{
  "schemaVersion": "1.0",
  "item": {
    "slug": "seithar-intel",
    "name": "seithar-intel",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/Mirai8888/seithar-intel",
    "canonicalUrl": "https://clawhub.ai/Mirai8888/seithar-intel",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/seithar-intel",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=seithar-intel",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/seithar-intel"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package is seithar-intel and contains the expected setup assets (SKILL.md)."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/seithar-intel",
    "agentPageUrl": "https://openagent3.xyz/skills/seithar-intel/agent",
    "manifestUrl": "https://openagent3.xyz/skills/seithar-intel/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/seithar-intel/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "認知作戦 | seithar.com",
        "body": "A personal cyber threat intelligence and cognitive security analyst for OpenClaw. Monitors RSS feeds for security news, vulnerability disclosures, exploit drops, and influence operation reports. Scores items against your interests, delivers daily briefings, and provides on-demand deep-dive analysis of any threat — technical or cognitive.\n\nThis is ThreatMouth in your pocket. Cyber + cognitive security awareness from any chat app."
      },
      {
        "title": "Description",
        "body": "This skill turns your OpenClaw into a threat intelligence analyst that:\n\nMonitors cybersecurity RSS feeds (BleepingComputer, The Hacker News, Krebs on Security, CISA, Full Disclosure, Exploit-DB, SANS ISC, oss-security, Schneier, PacketStorm, DarkReading, and more)\nMonitors cognitive security feeds (EUvsDisinfo, DFRLab, Bellingcat, RAND, Seithar Research)\nScores each item against your configured interest profile\nDelivers morning/evening briefings via your preferred chat app\nProvides on-demand deep-dive analysis of any CVE, vulnerability, exploit, influence operation, or campaign\nTracks MITRE ATT&CK and DISARM framework technique mappings\nDiscovers public proof-of-concept code for disclosed vulnerabilities\nMaintains a running threat landscape summary that evolves with the feed"
      },
      {
        "title": "Triggers",
        "body": "\"threat briefing\" / \"security briefing\" / \"morning briefing\" / \"what's new in security\"\n\"check threats\" / \"check feeds\" / \"any new vulns\"\n\"explain CVE-XXXX-XXXXX\" / \"deep dive on [topic]\" / \"analyze this threat\"\n\"cogdef briefing\" / \"cognitive security update\" / \"any new psyops\"\n\"what should I study today\" / \"learning recommendations\"\n\"threat landscape\" / \"what's trending in security\"\n\"poc for CVE-XXXX-XXXXX\" / \"any exploits for [software]\"\n\"seithar brief\""
      },
      {
        "title": "Configuration",
        "body": "The operator should configure the following in their OpenClaw settings or by telling the agent directly:"
      },
      {
        "title": "Interest Profile",
        "body": "Tell your OpenClaw your security interests and it will calibrate scoring. Example:\n\nMy security interests are:\n- Malware analysis and reverse engineering\n- Social engineering and cognitive security\n- Network exploitation\n- OSINT and intelligence gathering\n- Influence operations and information warfare\n- Vulnerability research and exploit development\n\nI'm currently studying:\n- MITRE ATT&CK framework\n- DISARM framework for influence operations\n- Python security tooling\n- OverTheWire wargames\n\nMy skill level: intermediate\n\nDeprioritize:\n- Enterprise compliance and GRC\n- Cloud IAM and AWS security\n- Vendor marketing announcements\n- Corporate breach notifications unless technically interesting\n\nThe skill stores this profile in memory and uses it to score every feed item for relevance."
      },
      {
        "title": "Feed Schedule",
        "body": "Default schedule (configurable):\n\nMorning briefing: 8:00 AM local — top 5 items from overnight, any critical alerts\nEvening briefing: 6:00 PM local — day summary, items scored > 0.7, study recommendations\nCritical alerts: Immediate — items scored > 0.9 pushed as soon as detected\n\nTell your OpenClaw: \"Change my briefing time to 9 AM and 7 PM\" or \"Only send critical alerts, no scheduled briefings\""
      },
      {
        "title": "Feed Check Interval",
        "body": "Default: every 2 hours. The skill uses OpenClaw's cron/heartbeat system to periodically fetch and process feeds."
      },
      {
        "title": "Feed Collection",
        "body": "On each check interval, the skill instructs the agent to:\n\nFetch RSS feeds from the configured source list using the web_fetch tool\nParse feed entries (title, link, published date, summary/description)\nDeduplicate against previously seen items (tracked in memory by URL hash)\nFor each new item, score it against the operator's interest profile"
      },
      {
        "title": "Scoring",
        "body": "Each new item is scored 0.0 to 1.0 against the operator's profile:\n\n0.9 - 1.0: Critical — matches core interests directly, high urgency (active exploitation, 0-day, major campaign)\n0.7 - 0.9: High — relevant to interests, worth reading today\n0.5 - 0.7: Medium — tangentially relevant, include in digest\nBelow 0.5: Low — skip unless specifically requested\n\nThe agent scores by examining the item's title, summary, source, and any CVE/technique references against the stored interest profile. No external API needed — the LLM does the scoring inline."
