Discord OSINT Assistant is a self-hosted Discord intelligence bot for Open Source Intelligence (OSINT) investigations. It exposes 32 investigation workflows as Discord slash commands for reconnaissance, attribution, enrichment, and analysis.
git clone https://github.com/gl0bal01/discord-osint-assistant.git
cd discord-osint-assistant
bun install # or: npm install
cp .env.example .env # set DISCORD_TOKEN and CLIENT_ID
bun run deploy
bun run start- Standardize OSINT workflows for teams working inside Discord
- Reduce setup overhead for investigators and analysts
- Keep operational controls close to command execution (validation, permissions, rate limits)
- Integrate API-based and CLI-based data sources behind one command surface
- 31 slash commands across identity, network, media, blockchain, transport, business, analysis, and operations workflows
/bob-chatsupports multi-model chat, code generation, OSINT analysis, and speech-to-text transcription- Optional integrations with third-party APIs and local external tools
- Security-focused runtime controls for process execution and URL handling
- Container-ready deployment and CI validation
flowchart LR
U[Discord User] --> S[Slash Command]
S --> B[Bot Command Handler]
B --> V[Input Validation and Permission Gate]
V --> A[API Integrations]
V --> C[External CLI Tools]
A --> F[Normalized Output]
C --> F
F --> R[Discord Response]
The bot currently provides 32 commands across 8 functional areas. Run /bob-help in Discord to list every command live with its description.
/bob-sherlock, /bob-maigret, /bob-linkook, /bob-ghunt, /bob-generate-usernames, /bob-nuclei
/bob-dns, /bob-whoxy, /bob-hostio, /bob-recon-web, /bob-redirect-chain, /bob-favicons
/bob-exif, /bob-rekognition
/bob-blockchain, /bob-blockchain-detect
/bob-aviation, /bob-airport, /bob-flight-number, /bob-vessels
/bob-pappers, /bob-vpic, /bob-nike
/bob-chat, /bob-jwt, /bob-xeuledoc, /bob-extract-links, /bob-dork
General AI assistance with optional context presets.
| Parameter | Required | Description |
|---|---|---|
message |
Yes | Your question or request (max 2000 chars) |
model |
No | qwen3-vl-flash (default), gpt-5.4-mini, sonar-reasoning-pro, grok-4-fast-reasoning |
context |
No | general (default), osint, data, investigation, technical, report |
Example
/bob-chat ask message:"Analyze this breach data for patterns" model:sonar-reasoning-pro context:osint
Generate code for OSINT automation and data analysis.
| Parameter | Required | Description |
|---|---|---|
request |
Yes | Describe the code you need (max 2000 chars) |
language |
No | python (default), javascript, bash, powershell, sql, other |
model |
No | qwen3-coder-plus (default), claude-sonnet-4-6, gemini-3.1-pro-preview, gpt-5.4, grok-code-fast-1 |
new-context |
No | Start a fresh code conversation (false by default) |
Example
/bob-chat code request:"Script that fetches subdomains from crt.sh" language:python model:qwen3-coder-plus
Structured OSINT analysis of findings or raw data.
| Parameter | Required | Description |
|---|---|---|
data |
Yes | The data or findings to analyze (max 2000 chars) |
analysis-type |
No | summary (default), pattern, threat, link, timeline, risk |
Example
/bob-chat analyze data:"IP 198.51.100.5 contacted our honeypot 42 times using user-agent 'Mozilla/5.0 CustomBot'" analysis-type:threat
Analysis types
pattern– Pattern recognition and anomaly detectionthreat– Threat assessment and security implicationslink– Relationship and connection mappingtimeline– Timeline reconstruction from eventsrisk– Risk assessmentsummary– High-level summary and key insights
Speech-to-text via 1min.ai audio models.
| Parameter | Required | Description |
|---|---|---|
audio-url |
Yes | Asset path returned by the 1min.ai Asset API (e.g. fileContent.path) |
stt-model |
No | qwen3-asr-flash (default) or phone_call |
language |
Cond. | Required for phone_call (BCP-47 style, e.g. en-US, vi-VN, zh-CN). Optional for qwen3-asr-flash (e.g. en, zh, ja; auto-detect if omitted) |
enable-itn |
No | Qwen3 only: enable inverse text normalization (false by default) |
Transcription workflow
- Upload your audio file to the 1min.ai Asset API (
POST /api/assets). - Copy the returned asset path (usually inside
fileContent.path). - Run the slash command with that path.
