vision-one-threat-intel

Query TrendAI Vision One threat intelligence. Use when: looking up IOCs (IP, domain, hash, URL, email), checking threat feeds, reading intelligence reports, managing suspicious objects, or hunting threats by industry/campaign/actor/CVE. Triggers on: threat intel, IOC lookup, threat feed, suspicious object, Vision One, TrendAI, threat hunting, indicator of compromise.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "vision-one-threat-intel" with this command: npx skills add andresark/vision-one-threat-intel

TrendAI Vision One Threat Intelligence

Query threat intelligence from TrendAI Vision One: feed indicators, intelligence reports, suspicious objects, and threat hunting.

Environment

  • VISION_ONE_API_KEY (required) — Vision One API token
  • VISION_ONE_REGION (optional, default: us) — One of: us, eu, jp, sg, au, in, mea

Commands

All commands use: python3 {baseDir}/scripts/v1ti.py [--region REGION] <command> [options]

1. lookup — What do we know about this IOC?

Searches feed indicators and suspicious objects list for a single indicator. Auto-detects IOC type.

python3 {baseDir}/scripts/v1ti.py lookup <indicator> [--days 90]

Examples:

python3 {baseDir}/scripts/v1ti.py lookup 198.51.100.23
python3 {baseDir}/scripts/v1ti.py lookup evil-domain.com --days 30
python3 {baseDir}/scripts/v1ti.py lookup 44d88612fea8a8f36de82e1278abb02f6d1c7e2a
python3 {baseDir}/scripts/v1ti.py lookup "https://malicious.example.com/payload"
python3 {baseDir}/scripts/v1ti.py lookup attacker@phishing.com

2. feed — Latest threat indicators

List recent feed indicators with optional risk/type filtering.

python3 {baseDir}/scripts/v1ti.py feed [--days 7] [--risk high|medium|low] [--type ip|domain|url|fileSha1|fileSha256|senderMailAddress] [--limit 50]

Examples:

python3 {baseDir}/scripts/v1ti.py feed --days 3 --risk high --limit 20
python3 {baseDir}/scripts/v1ti.py feed --type domain --days 14

3. report — Intelligence reports

List or view specific intelligence reports.

python3 {baseDir}/scripts/v1ti.py report [--id REPORT_ID] [--search KEYWORD] [--limit 10]

Examples:

python3 {baseDir}/scripts/v1ti.py report --limit 5
python3 {baseDir}/scripts/v1ti.py report --search "ransomware"
python3 {baseDir}/scripts/v1ti.py report --id RPT-12345

4. suspicious list — View suspicious objects

List indicators on the organization's suspicious objects list.

python3 {baseDir}/scripts/v1ti.py suspicious list [--type TYPE] [--limit 50]

5. suspicious add — Block an IOC

Add an indicator to the suspicious objects list. Requires explicit action and risk level (no defaults for safety).

python3 {baseDir}/scripts/v1ti.py suspicious add <indicator> --action block|log --risk high|medium|low [--description "reason"] [--expiry-days 30]

Examples:

python3 {baseDir}/scripts/v1ti.py suspicious add evil.com --action block --risk high --description "Phishing campaign C2"
python3 {baseDir}/scripts/v1ti.py suspicious add 198.51.100.23 --action log --risk medium --expiry-days 30

6. hunt — Threat hunt by criteria

Search for threat indicators by campaign, actor, industry, country, or CVE.

python3 {baseDir}/scripts/v1ti.py hunt [--campaign NAME] [--actor NAME] [--industry NAME] [--country NAME] [--cve CVE-ID] [--days 90] [--limit 50]

Examples:

python3 {baseDir}/scripts/v1ti.py hunt --industry Finance --days 30
python3 {baseDir}/scripts/v1ti.py hunt --actor APT29 --limit 20
python3 {baseDir}/scripts/v1ti.py hunt --cve CVE-2024-3400 --days 60
python3 {baseDir}/scripts/v1ti.py hunt --country "United States" --industry Healthcare

Output Format

All output is structured plain text with clear section headers and key-value pairs. No raw JSON is returned.

Error Format

Errors follow a three-part template:

ERROR: <what went wrong>
EXPECTED: <what was expected>
EXAMPLE: <correct usage example>

Supported IOC Types

The lookup and suspicious add commands auto-detect these indicator types from the raw value:

  • IPv4/IPv6 addresses
  • Domain names
  • URLs (http:// or https://)
  • SHA-256 hashes (64 hex chars)
  • SHA-1 hashes (40 hex chars)
  • Email addresses

Notes

  • All GET operations are read-only and safe to run
  • suspicious add is a write operation — always confirm the action with the user before running
  • Results are paginated internally — the --limit flag controls max results returned
  • Use --days to control the lookback window for time-based queries
  • For advanced filter syntax, read {baseDir}/references/filter-examples.md

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open Registry RecordOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

Proof-of-Quality - BTC PoW Verifiable Excellence

BTC PoW grind nonce till skill/output benchmark score > threshold. Verifiable excellence for antifragile meritocracy—no hype, pure quality proof. Use for skill evaluation, fork scoring, collab verification.

Registry SourceRecently Updated
1.6K0kunoiiv
Security

pr-reviewer

Automated GitHub PR code review with diff analysis, lint integration, and structured reports. Use when reviewing pull requests, checking for security issues,...

Registry SourceRecently Updated
6.5K0briancolinger
Security

Guardrails

Interactively configure, review, and monitor security guardrails for your OpenClaw workspace by discovering risks, interviewing users, and generating GUARDRA...

Registry SourceRecently Updated
2.2K0dgriffin831
Security

HiveFence

Collective immunity network for AI agents. When one agent detects a prompt injection attack, all connected agents become immune. Real-time pattern detection, community voting, and distributed threat intelligence. Built on top of prompt-guard.

Registry SourceRecently Updated
1.9K0seojoonkim