      },
      {
        "title": "Categorization",
        "body": "Items are categorized into:\n\nCRITICAL ALERT — Active exploitation, 0-day, critical infrastructure\nEXPLOIT DROP — New CVE, PoC release, vulnerability disclosure\nMALWARE — Malware analysis, RE findings, campaign reports\nINFLUENCE OP — Disinformation campaigns, cognitive security, DISARM-mapped operations\nTECHNIQUE — ATT&CK or DISARM technique deep-dives, methodology\nLEARNING — Tutorials, CTF writeups, educational content\nGENERAL — Industry news, policy, commentary"
      },
      {
        "title": "Briefing Format",
        "body": "╔══════════════════════════════════════════════════╗\n║  SEITHAR INTELLIGENCE BRIEFING                   ║\n║  2026-02-11 08:00 EST                            ║\n╚══════════════════════════════════════════════════╝\n\nCRITICAL (act now):\n\n  🔴 [0.95] Pre-auth RCE in OpenSSH (CVE-2026-XXXXX)\n     Full Disclosure | 2h ago\n     Affects OpenSSH 9.x. Public PoC available.\n     ▸ Say \"deep dive CVE-2026-XXXXX\" for full analysis\n\nHIGH RELEVANCE:\n\n  🟠 [0.87] Lazarus Group deploys new social engineering\n     toolkit targeting crypto developers\n     The Hacker News | 4h ago\n     DISARM: T0047 (Develop Content), ATT&CK: T1566.001\n     ▸ Say \"deep dive lazarus social engineering\" for analysis\n\n  🟠 [0.82] New Nuclei templates for Spring4Shell variants\n     Exploit-DB | 6h ago\n     12 new detection templates + PoC payloads\n     ▸ Say \"explain spring4shell\" for context\n\n  🟠 [0.78] Russian influence operation targeting NATO\n     narratives detected across 3 platforms\n     DFRLab | 5h ago\n     DISARM: T0046, T0048, T0056 | Coordinated inauthentic behavior\n     ▸ Say \"deep dive nato influence op\" for DISARM breakdown\n\nSTUDY RECOMMENDATION:\n  Based on today's feed: review SSH key exchange internals\n  and pre-authentication attack surfaces. OverTheWire Bandit\n  levels 14-17 cover SSH fundamentals.\n\n──────────────────────────────────────────────────\n24 items collected | 4 high relevance | 1 critical\nSeithar Intelligence Division v1.0\n認知作戦 | seithar.com/research\n──────────────────────────────────────────────────"
      },
      {
        "title": "Deep Dive",
        "body": "When the operator says \"deep dive [topic]\" or \"explain [CVE]\", the skill:\n\nFetches the full article content via web_fetch\nIf a CVE is mentioned, queries the NVD API for structured vuln data\nSearches GitHub for public PoC repositories (https://api.github.com/search/repositories?q=CVE-XXXX-XXXXX&sort=stars)\nGenerates a structured educational breakdown:\n\n╔══════════════════════════════════════════════════╗\n║  SEITHAR DEEP DIVE                               ║\n║  CVE-2026-XXXXX — OpenSSH Pre-Auth RCE           ║\n╚══════════════════════════════════════════════════╝\n\nWHAT HAPPENED:\n  A memory corruption vulnerability in OpenSSH's key exchange\n  handler allows unauthenticated attackers to achieve remote\n  code execution as root. No credentials required.\n\nHOW THE EXPLOIT WORKS:\n  1. Attacker connects to SSH port 22\n  2. During key exchange (before authentication), sends\n     oversized payload in the KEX_INIT message\n  3. Buffer overflow overwrites return address on stack\n  4. Execution redirected to attacker's shellcode\n  5. Root shell achieved — no credentials needed\n\n  Pseudocode:\n    connect(target, 22)\n    send(kex_init_with_overflow_payload)\n    # Stack is now corrupted\n    # Return address points to shellcode\n    # Root shell spawns\n\nMITRE ATT&CK:\n  T1190 — Exploit Public-Facing Application\n  T1068 — Exploitation for Privilege Escalation\n\nPROOF OF CONCEPT:\n  ⭐ 234  github.com/researcher/CVE-2026-XXXXX (Python)\n  ⭐  45  github.com/other/openssh-rce-poc (C)\n  Key file to study: exploit.py lines 40-80 (payload construction)\n\nCONCEPTS TO UNDERSTAND:\n  → Stack-based buffer overflow (study: OverTheWire Narnia)\n  → SSH key exchange protocol (RFC 4253)\n  → ASLR bypass techniques\n  → Return-oriented programming (ROP)\n\nLAB EXERCISE:\n  docker pull vulhub/openssh:9.x\n  Practice in isolated environment. 
