Advanced ARG (Alternate Reality Game) investigation toolkit for Claude Code. Specialized agents for steganography, cryptanalysis, OSINT, media forensics, web analysis, and timeline reconstruction.
Investigate directly first, search community later. ARGBuster's agents probe, analyze, decode, and follow puzzle chains themselves before looking up existing solutions. This ensures original discovery and avoids spoilers.
ARGBuster uses Claude Code's flat agent architecture β no hierarchical orchestration. Each agent works independently, reports findings with structured output, and recommends which agent Claude Code should spawn next.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β FLAT AGENT ARCHITECTURE β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€ β β β User Request β β β β β βΌ β β βββββββββββ β β β Claude β Decides which specialist to spawn based on input β β β Code β β β ββββββ¬βββββ β β β β β βΌ Spawns ONE agent at a time β β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β β β SELF-SUFFICIENT AGENTS (work independently) β β β β β β β β ββββββββββββ ββββββββββββ ββββββββββββ ββββββββββββ β β β β β stego β β crypto β β osint β β media β β β β β β analyst β β decoder β β recon β β forensic β β β β β ββββββββββββ ββββββββββββ ββββββββββββ ββββββββββββ β β β β ββββββββββββ ββββββββββββ ββββββββββββ β β β β β web β β arg β β timeline β β β β β β analyst β βorchestr. β β reconstr.β β β β β ββββββββββββ ββββββββββββ ββββββββββββ β β β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β β β β β βΌ Returns structured findings β β βββββββββββ β β β Claude β Reads report, decides next agent to spawn β β β Code β β β ββββββ¬βββββ β β β β β βΌ Spawns next recommended agent... β β β β π ~/Downloads/${ARG_NAME}_ARG_Investigation/ β β βββ All findings saved to ARG-specific folder β β β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ | Agent | Model | Color | Purpose |
|---|---|---|---|
| arg-orchestrator | opus | magenta | Investigation guide + direct browser recon |
| web-analyst | opus | blue | HTML source, JavaScript, hidden elements, path fuzzing |
| crypto-decoder | opus | yellow | 50+ cipher types, multi-layer decoding, automated cracking |
| stego-analyst | opus | cyan | LSB extraction, spectrograms, color channel analysis |
| media-forensics | opus | red | File forensics, binwalk, metadata, QR/OCR |
| osint-recon | opus | green | WHOIS, DNS, crt.sh, Wayback Machine, username search |
| timeline-reconstructor | opus | white | Temporal analysis, narrative reconstruction, event correlation |
| Command | Description |
|---|---|
/arg [target] | Full ARG investigation workflow β spawns agents in parallel |
/decode [text] | Quick multi-encoding decode (Base64, ROT, hex, Atbash, Morse, A1Z26) |
/stego:spectrogram [audio] | Generate 5+ spectrogram variants from audio |
/sweep [--install] | Check/install all required ARG analysis tool dependencies |
| Skill | Description |
|---|---|
| arg-patterns | Common ARG hiding techniques and puzzle patterns |
| cipher-identification | Quick cipher type identification by character set |
| puzzle-chain-tracking | Multi-stage investigation state management |
| timeline-reconstruction | Temporal pattern analysis and event correlation |
| Script | Description |
|---|---|
lsb-extract.py | LSB steganography extraction with entropy analysis, sweep mode, bit-plane visualization, zlib decompression, and multiple extraction orders (row/col/zigzag) |
metadata-extract.sh | Comprehensive metadata extraction with SHA256, GPS coordinate extraction, entropy analysis, deep mode, and support for images/audio/video/PDF |
git clone https://github.com/CMLKevin/ClaudeCode_ARGBuster.gitOption A: Run with --plugin-dir
claude --plugin-dir ./ClaudeCode_ARGBusterOption B: Install to local plugins
mkdir -p ~/.claude/plugins/local cp -r ClaudeCode_ARGBuster ~/.claude/plugins/local/arg-investigationThen enable in ~/.claude/settings.json:
{ "enabledPlugins": { "arg-investigation@local": true } }Run the built-in dependency checker:
/sweep --install Or install manually:
# macOS (Homebrew) brew install exiftool binwalk sox ffmpeg zbar tesseract imagemagick foremost mediainfo pngcheck poppler jq wget # Python pip3 install pillowAdd to ~/.claude/settings.json for frictionless investigation:
{ "permissions": { "allow": [ "Bash(curl:*)", "Bash(wget:*)", "Bash(exiftool:*)", "Bash(binwalk:*)", "Bash(sox:*)", "Bash(ffprobe:*)", "Bash(ffmpeg:*)", "Bash(tesseract:*)", "Bash(zbarimg:*)", "Bash(strings:*)", "Bash(xxd:*)", "Bash(file:*)", "Bash(convert:*)", "Bash(dig:*)", "Bash(whois:*)", "Bash(foremost:*)", "Bash(mediainfo:*)", "Bash(pdftotext:*)", "Bash(python3:*)", "Bash(base64:*)", "Bash(md5:*)", "Bash(shasum:*)", "Bash(mkdir:*)", "Bash(brew install:*)", "Bash(pip3 install:*)" ] } }/arg https://mysterious-arg.com /decode SGVsbG8gV29ybGQ= /decode ".... . .-.. .-.. ---" /stego:spectrogram ~/Downloads/mysterious_audio.ogg /sweep /sweep --install python3 scripts/lsb-extract.py image.png --sweep python3 scripts/lsb-extract.py image.png 1 r --mode=col --entropy python3 scripts/lsb-extract.py image.png --bitplane python3 scripts/lsb-extract.py image.png 2 all --decompressbash scripts/metadata-extract.sh suspicious_file.png --deepEach ARG creates its own organized folder:
~/Downloads/${ARG_NAME}_ARG_Investigation/ βββ extracted/ β Downloaded files, binwalk extractions βββ spectrograms/ β Audio spectrograms at multiple ranges βββ clues/ β KEY FINDINGS from all agents β βββ MASTER_INDEX.md β βββ decoded_messages.txt β βββ discovered_urls.txt β βββ hidden_content.txt β βββ encoded_strings.txt βββ timeline/ β Chronological event maps βββ reports/ β Investigation reports βββ logs/ β Raw data dumps - New agent:
timeline-reconstructorfor temporal analysis and narrative reconstruction - New command:
/sweepfor checking and installing all tool dependencies - New skill:
timeline-reconstructionfor temporal pattern analysis - Improved
/decode: Added Atbash, A1Z26, and Morse code decoding; fixed timestamp bug - Improved
lsb-extract.py: Added--sweepmode,--entropyanalysis,--bitplanevisualization,--decompressfor zlib,--mode=col/zigzagextraction orders, file signature detection, email/GPS pattern matching - Improved
metadata-extract.sh: Added SHA256 hashing, GPS coordinate extraction with Google Maps links, entropy analysis, video support, deep mode (--deep), JPEG/PNG EOF data detection, EXIF thumbnail extraction - Fixed:
decode.mdtimestamp bug (was creating multiple output files per run) - Fixed:
stego-analysthardcoded paths now use$ARG_DIRconsistently - Updated: Plugin version and metadata
| Category | Tools |
|---|---|
| Core | exiftool, binwalk, foremost, strings, xxd, file |
| Image | imagemagick (convert), zbar (zbarimg), tesseract, pngcheck |
| Audio/Video | sox, ffmpeg/ffprobe, mediainfo |
| Network | curl, wget, dig, whois, jq |
| Documents | poppler (pdftotext, pdfimages, pdfdetach) |
| Python | pillow (PIL) |
Kevin Lin
MIT