DEV Community

Cover image for Tool #23: Teaching Halo to Play Detective with Sherlock
XenoCoreGiger31
XenoCoreGiger31

Posted on

Tool #23: Teaching Halo to Play Detective with Sherlock

The short version:

Yesterday I added Sherlock as the 23rd tool integration into Halo’s mcp_server.py, tagged the release v0.2.0, and sorted out a nagging git remote issue in the process (turns out origin had drifted — it’s correctly pointed at GEMMA-by-GOOGLE again). Small housekeeping win, big capability unlock.
If you’re new here: Halo (formerly PenMaster) is the autonomous pentesting agent I’ve been building solo over the last year — a Flask-based MCP server that exposes a growing arsenal of security tools to an LLM-driven agent loop, so it can plan, execute, and reason through an engagement on its own.

Why Sherlock?

Every pentest — automated or human-driven — benefits from a solid reconnaissance phase before the loud stuff (scanning, brute-forcing, exploitation) even starts. Up to now, Halo’s recon toolkit leaned heavily on infrastructure-side tools: subfinder, httpx, nuclei, katana, ffuf. Great for mapping attack surface, but blind to the human side of a target — usernames, aliases, and the digital footprint that comes with them.
That’s exactly Sherlock’s lane. Point it at a username, and it sweeps a huge swath of the web — dozens upon dozens of platforms — checking for account presence in a fraction of the time a human analyst would need to do it by hand. For an agent trying to build a complete picture of a target organization or individual, that’s a meaningful new signal source feeding into the decision loop. 87 platforms isn't a stopping point by design. Sherlock does much - much more in its capabilities. It simply depends on how many spaces the target username is found. In a previous test the target username was found on 92 separate platforms.

What changed under the hood

• mcp_server.py now exposes Sherlock as a first-class tool, joining the existing lineup (nmap, masscan, sqlmap, nikto, hydra, gobuster, enum4linux, medusa, ncrack, searchsploit, subfinder, nuclei, katana, ffuf, httpx, and more).
• Version bump to v0.2.0 — 23 tools now sit behind the agent’s decision-making, all routed through the same failure-caching layer (agent_cache.py) so a bad Sherlock run on one engagement won’t quietly blacklist it on the next engagement.
Enter fullscreen mode Exit fullscreen mode

Why this matters for the bigger picture

Halo’s whole thesis is that an LLM-driven agent can chain reconnaissance, scanning, and exploitation tools together the way a human operator would — building context, avoiding repeated dead ends, and escalating intelligently. Every new tool isn’t just “one more integration,” it’s one more dimension of the target the agent can reason about before it acts.
OSINT-level username recon is a small piece, but it’s the kind of piece that makes the difference between an agent that scans a target and one that actually understands it.

RESULTS:

sherlock torvalds --print-found --output sherlock_results.txt

[*] Checking username torvalds on:

