Liberty91
Open source · MIT · v1.8.0

CTI skills for every AI coding agent.

68 Cyber Threat Intelligence skills you can drop into Claude Code, Cursor, Codex, or any Agent Skills–compatible IDE. Built by practitioners. Free to use, fork, and extend.

$ /plugin marketplace add Liberty91LTD/cti-skills
$ /plugin install cti-skills

or $ npx github:Liberty91LTD/cti-skills

Works with Claude Code, Cursor, Codex, Windsurf
Walkthrough · 8 min

See the skills in action.

Install the pack, point an agent at MISP, and let it run a Diamond Model cluster analysis end-to-end — strategic report, STIX bundles, IOC CSV. Plus a daily SOC alert workflow that enriches IOCs and models them in MISP automatically.

Latest release · v1.8.0

New: ReversingLabs Spectra Analyze.

The pack now speaks ReversingLabs. One call against the A1000 returns a verdict, the threat name, MITRE ATT&CK techniques, sandbox behaviour, and pivot candidates — pre-filling most of a malware-analysis report in a single chain.

New skill · Spectra Analyze (A1000)

/lookup-reversinglabs

Wraps the ReversingLabs Spectra Analyze API. Connect with REVERSINGLABS_USER and REVERSINGLABS_PASSWORD — the SDK handles the token exchange for you.

One detailed-report call returns hash classification, AV detection ratio, threat name, MITRE ATT&CK techniques mapped from TitaniumCore static analysis and dynamic sandboxing, parent-container and extracted-file relationships, sibling samples by family or signature, and network reputation for URLs, domains, and IPs. Submission for fresh analysis is supported too, with optional polling.

Default-when-configured

Investigation skills know about RL natively

When credentials are present, /lookup-reversinglabs joins the always-parallel lookup batch alongside VirusTotal and OTX inside /hash-investigation, /ip-investigation, /domain-investigation, and /url-investigation.

/malware-analysis pre-fills its static, dynamic, MITRE, and IOC sections from the same RL report. /yara-writing validates rules against deployed RL telemetry. No credentials? Every skill degrades gracefully and notes the gap.

Also in recent releases

MISP two-way sync and Ransomware.live leak-site tracking

/lookup-misp writes as well as reads — feed investigation findings back into your MISP as events or STIX bundles in a single chain. /lookup-ransomwarelive puts 27,600+ leak-site claims across 330+ groups at the agent's fingertips, with metadata vs criminal-narrative credibility split flagged on every result.

  • 68 skills in the pack
  • 10 external API integrations
  • 1 call: verdict + MITRE + sandbox + IOCs
  • v1.8, shipped 2026-05-14

Full v1.8.0 release notes on GitHub →

68 skills, organised by job-to-be-done.

Skills compose. Investigation skills chain lookups. Analytical skills prioritise IOCs for further investigation. Production skills apply tradecraft to everything that comes out.

Investigation

Hand over an IP, domain, hash, or URL. The investigation skills chain every supported API, consolidate findings, and prioritise follow-up IOCs.

/ip-investigation /domain-investigation /hash-investigation /url-investigation /ioc-enrichment-workflow

Analytical tradecraft

Structured analytic techniques from the CIA tradecraft primer, available on demand to keep analysis rigorous under pressure.

/ach /red-team-analysis /key-assumptions-check /horizon-scanning /threat-assessment /structured-analytic-techniques

Threat actor & campaign work

Build actor profiles, document campaigns, pivot on indicators, and dig into malware behaviour — with consistent structure every time.

/threat-actor-profiling /campaign-tracking /indicator-pivoting /malware-analysis

Detection engineering

Turn intelligence into detections. SIGMA for SIEMs, YARA for files, KQL for Microsoft Sentinel — written to the conventions each format expects.

/sigma-writing /yara-writing /kql-writing

Intelligence production

Write assessments, build IOC exports in CSV / STIX 2.1 / OpenIOC / MISP, and quality-check the finished product before release.

/intelligence-writing /writing-assessments /ioc-export /stix-bundle /quality-control

Living knowledge cells

Self-updating reference cells on the threat groups and categories you need to speak to every week. Each carries a freshness date.

/china-cyber-espionage /russia-cyber-espionage /iran-cyber-espionage /dprk-cyber-espionage /ransomware-ecosystem /infostealers /initial-access-brokers /phishing-social-engineering /supply-chain-threats /carding-financial-fraud /hacktivism

Lookups (external APIs)

Zero-dependency wrappers around the threat-intel APIs you already pay for. Free tiers work. Missing keys degrade gracefully. /lookup-misp now writes as well as reads.

