CTI skills for every AI coding agent.
64+ Cyber Threat Intelligence skills you can drop into Claude Code, Cursor, Codex, or any Agent Skills–compatible IDE. Built by practitioners. Free to use, fork, and extend.
$ /plugin marketplace add Liberty91LTD/cti-skills
$ /plugin install cti-skills
or
$ npx github:Liberty91LTD/cti-skills
64+ skills, organised by job-to-be-done.
Skills compose. Investigation skills chain lookups. Analytical skills prioritise IOCs for further investigation. Production skills apply tradecraft to everything that comes out.
Investigation
Hand over an IP, domain, hash, or URL. The investigation skills chain every supported API, consolidate findings, and prioritise follow-up IOCs.
Analytical tradecraft
Structured analytic techniques from the CIA tradecraft primer, available on demand to keep analysis rigorous under pressure.
Threat actor & campaign work
Build actor profiles, document campaigns, pivot on indicators, and dig into malware behaviour — with consistent structure every time.
Detection engineering
Turn intelligence into detections. SIGMA for SIEMs, YARA for files, KQL for Microsoft Sentinel — written to the conventions each format expects.
Intelligence production
Write assessments, build IOC exports in CSV / STIX 2.1 / OpenIOC / MISP, and quality-check the finished product before release.
Living knowledge cells
Self-updating reference cells on the threat groups and categories you need to speak to every week. Each carries a freshness date.
Lookups (external APIs)
Zero-dependency wrappers around the threat-intel APIs you already pay for. Free tiers work. Missing keys degrade gracefully.
Management & methodology
The programme-level scaffolding that turns a library of skills into a running intelligence function: requirements, stakeholders, feedback, SOPs.
Try it in 30 seconds.
Type a natural request. The /cti-orchestrator skill routes it to the right investigation or analysis skill, then auto-applies rigor on the output — source rating, TLP marking, MISP confidence, and standard likelihood language.
Or direct-invoke a skill with a slash command when you know exactly what you want.
> Investigate 203.0.113.42 → routes to /ip-investigation
> Profile APT28 → routes to /threat-actor-profiling
> /ach → direct-invoke Analysis of Competing Hypotheses
Works with the tools you already use.
Skills follow the Agent Skills specification, so anywhere the spec is supported, the pack is supported.
AI coding agents
- Claude Code: First-class plugin install via marketplace
- Cursor: Drop into your agent skills directory
- Codex: Agent Skills spec compatible
- Windsurf: Agent Skills spec compatible
Threat-intel APIs
Optional. Skills degrade gracefully — no key, no enrichment, no crash.
- VirusTotal: 4 req/min, 500/day (VIRUSTOTAL_API_KEY)
- URLScan.io: 100 scans/day (URLSCAN_API_KEY)
- Shodan: 1 req/sec (SHODAN_API_KEY)
- AbuseIPDB: 1,000 checks/day (ABUSEIPDB_API_KEY)
- GreyNoise: 50 req/day (GREYNOISE_API_KEY)
- AlienVault OTX: 10,000 req/hour (OTX_API_KEY)
- Censys: 250 queries/month (CENSYS_API_ID + CENSYS_API_SECRET)
Five ways to install.
Pick whichever fits your workflow. All five land the same 64+ skills in the same layout.
Claude Code plugin
Recommended for Claude Code. Two commands and you're running.
/plugin marketplace add Liberty91LTD/cti-skills
/plugin install cti-skills
npx (one-shot)
Drops the whole pack into any project directory. No global install.
npx github:Liberty91LTD/cti-skills
Git clone
If you want to read the code, run the setup script, and iterate locally.
git clone git@github.com:Liberty91LTD/cti-skills.git
cd cti-skills
./scripts/setup.sh claude
Git submodule
Embed the pack inside an existing repo under your own skills directory.
git submodule add https://github.com/Liberty91LTD/cti-skills.git skills/cti
Fork or direct copy
Hit Fork on GitHub, or copy the skills/ directory straight into your project. Every skill is self-contained.
# Each skill is a folder under skills/
# Grab the ones you want, leave the rest.
Full install docs and the setup script live in the README.
Frequently Asked Questions.
Pack or platform — which is for you?
Same tradecraft under the hood. Two different products for two different jobs.
You want to build it yourself.
You’re comfortable on the command line. You want the skills handed to you as building blocks so you can compose, fork, and ship your own workflows. Total control, no opinions you didn’t ask for.
- Free and MIT-licensed
- Runs inside your coding agent
- Bring your own API keys and infrastructure
You want the outcomes, not the plumbing.
You’re a security professional who wants these capabilities — and a lot more — running against your organisation every day, with a team-ready UI, without having to maintain the technical foundation underneath.
- Continuous collection + analysis, 24/7
- Dashboards, reports, and alerting out of the box
- Integrations for SIEM, SOAR, and ticketing