Never test against\n  production systems.\n\nDEFENSIVE PERSPECTIVE:\n  Detection: Anomalous packet sizes during SSH handshake\n  Prevention: Upgrade to OpenSSH 9.x.x, restrict SSH access\n  Log analysis: Look for connection resets during KEX phase\n\n──────────────────────────────────────────────────\nSeithar Intelligence Division v1.0\n認知作戦 | seithar.com/research\n──────────────────────────────────────────────────\n\nFor influence operations, the deep dive maps to DISARM instead:\n\n╔══════════════════════════════════════════════════╗\n║  SEITHAR DEEP DIVE — COGNITIVE                   ║\n║  Russian NATO Narrative Operation                 ║\n╚══════════════════════════════════════════════════╝\n\nWHAT HAPPENED:\n  Coordinated inauthentic behavior detected across Twitter/X,\n  Telegram, and Facebook targeting NATO unity narratives in\n  Baltic states. ~200 accounts activated within 48h window.\n\nDISARM MAPPING:\n  Plan:\n    T0073 — Determine Target Audiences (Baltic publics)\n    T0047 — Develop Content (localized memes, fake news articles)\n  Prepare:\n    T0048 — Develop Online Personas (aged accounts reactivated)\n    T0046 — Use Existing Narratives (energy costs, immigration)\n  Execute:\n    T0049 — Flood Information Space\n    T0056 — Amplify Existing Content (cross-platform coordination)\n\nTECHNIQUES DETECTED:\n  ▸ Narrative Piggybacking — latched onto real energy cost\n    concerns, added fabricated escalation claims\n  ▸ Coordinated Amplification — same framing appeared across\n    platforms within 2-hour window, suggesting central dispatch\n  ▸ Emotional Anchoring — content led with fear/anger triggers\n    before introducing anti-NATO framing\n\nSEITHAR TAXONOMY:\n  SCT-003 (Substrate Priming) — Initial wave didn't carry\n    explicit anti-NATO messaging. 
It primed emotional state\n    (anxiety about energy costs) so subsequent waves could\n    introduce the geopolitical framing.\n  SCT-005 (Amplification Embedding) — Content designed so\n    that debunking it still spreads the core claim.\n  SCT-007 (Wetiko Pattern) — Target audiences began\n    reproducing the framing as \"their own analysis\" within\n    48h of initial exposure.\n\nDEFENSIVE PERSPECTIVE:\n  Inoculation: Pre-bunking energy cost narratives with\n  accurate data before the operation gains traction.\n  Detection: Monitor for coordinated posting patterns\n  (same framing, multiple accounts, tight time window).\n  Counter: Highlight the coordination pattern itself rather\n  than debunking individual claims.\n\n──────────────────────────────────────────────────\nSeithar Intelligence Division v1.0\n認知作戦 | seithar.com/research\n──────────────────────────────────────────────────"
      },
      {
        "title": "Cyber Threat Intelligence (Tier 1 — checked every 2h)",
        "body": "Source\tFeed URL\tCategory\nThe Hacker News\thttps://feeds.feedburner.com/TheHackersNews\tgeneral, malware, exploit\nBleepingComputer\thttps://www.bleepingcomputer.com/feed/\tgeneral, malware\nKrebs on Security\thttps://krebsonsecurity.com/feed/\tgeneral, cybercrime\nCISA Alerts\thttps://www.cisa.gov/cybersecurity-advisories/all.xml\tcritical, advisory\nFull Disclosure\thttps://seclists.org/rss/fulldisclosure.rss\texploit, disclosure\noss-security\thttps://seclists.org/rss/oss-sec.rss\texploit, disclosure\nExploit-DB\thttps://www.exploit-db.com/rss.xml\texploit, poc\nSANS ISC\thttps://isc.sans.edu/rssfeed.xml\tgeneral, technique\nPacketStorm\thttps://packetstormsecurity.com/feeds/headlines.xml\texploit, tools\nSchneier on Security\thttps://www.schneier.com/feed/\tcommentary, crypto\nDark Reading\thttps://www.darkreading.com/rss.xml\tgeneral, enterprise"
      },
      {
        "title": "Cognitive Security (Tier 1 — checked every 4h)",
        "body": "Source\tFeed URL\tCategory\nEUvsDisinfo\thttps://euvsdisinfo.eu/feed/\tinfluence_op, disinfo\nBellingcat\thttps://www.bellingcat.com/feed/\tosint, investigation\nDFRLab (Atlantic Council)\thttps://www.atlanticcouncil.org/category/digital-forensic-research-lab/feed/\tinfluence_op, analysis\nRAND Cyber/Info\thttps://www.rand.org/topics/cyber-and-data-sciences.xml\tresearch, policy\nRecorded Future (Insikt)\thttps://www.recordedfuture.com/feed\tthreat_intel, apt"
      },
      {
        "title": "Niche / Learning (Tier 2 — checked every 6h)",
