ReddRadar
Agent skill
domain-intel
Passive domain reconnaissance using Python stdlib. Subdomain discovery, SSL certificate inspection, WHOIS lookups, DNS records, domain availability checks, and bulk multi-domain analysis. No API keys required.
Install this agent skill to your Project
npx add-skill https://github.com/NousResearch/hermes-agent/tree/main/optional-skills/research/domain-intel
SKILL.md
Domain Intelligence — Passive OSINT
Passive domain reconnaissance using only Python stdlib. Zero dependencies. Zero API keys. Works on Linux, macOS, and Windows.
Helper script
This skill includes scripts/domain_intel.py — a complete CLI tool for all domain intelligence operations.
# Subdomain discovery via Certificate Transparency logs
python3 SKILL_DIR/scripts/domain_intel.py subdomains example.com
# SSL certificate inspection (expiry, cipher, SANs, issuer)
python3 SKILL_DIR/scripts/domain_intel.py ssl example.com
# WHOIS lookup (registrar, dates, name servers — 100+ TLDs)
python3 SKILL_DIR/scripts/domain_intel.py whois example.com
# DNS records (A, AAAA, MX, NS, TXT, CNAME)
python3 SKILL_DIR/scripts/domain_intel.py dns example.com
# Domain availability check (passive: DNS + WHOIS + SSL signals)
python3 SKILL_DIR/scripts/domain_intel.py available coolstartup.io
# Bulk analysis — multiple domains, multiple checks in parallel
python3 SKILL_DIR/scripts/domain_intel.py bulk example.com github.com google.com
python3 SKILL_DIR/scripts/domain_intel.py bulk example.com github.com --checks ssl,dns
SKILL_DIR is the directory containing this SKILL.md file. All output is structured JSON.
Available commands
| Command | What it does | Data source |
|---|---|---|
subdomains |
Find subdomains from certificate logs | crt.sh (HTTPS) |
ssl |
Inspect TLS certificate details | Direct TCP:443 to target |
whois |
Registration info, registrar, dates | WHOIS servers (TCP:43) |
dns |
A, AAAA, MX, NS, TXT, CNAME records | System DNS + Google DoH |
available |
Check if domain is registered | DNS + WHOIS + SSL signals |
bulk |
Run multiple checks on multiple domains | All of the above |
When to use this vs built-in tools
- Use this skill for infrastructure questions: subdomains, SSL certs, WHOIS, DNS records, availability
- Use
web_searchfor general research about what a domain/company does - Use
web_extractto get the actual content of a webpage - Use
terminalwithcurl -Ifor a simple "is this URL reachable" check
| Task | Better tool | Why |
|---|---|---|
| "What does example.com do?" | web_extract |
Gets page content, not DNS/WHOIS data |
| "Find info about a company" | web_search |
General research, not domain-specific |
| "Is this website safe?" | web_search |
Reputation checks need web context |
| "Check if a URL is reachable" | terminal with curl -I |
Simple HTTP check |
| "Find subdomains of X" | This skill | Only passive source for this |
| "When does the SSL cert expire?" | This skill | Built-in tools can't inspect TLS |
| "Who registered this domain?" | This skill | WHOIS data not in web search |
| "Is coolstartup.io available?" | This skill | Passive availability via DNS+WHOIS+SSL |
Platform compatibility
Pure Python stdlib (socket, ssl, urllib, json, concurrent.futures).
Works identically on Linux, macOS, and Windows with no dependencies.
- crt.sh queries use HTTPS (port 443) — works behind most firewalls
- WHOIS queries use TCP port 43 — may be blocked on restrictive networks
- DNS queries use Google DoH (HTTPS) for MX/NS/TXT — firewall-friendly
- SSL checks connect to the target on port 443 — the only "active" operation
Data sources
All queries are passive — no port scanning, no vulnerability testing:
- crt.sh — Certificate Transparency logs (subdomain discovery, HTTPS only)
- WHOIS servers — Direct TCP to 100+ authoritative TLD registrars
- Google DNS-over-HTTPS — MX, NS, TXT, CNAME resolution (firewall-friendly)
- System DNS — A/AAAA record resolution
- SSL check is the only "active" operation (TCP connection to target:443)
Notes
- WHOIS queries use TCP port 43 — may be blocked on restrictive networks
- Some WHOIS servers redact registrant info (GDPR) — mention this to the user
- crt.sh can be slow for very popular domains (thousands of certs) — set reasonable expectations
- The availability check is heuristic-based (3 passive signals) — not authoritative like a registrar API
Contributed by @FurkanL0
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
NousResearch/hermes-agent
agentmail
Give the agent its own dedicated email inbox via AgentMail. Send, receive, and manage email autonomously using agent-owned email addresses (e.g. hermes-agent@agentmail.to).
NousResearch/hermes-agent
base
Query Base (Ethereum L2) blockchain data with USD pricing — wallet balances, token info, transaction details, gas analysis, contract inspection, whale detection, and live network stats. Uses Base RPC + CoinGecko. No API key required.
NousResearch/hermes-agent
solana
Query Solana blockchain data with USD pricing — wallet balances, token portfolios with values, transaction details, NFTs, whale detection, and live network stats. Uses Solana RPC + CoinGecko. No API key required.
NousResearch/hermes-agent
one-three-one-rule
Structured decision-making framework for technical proposals and trade-off analysis. When the user faces a choice between multiple approaches (architecture decisions, tool selection, refactoring strategies, migration paths), this skill produces a 1-3-1 format: one clear problem statement, three distinct options with pros/cons, and one concrete recommendation with definition of done and implementation plan. Use when the user asks for a "1-3-1", says "give me options", or needs help choosing between competing approaches.
NousResearch/hermes-agent
fastmcp
Build, test, inspect, install, and deploy MCP servers with FastMCP in Python. Use when creating a new MCP server, wrapping an API or database as MCP tools, exposing resources or prompts, or preparing a FastMCP server for Claude Code, Cursor, or HTTP deployment.
NousResearch/hermes-agent
qdrant-vector-search
High-performance vector similarity search engine for RAG and semantic search. Use when building production RAG systems requiring fast nearest neighbor search, hybrid search with filtering, or scalable vector storage with Rust-powered performance.
Didn't find tool you were looking for?