seithar-intel — Threat Intelligence & Cognitive Security Feed

Seithar Group — Intelligence Division

認知作戦 | seithar.com

A personal cyber threat intelligence and cognitive security analyst for OpenClaw. Monitors RSS feeds for security news, vulnerability disclosures, exploit drops, and influence operation reports. Scores items against your interests, delivers daily briefings, and provides on-demand deep-dive analysis of any threat — technical or cognitive.

This is ThreatMouth in your pocket. Cyber + cognitive security awareness from any chat app.

---

Description

This skill turns your OpenClaw into a threat intelligence analyst that:

• Monitors cybersecurity RSS feeds (BleepingComputer, The Hacker News, Krebs on Security, CISA, Full Disclosure, Exploit-DB, SANS ISC, oss-security, Schneier, PacketStorm, DarkReading, and more)
• Monitors cognitive security feeds (EUvsDisinfo, DFRLab, Bellingcat, RAND, Seithar Research)
• Scores each item against your configured interest profile
• Delivers morning/evening briefings via your preferred chat app
• Provides on-demand deep-dive analysis of any CVE, vulnerability, exploit, influence operation, or campaign
• Tracks MITRE ATT&CK and DISARM framework technique mappings
• Discovers public proof-of-concept code for disclosed vulnerabilities
• Maintains a running threat landscape summary that evolves with the feed

---

Triggers

• "threat briefing" / "security briefing" / "morning briefing" / "what's new in security"
• "check threats" / "check feeds" / "any new vulns"
• "explain CVE-XXXX-XXXXX" / "deep dive on [topic]" / "analyze this threat"
• "cogdef briefing" / "cognitive security update" / "any new psyops"
• "what should I study today" / "learning recommendations"
• "threat landscape" / "what's trending in security"
• "poc for CVE-XXXX-XXXXX" / "any exploits for [software]"
• "seithar brief"

---

Configuration

The operator should configure the following in their OpenClaw settings or by telling the agent directly:

Interest Profile

Tell your OpenClaw your security interests and it will calibrate scoring. Example:

My security interests are:
- Malware analysis and reverse engineering
- Social engineering and cognitive security
- Network exploitation
- OSINT and intelligence gathering
- Influence operations and information warfare
- Vulnerability research and exploit development

I'm currently studying:
- MITRE ATT&CK framework
- DISARM framework for influence operations
- Python security tooling
- OverTheWire wargames

My skill level: intermediate

Deprioritize:
- Enterprise compliance and GRC
- Cloud IAM and AWS security
- Vendor marketing announcements
- Corporate breach notifications unless technically interesting

The skill stores this profile in memory and uses it to score every feed item for relevance.

Feed Schedule

Default schedule (configurable):

• Morning briefing: 8:00 AM local — top 5 items from overnight, any critical alerts
• Evening briefing: 6:00 PM local — day summary, items scored > 0.7, study recommendations
• Critical alerts: Immediate — items scored > 0.9 pushed as soon as detected

Tell your OpenClaw: "Change my briefing time to 9 AM and 7 PM" or "Only send critical alerts, no scheduled briefings"

Feed Check Interval

Default: every 2 hours. The skill uses OpenClaw's cron/heartbeat system to periodically fetch and process feeds.

---

How It Works

Feed Collection

On each check interval, the skill instructs the agent to:

1. Fetch RSS feeds from the configured source list using the web_fetch tool
2. Parse feed entries (title, link, published date, summary/description)
3. Deduplicate against previously seen items (tracked in memory by URL hash)
4. For each new item, score it against the operator's interest profile

Scoring

Each new item is scored 0.0 to 1.0 against the operator's profile:

• 0.9 - 1.0: Critical — matches core interests directly, high urgency (active exploitation, 0-day, major campaign)
• 0.7 - 0.9: High — relevant to interests, worth reading today
• 0.5 - 0.7: Medium — tangentially relevant, include in digest
• Below 0.5: Low — skip unless specifically requested

The agent scores by examining the item's title, summary, source, and any CVE/technique references against the stored interest profile. No external API needed — the LLM does the scoring inline.

