Talon CLI: phishing URL analysis with Playwright, Ollama/OpenAI, and evidence capture.

Project description

🦅 Talon (Alpha)

The Autonomous AI Phishing Hunter

Detonate suspicious URLs, capture evidence, and get a fast phishing-risk verdict.

License: MIT | Python 3.9+ | Engine: Playwright | Sandbox: Docker

Talon is a practical phishing URL analysis tool that:

  • detonates suspicious links in headless Chromium,
  • captures forensic evidence (screenshot + DOM snapshot),
  • returns an LLM-assisted phishing risk verdict (with heuristic fallback).

✨ Features (V1)

  • 🕵️ URL detonation: opens a target URL safely in Playwright.
  • 🔁 Redirect awareness: records the final resolved URL after redirects.
  • 🧾 Evidence capture: stores full-page screenshot and DOM snapshot.
  • 🤖 LLM analysis: uses an LLM for smarter risk reasoning.
  • 📊 Structured output: writes a JSON report with score, level, reasons, and method.
  • 🧱 Docker sandbox mode: runs analysis in a hardened container profile.

⚙️ How It Works

  1. Ingest: receive a URL input.
  2. Detonate: load it in headless Chromium.
  3. Collect: save final URL, HTTP status, title, screenshot, and DOM.
  4. Verdict: run LLM analysis (ollama / openai) with heuristic fallback.

📁 Project Structure

.
├── talon_v1.py
├── requirements.txt
├── Dockerfile
├── docker-compose.sandbox.yml
├── .gitignore
└── evidence/              # generated at runtime (ignored by git)

🚀 Local Setup

git clone https://github.com/tejkdno1/Talon.git
cd Talon
python3 -m pip install -r requirements.txt
python3 -m playwright install chromium

📥 Install As CLI Package (sectalon)

You can install Talon on another machine as a CLI package and run it via sectalon.

From GitHub:

python3 -m pip install "git+https://github.com/tejkdno1/Talon.git"

Or with pipx (recommended for CLI tools):

pipx install "git+https://github.com/tejkdno1/Talon.git"

Then run:

sectalon "https://example.com" --llm-provider ollama --llm-model gemma4

Notes:

  • Package name is sectalon, command name is sectalon.
  • First run auto-downloads Chromium if missing.

🧠 Onboarding + Intent Mode

Run interactive onboarding (OpenClaw-style) to connect your LLM backend:

sectalon onboard

This stores config at:

~/.config/sectalon/config.json

Then you can parse natural-language intent through your connected LLM:

sectalon intent "check if amezon.in looks like phishing"

Supported intent outputs include:

  • analyze_url
  • onboard
  • help
  • unknown

📦 One-File Executable (Open-Source Friendly)

Build a single binary (no Python required on target machine):

./build_onefile.sh

Output:

dist/sectalon

Run it directly:

./dist/sectalon "https://example.com" --llm-provider ollama --llm-model gemma4

Notes:

  • Keep Ollama running locally when using --llm-provider ollama.
  • For OpenAI provider, set OPENAI_API_KEY as usual.
  • On first run, Chromium auto-installs to ~/.cache/ms-playwright.

▶️ Quick Start (Host Run)

python3 talon_v1.py "https://example.com"

Local Ollama (Gemma4) - recommended for your setup

Start Ollama and pull model:

ollama pull gemma4

Run Talon using Ollama backend:

export TALON_LLM_PROVIDER="ollama"
export TALON_LLM_MODEL="gemma4"
export OLLAMA_HOST="http://localhost:11434"
export OLLAMA_TIMEOUT_SEC="180"
python3 talon_v1.py "https://example.com"

OpenAI (optional)

If you want a cloud LLM instead:

export OPENAI_API_KEY="your_api_key_here"
export TALON_LLM_PROVIDER="openai"
python3 talon_v1.py "https://example.com"

Optional output directory and timeout:

python3 talon_v1.py "example.com/login" --output-dir evidence --timeout-ms 20000

Force heuristic-only mode:

python3 talon_v1.py "https://example.com" --no-llm

Optional model override:

export TALON_LLM_MODEL="gemma4"

Optional provider override per run:

python3 talon_v1.py "https://example.com" --llm-provider ollama --llm-model gemma4

🛡️ Docker Sandbox Run (Recommended)

Build once:

docker compose -f docker-compose.sandbox.yml build

Run analysis:

TARGET_URL="https://leadscruise.com" docker compose -f docker-compose.sandbox.yml run --rm talon

For Docker + host Ollama, default OLLAMA_HOST is set to:

http://host.docker.internal:11434

You can override it if needed:

OLLAMA_HOST="http://host.docker.internal:11434" TARGET_URL="https://example.com" docker compose -f docker-compose.sandbox.yml run --rm talon

The sandbox profile includes:

  • read-only root filesystem,
  • all Linux capabilities dropped,
  • no-new-privileges,
  • CPU/memory/PID limits,
  • output only through mounted ./evidence.
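
The five properties above can be checked mechanically before a run. The following is an added example, not the project's own code or its docker-compose.sandbox.yml: it audits a Compose service definition (for instance, one service taken from the parsed output of docker compose config). The sample services, the container path /app/evidence and the limit values are constructed assumptions.

```python
"""Audit a Compose service against the five sandbox properties listed above."""

# Constructed sample, NOT the project's docker-compose.sandbox.yml. Keys are
# standard Compose service attributes; paths and limits are assumptions.
HARDENED = {
    "read_only": True,
    "cap_drop": ["ALL"],
    "security_opt": ["no-new-privileges:true"],
    "mem_limit": "1g",
    "cpus": 1.0,
    "pids_limit": 256,
    "volumes": ["./evidence:/app/evidence"],
}
# The same service with three regressions: a capability added back, the PID
# limit removed, and a second host path mounted beside the evidence directory.
WEAK = dict(
    HARDENED,
    cap_add=["SYS_ADMIN"],
    pids_limit=None,
    volumes=["./evidence:/app/evidence", "/etc:/host-etc"],
)


def mount_source(vol):
    """Host side of a short ("src:dst[:mode]") or long-form (dict) volume."""
    if isinstance(vol, dict):
        return str(vol.get("source", ""))
    return str(vol).split(":", 1)[0]


def audit_service(svc, evidence_dir="./evidence"):
    """Return findings; an empty list means all five properties hold."""
    findings = []
    if svc.get("read_only") is not True:
        findings.append("root filesystem is writable")
    if "ALL" not in {str(c).upper() for c in svc.get("cap_drop") or []}:
        findings.append("cap_drop does not include ALL")
    if svc.get("cap_add"):
        findings.append("capabilities added back: " + ", ".join(svc["cap_add"]))
    opts = {str(o).replace("=", ":").lower() for o in svc.get("security_opt") or []}
    if not opts & {"no-new-privileges", "no-new-privileges:true"}:
        findings.append("no-new-privileges is not set")
    for key in ("mem_limit", "cpus", "pids_limit"):
        if not svc.get(key):
            findings.append("missing resource limit: " + key)
    extra = [mount_source(v) for v in svc.get("volumes") or []
             if mount_source(v).rstrip("/") != evidence_dir.rstrip("/")]
    if extra:
        findings.append("mounts beyond the evidence directory: " + ", ".join(extra))
    return findings
```

Calling audit_service(WEAK) reports the added capability, the missing PID limit and the extra mount; audit_service(HARDENED) returns an empty list.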

📦 Output Artifacts

Each scan now creates a dedicated run folder:

  • evidence/run_<timestamp>/report.json
  • evidence/run_<timestamp>/screenshot.png
  • evidence/run_<timestamp>/dom.html

Each report.json includes analysis_method:

  • llm-ollama
  • llm-openai
  • heuristic

Run logs are also appended to:

  • logs/runs.jsonl (one JSON entry per scan)
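
For evidence handling, a run folder can be checked for completeness and hashed as soon as the scan finishes. This is an added example, not part of Talon: it uses the three artifact names and the analysis_method values listed above; the manifest layout, the sample folder name and its timestamp format are assumptions.

```python
"""Check a Talon run folder for completeness and hash its artifacts."""
import hashlib
import json
from pathlib import Path

ARTIFACTS = ("report.json", "screenshot.png", "dom.html")   # names from the README
KNOWN_METHODS = {"llm-ollama", "llm-openai", "heuristic"}   # analysis_method values


def seal_run(run_dir):
    """Return a manifest: SHA-256 per artifact, missing files, and review notes."""
    run_dir = Path(run_dir)
    manifest = {"run": run_dir.name, "sha256": {}, "missing": [], "notes": []}
    for name in ARTIFACTS:
        path = run_dir / name
        if path.is_file():
            manifest["sha256"][name] = hashlib.sha256(path.read_bytes()).hexdigest()
        else:
            manifest["missing"].append(name)
    report_path = run_dir / "report.json"
    if report_path.is_file():
        try:
            report = json.loads(report_path.read_text(encoding="utf-8"))
        except ValueError:
            manifest["notes"].append("report.json is not valid JSON")
            return manifest
        method = report.get("analysis_method") if isinstance(report, dict) else None
        manifest["analysis_method"] = method
        if method == "heuristic":
            # The LLM did not produce this verdict; treat the score accordingly.
            manifest["notes"].append("verdict came from the heuristic fallback")
        elif method not in KNOWN_METHODS:
            manifest["notes"].append(f"unexpected analysis_method: {method!r}")
    return manifest


def build_sample_run(base):
    """Create a constructed run folder with fake artifact bytes for the demo."""
    run = Path(base) / "run_20250101T000000"   # timestamp format is an assumption
    run.mkdir(parents=True)
    (run / "report.json").write_text(json.dumps({"analysis_method": "heuristic"}))
    (run / "dom.html").write_text("<html><title>constructed sample</title></html>")
    return run   # screenshot.png is deliberately left out
```

Storing the returned manifest outside the evidence directory lets a later reviewer confirm that the screenshot and DOM snapshot were not altered after capture.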

🔐 Security Note

Docker sandboxing significantly reduces risk compared to running directly on the host, but no sandbox is perfect. For high-risk investigations, use a dedicated VM and isolated network segment.

File details

Details for the file sectalon-0.1.2.tar.gz.

File metadata

  • Download URL: sectalon-0.1.2.tar.gz
  • Upload date:
  • Size: 10.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.2

File hashes

Hashes for sectalon-0.1.2.tar.gz
Algorithm Hash digest
SHA256 26ba0f4b80b4e5975e79c768bee2504b085b1c0b6162abf09a03665e83fb486f
MD5 469daefd87988a741cc2bb2638a260f8
BLAKE2b-256 0ef3d8c0961ed4f309343a6badcb61f7870e82c5326c283c446a4a8851f7a07c

File details

Details for the file sectalon-0.1.2-py3-none-any.whl.

File metadata

  • Download URL: sectalon-0.1.2-py3-none-any.whl
  • Upload date:
  • Size: 11.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.2

File hashes

Hashes for sectalon-0.1.2-py3-none-any.whl
Algorithm Hash digest
SHA256 86e3ce444bcb37f81e0903dfb064b140cb69d948bb7d7dd3a7965dc42db8eb41
MD5 9f96a915c524f6ac506c26a34ff6118d
BLAKE2b-256 61971d2f46680245cef6f652e702eb938d836de57cb8d4e3d21db15e886a245d