[+] 9GAG: https://www.9gag.com/u/torvalds
[+] Arduino Forum: https://forum.arduino.cc/u/torvalds/summary
[+] Audiojungle: https://audiojungle.net/user/torvalds
[+] BitBucket: https://bitbucket.org/torvalds/
[+] Bluesky: https://bsky.app/profile/torvalds.bsky.social
[+] Chess: https://www.chess.com/member/torvalds
[+] Codeberg: https://codeberg.org/torvalds
[+] Codecademy: https://www.codecademy.com/profiles/torvalds
[+] Codechef: https://www.codechef.com/users/torvalds
[+] Codeforces: https://codeforces.com/profile/torvalds
[+] DailyMotion: https://www.dailymotion.com/torvalds
[+] DeviantArt: https://www.deviantart.com/torvalds
[+] Discord: https://discord.com
[+] Disqus: https://disqus.com/torvalds
[+] Docker Hub: https://hub.docker.com/u/torvalds/
[+] Dribbble: https://dribbble.com/torvalds
[+] Duolingo: https://www.duolingo.com/profile/torvalds
[+] Flickr: https://www.flickr.com/people/torvalds
[+] Flipboard: https://flipboard.com/@torvalds
[+] Freelancer: https://www.freelancer.com/u/torvalds
[+] Freesound: https://freesound.org/people/torvalds/
[+] GitHub: https://www.github.com/torvalds
[+] Gitea: https://gitea.com/torvalds
[+] Gitee: https://gitee.com/torvalds
[+] Hackaday: https://hackaday.io/torvalds
[+] HackerRank: https://hackerrank.com/torvalds
[+] Hive Blog: https://hive.blog/@torvalds
[+] HudsonRock: https://cavalier.hudsonrock.com/api/json/v2/osint-tools/search-by-username?username=torvalds
[+] Hugging Face: https://huggingface.co/torvalds
[+] IFTTT: https://www.ifttt.com/p/torvalds
[+] Imgur: https://imgur.com/user/torvalds
[+] Instagram: https://instagram.com/torvalds
[+] kaskus: https://www.kaskus.co.id/@torvalds
[+] Keybase: https://keybase.io/torvalds
[+] Kick: https://kick.com/torvalds
[+] Launchpad: https://launchpad.net/~torvalds
[+] Lichess: https://lichess.org/@/torvalds
[+] LiveJournal: https://torvalds.livejournal.com
[+] Medium: https://medium.com/@torvalds
[+] Memrise: https://www.memrise.com/user/torvalds/
[+] MixCloud: https://www.mixcloud.com/torvalds/
[+] Naver: https://blog.naver.com/torvalds
[+] Pastebin: https://pastebin.com/u/torvalds
[+] Patreon: https://www.patreon.com/torvalds
[+] Periscope: https://www.periscope.tv/torvalds/
[+] pixelfed.social: https://pixelfed.social/torvalds/
[+] Plurk: https://www.plurk.com/torvalds
[+] Pokemon Showdown: https://pokemonshowdown.com/users/torvalds
[+] Redbubble: https://www.redbubble.com/people/torvalds
[+] RubyGems: https://rubygems.org/profiles/torvalds
[+] Scratch: https://scratch.mit.edu/users/torvalds
[+] Snapchat: https://www.snapchat.com/add/torvalds
[+] SoundCloud: https://soundcloud.com/torvalds
[+] SpaceHey: https://spacehey.com/torvalds
[+] Steam Community (User): https://steamcommunity.com/id/torvalds/
[+] Substack: https://torvalds.substack.com/
[+] TETR.IO: https://ch.tetr.io/u/torvalds
[+] TheMovieDB: https://www.themoviedb.org/u/torvalds
[+] TikTok: https://www.tiktok.com/@torvalds
[+] Telegram: https://t.me/torvalds
[+] ThemeForest: https://themeforest.net/user/torvalds
[+] TradingView: https://www.tradingview.com/u/torvalds/
[+] Twitch: https://www.twitch.tv/torvalds
[+] Trovo: https://trovo.live/s/torvalds/
[+] VK: https://vk.com/torvalds
[+] VirusTotal: https://www.virustotal.com/gui/user/torvalds
[+] Wikipedia: https://en.wikipedia.org/wiki/Special:CentralAuth/torvalds?uselang=qqx
[+] WordPress: https://torvalds.wordpress.com/
[+] Wykop: https://www.wykop.pl/ludzie/torvalds
[+] Xbox Gamertag: https://xboxgamertag.com/search/torvalds
[+] couchsurfing: https://www.couchsurfing.com/people/torvalds
[+] datingRU: http://dating.ru/torvalds
[+] devRant: https://devrant.com/users/torvalds
[+] drive2: https://www.drive2.ru/users/torvalds
[+] fl: https://www.fl.ru/users/torvalds
[+] geocaching: https://www.geocaching.com/p/default.aspx?u=torvalds
[+] habr: https://habr.com/ru/users/torvalds
[+] jbzd.com.pl: https://jbzd.com.pl/uzytkownik/torvalds
[+] jeuxvideo: https://www.jeuxvideo.com/profil/torvalds
[+] last.fm: https://last.fm/user/torvalds
[+] livelib: https://www.livelib.ru/reader/torvalds
[+] osu!: https://osu.ppy.sh/users/torvalds
[+] pikabu: https://pikabu.ru/@torvalds
[+] Pinterest: https://www.pinterest.com/torvalds/
[+] threads: https://www.threads.net/@torvalds
[+] tumblr: https://torvalds.tumblr.com/
[+] Wowhead: https://wowhead.com/user=torvalds

[*] Search completed with 87 results

What’s next
Tool #23 is shipped, but the to-do list hasn’t slowed down — cache cleanup, wordlist reviews, and a README overhaul are all queued up next, along with evaluating a couple of community projects for tools worth cherry-picking into the server. More on that soon.
For now: 23 tools, one agent, zero manual recon. Onward.

Top comments (1)

Collapse
 
xenocoregiger31 profile image
XenoCoreGiger31

Welcoming ideas, comments and contributions to the discussion.