Categorization

Items are categorized into:

• CRITICAL ALERT — Active exploitation, 0-day, critical infrastructure
• EXPLOIT DROP — New CVE, PoC release, vulnerability disclosure
• MALWARE — Malware analysis, RE findings, campaign reports
• INFLUENCE OP — Disinformation campaigns, cognitive security, DISARM-mapped operations
• TECHNIQUE — ATT&CK or DISARM technique deep-dives, methodology
• LEARNING — Tutorials, CTF writeups, educational content
• GENERAL — Industry news, policy, commentary

Briefing Format

╔══════════════════════════════════════════════════╗
║  SEITHAR INTELLIGENCE BRIEFING                   ║
║  2026-02-11 08:00 EST                            ║
╚══════════════════════════════════════════════════╝

CRITICAL (act now):

  🔴 [0.95] Pre-auth RCE in OpenSSH (CVE-2026-XXXXX)
     Full Disclosure | 2h ago
     Affects OpenSSH 9.x. Public PoC available.
     ▸ Say "deep dive CVE-2026-XXXXX" for full analysis

HIGH RELEVANCE:

  🟠 [0.87] Lazarus Group deploys new social engineering
     toolkit targeting crypto developers
     The Hacker News | 4h ago
     DISARM: T0047 (Develop Content), ATT&CK: T1566.001
     ▸ Say "deep dive lazarus social engineering" for analysis

  🟠 [0.82] New Nuclei templates for Spring4Shell variants
     Exploit-DB | 6h ago
     12 new detection templates + PoC payloads
     ▸ Say "explain spring4shell" for context

  🟠 [0.78] Russian influence operation targeting NATO
     narratives detected across 3 platforms
     DFRLab | 5h ago
     DISARM: T0046, T0048, T0056 | Coordinated inauthentic behavior
     ▸ Say "deep dive nato influence op" for DISARM breakdown

STUDY RECOMMENDATION:
  Based on today's feed: review SSH key exchange internals
  and pre-authentication attack surfaces. OverTheWire Bandit
  levels 14-17 cover SSH fundamentals.

──────────────────────────────────────────────────
24 items collected | 4 high relevance | 1 critical
Seithar Intelligence Division v1.0
認知作戦 | seithar.com/research
──────────────────────────────────────────────────

Deep Dive

When the operator says "deep dive [topic]" or "explain [CVE]", the skill:

1. Fetches the full article content via web_fetch
2. If a CVE is mentioned, queries the NVD API for structured vuln data
3. Searches GitHub for public PoC repositories (https://api.github.com/search/repositories?q=CVE-XXXX-XXXXX&sort=stars)
4. Generates a structured educational breakdown:

╔══════════════════════════════════════════════════╗
║  SEITHAR DEEP DIVE                               ║
║  CVE-2026-XXXXX — OpenSSH Pre-Auth RCE           ║
╚══════════════════════════════════════════════════╝

WHAT HAPPENED:
  A memory corruption vulnerability in OpenSSH's key exchange
  handler allows unauthenticated attackers to achieve remote
  code execution as root. No credentials required.

HOW THE EXPLOIT WORKS:
  1. Attacker connects to SSH port 22
  2. During key exchange (before authentication), sends
     oversized payload in the KEX_INIT message
  3. Buffer overflow overwrites return address on stack
  4. Execution redirected to attacker's shellcode
  5. Root shell achieved — no credentials needed

  Pseudocode:
    connect(target, 22)
    send(kex_init_with_overflow_payload)
    # Stack is now corrupted
    # Return address points to shellcode
    # Root shell spawns

MITRE ATT&CK:
  T1190 — Exploit Public-Facing Application
  T1068 — Exploitation for Privilege Escalation

...