Example – Qwen3 ASR Flash (auto-detect language)
/bob-chat transcribe audio-url:"https://cdn.1min.ai/.../recording.wav"
Example – Qwen3 ASR Flash (explicit language + ITN)
/bob-chat transcribe audio-url:"https://cdn.1min.ai/.../recording.wav" language:en enable-itn:true
Example – Phone Call model
/bob-chat transcribe audio-url:"https://cdn.1min.ai/.../call.wav" stt-model:phone_call language:en-US
Clear conversation context so the next interaction starts fresh.
| Parameter | Required | Description |
|---|---|---|
model |
No | all (default), chat, code, analysis |
Example
/bob-chat reset model:code
/bob-monitor, /bob-health, /bob-upload, /bob-help
Upload a Discord attachment to the 1min.ai Asset API so it can be referenced by AI features (e.g. /bob-chat transcribe).
| Parameter | Required | Description |
|---|---|---|
file |
Yes | The file to upload (max 50 MB) |
Supported file types
- Images: PNG, JPEG, WEBP, GIF, SVG
- Documents: PDF, DOC, DOCX, TXT
- Data: JSON, CSV, XML
- Audio: WAV, MP3, OGG, M4A (for transcription)
Example
/bob-upload file:<attach your audio file>
Response fields
- Asset Path (
fileContent.path) — the value you pass toaudio-urlin/bob-chat transcribe - UUID — unique identifier for the uploaded asset
- Direct URL — full S3 location (requires authentication)
Workflow for transcription
- Run
/bob-uploadand attach your audio file. - Copy the Asset Path from the response.
- Run
/bob-chat transcribe audio-url:<asset-path>.
GHunt requires a valid Google session before it can perform lookups. The bot can detect login status and accept fresh credentials directly from Discord.
| Operation | Parameter | Description |
|---|---|---|
type:check-login |
— | Verify whether GHunt credentials exist and are valid |
type:login |
query or token |
Save a new base64 token from GHunt Companion |
type:email |
query |
Lookup an email address |
type:gaia |
query |
Lookup a Gaia ID |
type:drive |
query |
Analyze a Google Drive file/folder URL |
type:geolocate |
query |
Geolocate a BSSID (XX:XX:XX:XX:XX:XX) |
type:spiderdal |
query |
Find assets using Digital Asset Links |
How to authenticate
- Install the GHunt Companion browser extension (Firefox or Chrome).
- Log in to your Google account in the browser.
- Click the extension icon and copy the base64 string.
- Run the login command:
/bob-ghunt type:login query:<paste-base64-here>
Check your session
/bob-ghunt type:check-login
Run a lookup
/bob-ghunt type:email query:target@gmail.com
Environment variable
GHUNT_CREDS_PATH— custom path for the credentials file (default:~/.malfrats/ghunt/creds.m)
- Node.js 20+
- Discord bot application and token
- Bun (optional)
- Docker (optional)
See the unified clone/install/deploy/start snippet under In Two Minutes. Bun is preferred; npm works for every script.
cp .env.example .env
docker compose up -d # or: make upCopy .env.example to .env and configure at minimum:
DISCORD_TOKENCLIENT_ID
Optional integrations unlock additional commands:
- API services such as Whoxy, DNSDumpster, Host.io, AviationStack, and AWS Rekognition
- External CLI tools such as Sherlock, Maigret, Nuclei, ExifTool, GHunt, xeuledoc, Linkook, and jwt_tool
If an optional dependency is missing, the related command returns a descriptive runtime error.
The bot uses pino for structured JSON logging.
| Variable | Default | Accepted values |
|---|---|---|
LOG_LEVEL |
info |
trace, debug, info, warn, error, fatal |
In development (non-production and interactive TTY) logs are pretty-printed via pino-pretty. In production, raw JSON is written to stdout for ingestion by log aggregators.
Sensitive fields (token, authorization, password, api_key, headers.authorization, headers.cookie) are automatically redacted to [REDACTED] before output.
This project executes investigations against user-provided input and applies defensive controls by default.
- Argument-array process execution with restricted child-process environments
- SSRF protections on URL-capable commands
- Centralized validators for usernames, domains, URLs, emails, and IP addresses
- Permission gating for high-impact commands
- Per-user rate limits and daily usage controls
See SECURITY.md for full details.
bun run dev # nodemon hot-reload
bun run test # vitest
bun run lint # eslint
bun run smoke # quick boot/health probeSlash command registration (deploy, deploy:global, clear, clear:global, clear:all, clear:list) and other scripts live in package.json. Run bun run with no args to see them all.
Contribution guidance is available in CONTRIBUTING.md.
The bot exits with code 1 on uncaughtException or unhandledRejection, so it must run under a supervisor that restarts on failure. A Makefile wraps both supported paths.
The repository ships a unit at deploy/discord-osint-assistant.service with Restart=always and full sandboxing.
make install # creates botuser, copies repo to /opt, installs unit, enables service
make restart # restart after code update
make update # git pull + bun install + restart
make logs-tail # follow journaldOverride the install path with make INSTALL_DIR=/srv/bot install. Run make help to list every target.
make up # build + start (or: docker compose up -d --build)
make dlogs # follow logs
make dhealth # show healthcheck state
make down # stop and removeThe container runs read-only with cap_drop: ALL, tmpfs for /app/temp, and a built-in healthcheck (scripts/healthcheck.js).
PM2 is not supported — it needs a writable ~/.pm2 which conflicts with the hardened read_only container and systemd ProtectHome=true.
MIT. See LICENSE.