mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-26 03:34:37 +03:00

Files

T

mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders

2026-03-10 21:02:12 +01:00

2.9 KiB

Raw Blame History

API Reference: IOC Enrichment Tools

VirusTotal API v3

File Hash Lookup

curl -H "x-apikey: $VT_KEY" \
  "https://www.virustotal.com/api/v3/files/<sha256>"

Domain Lookup

curl -H "x-apikey: $VT_KEY" \
  "https://www.virustotal.com/api/v3/domains/<domain>"

IP Lookup

curl -H "x-apikey: $VT_KEY" \
  "https://www.virustotal.com/api/v3/ip_addresses/<ip>"

Key Response Fields

Field	Description
`last_analysis_stats.malicious`	Number of AV engines detecting as malicious
`last_analysis_stats.undetected`	AV engines finding clean
`reputation`	Community reputation score
`popular_threat_classification`	Threat label consensus

Python (vt-py)

import vt
client = vt.Client("API_KEY")
file_obj = client.get_object(f"/files/{sha256}")
stats = file_obj.last_analysis_stats
client.close()

AbuseIPDB API v2

Check IP

curl -G "https://api.abuseipdb.com/api/v2/check" \
  -H "Key: $ABUSE_KEY" -H "Accept: application/json" \
  -d "ipAddress=1.2.3.4" -d "maxAgeInDays=90"

Response Fields

Field	Description
`abuseConfidenceScore`	0-100 abuse confidence
`totalReports`	Report count in timeframe
`countryCode`	Source country
`isp`	Internet service provider
`isTor`	Tor exit node flag

MalwareBazaar API (abuse.ch)

Hash Lookup

curl -X POST "https://mb-api.abuse.ch/api/v1/" \
  -d "query=get_info" -d "hash=<sha256>"

Response Fields

Field	Description
`signature`	Malware family name
`tags`	Associated tags
`file_type`	File type identification
`first_seen`	First submission date
`reporter`	Submitting analyst

URLScan.io API

Submit URL for Scan

curl -X POST "https://urlscan.io/api/v1/scan/" \
  -H "API-Key: $KEY" -H "Content-Type: application/json" \
  -d '{"url": "http://suspicious.com", "visibility": "private"}'

Retrieve Results

curl "https://urlscan.io/api/v1/result/<uuid>/"

Shodan API

IP Lookup

curl "https://api.shodan.io/shodan/host/<ip>?key=$SHODAN_KEY"

Response Fields

Field	Description
`ports`	Open ports list
`os`	Operating system
`org`	Organization
`asn`	Autonomous system number
`hostnames`	Associated hostnames

IOC Confidence Scoring Framework

Score	Disposition	Criteria
>= 70	BLOCK	15+ VT detections, AbuseIPDB >= 70%, or MalwareBazaar match
40-69	MONITOR	5-14 VT detections, moderate abuse score
< 40	INVESTIGATE	Low detection, no campaign attribution

Defanging Convention

Original	Defanged
`http://`	`hxxp://`
`https://`	`hxxps://`
`.com`	`[.]com`
`evil.com`	`evil[.]com`

2.9 KiB Raw Blame History

API Reference: IOC Enrichment Tools

VirusTotal API v3

File Hash Lookup

Domain Lookup

IP Lookup

Key Response Fields

Python (vt-py)

AbuseIPDB API v2

Check IP

Response Fields

MalwareBazaar API (abuse.ch)

Hash Lookup

Response Fields

URLScan.io API

Submit URL for Scan

Retrieve Results

Shodan API

IP Lookup

Response Fields

IOC Confidence Scoring Framework

Defanging Convention

2.9 KiB

Raw Blame History