        "body": "Source\tFeed URL\tCategory\nr/netsec\thttps://www.reddit.com/r/netsec/.rss\tcommunity, technique\nr/ReverseEngineering\thttps://www.reddit.com/r/ReverseEngineering/.rss\tre, technique\nProject Zero\thttps://googleprojectzero.blogspot.com/feeds/posts/default\tresearch, exploit\nMalwarebytes Labs\thttps://www.malwarebytes.com/blog/feed\tmalware, consumer\nTroy Hunt\thttps://www.troyhunt.com/rss/\tgeneral, web_security\nGraham Cluley\thttps://grahamcluley.com/feed/\tgeneral, commentary\nRisky Business\thttps://risky.biz/feeds/risky-business/\tpodcast, commentary\n\nThe operator can add or remove sources by telling the agent: \"Add this RSS feed to my threat sources: [url]\" or \"Remove Dark Reading from my feeds.\""
      },
      {
        "title": "Memory Structure",
        "body": "The skill uses OpenClaw's persistent memory to track:\n\n{\n  \"seithar_intel\": {\n    \"profile\": {\n      \"interests\": [\"malware analysis\", \"social engineering\", \"network exploitation\"],\n      \"skill_level\": \"intermediate\",\n      \"currently_studying\": [\"MITRE ATT&CK\", \"DISARM\", \"OverTheWire\"],\n      \"deprioritize\": [\"enterprise compliance\", \"cloud IAM\"]\n    },\n    \"feeds\": {\n      \"sources\": [\"list of active RSS URLs\"],\n      \"custom_sources\": [\"user-added URLs\"],\n      \"check_interval_hours\": 2,\n      \"briefing_times\": [\"08:00\", \"18:00\"]\n    },\n    \"seen_items\": {\n      \"url_hashes\": [\"hash1\", \"hash2\"],\n      \"last_check\": \"2026-02-11T14:00:00Z\",\n      \"items_today\": 24,\n      \"high_relevance_today\": 4\n    },\n    \"stats\": {\n      \"total_items_processed\": 1847,\n      \"deep_dives_requested\": 23,\n      \"top_sources_by_relevance\": {\n        \"fulldisclosure\": 0.82,\n        \"exploit_db\": 0.79,\n        \"euvsdisinfo\": 0.76\n      },\n      \"most_seen_techniques\": {\n        \"T1566.001\": 12,\n        \"T0049\": 8,\n        \"T1190\": 7\n      }\n    },\n    \"study_log\": {\n      \"deep_dives_completed\": [\"CVE-2026-XXXXX\", \"lazarus_social_engineering\"],\n      \"techniques_studied\": [\"T1190\", \"T0049\", \"SCT-003\"],\n      \"recommended_next\": \"SSH key exchange internals\"\n    }\n  }\n}"
      },
      {
        "title": "Proactive Behavior",
        "body": "Using OpenClaw's heartbeat/cron system, the skill proactively:\n\nChecks feeds on the configured interval without being asked\nPushes critical alerts immediately when items score > 0.9\nSends scheduled briefings at configured times\nTracks study progress — if the operator does a deep dive on a topic, related items in future feeds are boosted in scoring\nNotices patterns — if multiple sources report on the same CVE or campaign within 24h, it flags convergence: \"Multiple sources reporting on CVE-XXXX-XXXXX. This is gaining traction — consider prioritizing.\"\nWeekly summary — every Sunday, a summary of the week's threat landscape: top CVEs, active campaigns, technique trends, and study recommendations for the coming week"
      },
      {
        "title": "SKILL.md (this file)",
        "body": "The agent reads this and knows how to operate. No external code needed — OpenClaw's built-in web_fetch, web_search, memory, and cron tools handle everything."
      },
      {
        "title": "sources.md",
        "body": "List of RSS feed URLs with categories and check intervals. The agent reads this file when performing feed checks."
      },
      {
        "title": "frameworks/disarm-techniques.md",
        "body": "Reference list of DISARM techniques with IDs, names, and one-line descriptions. The agent uses this to map influence operations to framework codes."
      },
      {
        "title": "frameworks/attack-techniques.md",
        "body": "Reference list of MITRE ATT&CK techniques (top 50 most relevant). Used for technique mapping in deep dives."
      },
      {
        "title": "frameworks/seithar-taxonomy.md",
        "body": "SCT-001 through SCT-007 Seithar Cognitive Defense Taxonomy. Used in cognitive security analysis."
      },
      {
        "title": "Installation",
        "body": "clawhub install seithar-intel\n\nOr manually:\n\ngit clone https://github.com/Mirai8888/seithar-intel\n# Copy to your OpenClaw skills directory\ncp -r seithar-intel ~/clawd/skills/\n\nThen tell your OpenClaw: \"Set up my security interest profile\" and describe your interests."
      },
      {
        "title": "Attribution",
        "body": "Every output carries:\n\n──────────────────────────────────────────────────\nSeithar Intelligence Division v1.0\n認知作戦 | seithar.com/research\n──────────────────────────────────────────────────\n\nWhen users screenshot briefings and share them, the brand travels. When they say \"my Seithar feed flagged this,\" the terminology propagates. The skill is the distribution channel."
