Liberty91

CTI skills for every AI coding agent.

72 Cyber Threat Intelligence skills you can drop into Claude Code, Cursor, Codex, or any Agent Skills-compatible IDE. Built by practitioners. Free to use, fork, and extend.

$ /plugin marketplace add Liberty91LTD/cti-skills
$ /plugin install cti-skills

or $ npx github:Liberty91LTD/cti-skills

Works withClaude CodeCursorCodexWindsurf

See the skills in action.

Install the pack, point an agent at MISP, and let it run a Diamond Model cluster analysis end-to-end, strategic report, STIX bundles, IOC CSV. Plus a daily SOC alert workflow that enriches IOCs and models them in MISP automatically.

New: OpenCTI, read and write.

The pack now speaks OpenCTI in both directions. Your agent can check whether an indicator is already in your knowledge base, pull the actors, reports, and campaigns you hold on a subject, and write vetted findings back as indicators, relationships, TLP markings, or whole STIX 2.1 bundles.

/lookup-opencti

Talks to your OpenCTI instance over GraphQL. Connect with OPENCTI_URL and OPENCTI_TOKEN, self-hosted or SaaS, localhost included.

One lookup checks observables and indicators at once. Global search spans every entity type, filtered listing covers ten of them, and single-entity reads walk the relationship graph. On the write side it creates indicators and observables, applies labels and TLP markings, relates entities, and imports STIX 2.1 bundles as-is, because OpenCTI is STIX-native. Writes are deliberate: destructive operations confirm first, and every command has a dry-run mode.

Read the full /lookup-opencti page →

Your knowledge base becomes the pack's memory

When credentials are present, /ip-investigation and the other three investigation skills check OpenCTI automatically, /ioc-enrichment-workflow correlates every indicator against it and pushes confirmed findings back at the end, and /threat-actor-profiling reuses the intrusion sets and reports you already hold before rebuilding a profile from scratch.

/campaign-tracking publishes clusters into it and /stix-bundle output imports without rework. No OpenCTI yet? It runs locally with Docker in an afternoon.

Set up your own OpenCTI server with Docker →

Also recent: CrowdStrike Falcon Intelligence, ReversingLabs Spectra Analyze, MISP two-way sync, and Ransomware.live tracking

/lookup-crowdstrike returns a vendor-authoritative verdict on an indicator or a full adversary profile with origin, targeting, and MITRE ATT&CK TTPs. /lookup-reversinglabs wraps the Spectra Analyze (A1000) API for hash classification, sandbox behaviour, and pivot candidates. /lookup-misp writes as well as reads, and /lookup-ransomwarelive puts 27,600+ leak-site claims across 330+ groups at the agent's fingertips.

72
skills in the pack
12
external API integrations
2-way
OpenCTI + MISP read & write
v1.10
shipped 2026-07-02

Full v1.10.0 release notes on GitHub →

72 skills, organised by job-to-be-done.

Skills compose. Investigation skills chain lookups. Analytical skills prioritise IOCs for further investigation. Production skills apply tradecraft to everything that comes out.

Investigation

Hand over an IP, domain, hash, or URL. The investigation skills chain every supported API, consolidate findings, and prioritise follow-up IOCs.

Analytical tradecraft

Structured analytic techniques from the CIA tradecraft primer, available on demand to keep analysis rigorous under pressure. The same disciplines run continuously inside the Liberty91 platform's tradecraft agents.

/ach/red-team-analysis/key-assumptions-check/horizon-scanning/threat-assessment/structured-analytic-techniques

Threat actor & campaign work

Build actor profiles, document campaigns, pivot on indicators, and dig into malware behaviour, with consistent structure every time.

Detection engineering

Turn intelligence into detections. SIGMA for SIEMs, YARA for files, KQL for Microsoft Sentinel, written to the conventions each format expects.

Intelligence production

Write assessments, build IOC exports in CSV / STIX 2.1 / OpenIOC / MISP, and quality-check the finished product before release.

/intelligence-writing/writing-assessments/ioc-export/stix-bundle/quality-control

Living knowledge cells

Self-updating reference cells on the threat groups and categories you need to speak to every week. Each carries a freshness date.

/china-cyber-espionage/russia-cyber-espionage/iran-cyber-espionage/dprk-cyber-espionage/ransomware-ecosystem/infostealers/initial-access-brokers/phishing-social-engineering/supply-chain-threats/carding-financial-fraud/hacktivism

Lookups (external APIs)

Zero-dependency wrappers around the threat-intel APIs you already pay for. Free tiers work. Missing keys degrade gracefully. /lookup-misp and /lookup-opencti write as well as read.

