CTI skills for every AI coding agent.
72 Cyber Threat Intelligence skills you can drop into Claude Code, Cursor, Codex, or any Agent Skills-compatible IDE. Built by practitioners. Free to use, fork, and extend.
$ /plugin marketplace add Liberty91LTD/cti-skills $ /plugin install cti-skills
or $ npx github:Liberty91LTD/cti-skills
See the skills in action.
Install the pack, point an agent at MISP, and let it run a Diamond Model cluster analysis end-to-end, strategic report, STIX bundles, IOC CSV. Plus a daily SOC alert workflow that enriches IOCs and models them in MISP automatically.
New: OpenCTI, read and write.
The pack now speaks OpenCTI in both directions. Your agent can check whether an indicator is already in your knowledge base, pull the actors, reports, and campaigns you hold on a subject, and write vetted findings back as indicators, relationships, TLP markings, or whole STIX 2.1 bundles.
/lookup-opencti
Talks to your OpenCTI instance over GraphQL. Connect with OPENCTI_URL and OPENCTI_TOKEN, self-hosted or SaaS, localhost included.
One lookup checks observables and indicators at once. Global search spans every entity type, filtered listing covers ten of them, and single-entity reads walk the relationship graph. On the write side it creates indicators and observables, applies labels and TLP markings, relates entities, and imports STIX 2.1 bundles as-is, because OpenCTI is STIX-native. Writes are deliberate: destructive operations confirm first, and every command has a dry-run mode.
Read the full /lookup-opencti page →Your knowledge base becomes the pack's memory
When credentials are present, /ip-investigation and the other three investigation skills check OpenCTI automatically, /ioc-enrichment-workflow correlates every indicator against it and pushes confirmed findings back at the end, and /threat-actor-profiling reuses the intrusion sets and reports you already hold before rebuilding a profile from scratch.
/campaign-tracking publishes clusters into it and /stix-bundle output imports without rework. No OpenCTI yet? It runs locally with Docker in an afternoon.
Also recent: CrowdStrike Falcon Intelligence, ReversingLabs Spectra Analyze, MISP two-way sync, and Ransomware.live tracking
/lookup-crowdstrike returns a vendor-authoritative verdict on an indicator or a full adversary profile with origin, targeting, and MITRE ATT&CK TTPs. /lookup-reversinglabs wraps the Spectra Analyze (A1000) API for hash classification, sandbox behaviour, and pivot candidates. /lookup-misp writes as well as reads, and /lookup-ransomwarelive puts 27,600+ leak-site claims across 330+ groups at the agent's fingertips.
72 skills, organised by job-to-be-done.
Skills compose. Investigation skills chain lookups. Analytical skills prioritise IOCs for further investigation. Production skills apply tradecraft to everything that comes out.
Investigation
Hand over an IP, domain, hash, or URL. The investigation skills chain every supported API, consolidate findings, and prioritise follow-up IOCs.
Analytical tradecraft
Structured analytic techniques from the CIA tradecraft primer, available on demand to keep analysis rigorous under pressure. The same disciplines run continuously inside the Liberty91 platform's tradecraft agents.
Threat actor & campaign work
Build actor profiles, document campaigns, pivot on indicators, and dig into malware behaviour, with consistent structure every time.
Detection engineering
Turn intelligence into detections. SIGMA for SIEMs, YARA for files, KQL for Microsoft Sentinel, written to the conventions each format expects.
Intelligence production
Write assessments, build IOC exports in CSV / STIX 2.1 / OpenIOC / MISP, and quality-check the finished product before release.
Living knowledge cells
Self-updating reference cells on the threat groups and categories you need to speak to every week. Each carries a freshness date.
Lookups (external APIs)
Zero-dependency wrappers around the threat-intel APIs you already pay for. Free tiers work. Missing keys degrade gracefully. /lookup-misp and /lookup-opencti write as well as read.