/lookup-virustotal /lookup-urlscan /lookup-shodan /lookup-abuseipdb /lookup-greynoise /lookup-otx /lookup-censys /lookup-misp /lookup-ransomwarelive /lookup-reversinglabs /mitre-attack

Management & methodology

The programme-level scaffolding that turns a library of skills into a running intelligence function: requirements, stakeholders, feedback, SOPs.

/pir-management /stakeholder-management /feedback-loops /sops /maturity-assessment /intelligence-sharing /cti-hyperloop

See the full skill index on GitHub →

Try it in 30 seconds.

Type a natural request. The /cti-orchestrator skill routes it to the right investigation or analysis skill, then auto-applies rigor on the output — source rating, TLP marking, MISP confidence, and standard likelihood language.

Or direct-invoke a skill with a slash command when you know exactly what you want.

> Investigate 203.0.113.42
→ routes to /ip-investigation
> Profile APT28
→ routes to /threat-actor-profiling
> /ach
→ direct-invoke Analysis of Competing Hypotheses

Works with the tools you already use.

Skills follow the Agent Skills specification, so anywhere the spec is supported, the pack is supported.

AI coding agents

  • Claude Code
    First-class plugin install via marketplace
  • Cursor
    Drop into your agent skills directory
  • Codex
    Agent Skills spec compatible
  • Windsurf
    Agent Skills spec compatible

Threat-intel APIs

Optional. Skills degrade gracefully — no key, no enrichment, no crash.

  • VirusTotal · 4 req/min, 500/day
    VIRUSTOTAL_API_KEY
  • URLScan.io · 100 scans/day
    URLSCAN_API_KEY
  • Shodan · 1 req/sec
    SHODAN_API_KEY
  • AbuseIPDB · 1,000 checks/day
    ABUSEIPDB_API_KEY
  • GreyNoise · 50 req/day
    GREYNOISE_API_KEY
  • AlienVault OTX · 10,000 req/hour
    OTX_API_KEY
  • Censys · 250 queries/month
    CENSYS_API_ID + CENSYS_API_SECRET
  • MISP · Self-hosted · two-way
    MISP_URL + MISP_API_KEY
  • Ransomware.live · PRO: 3,000 calls/day
    RANSOMWARELIVE_API_KEY
  • ReversingLabs · Spectra Analyze (A1000)
    REVERSINGLABS_USER + REVERSINGLABS_PASSWORD

Five ways to install.

Pick whichever fits your workflow. All five land the same 68 skills in the same layout.

Claude Code plugin

Recommended for Claude Code. Two commands and you're running.

/plugin marketplace add Liberty91LTD/cti-skills
/plugin install cti-skills

npx (one-shot)

Drops the whole pack into any project directory. No global install.

npx github:Liberty91LTD/cti-skills

Git clone

If you want to read the code, run the setup script, and iterate locally.

git clone git@github.com:Liberty91LTD/cti-skills.git
cd cti-skills
./scripts/setup.sh
claude

Git submodule

Embed the pack inside an existing repo under your own skills directory.

git submodule add https://github.com/Liberty91LTD/cti-skills.git skills/cti

Fork or direct copy

Hit Fork on GitHub, or copy the skills/ directory straight into your project. Every skill is self-contained.

# Each skill is a folder under skills/
# Grab the ones you want, leave the rest.

Full install docs and the setup script live in the README.

Pack or platform — which is for you?

Same tradecraft under the hood. Two different products for two different jobs.

Open-source pack

You want to build it yourself.

You’re comfortable on the command line. You want the skills handed to you as building blocks so you can compose, fork, and ship your own workflows. Total control, no opinions you didn’t ask for.

  • Free and MIT-licensed
  • Runs inside your coding agent
  • Bring your own API keys and infrastructure
View on GitHub →

Liberty91 platform

You want the outcomes, not the plumbing.

You’re a security professional who wants these capabilities — and a lot more — running against your organisation every day, with a team-ready UI, without having to maintain the technical foundation underneath.

  • Continuous collection + analysis, 24/7
  • Dashboards, reports, and alerting out of the box
  • Integrations for SIEM, SOAR, and ticketing
Start Free Trial →

Still deciding? See what the Liberty91 platform does →