-input-confirm-btn - 搜索栏右侧放大镜图标(同样有两个,需选可见的)div.wx - 位于"其他登录方式"和"还没有账号?马上注册"之间span.checkbox - CSS模拟的checkbox,点击后二维码才能显示1. 访问 https://x.threatbook.com/
2. 检查是否有"登录"按钮
- 有"登录"按钮 → 用户未登录
- 无"登录"按钮,有用户头像 → 用户已登录
1. 导航到登录页面:https://passport.threatbook.cn/login?service=x
2. 点击微信登录图标(选择器:.wx)
3. 页面跳转到 /oauth 页面
4. 点击同意隐私协议checkbox(选择器:.checkbox)
5. 二维码显示在iframe中:https://open.weixin.qq.com/connect/qrconnect?appid=wx3ac222f71a76c36a&...
6. 截图二维码发送给用户
7. 等待用户扫码确认
8. 再次截图确认登录状态
1. 导航到主页:https://x.threatbook.com/
2. 找到搜索框(ref=e2)
3. 输入查询内容(IP/域名/哈希)
4. 提交搜索(submit=true)
5. 页面跳转到查询结果页面
6. 截图查询结果发送给用户
连接符:
= - 匹配,表示查询包含关键词资产== - 精准匹配,表示仅查询关键词资产!= - 剔除,表示剔除包含关键词资产() - 括号内容优先级最高&& - 代表 and(多条件组合查询)|| - 代表 or(多条件组合查询)ip="1.1.1.1" 或 ip="1.1.1.1/24"ip="1.1.1.1,8.8.8.8"ipv6="2409:8762:1301::13"port="20" 或 port="20,21"(最多3个端口)asn="15169"asn_name="TRA"asn_org="Tanzania Revenue Authority"ip_type="false" - IPV6资产数据ip_type="true" - IPV4资产数据rdns="dns.google"country="中国"region="辽宁"city="大连"district="海淀区"isp="中国联通"host="localhost"os="windows"owner="阿里云"运算符:
"" - 双引号,精确匹配
intext="海莲花"&& - 必须同时包含两个语法下的关键词
intitle=报告 && intext=APTintitle=微步intext=海莲花x=溯源blog=APTsmedia=蜜罐# 资产测绘组合查询
ip="1.1.1.1" && port="80"
country="中国" && city="北京" && port="443"
asn="15169" && os="linux"
# 关键词组合查询
intitle=报告 && intext=APT
blog=溯源 && intext=威胁情报
查询IP: 8.8.8.8 的威胁情报
查询域名: example.com 的威胁情报
查询文件哈希: abc123... 的威胁情报
# 资产测绘搜索
ip="1.1.1.1" && port="80"
country="中国" && city="北京"
# 关键词搜索
intitle=报告 && intext=APT
blog=溯源 && intext=威胁情报
用户: 查询 nscc-tj.cn 的威胁情报
助手: 我会访问微步在线查询 nscc-tj.cn 的威胁情报。检测到您未登录,需要先登录账号。
助手: [导航到登录页面]
助手: [点击微信登录图标]
助手: [点击同意隐私协议]
助手: [截图二维码并发送] 请使用微信扫描二维码登录
用户: 完成扫描
助手: [再次截图确认登录状态]
用户: 是的已经完成登陆
助手: [访问主页]
助手: [在搜索框输入 nscc-tj.cn 并提交]
助手: [截图查询结果并发送] 查询完成!这是 nscc-tj.cn 的威胁情报信息
脚本位于 scripts/threatbook_query.py,使用 pydoll 库实现浏览器自动化,通过 uv 直接运行(自动安装依赖)。
# 查询 IP 威胁情报
uv run scripts/threatbook_query.py -q 8.8.8.8
# 查询域名
uv run scripts/threatbook_query.py -q example.com
# 查询文件哈希
uv run scripts/threatbook_query.py -q abc123...
# X语言资产测绘搜索
uv run scripts/threatbook_query.py -q 'ip="1.1.1.1" && port="80"'
# 复杂组合查询
uv run scripts/threatbook_query.py -q 'country="中国" && city="北京" && port="443"'
# 输出结果到 JSON 文件
uv run scripts/threatbook_query.py -q 8.8.8.8 -o result.json
用户: 查询 nscc-tj.cn 的威胁情报
助手: 我会访问微步在线查询 nscc-tj.cn 的威胁情报。检测到您未登录,需要先登录账号。我为您准备了微信登录二维码,请扫描登录。
[发送登录页面截图]
用户: 完成扫描
助手: 好的,让我确认一下登录状态。
[再次截图确认]
用户: 是的已经完成登陆
助手: 登录成功!现在查询 nscc-tj.cn 的威胁情报...
[显示查询结果]
用户: 查询 8.8.8.8 的威胁情报
助手: 我会访问微步在线查询 8.8.8.8 的威胁情报。
[访问主页]
[在搜索框输入 8.8.8.8 并提交]
[显示查询结果]