Talon CLI: phishing URL analysis with Playwright, Ollama/OpenAI, and evidence capture.

Project description

🦅 Talon (Alpha)

The Autonomous AI Phishing Hunter

Detonate suspicious URLs, capture evidence, and get a fast phishing-risk verdict.

License: MIT | Python 3.9+ | Engine: Playwright | Sandbox: Docker

Talon is a practical phishing URL analysis tool that:

  • detonates suspicious links in headless Chromium,
  • captures forensic evidence (screenshot + DOM snapshot),
  • returns an LLM-assisted phishing risk verdict (with heuristic fallback).

✨ Features (V1)

  • 🕵️ URL detonation: opens a target URL safely in Playwright.
  • 🔁 Redirect awareness: records the final resolved URL after redirects.
  • 🧾 Evidence capture: stores full-page screenshot and DOM snapshot.
  • 🤖 LLM analysis: uses an LLM for smarter risk reasoning.
  • 📊 Structured output: writes a JSON report with score, level, reasons, and method.
  • 🧱 Docker sandbox mode: runs analysis in a hardened container profile.

⚙️ How It Works

  1. Ingest: receive a URL input.
  2. Detonate: load it in headless Chromium.
  3. Collect: save final URL, HTTP status, title, screenshot, and DOM.
  4. Verdict: run LLM analysis (ollama / openai) with heuristic fallback.
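
Step 4 as an added sketch, not Talon's own code: the model's reply is accepted only when it parses to the expected JSON shape, and any error or malformed reply falls back to rule-based scoring. The function names, level names, weights and heuristic rules are assumptions made for this example; only the analysis_method values come from this page.

```python
import json
from urllib.parse import urlsplit

LEVELS = ("low", "medium", "high")  # assumed level names, not taken from Talon

def heuristic_verdict(submitted_url, final_url, dom):
    """Rule-based fallback: every rule that fires adds points and a reason."""
    sub = urlsplit(submitted_url).hostname or ""
    fin = urlsplit(final_url).hostname or ""
    checks = [  # (points, fired?, reason); weights are illustrative
        (30, 'type="password"' in dom.lower(), "page asks for a password"),
        (25, bool(sub) and sub != fin, f"redirected from {sub} to {fin}"),
        (25, "xn--" in fin, "punycode hostname"),
        (20, fin.replace(".", "").isdigit(), "raw IPv4 address as host"),
    ]
    score = min(100, sum(pts for pts, hit, _ in checks if hit))
    level = "high" if score >= 60 else "medium" if score >= 30 else "low"
    return {"score": score, "level": level,
            "reasons": [why for _, hit, why in checks if hit],
            "analysis_method": "heuristic"}

def parse_llm_verdict(raw, provider):
    """Accept the model's reply only if it is exactly the JSON shape requested."""
    data = json.loads(raw)
    score, level, reasons = data["score"], data["level"], data["reasons"]
    if isinstance(score, bool) or not isinstance(score, int) or not 0 <= score <= 100:
        raise ValueError("score must be an integer from 0 to 100")
    if level not in LEVELS:
        raise ValueError("unknown level")
    if not isinstance(reasons, list) or not all(isinstance(r, str) for r in reasons):
        raise ValueError("reasons must be a list of strings")
    return {"score": score, "level": level, "reasons": reasons,
            "analysis_method": f"llm-{provider}"}

def verdict(submitted_url, final_url, dom, ask_llm=None, provider="ollama"):
    """ask_llm: callable(final_url, dom) -> raw model text; None means --no-llm."""
    if ask_llm is not None:
        try:
            return parse_llm_verdict(ask_llm(final_url, dom), provider)
        except Exception:
            pass  # timeout, connection error or malformed reply: fall through
    return heuristic_verdict(submitted_url, final_url, dom)

if __name__ == "__main__":
    # Constructed input: a login form reached through a cross-host redirect.
    page = '<form><input type="password" name="p"></form>'
    print(verdict("https://example.com/a", "https://192.0.2.7/login", page))
```

Shape validation keeps the report well-formed; it does not stop page content from steering the model toward a low score, so the DOM passed to the model is still untrusted input.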

📁 Project Structure

.
├── talon_v1.py
├── requirements.txt
├── Dockerfile
├── docker-compose.sandbox.yml
├── .gitignore
└── evidence/              # generated at runtime (ignored by git)

🚀 Local Setup

git clone https://github.com/tejkdno1/Talon.git
cd Talon
python3 -m pip install -r requirements.txt
python3 -m playwright install chromium

📥 Install As CLI Package (sectalon)

You can install Talon on another machine as a CLI package and run it via sectalon.

From GitHub:

python3 -m pip install "git+https://github.com/tejkdno1/Talon.git"

Or with pipx (recommended for CLI tools):

pipx install "git+https://github.com/tejkdno1/Talon.git"

Then run:

sectalon "https://example.com" --llm-provider ollama --llm-model gemma4

Notes:

  • Package name is sectalon, command name is sectalon.
  • First run auto-downloads Chromium if missing.

📦 One-File Executable (Open-Source Friendly)

Build a single binary (no Python required on target machine):

./build_onefile.sh

Output:

dist/sectalon

Run it directly:

./dist/sectalon "https://example.com" --llm-provider ollama --llm-model gemma4

Notes:

  • Keep Ollama running locally when using --llm-provider ollama.
  • For OpenAI provider, set OPENAI_API_KEY as usual.
  • On first run, Chromium auto-installs to ~/.cache/ms-playwright.

▶️ Quick Start (Host Run)

python3 talon_v1.py "https://example.com"

Local Ollama (Gemma4) - recommended for your setup

Start Ollama and pull model:

ollama pull gemma4

Run Talon using Ollama backend:

export TALON_LLM_PROVIDER="ollama"
export TALON_LLM_MODEL="gemma4"
export OLLAMA_HOST="http://localhost:11434"
export OLLAMA_TIMEOUT_SEC="180"
python3 talon_v1.py "https://example.com"

OpenAI (optional)

If you want cloud LLM instead:

export OPENAI_API_KEY="your_api_key_here"
export TALON_LLM_PROVIDER="openai"
python3 talon_v1.py "https://example.com"

Optional:

python3 talon_v1.py "example.com/login" --output-dir evidence --timeout-ms 20000

Force heuristic-only mode:

python3 talon_v1.py "https://example.com" --no-llm

Optional model override:

export TALON_LLM_MODEL="gemma4"

Optional provider override per run:

python3 talon_v1.py "https://example.com" --llm-provider ollama --llm-model gemma4

🛡️ Docker Sandbox Run (Recommended)

Build once:

docker compose -f docker-compose.sandbox.yml build

Run analysis:

TARGET_URL="https://leadscruise.com" docker compose -f docker-compose.sandbox.yml run --rm talon

For Docker + host Ollama, default OLLAMA_HOST is set to:

http://host.docker.internal:11434

You can override it if needed:

OLLAMA_HOST="http://host.docker.internal:11434" TARGET_URL="https://example.com" docker compose -f docker-compose.sandbox.yml run --rm talon

The sandbox profile includes:

  • read-only root filesystem,
  • all Linux capabilities dropped,
  • no-new-privileges,
  • CPU/memory/PID limits,
  • output only through mounted ./evidence.
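
To confirm that a running container really has this profile, the following added check (not part of Talon) reads the JSON printed by docker inspect and reports every listed property that is missing. The function name audit_sandbox and the in-container evidence path /app/evidence are assumptions; the HostConfig and Mounts keys are the ones Docker itself emits.

```python
import json

def audit_sandbox(inspect_json, evidence_dest="/app/evidence"):
    """List the profile items missing from `docker inspect <container>` output.

    evidence_dest is an assumed in-container path for the ./evidence mount.
    """
    c = json.loads(inspect_json)[0]
    host = c.get("HostConfig") or {}
    caps = [x.upper() for x in host.get("CapDrop") or []]
    secopt = [o.replace("=", ":") for o in host.get("SecurityOpt") or []]
    # tmpfs scratch space is expected with a read-only root; binds/volumes are not.
    writable = [m.get("Destination", "?") for m in c.get("Mounts") or []
                if m.get("RW") and m.get("Type") != "tmpfs"]
    findings = []
    if host.get("Privileged"):
        findings.append("container is privileged")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    if "ALL" not in caps:
        findings.append("capabilities not fully dropped")
    if host.get("CapAdd"):
        findings.append("capabilities added back")
    if not {"no-new-privileges", "no-new-privileges:true"} & set(secopt):
        findings.append("no-new-privileges not set")
    if not host.get("Memory"):
        findings.append("no memory limit")
    if not (host.get("NanoCpus") or host.get("CpuQuota")):
        findings.append("no CPU limit")
    if (host.get("PidsLimit") or 0) <= 0:  # null, 0 and -1 all mean unlimited
        findings.append("no PID limit")
    extra = sorted(d for d in writable if d != evidence_dest)
    if extra:
        findings.append("unexpected writable mounts: " + ", ".join(extra))
    return findings

# Constructed sample: a container started with default settings and a source mount.
SAMPLE_DEFAULT = json.dumps([{
    "HostConfig": {"ReadonlyRootfs": False, "CapDrop": None, "CapAdd": None,
                   "SecurityOpt": None, "Memory": 0, "NanoCpus": 0,
                   "PidsLimit": None, "Privileged": False},
    "Mounts": [{"Type": "bind", "Destination": "/src", "RW": True}],
}])

if __name__ == "__main__":
    print("\n".join(audit_sandbox(SAMPLE_DEFAULT)))
```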

📦 Output Artifacts

Each scan now creates a dedicated run folder:

  • evidence/run_<timestamp>/report.json
  • evidence/run_<timestamp>/screenshot.png
  • evidence/run_<timestamp>/dom.html

Each report.json includes analysis_method:

  • llm-ollama
  • llm-openai
  • heuristic

Run logs are also appended to:

  • logs/runs.jsonl (one JSON entry per scan)

🔐 Security Note

Docker sandboxing significantly reduces risk compared to running directly on the host, but no sandbox is perfect. For high-risk investigations, use a dedicated VM and isolated network segment.

Download files

Source Distribution

sectalon-0.1.1.tar.gz (7.9 kB)

Uploaded Source

Built Distribution

sectalon-0.1.1-py3-none-any.whl (8.2 kB)

Uploaded Python 3

File details

Details for the file sectalon-0.1.1.tar.gz.

File metadata

  • Download URL: sectalon-0.1.1.tar.gz
  • Upload date:
  • Size: 7.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.2

File hashes

Hashes for sectalon-0.1.1.tar.gz
Algorithm Hash digest
SHA256 30e36c8bb72443d2a1ccd4a08fbf2944e3df0df7cc4c517681763be0b34229ab
MD5 7dac075f57c2fa613c3a6a99c5422bf5
BLAKE2b-256 1cafab89561513bad32599ac7345de7f8afaa69b130f86d86cd1af803e0a712c

File details

Details for the file sectalon-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: sectalon-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 8.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.2

File hashes

Hashes for sectalon-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 548efc7697c77294609fcdb313359c5a36e7ff0cd72eb61b370b5e85c9c878e5
MD5 c57c17042be70b4965caabd20b439e85
BLAKE2b-256 e4b0f3e94c0dcbe3e9ebacc5ab2c1d309e1c82097a26057a399a37a8bb79f302
