USING CLAUDE CODE FOR OSINT
Published: 2026-05-24
WHAT CLAUDE CODE ADDS TO THE OSINT PICTURE
Claude Code is a terminal AI assistant with access to your filesystem, shell, and MCP tools. When OpenOSINT is configured as its MCP server, it can run any of the 14 OSINT tools on demand — but it can also do things the OpenOSINT REPL alone cannot: write Python scripts for custom workflows, read and parse output files from previous investigations, cross-reference findings against local data, and generate formatted reports written directly to disk. The combination of terminal AI and OSINT toolset is qualitatively more powerful than either in isolation.
The critical distinction from using the OpenOSINT REPL directly: Claude Code operates in your workspace. It can read a file of targets, run investigations against each, and write structured results to JSON — all in one session without you handling the file I/O manually. It also generates Python scripts on request, letting you build reusable automation around OpenOSINT's tool functions.
CONFIGURING OPENOSINT AS AN MCP SERVER
Install OpenOSINT at a known absolute path:
git clone https://github.com/OpenOSINT/OpenOSINT.git
cd OpenOSINT
pip install -e .
Register with Claude Code:
claude mcp add openosint python /absolute/path/to/OpenOSINT/openosint/mcp_server.py
claude mcp list
# openosint python /path/to/mcp_server.py (connected)
Set environment variables before launching so API-dependent tools work:
export ANTHROPIC_API_KEY=sk-ant-...
export ABUSEIPDB_API_KEY=...      # IP abuse reputation
export IP2LOCATION_API_KEY=...    # Enriched geo + VPN detection
export HIBP_API_KEY=...           # Breach lookup
claude
All 14 OpenOSINT tools now appear in Claude Code's tool palette. Claude Code calls them with JSON parameters, receives real Python-executed output, and uses results to decide next steps. No simulation, no fabrication — the same structural guarantee as the OpenOSINT REPL.
EXAMPLE INVESTIGATION SESSION
Investigating an unknown suspicious domain from the terminal:
$ claude
> Investigate suspicious-domain.net. Check subdomains,
WHOIS registration, and IP reputation.
→ search_whois('suspicious-domain.net')
Registrar: Namecheap Inc.
Created: 2026-04-18 (37 days ago)
Registrant: REDACTED FOR PRIVACY
→ search_domain('suspicious-domain.net')
[+] api.suspicious-domain.net
[+] mail.suspicious-domain.net
[+] login.suspicious-domain.net
→ search_ip('185.220.101.47') [from A record lookup]
Org: Tor Project Inc. | Country: DE
→ search_abuseipdb('185.220.101.47')
Abuse Confidence: 96% | Total Reports: 412
Last Reported: 2026-05-23
Summary: Domain registered 37 days ago with privacy protection.
Resolves to a known Tor exit node with 96% abuse confidence.
Three structured subdomains (api, mail, login) suggest deliberate
infrastructure. High probability of malicious use.
The full investigation ran in under 90 seconds. No manual tool selection, no copying output between commands, no context switching.
WRITING CUSTOM WORKFLOWS
Claude Code's most powerful OSINT capability: generating Python automation for tasks OpenOSINT doesn't natively cover. Ask in plain language:
> Write a Python script that reads domains from targets.txt, runs WHOIS on each, and outputs a CSV with: domain, registrar, creation_date, nameservers, days_since_registration.
Claude Code writes, tests, and saves the script. It uses OpenOSINT's internal async functions directly:
import asyncio, csv
from datetime import datetime, timezone
from openosint.tools.search_whois import run_whois_osint

async def bulk_whois(domains: list[str]) -> list[dict]:
    # parse_result is a helper defined elsewhere in the generated script (not shown here)
    results = []
    for domain in domains:
        raw = await run_whois_osint(domain)
        results.append(parse_result(domain, raw))
        await asyncio.sleep(1)  # rate limit
    return results
This pattern extends to any workflow: credential exposure monitoring, bulk IP reputation checks, subdomain enumeration pipelines. The combination of AI code generation and live OSINT tool access makes Claude Code a fast way to build investigation infrastructure that doesn't exist yet.
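One possible shape for the parse_result helper that the script above calls but does not show, added here as an example (it is not the generated script or OpenOSINT's own code). It assumes the raw WHOIS reply is "Key: value" text like the session output; the key names, the constructed sample reply, and the safe_cell step that neutralises formula-like values before they reach a spreadsheet are all additions.

```python
import csv, io, re
from datetime import datetime, timezone

# Assumption: raw WHOIS output is "Key: value" text, as in the session
# transcript above; the real return type of run_whois_osint may differ.
FIELDS = ["domain", "registrar", "creation_date", "nameservers",
          "days_since_registration"]
KEYS = {"registrar": "registrar", "created": "creation_date",
        "creation date": "creation_date", "name server": "nameservers"}

def parse_result(domain, raw, now=None):
    """Map one raw WHOIS reply to the CSV columns requested in the prompt."""
    now = now or datetime.now(timezone.utc)
    row = {**dict.fromkeys(FIELDS, ""), "domain": domain}
    servers = []
    for line in raw.splitlines():
        key, sep, value = line.partition(":")
        field, value = KEYS.get(key.strip().lower()), value.strip()
        if not (sep and field and value):
            continue
        if field == "nameservers":
            servers.append(value.lower())
        elif not row[field]:          # keep the first occurrence only
            row[field] = value
    row["nameservers"] = " ".join(servers)
    m = re.match(r"\d{4}-\d{2}-\d{2}", row["creation_date"])
    if m:                             # unparseable dates leave the age blank
        created = datetime.strptime(m.group(), "%Y-%m-%d").replace(tzinfo=timezone.utc)
        row["creation_date"] = m.group()
        row["days_since_registration"] = (now - created).days
    return row

def safe_cell(value):
    """WHOIS fields are registrant-controlled: stop spreadsheets evaluating them."""
    text = str(value)
    return "'" + text if text[:1] in ("=", "+", "-", "@", "\t", "\r") else text

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: safe_cell(row[k]) for k in FIELDS})
    return buf.getvalue()

# Constructed sample reply (not real WHOIS data) with a formula-like registrar.
SAMPLE = "Registrar: =1+1\nCreated: 2026-04-18 (37 days ago)\nName Server: NS1.EXAMPLE.NET\n"
if __name__ == "__main__":
    print(to_csv([parse_result("suspicious-domain.net", SAMPLE)]))
```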
WHEN TO USE CLAUDE CODE VS. THE OPENOSINT REPL
Use Claude Code when investigations involve file I/O (reading target lists, writing results to disk), custom scripting, multi-session work where results need to persist, or workflows that combine OSINT with local data or other tools already in PATH. Claude Code's terminal integration lets it run arbitrary shell commands alongside tool calls.
Use the OpenOSINT REPL for interactive single-session investigations, quick lookups, and exploratory work where you don't know ahead of time what you're looking for. The REPL's Rich-rendered markdown output and slash commands (/history, /export, /model) are optimized for the investigative workflow. The MCP server beneath both is identical — tool availability and execution quality are the same. Only the interaction model differs.
SEE ALSO
- Model Context Protocol explained — the transport layer connecting Claude Code to OpenOSINT
- OpenOSINT as MCP server — Claude Desktop configuration
- How AI agents are changing OSINT — the agentic loop architecture behind the tool calls