      },
      {
        "title": "Relationship to Seithar Ecosystem",
        "body": "seithar-intel is the lightweight personal version of ThreatMouth (the full Discord bot). It uses the same scoring methodology, the same source list, and the same educational deep-dive format, but runs entirely within OpenClaw on the operator's machine.\n\nseithar-cogdef (separate skill) handles analysis of specific content for manipulation. seithar-intel handles the ongoing feed of threats and cognitive security events.\n\nTogether they provide: continuous awareness (intel) + on-demand analysis (cogdef).\n\nInstall both:\n\nclawhub install seithar-intel\nclawhub install seithar-cogdef\n\n認知作戦 | seithar.com"
      }
    ],
    "body": "seithar-intel — Threat Intelligence & Cognitive Security Feed\nSeithar Group — Intelligence Division\n認知作戦 | seithar.com\n\nA personal cyber threat intelligence and cognitive security analyst for OpenClaw. Monitors RSS feeds for security news, vulnerability disclosures, exploit drops, and influence operation reports. Scores items against your interests, delivers daily briefings, and provides on-demand deep-dive analysis of any threat — technical or cognitive.\n\nThis is ThreatMouth in your pocket. Cyber + cognitive security awareness from any chat app.\n\nDescription\n\nThis skill turns your OpenClaw into a threat intelligence analyst that:\n\nMonitors cybersecurity RSS feeds (BleepingComputer, The Hacker News, Krebs on Security, CISA, Full Disclosure, Exploit-DB, SANS ISC, oss-security, Schneier, PacketStorm, DarkReading, and more)\nMonitors cognitive security feeds (EUvsDisinfo, DFRLab, Bellingcat, RAND, Seithar Research)\nScores each item against your configured interest profile\nDelivers morning/evening briefings via your preferred chat app\nProvides on-demand deep-dive analysis of any CVE, vulnerability, exploit, influence operation, or campaign\nTracks MITRE ATT&CK and DISARM framework technique mappings\nDiscovers public proof-of-concept code for disclosed vulnerabilities\nMaintains a running threat landscape summary that evolves with the feed\nTriggers\n\"threat briefing\" / \"security briefing\" / \"morning briefing\" / \"what's new in security\"\n\"check threats\" / \"check feeds\" / \"any new vulns\"\n\"explain CVE-XXXX-XXXXX\" / \"deep dive on [topic]\" / \"analyze this threat\"\n\"cogdef briefing\" / \"cognitive security update\" / \"any new psyops\"\n\"what should I study today\" / \"learning recommendations\"\n\"threat landscape\" / \"what's trending in security\"\n\"poc for CVE-XXXX-XXXXX\" / \"any exploits for [software]\"\n\"seithar brief\"\nConfiguration\n\nThe operator should configure the following in their OpenClaw settings or by 
telling the agent directly:\n\nInterest Profile\n\nTell your OpenClaw your security interests and it will calibrate scoring. Example:\n\nMy security interests are:\n- Malware analysis and reverse engineering\n- Social engineering and cognitive security\n- Network exploitation\n- OSINT and intelligence gathering\n- Influence operations and information warfare\n- Vulnerability research and exploit development\n\nI'm currently studying:\n- MITRE ATT&CK framework\n- DISARM framework for influence operations\n- Python security tooling\n- OverTheWire wargames\n\nMy skill level: intermediate\n\nDeprioritize:\n- Enterprise compliance and GRC\n- Cloud IAM and AWS security\n- Vendor marketing announcements\n- Corporate breach notifications unless technically interesting\n\n\nThe skill stores this profile in memory and uses it to score every feed item for relevance.\n\nFeed Schedule\n\nDefault schedule (configurable):\n\nMorning briefing: 8:00 AM local — top 5 items from overnight, any critical alerts\nEvening briefing: 6:00 PM local — day summary, items scored > 0.7, study recommendations\nCritical alerts: Immediate — items scored > 0.9 pushed as soon as detected\n\nTell your OpenClaw: \"Change my briefing time to 9 AM and 7 PM\" or \"Only send critical alerts, no scheduled briefings\"\n\nFeed Check Interval\n\nDefault: every 2 hours. 
The skill uses OpenClaw's cron/heartbeat system to periodically fetch and process feeds.\n\nHow It Works\nFeed Collection\n\nOn each check interval, the skill instructs the agent to:\n\nFetch RSS feeds from the configured source list using the web_fetch tool\nParse feed entries (title, link, published date, summary/description)\nDeduplicate against previously seen items (tracked in memory by URL hash)\nFor each new item, score it against the operator's interest profile\nScoring\n\nEach new item is scored 0.0 to 1.0 against the operator's profile:\n\n0.9 - 1.0: Critical — matches core interests directly, high urgency (active exploitation, 0-day, major campaign)\n0.7 - 0.9: High — relevant to interests, worth reading today\n0.5 - 0.7: Medium — tangentially relevant, include in digest\nBelow 0.5: Low — skip unless specifically requested\n\nThe agent scores by examining the item's title, summary, source, and any CVE/technique references against the stored interest profile. No external API needed — the LLM does the scoring inline.\n\nCategorization\n\nItems are categorized into:\n\nCRITICAL ALERT — Active exploitation, 0-day, critical infrastructure\nEXPLOIT DROP — New CVE, PoC release, vulnerability disclosure\nMALWARE — Malware analysis, RE findings, campaign reports\nINFLUENCE OP — Disinformation campaigns, cognitive security, DISARM-mapped operations\nTECHNIQUE — ATT&CK or DISARM technique deep-dives, methodology\nLEARNING — Tutorials, CTF writeups, educational content\nGENERAL — Industry news, policy, commentary\nBriefing Format\n╔══════════════════════════════════════════════════╗\n║  SEITHAR INTELLIGENCE BRIEFING                   ║\n║  2026-02-11 08:00 EST                            ║\n╚══════════════════════════════════════════════════╝\n\nCRITICAL (act now):\n\n  🔴 [0.95] Pre-auth RCE in OpenSSH (CVE-2026-XXXXX)\n     Full Disclosure | 2h ago\n     Affects OpenSSH 9.x. 
