Reverse-engineer a company's sales and marketing tech stack from public signals. Detects CRMs, cold email tools, people databases, ad pixels, email delivery services, and outbound sending domains via DNS records, website source inspection, Apify technology profiling, blacklist checks, and public spam complaint searches. Works on single companies or batches. Outputs a structured markdown report per company.
npx gooseworks install --all # then, in Claude Code, Cursor, or Codex: /gooseworks use the tech-stack-teardown skill
Reverse-engineer a company's sales, marketing, and outbound infrastructure from public signals. No login, no API access to their tools needed — everything is derived from DNS records, website source code, technology profiling, blacklist databases, and public complaints.
| Category | Tools Detected |
|---|---|
| CRM | HubSpot, Salesforce (via SPF, website pixels, DNS) |
| Cold Email Tools | Smartlead, Instantly, Outreach, Salesloft, Lemlist (via SPF, DKIM, TXT records, website source) |
| People Databases | Apollo, ZoomInfo, Clearbit, 6sense (via website tracker scripts) |
| Email Delivery | SendGrid, Amazon SES, Postmark, Mailgun, Mandrill (via SPF includes, DKIM selectors) |
| Email Marketing | Mailchimp, Brevo, ActiveCampaign, Klaviyo (via DKIM selectors) |
| Ad Retargeting | LinkedIn Insight Tag, Facebook Pixel, AdRoll, Reddit Ads, Twitter Ads (via Apify profiler + source) |
| Website Builder | Webflow, Framer, Next.js, WordPress (via Apify profiler + source) |
| Chat / Support | Intercom, Drift, Crisp, Zendesk (via website source) |
| Analytics | Google Analytics, Segment, Mixpanel, Amplitude, PostHog, Heap (via website source) |
| Outbound Domains | Separate cold sending domains (via SPF-only Google Workspace + redirect to primary) |
The skill runs 5 layers of detection, each revealing different signals:
MX → Primary email provider (Google Workspace, Microsoft 365, etc.)
SPF → Every service authorized to send email on their behalf
DKIM → Cryptographic proof of which tools actually send email
DMARC → Email authentication policy (how strict they are)
TXT → Misc verifications (Smartlead tracking domains, tool verifications)
CNAME → Subdomains pointing to third-party servicesThis is the highest-signal layer. SPF and DKIM don't lie — if SendGrid is in their SPF, they use SendGrid.
Fetches the target website and searches HTML for:
Runs justa/technology-profiling-engine actor for deep detection of 7,000+ technologies using 8-tier inspection with confidence scores. Catches tools that don't appear in source code (loaded dynamically, via GTM, etc.).
Queries 6 major DNS-based blacklists:
Web searches for spam complaints on Trustpilot, Reddit, SpamCop forums, and general web. Also searches for the company + tool names to find public mentions of their stack.
| Component | Cost |
|---|---|
| DNS queries | Free |
| Website source fetch | Free |
| Blacklist checks | Free |
| Web searches | Free |
| Apify Technology Profiler | ~$0.005 per domain |
Typical costs:
| Scenario | Domains | Est. Cost |
|---|---|---|
| Single company | 1 | ~$0.005 |
| Small batch | 5 | ~$0.025 |
| Large batch | 20 | ~$0.10 |
Skip the Apify profiler with --no-apify for free-only analysis (DNS + source + blacklists).
# dig (DNS lookups) — included on macOS/Linux
which dig
# curl (website source fetch) — included on macOS/Linux
which curl
# Python 3 with requests + dotenv
pip3 install requests python-dotenv# Get your token at https://console.apify.com/account/integrations
# Add to .env:
APIFY_API_TOKEN=apify_api_YOUR_TOKEN_HEREpython3 scripts/recon.py --domains pump.copython3 scripts/recon.py --domains "dili.ai,pump.co,runautomat.com"python3 scripts/recon.py --domains pump.co --no-apifypython3 scripts/recon.py --domains "dili.ai,pump.co" --output /path/to/report.mdpython3 scripts/recon.py --domains pump.co --jsonFor each domain:
When using this skill as an agent, follow this flow:
recon.py for all domains (confirm Apify cost if > 5 domains)The agent can perform all checks manually using built-in tools:
DNS checks — Use Bash tool:
dig +short MX example.com
dig +short TXT example.com
dig +short TXT _dmarc.example.com
dig +short TXT selector._domainkey.example.com
dig +short CNAME subdomain.example.comWebsite source scan — Use Bash tool:
curl -sL https://www.example.com | grep -oi 'pattern1\|pattern2\|pattern3' | sort -uBlacklist checks — Use Bash tool:
dig +short example.com.zen.spamhaus.org AApify profiler — Use Bash tool with Python:
# See scripts/recon.py for the full implementationSpam complaints — Use WebSearch tool:
"example.com" spam OR unsolicited OR "cold email" OR blacklist| SPF Include | Tool |
|---|---|
_spf.google.com | Google Workspace |
spf.protection.outlook.com | Microsoft 365 |
sendgrid.net | SendGrid |
amazonses.com | Amazon SES |
*.hubspotemail.net | HubSpot |
*.rsgsv.net or servers.mcsv.net | Mailchimp/Mandrill |
spf.mandrillapp.com | Mandrill (Mailchimp transactional) |
mail.zendesk.com | Zendesk |
*.freshdesk.com | Freshdesk |
spf.mailjet.com | Mailjet |
spf.brevo.com | Brevo (Sendinblue) |
