Talon CLI: phishing URL analysis with Playwright, Ollama/OpenAI, and evidence capture.
Project description
🦅 Talon (Alpha)
The Autonomous AI Phishing Hunter
Detonate suspicious URLs, capture evidence, and get a fast phishing-risk verdict.
Talon is a practical phishing URL analysis tool that:
- detonates suspicious links in headless Chromium,
- captures forensic evidence (screenshot + DOM snapshot),
- returns an LLM-assisted phishing risk verdict (with heuristic fallback).
✨ Features (V1)
- 🕵️ URL detonation: opens a target URL safely in Playwright.
- 🔁 Redirect awareness: records the final resolved URL after redirects.
- 🧾 Evidence capture: stores full-page screenshot and DOM snapshot.
- 🤖 LLM analysis: uses an LLM for smarter risk reasoning.
- 📊 Structured output: writes a JSON report with score, level, reasons, and method.
- 🧱 Docker sandbox mode: runs analysis in a hardened container profile.
⚙️ How It Works
- Ingest: receive a URL input.
- Detonate: load it in headless Chromium.
- Collect: save final URL, HTTP status, title, screenshot, and DOM.
- Verdict: run LLM analysis (ollama/openai) with heuristic fallback.
📁 Project Structure
.
├── talon_v1.py
├── requirements.txt
├── Dockerfile
├── docker-compose.sandbox.yml
├── .gitignore
└── evidence/ # generated at runtime (ignored by git)
🚀 Local Setup
git clone https://github.com/tejkdno1/Talon.git
cd Talon
python3 -m pip install -r requirements.txt
python3 -m playwright install chromium
📥 Install As CLI Package (sectalon)
You can install Talon on another machine as a CLI package and run it via sectalon.
From GitHub:
python3 -m pip install "git+https://github.com/tejkdno1/Talon.git"
Or with pipx (recommended for CLI tools):
pipx install "git+https://github.com/tejkdno1/Talon.git"
Then run:
sectalon "https://example.com" --llm-provider ollama --llm-model gemma4
Notes:
- Package name is sectalon, command name is sectalon.
- First run auto-downloads Chromium if missing.
📦 One-File Executable (Open-Source Friendly)
Build a single binary (no Python required on target machine):
./build_onefile.sh
Output:
dist/sectalon
Run it directly:
./dist/sectalon "https://example.com" --llm-provider ollama --llm-model gemma4
Notes:
- Keep Ollama running locally when using --llm-provider ollama.
- For OpenAI provider, set OPENAI_API_KEY as usual.
- On first run, Chromium auto-installs to ~/.cache/ms-playwright.
▶️ Quick Start (Host Run)
python3 talon_v1.py "https://example.com"
Local Ollama (Gemma4) - recommended for your setup
Start Ollama and pull model:
ollama pull gemma4
Run Talon using Ollama backend:
export TALON_LLM_PROVIDER="ollama"
export TALON_LLM_MODEL="gemma4"
export OLLAMA_HOST="http://localhost:11434"
export OLLAMA_TIMEOUT_SEC="180"
python3 talon_v1.py "https://example.com"
OpenAI (optional)
If you want a cloud LLM instead:
export OPENAI_API_KEY="your_api_key_here"
export TALON_LLM_PROVIDER="openai"
python3 talon_v1.py "https://example.com"
Optional:
python3 talon_v1.py "example.com/login" --output-dir evidence --timeout-ms 20000
Force heuristic-only mode:
python3 talon_v1.py "https://example.com" --no-llm
Optional model override:
export TALON_LLM_MODEL="gemma4"
Optional provider override per run:
python3 talon_v1.py "https://example.com" --llm-provider ollama --llm-model gemma4
🛡️ Docker Sandbox Run (Recommended)
Build once:
docker compose -f docker-compose.sandbox.yml build
Run analysis:
TARGET_URL="https://leadscruise.com" docker compose -f docker-compose.sandbox.yml run --rm talon
For Docker + host Ollama, default OLLAMA_HOST is set to:
http://host.docker.internal:11434
You can override it if needed:
OLLAMA_HOST="http://host.docker.internal:11434" TARGET_URL="https://example.com" docker compose -f docker-compose.sandbox.yml run --rm talon
The sandbox profile includes:
- read-only root filesystem,
- all Linux capabilities dropped,
- no-new-privileges,
- CPU/memory/PID limits,
- output only through mounted ./evidence.
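One way to confirm that a running analysis container actually carries the controls listed above is to audit its `docker inspect` entry. This is an added example, not part of Talon; the sample entries are constructed, and the /app/evidence container path and the specific limit values are assumptions.

```python
# Added example: audit one `docker inspect` entry against the sandbox profile.

def audit_sandbox(entry, allowed_rw=("evidence",)):
    """Return findings; an empty list means every listed control is present."""
    host = entry.get("HostConfig") or {}
    findings = []
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    if "ALL" not in [c.upper() for c in host.get("CapDrop") or []]:
        findings.append("capabilities not all dropped")
    if host.get("CapAdd"):
        findings.append("capabilities added back: " + ",".join(host["CapAdd"]))
    opts = [o.replace("=", ":") for o in host.get("SecurityOpt") or []]
    if not any(o in ("no-new-privileges", "no-new-privileges:true") for o in opts):
        findings.append("no-new-privileges not set")
    if (host.get("Memory") or 0) <= 0:
        findings.append("no memory limit")
    if (host.get("NanoCpus") or 0) <= 0 and (host.get("CpuQuota") or 0) <= 0:
        findings.append("no CPU limit")
    if (host.get("PidsLimit") or 0) <= 0:
        findings.append("no PID limit")
    for m in entry.get("Mounts") or []:
        # Only the evidence directory should be writable from inside the sandbox.
        name = m.get("Source", "").rstrip("/").rsplit("/", 1)[-1]
        if m.get("RW") and name not in allowed_rw:
            findings.append("unexpected writable mount: " + m.get("Destination", "?"))
    return findings

# Constructed sample entries (not captured from a real Talon container;
# paths and limit values are assumptions).
HARDENED = {
    "HostConfig": {"ReadonlyRootfs": True, "CapDrop": ["ALL"], "CapAdd": None,
                   "SecurityOpt": ["no-new-privileges:true"], "Memory": 1073741824,
                   "NanoCpus": 1000000000, "PidsLimit": 256},
    "Mounts": [{"Type": "bind", "Source": "/srv/talon/evidence",
                "Destination": "/app/evidence", "RW": True}],
}
WEAK = {
    "HostConfig": {"ReadonlyRootfs": False, "CapDrop": None, "CapAdd": ["SYS_ADMIN"],
                   "SecurityOpt": None, "Memory": 0, "NanoCpus": 0, "PidsLimit": None},
    "Mounts": [{"Type": "bind", "Source": "/home/analyst",
                "Destination": "/host", "RW": True}],
}

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_sandbox(sample) or "OK")
```

`docker inspect` prints a JSON array, so pass one element of it to audit_sandbox while the container is still running.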
📦 Output Artifacts
Each scan now creates a dedicated run folder:
- evidence/run_<timestamp>/report.json
- evidence/run_<timestamp>/screenshot.png
- evidence/run_<timestamp>/dom.html
Each report.json includes analysis_method:
- llm-ollama
- llm-openai
- heuristic
Run logs are also appended to:
- logs/runs.jsonl (one JSON entry per scan)
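For evidence handling, the run folders can be hashed into an integrity manifest that also flags incomplete captures and verdicts that did not come from the LLM. This is an added example, not part of Talon; it relies only on the file names and analysis_method values listed above and reads no other report fields.

```python
import hashlib
import json
from pathlib import Path

EXPECTED = ("report.json", "screenshot.png", "dom.html")   # file names from the page
KNOWN_METHODS = {"llm-ollama", "llm-openai", "heuristic"}  # values from the page

def sha256_file(path):
    # Hash in chunks; dom.html is attacker-controlled, so it is read as bytes only.
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def manifest_run(run_dir):
    """Hash one run folder's artifacts and note anything an analyst should review."""
    run_dir = Path(run_dir)
    entry = {"run": run_dir.name, "sha256": {}, "missing": [],
             "analysis_method": None, "notes": []}
    for name in EXPECTED:
        path = run_dir / name
        if path.is_file():
            entry["sha256"][name] = sha256_file(path)
        else:
            entry["missing"].append(name)
    try:
        report = json.loads((run_dir / "report.json").read_text(encoding="utf-8"))
        method = report.get("analysis_method") if isinstance(report, dict) else None
    except (OSError, ValueError):
        method = None
        entry["notes"].append("report.json missing or not valid JSON")
    entry["analysis_method"] = method
    if method == "heuristic":
        entry["notes"].append("heuristic verdict (LLM fallback or --no-llm)")
    elif method not in KNOWN_METHODS:
        entry["notes"].append("analysis_method absent or unrecognised")
    return entry

def manifest_all(evidence_dir="evidence"):
    """Build manifest entries for every evidence/run_* folder, sorted by folder name."""
    runs = sorted(p for p in Path(evidence_dir).glob("run_*") if p.is_dir())
    return [manifest_run(p) for p in runs]

if __name__ == "__main__":
    print(json.dumps(manifest_all(), indent=2))
```

Store the resulting manifest outside the evidence directory so later changes to a run folder can be detected by re-running it and comparing digests.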
🔐 Security Note
Docker sandboxing significantly reduces risk compared to running directly on the host, but no sandbox is perfect. For high-risk investigations, use a dedicated VM and isolated network segment.
File details
Details for the file sectalon-0.1.1.tar.gz.
File metadata
- Download URL: sectalon-0.1.1.tar.gz
- Upload date:
- Size: 7.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.2
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 30e36c8bb72443d2a1ccd4a08fbf2944e3df0df7cc4c517681763be0b34229ab |
| MD5 | 7dac075f57c2fa613c3a6a99c5422bf5 |
| BLAKE2b-256 | 1cafab89561513bad32599ac7345de7f8afaa69b130f86d86cd1af803e0a712c |
File details
Details for the file sectalon-0.1.1-py3-none-any.whl.
File metadata
- Download URL: sectalon-0.1.1-py3-none-any.whl
- Upload date:
- Size: 8.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.2
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 548efc7697c77294609fcdb313359c5a36e7ff0cd72eb61b370b5e85c9c878e5 |
| MD5 | c57c17042be70b4965caabd20b439e85 |
| BLAKE2b-256 | e4b0f3e94c0dcbe3e9ebacc5ab2c1d309e1c82097a26057a399a37a8bb79f302 |