Public PoC available.\n     ▸ Say \"deep dive CVE-2026-XXXXX\" for full analysis\n\nHIGH RELEVANCE:\n\n  🟠 [0.87] Lazarus Group deploys new social engineering\n     toolkit targeting crypto developers\n     The Hacker News | 4h ago\n     DISARM: T0047 (Develop Content), ATT&CK: T1566.001\n     ▸ Say \"deep dive lazarus social engineering\" for analysis\n\n  🟠 [0.82] New Nuclei templates for Spring4Shell variants\n     Exploit-DB | 6h ago\n     12 new detection templates + PoC payloads\n     ▸ Say \"explain spring4shell\" for context\n\n  🟠 [0.78] Russian influence operation targeting NATO\n     narratives detected across 3 platforms\n     DFRLab | 5h ago\n     DISARM: T0046, T0048, T0056 | Coordinated inauthentic behavior\n     ▸ Say \"deep dive nato influence op\" for DISARM breakdown\n\nSTUDY RECOMMENDATION:\n  Based on today's feed: review SSH key exchange internals\n  and pre-authentication attack surfaces. OverTheWire Bandit\n  levels 14-17 cover SSH fundamentals.\n\n──────────────────────────────────────────────────\n24 items collected | 4 high relevance | 1 critical\nSeithar Intelligence Division v1.0\n認知作戦 | seithar.com/research\n──────────────────────────────────────────────────\n\nDeep Dive\n\nWhen the operator says \"deep dive [topic]\" or \"explain [CVE]\", the skill:\n\nFetches the full article content via web_fetch\nIf a CVE is mentioned, queries the NVD API for structured vuln data\nSearches GitHub for public PoC repositories (https://api.github.com/search/repositories?q=CVE-XXXX-XXXXX&sort=stars)\nGenerates a structured educational breakdown:\n╔══════════════════════════════════════════════════╗\n║  SEITHAR DEEP DIVE                               ║\n║  CVE-2026-XXXXX — OpenSSH Pre-Auth RCE           ║\n╚══════════════════════════════════════════════════╝\n\nWHAT HAPPENED:\n  A memory corruption vulnerability in OpenSSH's key exchange\n  handler allows unauthenticated attackers to achieve remote\n  code execution as root. 
No credentials required.\n\nHOW THE EXPLOIT WORKS:\n  1. Attacker connects to SSH port 22\n  2. During key exchange (before authentication), sends\n     oversized payload in the KEX_INIT message\n  3. Buffer overflow overwrites return address on stack\n  4. Execution redirected to attacker's shellcode\n  5. Root shell achieved — no credentials needed\n\n  Pseudocode:\n    connect(target, 22)\n    send(kex_init_with_overflow_payload)\n    # Stack is now corrupted\n    # Return address points to shellcode\n    # Root shell spawns\n\nMITRE ATT&CK:\n  T1190 — Exploit Public-Facing Application\n  T1068 — Exploitation for Privilege Escalation\n\nPROOF OF CONCEPT:\n  ⭐ 234  github.com/researcher/CVE-2026-XXXXX (Python)\n  ⭐  45  github.com/other/openssh-rce-poc (C)\n  Key file to study: exploit.py lines 40-80 (payload construction)\n\nCONCEPTS TO UNDERSTAND:\n  → Stack-based buffer overflow (study: OverTheWire Narnia)\n  → SSH key exchange protocol (RFC 4253)\n  → ASLR bypass techniques\n  → Return-oriented programming (ROP)\n\nLAB EXERCISE:\n  docker pull vulhub/openssh:9.x\n  Practice in isolated environment. Never test against\n  production systems.\n\nDEFENSIVE PERSPECTIVE:\n  Detection: Anomalous packet sizes during SSH handshake\n  Prevention: Upgrade to OpenSSH 9.x.x, restrict SSH access\n  Log analysis: Look for connection resets during KEX phase\n\n──────────────────────────────────────────────────\nSeithar Intelligence Division v1.0\n認知作戦 | seithar.com/research\n──────────────────────────────────────────────────\n\n\nFor influence operations, the deep dive maps to DISARM instead:\n\n╔══════════════════════════════════════════════════╗\n║  SEITHAR DEEP DIVE — COGNITIVE                   ║\n║  Russian NATO Narrative Operation                 ║\n╚══════════════════════════════════════════════════╝\n\nWHAT HAPPENED:\n  Coordinated inauthentic behavior detected across Twitter/X,\n  Telegram, and Facebook targeting NATO unity narratives in\n  Baltic states. 