_spf.salesforce.com | Salesforce |
mktomail.com | Marketo |
postmarkapp.com | Postmark |
mailgun.org | Mailgun |
| Selector Pattern | Tool |
|---|---|
google._domainkey | Google Workspace |
selector1._domainkey / selector2._domainkey | Microsoft 365 |
s1._domainkey / s2._domainkey → *.sendgrid.net | SendGrid |
k1._domainkey → *.mcsv.net or dkim.mcsv.net | Mailchimp |
k2._domainkey / k3._domainkey → dkim2.mcsv.net / dkim3.mcsv.net | Mailchimp |
mandrill._domainkey | Mandrill |
pm._domainkey | Postmark |
smtp._domainkey | Generic SMTP |
em._domainkey | Various (check CNAME target) |
| TXT Pattern | Tool |
|---|---|
open.sleadtrack.com | Smartlead (custom tracking domain) |
hubspot-developer-verification=* | HubSpot |
anthropic-domain-verification-* | Anthropic (Claude) |
MS=* | Microsoft 365 |
google-site-verification=* | Google Search Console |
slack-domain-verification=* | Slack |
atlassian-domain-verification=* | Atlassian (Jira/Confluence) |
docusign=* | DocuSign |
facebook-domain-verification=* | Facebook/Meta |
_github-pages-challenge-* | GitHub Pages |
stripe-verification=* | Stripe |
| Pattern in HTML | Tool |
|---|---|
assets.apollo.io/micro/website-tracker | Apollo.io (visitor tracking) |
hs-script or js.hs-scripts.com | HubSpot |
px.ads.linkedin.com | LinkedIn Insight Tag |
connect.facebook.net or fbq( | Facebook Pixel |
snap.licdn.com | LinkedIn Insight Tag |
cdn.segment.com | Segment |
cdn.mxpnl.com or mixpanel | Mixpanel |
cdn.amplitude.com | Amplitude |
app.posthog.com or posthog | PostHog |
widget.intercom.io | Intercom |
js.driftt.com | Drift |
client.crisp.chat | Crisp |
static.zdassets.com | Zendesk |
s3-us-west-2.amazonaws.com + reb2b | REB2B |
clearbit.com/tag.js or reveal | Clearbit Reveal |
6sc.co or 6sense | 6sense |
tag.demandbase.com | Demandbase |
d.adroll.com | AdRoll |
googletagmanager.com | Google Tag Manager |
gtag('config', 'G-*') | Google Analytics 4 |
A separate domain is being used for cold email if it has:
_spf.google.com (sending from raw mailboxes)[brand]reach.com, get[brand].com, try[brand].com, meet[brand].com, [brand]hq.com| Policy | Meaning | Assessment |
|---|---|---|
p=reject | Reject unauthenticated email | Strong — best practice |
p=quarantine | Send to spam if unauthenticated | Good — enforcing |
p=none | Monitor only, don't enforce | Weak — anyone can spoof the domain |
| No DMARC record | No policy at all | Missing — wide open to spoofing |
open.sleadtrack.com in TXT records or website source as confirmation..co, .com, .io.Render a 'model comparison grid' video from a config — a fal-style "same prompt, N contenders" showcase — a dark real-DOM stage where per beat a monospace prompt fades in centered, docks to a small top strip, then a labeled 2-4 panel grid (static images OR muted video clips, mixable per cell) staggers in and holds for comparison, plus a minimal end card — frame-stepped via Playwright (video cells are frame-seeked deterministically) and encoded with FFmpeg. Deterministic assembly, FREE (cell media comes from create-image-fal / create-video-fal, music from create-music-elevenlabs), text stays pixel-crisp. Use for the model-comparison-grid format.
Render a punchy ~12s vertical (9:16) music-only direct-response OFFER ad as a 4-beat kinetic-typography film — HEADLINE slam → real PRODUCT drop → CLAIM/proof → CTA pill — from one config of copy slots, a real product photo, a brand palette, fonts, bpm, and beat split. DETERMINISTIC + FREE (a bundled Remotion project; springs + interpolate, no AI-gen for visuals). Backgrounds are engine gradient divs off the palette, props are inline SVG, the ONLY composited bitmap is the REAL product photo (objectFit:contain, never stretched), and ALL headline/claim/CTA/URL/wordmark text is typeset in the engine — never AI-rendered (the format's credibility guard). A driver binds the config to Remotion input props, renders the 9:16 master, and derives a 1:1 center-crop with ffmpeg. Two gating checks run before render (claim verbs must match the product's physical format; the claim beat needs an edge-entry mechanism prop). Use for the motion-graphics-offer-ad format.
Assemble a myth-vs-fact kinetic-typography explainer video ad (≈29.5s, 9:16) from N myth/fact pairs + hook / turn / punch copy + palette + a brand end-card PNG + a VO track — a hook, 3 red-strike MYTH cards that flip to teal-check FACT cards (per-line strikethrough that crosses EVERY wrapped line), a "what actually works" turn, an optional proof reveal, a punch line, and a static end card. DETERMINISTIC assembly with ZERO AI-gen visuals — HTML hyperframes rendered frame-exact via Playwright (`window.renderAt(t)`, animation a pure function of beat-local time), Whisper beat-snap to VO word onsets, concat at a uniform fps, karaoke `.ass` captions burned last (suppressed on the proof + end-card beats), and a VO + optional music mix (music −20 dB, `amix normalize=0`, tail fade). FREE (Python + Playwright + ffmpeg); the recipe supplies the copy / palette / end-card / VO and gates the paid VO / music / Whisper calls to their own capabilities. Use for the myth-vs-fact format.