Passive domain reconnaissance using Python stdlib. Subdomain discovery, SSL certificate inspection, WHOIS lookups, DNS records, domain availability checks, and bulk multi-domain analysis. No API keys
Real data. Real impact.
Emerging
Developers
Per week
Excellent
Skills give you superpowers. Install in 30 seconds.
Passive domain reconnaissance using only Python stdlib. Zero dependencies. Zero API keys. Works on Linux, macOS, and Windows.
This skill includes
scripts/domain_intel.py# Subdomain discovery via Certificate Transparency logs python3 SKILL_DIR/scripts/domain_intel.py subdomains example.com # SSL certificate inspection (expiry, cipher, SANs, issuer) python3 SKILL_DIR/scripts/domain_intel.py ssl example.com # WHOIS lookup (registrar, dates, name servers — 100+ TLDs) python3 SKILL_DIR/scripts/domain_intel.py whois example.com # DNS records (A, AAAA, MX, NS, TXT, CNAME) python3 SKILL_DIR/scripts/domain_intel.py dns example.com # Domain availability check (passive: DNS + WHOIS + SSL signals) python3 SKILL_DIR/scripts/domain_intel.py available coolstartup.io # Bulk analysis — multiple domains, multiple checks in parallel python3 SKILL_DIR/scripts/domain_intel.py bulk example.com github.com google.com python3 SKILL_DIR/scripts/domain_intel.py bulk example.com github.com --checks ssl,dns
SKILL_DIR| Command | What it does | Data source |
|---|---|---|
| Find subdomains from certificate logs | crt.sh (HTTPS) |
| Inspect TLS certificate details | Direct TCP:443 to target |
| Registration info, registrar, dates | WHOIS servers (TCP:43) |
| A, AAAA, MX, NS, TXT, CNAME records | System DNS + Google DoH |
| Check if domain is registered | DNS + WHOIS + SSL signals |
| Run multiple checks on multiple domains | All of the above |
web_searchweb_extractterminalcurl -I| Task | Better tool | Why |
|---|---|---|
| "What does example.com do?" | | Gets page content, not DNS/WHOIS data |
| "Find info about a company" | | General research, not domain-specific |
| "Is this website safe?" | | Reputation checks need web context |
| "Check if a URL is reachable" | | Simple HTTP check |
| "Find subdomains of X" | This skill | Only passive source for this |
| "When does the SSL cert expire?" | This skill | Built-in tools can't inspect TLS |
| "Who registered this domain?" | This skill | WHOIS data not in web search |
| "Is coolstartup.io available?" | This skill | Passive availability via DNS+WHOIS+SSL |
Pure Python stdlib (
socketsslurllibjsonconcurrent.futuresAll queries are passive — no port scanning, no vulnerability testing:
Contributed by @FurkanL0
MIT
mkdir -p ~/.hermes/skills/research/domain-intel && curl -o ~/.hermes/skills/research/domain-intel/SKILL.md https://raw.githubusercontent.com/NousResearch/hermes-agent/main/optional-skills/research/domain-intel/SKILL.md
4,600+ AI skills, agents & workflows. Install in 60 seconds. Part of the Torly.ai family.
© 2026 Torly.ai. All rights reserved.