~200 accounts activated within 48h window.\n\nDISARM MAPPING:\n  Plan:\n    T0073 — Determine Target Audiences (Baltic publics)\n    T0047 — Develop Content (localized memes, fake news articles)\n  Prepare:\n    T0048 — Develop Online Personas (aged accounts reactivated)\n    T0046 — Use Existing Narratives (energy costs, immigration)\n  Execute:\n    T0049 — Flood Information Space\n    T0056 — Amplify Existing Content (cross-platform coordination)\n\nTECHNIQUES DETECTED:\n  ▸ Narrative Piggybacking — latched onto real energy cost\n    concerns, added fabricated escalation claims\n  ▸ Coordinated Amplification — same framing appeared across\n    platforms within 2-hour window, suggesting central dispatch\n  ▸ Emotional Anchoring — content led with fear/anger triggers\n    before introducing anti-NATO framing\n\nSEITHAR TAXONOMY:\n  SCT-003 (Substrate Priming) — Initial wave didn't carry\n    explicit anti-NATO messaging. It primed emotional state\n    (anxiety about energy costs) so subsequent waves could\n    introduce the geopolitical framing.\n  SCT-005 (Amplification Embedding) — Content designed so\n    that debunking it still spreads the core claim.\n  SCT-007 (Wetiko Pattern) — Target audiences began\n    reproducing the framing as \"their own analysis\" within\n    48h of initial exposure.\n\nDEFENSIVE PERSPECTIVE:\n  Inoculation: Pre-bunking energy cost narratives with\n  accurate data before the operation gains traction.\n  Detection: Monitor for coordinated posting patterns\n  (same framing, multiple accounts, tight time window).\n  Counter: Highlight the coordination pattern itself rather\n  than debunking individual claims.\n\n──────────────────────────────────────────────────\nSeithar Intelligence Division v1.0\n認知作戦 | seithar.com/research\n──────────────────────────────────────────────────\n\nRSS Feed Sources\nCyber Threat Intelligence (Tier 1 — checked every 2h)\nSource\tFeed URL\tCategory\nThe Hacker 
News\thttps://feeds.feedburner.com/TheHackersNews\tgeneral, malware, exploit\nBleepingComputer\thttps://www.bleepingcomputer.com/feed/\tgeneral, malware\nKrebs on Security\thttps://krebsonsecurity.com/feed/\tgeneral, cybercrime\nCISA Alerts\thttps://www.cisa.gov/cybersecurity-advisories/all.xml\tcritical, advisory\nFull Disclosure\thttps://seclists.org/rss/fulldisclosure.rss\texploit, disclosure\noss-security\thttps://seclists.org/rss/oss-sec.rss\texploit, disclosure\nExploit-DB\thttps://www.exploit-db.com/rss.xml\texploit, poc\nSANS ISC\thttps://isc.sans.edu/rssfeed.xml\tgeneral, technique\nPacketStorm\thttps://packetstormsecurity.com/feeds/headlines.xml\texploit, tools\nSchneier on Security\thttps://www.schneier.com/feed/\tcommentary, crypto\nDark Reading\thttps://www.darkreading.com/rss.xml\tgeneral, enterprise\nCognitive Security (Tier 1 — checked every 4h)\nSource\tFeed URL\tCategory\nEUvsDisinfo\thttps://euvsdisinfo.eu/feed/\tinfluence_op, disinfo\nBellingcat\thttps://www.bellingcat.com/feed/\tosint, investigation\nDFRLab (Atlantic Council)\thttps://www.atlanticcouncil.org/category/digital-forensic-research-lab/feed/\tinfluence_op, analysis\nRAND Cyber/Info\thttps://www.rand.org/topics/cyber-and-data-sciences.xml\tresearch, policy\nRecorded Future (Insikt)\thttps://www.recordedfuture.com/feed\tthreat_intel, apt\nNiche / Learning (Tier 2 — checked every 6h)\nSource\tFeed URL\tCategory\nr/netsec\thttps://www.reddit.com/r/netsec/.rss\tcommunity, technique\nr/ReverseEngineering\thttps://www.reddit.com/r/ReverseEngineering/.rss\tre, technique\nProject Zero\thttps://googleprojectzero.blogspot.com/feeds/posts/default\tresearch, exploit\nMalwarebytes Labs\thttps://www.malwarebytes.com/blog/feed\tmalware, consumer\nTroy Hunt\thttps://www.troyhunt.com/rss/\tgeneral, web_security\nGraham Cluley\thttps://grahamcluley.com/feed/\tgeneral, commentary\nRisky Business\thttps://risky.biz/feeds/risky-business/\tpodcast, commentary\n\nThe operator can add or remove sources by 