/lookup-virustotal/lookup-urlscan/lookup-shodan/lookup-abuseipdb/lookup-greynoise/lookup-otx/lookup-censys/lookup-misp/lookup-opencti/lookup-ransomwarelive/lookup-reversinglabs/lookup-crowdstrike/mitre-attack

Management & methodology

The programme-level scaffolding that turns a library of skills into a running intelligence function: requirements, stakeholders, feedback, SOPs.

/pir-management/stakeholder-management/feedback-loops/sops/maturity-assessment/intelligence-sharing/cti-hyperloop

See the full skill index on GitHub →

Try it in 30 seconds.

Type a natural request. The /cti-orchestrator skill routes it to the right investigation or analysis skill, then auto-applies rigour on the output, source rating, TLP marking, MISP confidence, and standard likelihood language.

Or direct-invoke a skill with a slash command when you know exactly what you want.

> Investigate 203.0.113.42
→ routes to /ip-investigation
> Profile APT28
→ routes to /threat-actor-profiling
> /ach
→ direct-invoke Analysis of Competing Hypotheses

Works with the tools you already use.

Skills follow the Agent Skills specification, so anywhere the spec is supported, the pack is supported.

AI coding agents

  • Claude Code
    First-class plugin install via marketplace
  • Cursor
    Drop into your agent skills directory
  • Codex
    Agent Skills spec compatible
  • Windsurf
    Agent Skills spec compatible

Threat-intel APIs

Optional. Skills degrade gracefully, no key, no enrichment, no crash.

  • VirusTotal4 req/min, 500/day
    VIRUSTOTAL_API_KEY
  • URLScan.io100 scans/day
    URLSCAN_API_KEY
  • Shodan1 req/sec
    SHODAN_API_KEY
  • AbuseIPDB1,000 checks/day
    ABUSEIPDB_API_KEY
  • GreyNoise50 req/day
    GREYNOISE_API_KEY
  • AlienVault OTX10,000 req/hour
    OTX_API_KEY
  • Censys250 queries/month
    CENSYS_API_ID + CENSYS_API_SECRET
  • MISPSelf-hosted · two-way
    MISP_URL + MISP_API_KEY
  • OpenCTISelf-hosted or SaaS · two-way
    OPENCTI_URL + OPENCTI_TOKEN
  • Ransomware.livePRO: 3,000 calls/day
    RANSOMWARELIVE_API_KEY
  • ReversingLabsSpectra Analyze (A1000)
    REVERSINGLABS_USER + REVERSINGLABS_PASSWORD
  • CrowdStrikeFalcon Intelligence sub
    CROWDSTRIKE_CLIENT_ID + CROWDSTRIKE_CLIENT_SECRET

Five ways to install.

Pick whichever fits your workflow. All five land the same 72 skills in the same layout.

Claude Code plugin

Recommended for Claude Code. Two commands and you're running.

/plugin marketplace add Liberty91LTD/cti-skills
/plugin install cti-skills

npx (one-shot)

Drops the whole pack into any project directory. No global install.

npx github:Liberty91LTD/cti-skills

Git clone

If you want to read the code, run the setup script, and iterate locally.

git clone git@github.com:Liberty91LTD/cti-skills.git
cd cti-skills
./scripts/setup.sh
claude

Git submodule

Embed the pack inside an existing repo under your own skills directory.

git submodule add https://github.com/Liberty91LTD/cti-skills.git skills/cti

Fork or direct copy

Hit Fork on GitHub, or copy the skills/ directory straight into your project. Every skill is self-contained.

# Each skill is a folder under skills/
# Grab the ones you want, leave the rest.

Full install docs and the setup script live in the README.

Frequently Asked Questions.

Pack or platform, which is for you?

Same tradecraft under the hood. Two different products for two different jobs.

The open-source pack: you want to build it yourself.

You’re comfortable on the command line. You want the skills handed to you as building blocks so you can compose, fork, and ship your own workflows. Total control, no opinions you didn’t ask for.

  • Free and MIT-licensed
  • Runs inside your coding agent
  • Bring your own API keys and infrastructure
View on GitHub →

The Liberty91 platform: you want the outcomes, not the plumbing.

You’re a security professional who wants these capabilities, and a lot more, running against your organisation every day, with a team-ready UI, without having to maintain the technical foundation underneath.

  • Continuous collection + analysis, 24/7
  • Dashboards, reports, and alerting out of the box
  • Integrations for SIEM, SOAR, and ticketing
Start for Free →

Still deciding? See what the Liberty91 platform does →