npx claudepluginhub buriedsignals/skills --plugin osintThis skill uses the workspace's default tool permissions.
Systematic approaches for investigating social media: authenticating accounts, detecting coordinated behavior, and tracking how narratives spread.
Decomposes social media claims into atomic verifiable facts, classifies components, resolves entities and timelines, and guides systematic verification. For fact-checking viral content or multi-part assertions.
Recommends 150+ OSINT tools and methodologies for investigations like reverse image search, geolocation, domain WHOIS, social media intel, and threat analysis. Routes to specialized skills.
Tracks emerging trends, viral content, hashtags, momentum, and sentiment across Twitter/X, Reddit, YouTube, LinkedIn, Instagram using anysite MCP server. Useful for social listening and market shift analysis.
Share bugs, ideas, or general feedback.
Systematic approaches for investigating social media: authenticating accounts, detecting coordinated behavior, and tracking how narratives spread.
Adapted from jamditis/claude-skills-journalism by Jay Amditis (MIT License). Extended for integration with the OSINT investigation pipeline.
Before trusting a social media account as a source, assess its authenticity. Work through these red flags systematically.
| Signal | Red flag threshold | How to check |
|---|---|---|
| Account age | Created < 30 days ago | Profile creation date |
| Follower/following ratio | Ratio < 0.1 (follows 10x more than follows back) | Profile stats |
| Posting volume | > 50 posts/day sustained | Post count ÷ account age |
| Profile photo | Generic, stock-looking, or AI-generated | Reverse image search (TinEye, Google Lens) |
| Bio content | Keyword-stuffed, no personal details, copied text | Read and search bio phrases |
| Personal content ratio | Mostly reshares, < 10% original content | Scroll recent posts |
| Engagement rate | Unusually high (> 20%) or unusually low (< 0.1%) | Likes + comments ÷ followers |
Tally red flags. Three or more warrants explicit low confidence on any finding sourced from this account.
Document in confidence_rationale: "Account shows [N] authenticity red flags: [list them]."
Coordinated inauthentic behavior is when multiple accounts act together to artificially amplify content. Check these signals when you see multiple accounts pushing the same narrative.
0–1 signals: Normal variation. Note and move on. 2–3 signals: Flag for further investigation. Do not cite these accounts as independent sources. 4+ signals: Strong coordination indicator. Treat as a single source, not multiple. Document all signals explicitly in the investigation log.
When investigating how a claim spread, reconstruct the propagation chain.
Search for the earliest known instance of the claim or content:
curl "http://web.archive.org/cdx/search/cdx?url={URL}&output=json&limit=3&fl=timestamp,original"For each major appearance of the claim, record:
{
"appearance_id": "A1",
"platform": "X|Facebook|Telegram|etc",
"author": "account handle",
"url": "post URL",
"timestamp": "ISO 8601",
"archive_url": "Wayback or Archive.today URL",
"engagement": { "likes": 0, "shares": 0, "comments": 0 },
"source_of_claim": "original|reshare|paraphrase"
}
Who has the largest reach in the spread? Are they:
Fast spread (viral in hours) vs. slow build (days/weeks) tells you different things. Slow, coordinated spread from low-credibility accounts seeding to high-credibility ones is a classic astroturfing pattern.
| Platform | Best approach | Notes |
|---|---|---|
| X (Twitter) | Advanced search, Apify X scraper | API severely restricted; Apify actor bypasses this for public data |
| CrowdTangle (academic) or Apify | Direct API effectively closed; pages and public groups accessible | |
| Apify Instagram scraper | No public search API; stories disappear in 24h — archive immediately | |
| TikTok | Exolyt, Pentos, Apify TikTok scraper | Limited historical data |
| Pushshift (partial), Arctic Shift | Historical data access varies | |
| YouTube | YouTube Data API v3 | Good metadata; search YOUTUBE_API_KEY in env |
| Bluesky | AT Protocol Firehose | Open, real-time, no auth required for public data |
| Telegram | TGStat, Telemetrio, Telepathy | Public channels searchable; private groups inaccessible |
If the configured search library is Apify:
# X/Twitter posts by keyword
apify call apify/twitter-scraper --input '{"searchTerms": ["keyword"], "maxItems": 100}'
# Instagram profile posts
apify call apify/instagram-scraper --input '{"directUrls": ["https://instagram.com/username"]}'
# TikTok by hashtag
apify call apify/tiktok-scraper --input '{"hashtags": ["hashtag"], "resultsPerPage": 50}'
Social content disappears. Archive before you cite.
Archive every post that supports a finding using Skill(spotlight:web-archiving). For social media specifically:
In findings.json, add social media evidence using the standard source schema with type: "social_media":
{
"url": "https://x.com/username/status/12345",
"type": "social_media",
"platform": "X",
"author": "username",
"accessed": "2026-03-15T14:20:00Z",
"archive_url": "https://web.archive.org/web/20260315142200/https://x.com/...",
"access_method": "full_text",
"authenticity_flags": ["account created 2026-02-01", "high posting volume"],
"coordination_signals": []
}
Flag findings that rest on socially amplified claims: note in confidence_rationale whether the account shows authenticity red flags or is part of a suspected coordination cluster.
Adapted from claude-skills-journalism by Jay Amditis, released under MIT License. Methodology for account authenticity assessment, coordination detection, and narrative tracking is based on his original social-media-intelligence skill, adapted here for integration with the Spotlight investigation pipeline.