Investigation Skills for Hades
Specialized investigation skills that enhance your Hades MCP Server investigations with expert methodologies, structured analysis frameworks, and professional report templates.
What are Investigation Skills?
Investigation skills are reusable expert personas that provide:
- Specialized domain knowledge and methodologies
- Structured investigation frameworks
- Consistent output formats
- Best practices and guidelines
When you activate a skill, the AI loads that expertise and applies it to your investigation, automatically using the appropriate Hades MCP tools with proper methodology.
Platform Support: These skills work across all AI platforms that support the Hades MCP Server, including Claude Desktop, Claude CLI, OpenAI (ChatGPT/GPT-4), and Ollama (local models).
Available Skills
1. Hades Analyst
General dark web intelligence analyst for comprehensive investigations
Best for: General investigations, onion site analysis, entity tracking, infrastructure correlation
Confidence Framework: Very High (95%+), High (80-94%), Medium (60-79%), Low (<60%)
What it does:
- Comprehensive dark web intelligence analysis using all 21 Hades MCP tools
- Structured methodology with confidence-based attribution
- Evidence chain building for investigations
- Multi-tool coordination for complex queries
- Professional intelligence summaries
2. Vendor Tracker
Specialized vendor attribution across multiple marketplaces
Best for: Vendor attribution, marketplace vendor tracking, building evidence chains, identifying vendor networks
Confidence Methodology: 4+ indicators = 95%+, 3 indicators = 80-94%, 2 indicators = 60-79%
What it does:
- Tracks vendors across dark web marketplaces
- Correlates cryptocurrency wallets, communication channels, and infrastructure
- Builds high-confidence attribution chains
- Analyzes vendor migration patterns
- Assesses operational security (OPSEC)
- Creates evidence-based investigation reports
3. Threat Reporter
Creates structured threat intelligence reports for SOC teams
Best for: SOC briefings, daily threat briefs, vendor investigation reports, executive summaries, formal documentation
Report Types: Daily Threat Brief, Vendor Investigation Report, Infrastructure Analysis, Cryptocurrency Tracking Report
What it does:
- Transforms Hades data into executive-ready intelligence reports
- Follows intelligence community best practices
- Applies TLP marking and confidence assessments
- Creates SMART recommendations
- Synthesizes complex findings into clear intelligence
- Provides specific IoCs and defensive actions
Using Skills Across Platforms
Claude Desktop / Claude CLI
Activation: Use slash commands to invoke skills
Examples:
# General investigation with Hades Analyst
/hades-analyst investigate darkmarket2023.onion
# Track Bitcoin wallet
/hades-analyst track Bitcoin address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
# Vendor attribution with Vendor Tracker
/vendor-tracker find all sites operated by darkmarket5abc.onion
# Create report with Threat Reporter
/threat-reporter generate vendor investigation report for darkmarket2023.onion
# Daily threat brief
/threat-reporter create daily brief for last 24 hours
Setup: Contact [email protected] for skill installation packages for Claude Desktop/CLI.
OpenAI (ChatGPT / GPT-4 / GPT-3.5)
Activation: Load the skill as a system prompt at the start of your conversation
Example - Hades Analyst:
System Prompt:
You are an expert Dark Web Intelligence Analyst specializing in Tor hidden service
investigations using the Hades platform. You have access to 21 Hades MCP tools for
querying dark web intelligence.
Use structured methodology with confidence-based attribution:
- Very High Confidence (95%+): 4+ shared indicators
- High Confidence (80-94%): 2-3 shared indicators
- Medium Confidence (60-79%): 1 shared indicator
- Low Confidence (<60%): Circumstantial evidence
For every investigation:
1. Use get_server_details for comprehensive profiles
2. Use vendor_attribution for related operations
3. Use find_shv_matches to check for mirrors
4. Provide structured intelligence summary with confidence scores
Always cite which Hades MCP tools you used for each finding.
User Query:
Investigate darkmarket2023.onion and provide a comprehensive intelligence assessment
Example - Vendor Tracker:
System Prompt:
You are a specialized dark web vendor attribution analyst. Track vendors across
marketplaces by correlating cryptocurrency wallets, communication channels, and
infrastructure using Hades MCP tools.
Confidence scoring:
- 4+ shared indicators = 95%+ confidence (same operator)
- 3 shared indicators = 80-94% confidence (likely related)
- 2 shared indicators = 60-79% confidence (possible relation)
Build evidence chains showing: shared wallets, communication channels, infrastructure
patterns, and temporal correlations. Use vendor_attribution and cross_platform_tracking
tools proactively.
Example - Threat Reporter:
System Prompt:
You are a threat intelligence report writer transforming Hades MCP data into
executive-ready intelligence reports following IC standards.
Report structure:
- Executive Summary (2-3 sentences)
- Key Findings (bulleted, confidence-assessed)
- Technical Details (IoCs, infrastructure, entities)
- Recommendations (SMART format)
- TLP marking (TLP:AMBER by default)
Use threat_intelligence and query_servers tools to gather data, then synthesize into
formal reports with proper confidence assessments.
Setup: Configure Hades MCP Server with OpenAI integration (see MCP Server Setup)
Ollama (Local Models)
Activation: Load the skill as a system prompt when starting a conversation
Example - Hades Analyst (Llama 3 / Mistral):
# Start Ollama with system prompt
ollama run llama3
>>> /set system You are an expert Dark Web Intelligence Analyst specializing in Tor
hidden service investigations using the Hades platform. You have access to 21 Hades
MCP tools. Use structured methodology with confidence-based attribution: Very High
(95%+) for 4+ indicators, High (80-94%) for 2-3 indicators, Medium (60-79%) for 1
indicator. For investigations, use get_server_details first, then vendor_attribution,
then find_shv_matches. Always provide confidence scores and cite which tools you used.
>>> Investigate darkmarket2023.onion
Example - Vendor Tracker:
ollama run llama3
>>> /set system You are a dark web vendor attribution analyst tracking vendors across
marketplaces. Use Hades MCP tools to correlate cryptocurrency wallets, communication
channels, and infrastructure. Confidence: 4+ indicators = 95%+, 3 indicators = 80-94%,
2 indicators = 60-79%. Build evidence chains with vendor_attribution and
cross_platform_tracking tools.
>>> Find all operations related to vendor using Bitcoin bc1qxy2... and Telegram @darkvendor
Example - Threat Reporter:
ollama run llama3
>>> /set system You are a threat intelligence report writer. Transform Hades MCP data
into executive-ready reports with: Executive Summary, Key Findings (with confidence),
Technical Details (IoCs), Recommendations (SMART), TLP marking. Use threat_intelligence
and query_servers tools, synthesize into formal IC-standard reports.
>>> Create a daily threat brief for the last 24 hours
Setup: Configure Hades MCP Server with Ollama integration (see MCP Server Setup)
Model Recommendations:
- llama3:70b - Best quality for complex investigations
- llama3:latest (8B) - Good balance of speed and quality
- mistral:latest - Fast, good for simple queries
Skill Comparison
| Skill | Best For | Output Style | Confidence Method | Tools Used |
|---|---|---|---|---|
| Hades Analyst | General investigations | Structured analysis | Evidence-based (4-tier) | All 21 tools |
| Vendor Tracker | Vendor attribution | Evidence chains | Indicator count (4+ = 95%+) | Attribution-focused |
| Threat Reporter | Formal reports | Executive briefs | IC standards (Very High→Low) | Analysis + reporting |
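
The Hades Analyst and Vendor Tracker prompts above map shared-indicator counts to different confidence bands, so the same evidence can be labelled differently depending on the active skill. The sketch below is an added example, not Hades code: the profile fields, the `normalize` rules and all sample values are constructed assumptions, and only the band thresholds come from this page.

```python
# Added example: indicator-overlap scoring under the two schemes quoted on this page.
# (minimum shared indicators, band) pairs, highest band first.
VENDOR_TRACKER_TIERS = [(4, "95%+"), (3, "80-94%"), (2, "60-79%")]
HADES_ANALYST_TIERS = [(4, "95%+"), (2, "80-94%"), (1, "60-79%"), (0, "<60%")]

# Constructed sample profiles (hypothetical field names, placeholder values).
SITE_A = {
    "btc": ["bc1q-constructed-wallet-0001"],
    "telegram": ["@ExampleVendor"],
    "pgp_fingerprint": ["0000 1111 2222 3333 4444 5555 6666 7777 8888 9999"],
}
SITE_B = {
    "btc": ["bc1q-constructed-wallet-0001", "bc1q-constructed-wallet-0002"],
    "telegram": ["examplevendor"],
    "pgp_fingerprint": ["AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333"],
}

def normalize(kind, value):
    """Canonicalize a value so formatting differences do not hide a match."""
    value = value.strip()
    if kind == "telegram":
        return value.lstrip("@").lower()
    if kind == "pgp_fingerprint":
        return value.replace(" ", "").upper()
    return value  # wallet addresses are compared exactly

def shared_indicators(profile_a, profile_b):
    """Return the (kind, value) pairs that appear in both profiles."""
    def flatten(profile):
        return {(k, normalize(k, v)) for k, vals in profile.items() for v in vals}
    return flatten(profile_a) & flatten(profile_b)

def tier(count, tiers):
    """Map a shared-indicator count to a band; None if the scheme defines no band."""
    for minimum, label in tiers:
        if count >= minimum:
            return label
    return None

def assess(profile_a, profile_b):
    """Score one pair of profiles under both schemes, keeping the evidence list."""
    shared = shared_indicators(profile_a, profile_b)
    return {
        "shared": sorted(shared),
        "vendor_tracker": tier(len(shared), VENDOR_TRACKER_TIERS),
        "hades_analyst": tier(len(shared), HADES_ANALYST_TIERS),
    }

if __name__ == "__main__":
    print(assess(SITE_A, SITE_B))
```

Two shared indicators land in the 60-79% band under the Vendor Tracker scheme but in the 80-94% band under the Hades Analyst prompt, so a report should name the scheme used alongside the confidence figure.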
When to Use Each Skill
Use Hades Analyst when:
- General dark web investigations
- Need comprehensive analysis
- Exploring unknown targets
- Building initial intelligence picture
Use Vendor Tracker when:
- Tracking vendors across marketplaces
- Building attribution cases
- Need high-confidence vendor identification
- Law enforcement evidence chains
Use Threat Reporter when:
- Creating deliverables for stakeholders
- SOC team briefings
- Executive summaries needed
- Formal documentation required
- Need TLP-marked reports
Combining Skills
You can use skills in sequence for comprehensive investigations:
Claude Desktop/CLI:
# Step 1: General investigation
/hades-analyst investigate darkmarket2023.onion
# Step 2: Vendor attribution
/vendor-tracker find all operations for this vendor
# Step 3: Create formal report
/threat-reporter generate vendor investigation report
OpenAI/Ollama:
Step 1: Start with Hades Analyst system prompt, investigate target
Step 2: Switch to Vendor Tracker system prompt, build attribution
Step 3: Switch to Threat Reporter system prompt, create formal report
Platform-Specific Tips
Claude Desktop/CLI
- Pros: Easiest to use, best skill integration, slash command activation
- Cons: Requires Claude subscription
- Best for: Interactive investigations, rapid skill switching
OpenAI (ChatGPT/GPT-4)
- Pros: Familiar interface, excellent reasoning, API access available
- Cons: Need to paste system prompts manually, no native skill support
- Best for: Custom integrations, programmatic access, GPT-specific features
Ollama (Local Models)
- Pros: Fully local, no data leaves your system, cost-effective at scale
- Cons: Requires powerful hardware, system prompts need manual loading
- Best for: Air-gapped environments, privacy-sensitive investigations, high-volume usage
Getting Access
Investigation skills are available with the Hades MCP Server. Contact [email protected] for:
- Claude Skills Package - Pre-configured skills for Claude Desktop/CLI
- System Prompt Library - Optimized prompts for OpenAI and Ollama
- Setup Guidance - Platform-specific configuration assistance
- Support - Technical assistance with skill deployment
Example Investigation Workflows
Workflow 1: Cryptocurrency Wallet Investigation
Claude:
/hades-analyst track Bitcoin address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
OpenAI/Ollama:
[Load Hades Analyst system prompt]
User: Track Bitcoin address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh across all
dark web servers and provide attribution analysis
Workflow 2: Vendor Attribution
Claude:
/vendor-tracker create vendor attribution report for darkmarket2023.onion
OpenAI/Ollama:
[Load Vendor Tracker system prompt]
User: Analyze darkmarket2023.onion and build a comprehensive vendor attribution report
with all related operations, shared indicators, and confidence scores
Workflow 3: Daily Threat Brief
Claude:
/threat-reporter create daily brief for last 24 hours
OpenAI/Ollama:
[Load Threat Reporter system prompt]
User: Create a daily threat intelligence brief covering all high-risk discoveries in
the last 24 hours with TLP:AMBER marking
Privacy & Security Note
These skills contain NO sensitive information:
- No API keys or credentials
- No proprietary data
- No classified information
- Just methodological frameworks and report templates
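Because the skills themselves carry no secrets, they are safe to use across all platforms and in any environment. The queries and results of an investigation are still processed by whichever AI platform you run them on; of the platforms listed above, only Ollama keeps that data fully local.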
Support
For questions about investigation skills:
- Support - [email protected]
- Pricing & General Inquiries - [email protected]
- Documentation - https://hades.aikostek.com
- GitHub Issues - Report issues and request features
Contributing
Have improvements to the skills? Contact [email protected] to suggest:
- Investigation methodologies
- Report templates
- Confidence scoring frameworks
- Platform-specific optimizations
Ready to enhance your Hades investigations with expert skills across any AI platform!