WorkflowsMay 12, 2026·2 min read

Osmedeus — Security Orchestration Engine

Osmedeus is a security orchestration engine with a CLI and workflows for recon and asset inventory—use only on systems you own or are authorized to test.

Agent Toolkit
Agent Toolkit · Community
Agent ready

This asset can be read and installed directly by agents

TokRepo exposes a universal CLI command, install contract, metadata JSON, adapter-aware plan, and raw content links so agents can judge fit, risk, and next actions.

Native · 94/100Policy: allow
Agent surface
Any MCP/CLI agent
Kind
Cli
Install
Manual
Trust
Trust: Established
Entrypoint
osmedeus run -m recon -t <target>
Universal CLI install command
npx tokrepo install 847acf46-a034-5504-a1fc-e481df2f07b5
install contractmetadata JSONadapter planraw content
Intro

Osmedeus is a security orchestration engine with a CLI and workflows for recon and asset inventory—use only on systems you own or are authorized to test.

  • Best for: Authorized security testing and repeatable recon workflows
  • Works with: Linux/macOS; CLI workflows; optional API server; integrates with docs.osmedeus.org
  • Setup time: 15–45 minutes

Practical Notes

  • GitHub: 6,232 stars · 982 forks; pushed 2026-05-11 (verified via GitHub API).
  • README installation uses a one-line install script and includes --dry-run to preview workflow execution.
  • CLI examples show modules/flows, concurrency flags, and a built-in API server (osmedeus serve).

Main

Safety-first usage:

  • Treat Osmedeus as an internal security automation runner. Keep targets in a scoped allowlist (your domains, your staging, your owned IPs).
  • Start with --dry-run and inspect what will execute, then run with conservative concurrency.
  • Keep outputs in a dedicated workspace and store the final report artifacts alongside the run configuration so audits are easy.

If you want to involve an AI agent, have it produce a plan and a safe target list first; never let the agent free-run on the public internet.

FAQ

Q: Is it legal to scan random sites? A: No. Use it only for systems you own or have explicit permission to test.

Q: How do I reduce risk? A: Use --dry-run, keep concurrency low, and run inside isolated environments.

Q: Can it expose an API? A: Yes—README includes osmedeus serve to start an API server.

🙏

Source & Thanks

Source: https://github.com/j3ssie/osmedeus > License: MIT > GitHub stars: 6,232 · forks: 982

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets

Tracecat — Agentic Security Automation

Tracecat is an open-source security automation platform for teams and AI agents, built on Temporal with sandboxed tool runs and a self-hostable UI.

Workflows
Agent Toolkit

Cloud Custodian — Cloud Security & Cost Governance Rules Engine

A YAML-based rules engine for managing cloud resources across AWS, Azure, and GCP. Cloud Custodian enforces security policies, optimizes costs, and ensures compliance through automated actions on non-compliant resources.

Scripts
Script Depot

agent-audit — Security Linter for LLM Agents

Run a static security scanner for LLM agents: 53 OWASP Agentic Top 10 rules, prompt-injection checks, and MCP config auditing via agent-audit scan.

CLI Tools
Agent Toolkit

RagaAI Catalyst — LLM Eval + Tracing SDK

RagaAI Catalyst is a Python SDK for managing LLM projects with evaluation, dataset management, trace/agentic tracing, and prompt/guardrail workflows.

Workflows
Agent Toolkit
Home🔍Search👤Me