Management & methodology
The programme-level scaffolding that turns a library of skills into a running intelligence function: requirements, stakeholders, feedback, SOPs.
Try it in 30 seconds.
Type a natural request. The /cti-orchestrator skill routes it to the right investigation or analysis skill, then auto-applies rigour on the output, source rating, TLP marking, MISP confidence, and standard likelihood language.
Or direct-invoke a skill with a slash command when you know exactly what you want.
> Investigate 203.0.113.42 → routes to /ip-investigation
> Profile APT28 → routes to /threat-actor-profiling
> /ach → direct-invoke Analysis of Competing Hypotheses
Works with the tools you already use.
Skills follow the Agent Skills specification, so anywhere the spec is supported, the pack is supported.
AI coding agents
- Claude CodeFirst-class plugin install via marketplace
- CursorDrop into your agent skills directory
- CodexAgent Skills spec compatible
- WindsurfAgent Skills spec compatible
Threat-intel APIs
Optional. Skills degrade gracefully, no key, no enrichment, no crash.
- VirusTotal4 req/min, 500/dayVIRUSTOTAL_API_KEY
- URLScan.io100 scans/dayURLSCAN_API_KEY
- Shodan1 req/secSHODAN_API_KEY
- AbuseIPDB1,000 checks/dayABUSEIPDB_API_KEY
- GreyNoise50 req/dayGREYNOISE_API_KEY
- AlienVault OTX10,000 req/hourOTX_API_KEY
- Censys250 queries/monthCENSYS_API_ID + CENSYS_API_SECRET
- MISPSelf-hosted · two-wayMISP_URL + MISP_API_KEY
- OpenCTISelf-hosted or SaaS · two-wayOPENCTI_URL + OPENCTI_TOKEN
- Ransomware.livePRO: 3,000 calls/dayRANSOMWARELIVE_API_KEY
- ReversingLabsSpectra Analyze (A1000)REVERSINGLABS_USER + REVERSINGLABS_PASSWORD
- CrowdStrikeFalcon Intelligence subCROWDSTRIKE_CLIENT_ID + CROWDSTRIKE_CLIENT_SECRET
Five ways to install.
Pick whichever fits your workflow. All five land the same 72 skills in the same layout.
Claude Code plugin
Recommended for Claude Code. Two commands and you're running.
/plugin marketplace add Liberty91LTD/cti-skills /plugin install cti-skills
npx (one-shot)
Drops the whole pack into any project directory. No global install.
npx github:Liberty91LTD/cti-skills
Git clone
If you want to read the code, run the setup script, and iterate locally.
git clone git@github.com:Liberty91LTD/cti-skills.git cd cti-skills ./scripts/setup.sh claude
Git submodule
Embed the pack inside an existing repo under your own skills directory.
git submodule add https://github.com/Liberty91LTD/cti-skills.git skills/cti
Fork or direct copy
Hit Fork on GitHub, or copy the skills/ directory straight into your project. Every skill is self-contained.
# Each skill is a folder under skills/ # Grab the ones you want, leave the rest.
Full install docs and the setup script live in the README.
Frequently Asked Questions.
Pack or platform, which is for you?
Same tradecraft under the hood. Two different products for two different jobs.
The open-source pack: you want to build it yourself.
You’re comfortable on the command line. You want the skills handed to you as building blocks so you can compose, fork, and ship your own workflows. Total control, no opinions you didn’t ask for.
- •Free and MIT-licensed
- •Runs inside your coding agent
- •Bring your own API keys and infrastructure
The Liberty91 platform: you want the outcomes, not the plumbing.
You’re a security professional who wants these capabilities, and a lot more, running against your organisation every day, with a team-ready UI, without having to maintain the technical foundation underneath.
- •Continuous collection + analysis, 24/7
- •Dashboards, reports, and alerting out of the box
- •Integrations for SIEM, SOAR, and ticketing
Still deciding? See what the Liberty91 platform does →