
Analyzing Malicious URL With URLScan
Produce a consistent URLScan-driven malicious URL analysis report with redirects, TLS, VT cross-checks, IOCs, and blocklist actions.
Overview
analyzing-malicious-url-with-urlscan is an agent skill for the Ship phase that structures URLScan-based malicious URL investigation reports with IOCs and response actions.
Install
npx skills add https://github.com/mukul975/anthropic-cybersecurity-skills --skill analyzing-malicious-url-with-urlscan
What is this skill?
- Structured report template: analyst metadata, case ID, defanged URL, URLScan UUID
- Page, server, ASN, country, and login-form detection fields
- TLS certificate table with issuer, validity, and certificate age
- Redirect chain table from original through final URL
- Threat intel cross-reference: URLScan verdict, VirusTotal, PhishTank, Safe Browsing, AbuseIPDB
- Report sections: Analysis Info, URL Details, Page Analysis, TLS, Redirect Chain, Threat Intel, IOCs, Classification, Rec
Adoption & trust: 1 install on skills.sh; 14.9k GitHub stars; 2/3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).
What problem does it solve?
You received a suspicious URL alert and need a complete, defensible analysis report without reinventing sections every time.
Who is it for?
Solo founders or indie devs doing incident triage on phishing links with URLScan and common TI feeds before blocking at the edge.
Skip if: you need fully automated SOAR playbooks without human review, or malware binary reverse engineering beyond URL delivery pages.
When should I use this skill?
Use it when you are investigating suspicious URLs with URLScan and need a structured analysis report, an IOC list, or a phishing classification workflow.
What do I get? / Deliverables
You fill in a complete URL analysis report with redirects, TLS, intel scores, extracted IOCs, classification, and prioritized blocklist actions.
- Completed URL analysis report
- IOC tables for domains, IPs, and hashes
- Classification and recommended block actions
How it compares
Analyst report template for URLScan triage, not a generic web scraper or passive DNS-only lookup skill.
Common Questions / FAQ
Who is analyzing-malicious-url-with-urlscan for?
Builders and small security-minded teams documenting phishing or malicious URL cases with URLScan and standard threat-intel lookups.
When should I use analyzing-malicious-url-with-urlscan?
Use it in Ship security when investigating user-reported links, email gateway hits, or SIEM URL alerts before blocking domains and IPs.
Is analyzing-malicious-url-with-urlscan safe to install?
The skill guides external scans and intel API use—review the Security Audits panel on this page and avoid submitting live credentials into unknown URLs.
SKILL.md
# URL Analysis Report Template

## Analysis Information
- **Analyst**: [Name]
- **Date**: [YYYY-MM-DD]
- **Case ID**: [CASE-XXXX]
- **Source**: [User report / Email gateway / SIEM alert]

## URL Details
| Field | Value |
|---|---|
| Original URL | |
| Defanged URL | hxxps://... |
| Final URL (after redirects) | |
| URLScan UUID | |
| Scan visibility | private/public |

## Page Analysis
| Field | Value |
|---|---|
| Page Title | |
| HTTP Status | |
| Server | |
| Domain | |
| IP Address | |
| ASN | |
| Country | |
| Login Form Detected | Yes/No |

## TLS Certificate
| Field | Value |
|---|---|
| Issuer | |
| Subject | |
| Valid From | |
| Valid To | |
| Certificate Age | |

## Redirect Chain
| # | URL | Status |
|---|---|---|
| 1 (original) | | |
| 2 | | |
| 3 (final) | | |

## Threat Intelligence Cross-Reference
| Source | Result | Score |
|---|---|---|
| URLScan Verdict | | |
| VirusTotal | /XX engines | |
| PhishTank | | |
| Google Safe Browsing | | |
| AbuseIPDB | | |

## IOCs Extracted

### Domains
| Domain | Role | Reputation |
|---|---|---|
| | | |

### IP Addresses
| IP | ASN | Country | Reputation |
|---|---|---|---|
| | | | |

### File Hashes
| Hash (SHA-256) | Type | Size |
|---|---|---|
| | | |

## Classification
- [ ] Phishing - Credential Harvesting
- [ ] Phishing - Malware Delivery
- [ ] Scam / Fraud
- [ ] Benign
- [ ] Inconclusive

## Recommended Actions
- [ ] Block domain at proxy/firewall
- [ ] Block IP at firewall
- [ ] Add to email gateway blocklist
- [ ] Submit to PhishTank / APWG
- [ ] Notify affected users
- [ ] Request domain takedown

## Notes
[Additional analysis observations]

Apache License, Version 2.0, January 2004, http://www.apache.org/licenses/