Skip to main content

Local, privacy-first, MCP-native OSINT exposure scanner.

Project description

Eidolon

Eidolon

Eidolon is a privacy-first approach to finding and understanding your digital footprint. The stack uses OSINT tools to gather information based on your search parameters, then a local LLM compiles it into a report. The LLM runs on your machine, so no data ever reaches an external service or leaves your box — you own your data.

What it does

  • Aggregates ~25 OSINT sources — breaches, leaked credentials, data brokers, account enumeration, public records, phone/email intel, exposed hosts — into a single risk report.
  • Maps findings to MITRE ATT&CK so you see what an attacker could actually do with what's exposed.
  • Flags AI-training exposure (which platforms may train on your data, and how to opt out).
  • Risk scoring and the leaked-credential dossier are deterministic — built from scan state, not the LLM — so the report survives an LLM hiccup. The model only writes narrative.
  • Outputs Markdown, PDF, and JSON.

MCP-native

Eidolon runs as an MCP server, so you can drive it from any MCP client (Claude Desktop, Claude Code) — scan a target, list past scans, and read reports conversationally. It runs locally over stdio; your data never leaves the box.

Tools: scan_target, scan_status, list_scans, get_report, reveal_credentials. A scan takes minutes, so scan_target returns a scan_id immediately and runs in the background — poll scan_status(scan_id) until it reports done, then get_report(scan_id). The leaked-credential dossier (plaintext passwords from breach dumps) is redacted by default and only returned when you explicitly call reveal_credentials.

Requirements

Everything below is optional — Eidolon runs with whatever you give it and tells you, per source, what it couldn't check (no token) versus what it checked and found nothing.

  • Python 3.11+ and uv (required)
  • Ollama for the local LLM narrative: ollama pull llama3.1:8b — if it's down, the report is still produced deterministically (just no written narrative).
  • A running SpiderFoot instance — skipped if unreachable.
  • API keys — see .env.example. Each unlocks one data source and skips cleanly if absent (the report says "not checked — set X"). A scan with no keys is sparse but still runs.

New here? Start with the Setup & Configuration guide — which keys to get, what each one costs, and what it unlocks.

Quickstart

git clone <your-repo-url> eidolon && cd eidolon
uv sync
cp .env.example .env        # fill in your keys

# scan yourself from the CLI
uv run eidolon --email you@example.com

# or run the MCP server (stdio)
uv run eidolon-mcp

Use from Claude Desktop

Option 1 — from a local clone (loads .env from cwd):

{
  "mcpServers": {
    "eidolon": {
      "command": "uv",
      "args": ["run", "eidolon-mcp"],
      "cwd": "/absolute/path/to/eidolon"
    }
  }
}

Option 2 — no clone, via uvx (install straight from GitHub). A uvx launch has no repo cwd, so there's no .env — pass your keys in the env block:

{
  "mcpServers": {
    "eidolon": {
      "command": "uvx",
      "args": ["--from", "git+https://github.com/sudohnim/eidolon", "eidolon-mcp"],
      "env": {
        "HIBP_API_KEY": "...",
        "DEHASHED_API_KEY": "...",
        "OLLAMA_HOST": "http://localhost:11434"
      }
    }
  }
}

Add only the keys you have — the rest skip cleanly. Then ask Claude to "scan my email"; it calls scan_target, polls scan_status, and reads the report.

How it works

A LangGraph pipeline: intake → wave 1 scans → wave 2 scans → MITRE mapping → correlation → analysis → report. Both the CLI and the MCP server call the same run_scan() core; reads go through a small repository layer. See docs/ROADMAP.md for the architecture and where it's headed (stateful history, continuous monitoring).

Intended use

Eidolon is for scanning yourself, or targets you are explicitly authorized to assess (authorized security testing, your own footprint). It surfaces real secrets, including plaintext passwords from breach dumps. Do not use it to profile or surveil people without their consent. You are responsible for complying with the terms of the data sources you configure and with applicable law.

License

AGPL-3.0. If you run a modified version as a network service, you must offer users its source.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

eidolon_osint-0.1.0.tar.gz (880.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

eidolon_osint-0.1.0-py3-none-any.whl (651.9 kB view details)

Uploaded Python 3

File details

Details for the file eidolon_osint-0.1.0.tar.gz.

File metadata

  • Download URL: eidolon_osint-0.1.0.tar.gz
  • Upload date:
  • Size: 880.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.7.19

File hashes

Hashes for eidolon_osint-0.1.0.tar.gz
Algorithm Hash digest
SHA256 923fb0b4ff04a10946ac2625fb81f82038fe60dc22b5abef9ec661abd730ae8c
MD5 1d3d69e7732236d107a5fb7fd9c73be0
BLAKE2b-256 1f90b9a8fa6b148e7d9ed7de10f44424f808a554278d32b541b18d5f04934a9a

See more details on using hashes here.

File details

Details for the file eidolon_osint-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for eidolon_osint-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 76c4bf8d472de7de44dbc0b9d2ad96b8f7d8aee6f98c939215ade33d5594b7bc
MD5 fc5716149e9157097d76df8aa8125181
BLAKE2b-256 8c0342dbf5c782f79ae82f34eeff9f3d91b3b936f211878218f0f0fde296347b

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page