Recorded Future Intelligence
Query threat intelligence from Recorded Future. Use for (1) IP, Domain, Hash, or URL risk enrichment, (2) Fetching indicator risk scores and evidence, (3) Threat actor and malware intelligence lookup.
SKILL.md
---
name: recorded-future-intelligence
description: Query threat intelligence from Recorded Future. Use for (1) IP, Domain, Hash, or URL risk enrichment, (2) Fetching indicator risk scores and evidence, (3) Threat actor and malware intelligence lookup.
---

# Recorded Future Intelligence

This skill interacts with Recorded Future's Intelligence Cloud to provide real-time threat data.

## Requirements

- Python `rfapi` package installed
- `RECORDED_FUTURE_API_KEY` environment variable set

## Core Workflows

### 1. Enrich Indicators (IPs, Domains, Hashes, URLs)

To look up risk details for a single indicator:

- **Command**: `python3 scripts/rf_lookup.py [type] [value]`
- **Types**: `ip`, `domain`, `hash`, `url`

**Example**: Check risk for IP:

```bash
python3 scripts/rf_lookup.py ip 8.8.8.8
```

### 2. Analyze Output

The output will include a "risk" object with:

- `score`: Numeric risk score (0-100)
- `level`: Qualitative risk (Critical, High, Medium, Low, Very Low)
- `evidenceDetails`: Specific reasons for the risk score

## Best Practices

- **Batch Indicators**: If the user provides a list of IPs or Domains, run individual lookups and summarize common patterns.
- **Explain Evidence**: Don't just report the score; explain the evidence (e.g., "This IP is associated with a known Command & Control node").
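The "Batch Indicators" practice above, sketched as an added example that is not part of the skill or of Recorded Future's code: it ranks several lookup outputs by score and reports evidence shared across indicators. The sample outputs are constructed, and the `rule` and `evidenceString` keys inside `evidenceDetails` are an assumption about what `scripts/rf_lookup.py` emits.

```python
import json
from collections import defaultdict

# Constructed lookup outputs keyed by indicator (documentation-range IPs).
# Assumption: evidenceDetails entries carry "rule" and "evidenceString" keys.
SAMPLE_OUTPUTS = {
    "192.0.2.10": json.dumps({"risk": {"score": 92, "level": "Critical", "evidenceDetails": [
        {"rule": "Current C&C Server", "evidenceString": "constructed evidence text"},
        {"rule": "Historical Spam Source", "evidenceString": "constructed evidence text"}]}}),
    "198.51.100.7": json.dumps({"risk": {"score": 5, "level": "Very Low", "evidenceDetails": []}}),
    "203.0.113.5": json.dumps({"risk": {"score": 67, "level": "High", "evidenceDetails": [
        {"rule": "Current C&C Server", "evidenceString": "constructed evidence text"}]}}),
    "203.0.113.99": "",  # a lookup that failed and printed nothing
}


def summarize(outputs):
    """Rank indicators by score and list evidence rules shared across them."""
    ranked, by_rule = [], defaultdict(set)
    for indicator, raw in outputs.items():
        try:
            data = json.loads(raw)
        except json.JSONDecodeError:
            data = None
        risk = data.get("risk") if isinstance(data, dict) else None
        if not isinstance(risk, dict):
            ranked.append((indicator, None, "lookup failed"))
            continue
        ranked.append((indicator, risk.get("score"), risk.get("level", "unknown")))
        for ev in risk.get("evidenceDetails") or []:
            by_rule[ev.get("rule", "unlabelled")].add(indicator)
    # Highest score first; failed lookups last so they are not read as "safe".
    ranked.sort(key=lambda r: (r[1] is None, -(r[1] or 0)))
    shared = {rule: sorted(hits) for rule, hits in by_rule.items() if len(hits) > 1}
    return ranked, shared


if __name__ == "__main__":
    ranked, shared = summarize(SAMPLE_OUTPUTS)
    for indicator, score, level in ranked:
        print(f"{indicator:15} {score!s:>4} {level}")
    for rule, hits in shared.items():
        print(f"shared evidence: {rule} -> {', '.join(hits)}")
```

A failed or empty lookup is reported separately from a low score, so a missing result is not mistaken for a benign one.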
Version History
v1.0.0 (latest)
Initial release - IP/Domain/Hash/URL risk lookup via Recorded Future API
Mar 26, 2026
Clean.zip
SHA-256 (latest)
1d3b107606af9622859fb213c0e10b784530839fc54f189a469d687cbcbc6326