From osint
Assesses social media account authenticity with red-flag checklists, detects coordinated inauthentic behavior via timing/content patterns, and tracks narrative spread. For bot detection, campaign analysis, and evidence trails.
Slash command: /osint:social-media-intelligence
Systematic approaches for investigating social media: authenticating accounts, detecting coordinated behavior, and tracking how narratives spread.
Adapted from jamditis/claude-skills-journalism by Jay Amditis (MIT License). Extended for integration with the OSINT investigation pipeline.
Before trusting a social media account as a source, assess its authenticity. Work through these red flags systematically.
| Signal | Red flag threshold | How to check |
|---|---|---|
| Account age | Created < 30 days ago | Profile creation date |
| Follower/following ratio | Ratio < 0.1 (follows 10x more accounts than follow it back) | Profile stats |
| Posting volume | > 50 posts/day sustained | Post count ÷ account age |
| Profile photo | Generic, stock-looking, or AI-generated | Reverse image search (TinEye, Google Lens) |
| Bio content | Keyword-stuffed, no personal details, copied text | Read and search bio phrases |
| Personal content ratio | Mostly reshares, < 10% original content | Scroll recent posts |
| Engagement rate | Unusually high (> 20%) or unusually low (< 0.1%) | Likes + comments ÷ followers |
Tally red flags. Three or more warrants explicit low confidence on any finding sourced from this account.
Document in confidence_rationale: "Account shows [N] authenticity red flags: [list them]."
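The tally and the rationale string described above, as an added example that is not part of the original skill. The `acct` record and all of its field names are hypothetical, the engagement rate is read as mean likes plus comments per post divided by followers, and the photo and bio checks are passed in as analyst verdicts because they cannot be computed from counts.

```python
from datetime import datetime, timezone

def authenticity_flags(acct, now):
    """Apply the table's numeric thresholds to one account record.

    `acct` is a hypothetical dict; every field name is an assumption of this example.
    """
    flags = []
    age_days = max((now - acct["created"]).days, 1)   # day-0 accounts count as 1 day
    if age_days < 30:
        flags.append(f"account created {age_days} days ago")
    # followers / following; skipped when the account follows nobody
    if acct["following"] and acct["followers"] / acct["following"] < 0.1:
        flags.append("follower/following ratio below 0.1")
    per_day = acct["post_count"] / age_days
    if per_day > 50:
        flags.append(f"{per_day:.0f} posts/day sustained")
    recent = acct["recent_posts"]
    if recent:
        original = sum(not p["reshare"] for p in recent) / len(recent)
        if original < 0.10:
            flags.append(f"{original:.0%} original content")
        if acct["followers"]:
            # assumed reading: mean (likes + comments) per post, over followers
            rate = sum(p["likes"] + p["comments"] for p in recent) / len(recent) / acct["followers"]
            if rate > 0.20 or rate < 0.001:
                flags.append(f"engagement rate {rate:.2%}")
    # Photo and bio checks need a human; the analyst records the verdict.
    if acct.get("photo_suspect"):
        flags.append("generic, stock or AI-looking profile photo")
    if acct.get("bio_suspect"):
        flags.append("keyword-stuffed or copied bio")
    return flags

def assess(acct, now):
    flags = authenticity_flags(acct, now)
    rationale = f"Account shows {len(flags)} authenticity red flags: {'; '.join(flags)}." if flags else ""
    return {"flags": flags, "low_confidence": len(flags) >= 3, "confidence_rationale": rationale}

# Constructed sample: two-week-old account, follows 2000, 40 followers, all reshares
NOW = datetime(2026, 3, 15, tzinfo=timezone.utc)
SAMPLE = {
    "created": datetime(2026, 3, 1, tzinfo=timezone.utc),
    "followers": 40, "following": 2000, "post_count": 1400,
    "recent_posts": [{"reshare": True, "likes": 0, "comments": 0}] * 20,
}

if __name__ == "__main__":
    print(assess(SAMPLE, NOW)["confidence_rationale"])
```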
Coordinated inauthentic behavior is when multiple accounts act together to artificially amplify content. Check these signals when you see multiple accounts pushing the same narrative.
- 0–1 signals: Normal variation. Note and move on.
- 2–3 signals: Flag for further investigation. Do not cite these accounts as independent sources.
- 4+ signals: Strong coordination indicator. Treat as a single source, not multiple. Document all signals explicitly in the investigation log.
When investigating how a claim spread, reconstruct the propagation chain.
Search for the earliest known instance of the claim or content:
```bash
curl "http://web.archive.org/cdx/search/cdx?url={URL}&output=json&limit=3&fl=timestamp,original"
```

For each major appearance of the claim, record:

```json
{
  "appearance_id": "A1",
  "platform": "X|Facebook|Telegram|etc",
  "author": "account handle",
  "url": "post URL",
  "timestamp": "ISO 8601",
  "archive_url": "Wayback or Archive.today URL",
  "engagement": { "likes": 0, "shares": 0, "comments": 0 },
  "source_of_claim": "original|reshare|paraphrase"
}
```
Who has the largest reach in the spread? Are they:
Fast spread (viral in hours) vs. slow build (days/weeks) tells you different things. Slow, coordinated spread from low-credibility accounts seeding to high-credibility ones is a classic astroturfing pattern.
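One way to turn a set of appearance records into a propagation chain, as an added example that is not part of the original skill. The function names, the use of share count as a stand-in for reach, and the sample records (placeholder URLs, constructed values) are assumptions of this example.

```python
from datetime import datetime

def parse_ts(ts):
    # Older Pythons' fromisoformat() rejects a trailing "Z", so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def propagation_chain(appearances):
    """Order appearance records (schema above) by real time and summarise the spread.

    Timestamps must carry a UTC offset; comparing them as strings would misorder
    posts captured in different time zones.
    """
    chain = sorted(appearances, key=lambda a: parse_ts(a["timestamp"]))
    first = chain[0]
    # Assumption of this example: share count stands in for reach.
    top = max(chain, key=lambda a: a["engagement"]["shares"])
    hours = (parse_ts(top["timestamp"]) - parse_ts(first["timestamp"])).total_seconds() / 3600
    return {
        "order": [a["appearance_id"] for a in chain],
        # If the earliest known post is itself a reshare, the origin is still missing.
        "origin_found": first["source_of_claim"] == "original",
        "largest_reach": top["appearance_id"],
        "hours_to_largest_reach": round(hours, 1),
        "unarchived": [a["appearance_id"] for a in chain if not a.get("archive_url")],
    }

def rec(aid, ts, shares, kind, archived=True):
    # Builds a constructed record in the page's schema (placeholder URLs).
    return {"appearance_id": aid, "platform": "X", "author": f"user_{aid}",
            "url": f"https://example.com/{aid}", "timestamp": ts,
            "archive_url": f"https://archive.example/{aid}" if archived else "",
            "engagement": {"likes": 0, "shares": shares, "comments": 0},
            "source_of_claim": kind}

# Constructed sample: A2 posts at 21:30 UTC, written with a +02:00 offset.
SAMPLE = [
    rec("A1", "2026-03-10T22:00:00Z", 40, "reshare", archived=False),
    rec("A2", "2026-03-10T23:30:00+02:00", 12, "original"),
    rec("A3", "2026-03-13T09:30:00Z", 5200, "paraphrase"),
]

if __name__ == "__main__":
    print(propagation_chain(SAMPLE))
```

In the sample, A2 sorts first even though its local clock time reads later than A1's, and the 60-hour gap to the largest-reach post puts this spread in the slow-build category.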
| Platform | Best approach | Notes |
|---|---|---|
| X (Twitter) | Advanced search, Apify X scraper | API severely restricted; Apify actor bypasses this for public data |
| Facebook | CrowdTangle (academic) or Apify | Direct API effectively closed; pages and public groups accessible |
| Instagram | Apify Instagram scraper | No public search API; stories disappear in 24h — archive immediately |
| TikTok | Exolyt, Pentos, Apify TikTok scraper | Limited historical data |
| Reddit | Pushshift (partial), Arctic Shift | Historical data access varies |
| YouTube | YouTube Data API v3 | Good metadata; check for YOUTUBE_API_KEY in env |
| Bluesky | AT Protocol Firehose | Open, real-time, no auth required for public data |
| Telegram | TGStat, Telemetrio, Telepathy | Public channels searchable; private groups inaccessible |
If the configured search library is Apify:
```bash
# X/Twitter posts by keyword
apify call apify/twitter-scraper --input '{"searchTerms": ["keyword"], "maxItems": 100}'

# Instagram profile posts
apify call apify/instagram-scraper --input '{"directUrls": ["https://instagram.com/username"]}'

# TikTok by hashtag
apify call apify/tiktok-scraper --input '{"hashtags": ["hashtag"], "resultsPerPage": 50}'
```
Social content disappears. Archive before you cite.
Archive every post that supports a finding using Skill(spotlight:web-archiving). For social media specifically:
In findings.json, add social media evidence using the standard source schema with type: "social_media":
```json
{
  "url": "https://x.com/username/status/12345",
  "type": "social_media",
  "platform": "X",
  "author": "username",
  "accessed": "2026-03-15T14:20:00Z",
  "archive_url": "https://web.archive.org/web/20260315142200/https://x.com/...",
  "access_method": "full_text",
  "authenticity_flags": ["account created 2026-02-01", "high posting volume"],
  "coordination_signals": []
}
```
Flag findings that rest on socially amplified claims: note in confidence_rationale whether the account shows authenticity red flags or is part of a suspected coordination cluster.
Adapted from claude-skills-journalism by Jay Amditis, released under MIT License. Methodology for account authenticity assessment, coordination detection, and narrative tracking is based on his original social-media-intelligence skill, adapted here for integration with the Spotlight investigation pipeline.
npx claudepluginhub buriedsignals/skills --plugin osint