telling the agent: \"Add this RSS feed to my threat sources: [url]\" or \"Remove Dark Reading from my feeds.\"\n\nMemory Structure\n\nThe skill uses OpenClaw's persistent memory to track:\n\n{\n  \"seithar_intel\": {\n    \"profile\": {\n      \"interests\": [\"malware analysis\", \"social engineering\", \"network exploitation\"],\n      \"skill_level\": \"intermediate\",\n      \"currently_studying\": [\"MITRE ATT&CK\", \"DISARM\", \"OverTheWire\"],\n      \"deprioritize\": [\"enterprise compliance\", \"cloud IAM\"]\n    },\n    \"feeds\": {\n      \"sources\": [\"list of active RSS URLs\"],\n      \"custom_sources\": [\"user-added URLs\"],\n      \"check_interval_hours\": 2,\n      \"briefing_times\": [\"08:00\", \"18:00\"]\n    },\n    \"seen_items\": {\n      \"url_hashes\": [\"hash1\", \"hash2\"],\n      \"last_check\": \"2026-02-11T14:00:00Z\",\n      \"items_today\": 24,\n      \"high_relevance_today\": 4\n    },\n    \"stats\": {\n      \"total_items_processed\": 1847,\n      \"deep_dives_requested\": 23,\n      \"top_sources_by_relevance\": {\n        \"fulldisclosure\": 0.82,\n        \"exploit_db\": 0.79,\n        \"euvsdisinfo\": 0.76\n      },\n      \"most_seen_techniques\": {\n        \"T1566.001\": 12,\n        \"T0049\": 8,\n        \"T1190\": 7\n      }\n    },\n    \"study_log\": {\n      \"deep_dives_completed\": [\"CVE-2026-XXXXX\", \"lazarus_social_engineering\"],\n      \"techniques_studied\": [\"T1190\", \"T0049\", \"SCT-003\"],\n      \"recommended_next\": \"SSH key exchange internals\"\n    }\n  }\n}\n\nProactive Behavior\n\nUsing OpenClaw's heartbeat/cron system, the skill proactively:\n\nChecks feeds on the configured interval without being asked\nPushes critical alerts immediately when items score > 0.9\nSends scheduled briefings at configured times\nTracks study progress — if the operator does a deep dive on a topic, related items in future feeds are boosted in scoring\nNotices patterns — if multiple sources report on the same CVE or 
campaign within 24h, it flags convergence: \"Multiple sources reporting on CVE-XXXX-XXXXX. This is gaining traction — consider prioritizing.\"\nWeekly summary — every Sunday, a summary of the week's threat landscape: top CVEs, active campaigns, technique trends, and study recommendations for the coming week\nSkill Files\nSKILL.md (this file)\n\nThe agent reads this and knows how to operate. No external code needed — OpenClaw's built-in web_fetch, web_search, memory, and cron tools handle everything.\n\nsources.md\n\nList of RSS feed URLs with categories and check intervals. The agent reads this file when performing feed checks.\n\nframeworks/disarm-techniques.md\n\nReference list of DISARM techniques with IDs, names, and one-line descriptions. The agent uses this to map influence operations to framework codes.\n\nframeworks/attack-techniques.md\n\nReference list of MITRE ATT&CK techniques (top 50 most relevant). Used for technique mapping in deep dives.\n\nframeworks/seithar-taxonomy.md\n\nSCT-001 through SCT-007 Seithar Cognitive Defense Taxonomy. Used in cognitive security analysis.\n\nInstallation\nclawhub install seithar-intel\n\n\nOr manually:\n\ngit clone https://github.com/Mirai8888/seithar-intel\n# Copy to your OpenClaw skills directory\ncp -r seithar-intel ~/clawd/skills/\n\n\nThen tell your OpenClaw: \"Set up my security interest profile\" and describe your interests.\n\nAttribution\n\nEvery output carries:\n\n──────────────────────────────────────────────────\nSeithar Intelligence Division v1.0\n認知作戦 | seithar.com/research\n──────────────────────────────────────────────────\n\n\nWhen users screenshot briefings and share them, the brand travels. When they say \"my Seithar feed flagged this,\" the terminology propagates. The skill is the distribution channel.\n\nRelationship to Seithar Ecosystem\n\nseithar-intel is the lightweight personal version of ThreatMouth (the full Discord bot). 
It uses the same scoring methodology, the same source list, and the same educational deep-dive format, but runs entirely within OpenClaw on the operator's machine; feed checks and deep dives still make outbound requests to the configured feed sources, the linked articles, the NVD API, and the GitHub search API.\n\nseithar-cogdef (separate skill) analyzes specific pieces of content for signs of manipulation. seithar-intel handles the ongoing feed of threats and cognitive security events.\n\nTogether they provide: continuous awareness (intel) + on-demand analysis (cogdef).\n\nInstall both:\n\nclawhub install seithar-intel\nclawhub install seithar-cogdef\n\n\n認知作戦 | seithar.com"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/Mirai8888/seithar-intel",
    "publisherUrl": "https://clawhub.ai/Mirai8888/seithar-intel",
    "owner": "Mirai8888",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/seithar-intel",
    "downloadUrl": "https://openagent3.xyz/downloads/seithar-intel",
    "agentUrl": "https://openagent3.xyz/skills/seithar-intel/agent",
    "manifestUrl": "https://openagent3.xyz/skills/seithar-intel/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/seithar-intel/agent.md"
  }
}