A set of browser bookmarklets that turn social-media pages into one-window OSINT toolkits.
Each bookmarklet drops a draggable, tabbed window onto the current page that pulls every useful OSINT signal it can find — IDs, profile pictures, banners, timestamps, post grids, collaborators, cross-platform pivots — out of page source, DOM, and platform APIs.
The site at bookmarklets.notalex.sh auto-discovers every .js file in bookmarklets/, parses its // title: and // description: lines, runs the source through Markletsmith-style minification, and renders each one as a miniature of its actual in-page window with a real, compiled javascript:… drag button.
| File | Title | Description | Account needed? |
|---|---|---|---|
instagram/master.js |
Instagram Profile OSINT | Runs on an Instagram profile. Returns IDs, location, HD pic (live-scraped GraphQL doc_id), post-grid timestamps, collab links, anonymous story reels, and cross-platform pivots. | Logged in for HD pic, posts pagination, collabs, and stories. About tab works logged-out on public profiles. |
facebook/master.js |
Facebook Profile OSINT | Runs on a Facebook profile. Returns IDs, unmasked og:image profile photo, full-res cover banner, name search, and cross-platform pivots. | Logged in — Facebook only embeds profile ID + og: meta tags in the DOM for authenticated viewers. fbclarity offered as an anonymous fallback. |
facebook/expand-comments.js |
Facebook Comments OSINT | Runs on a Facebook post. Unfolds every hidden, collapsed, and 'See more' comment or reply, multi-language and recursive. | Logged in — "All comments" sort, hidden-comment reveal, and reply loaders are only rendered for authenticated viewers. |
x/master.js |
X Profile OSINT | Runs on an X profile. Returns banner-derived user ID, snowflake-decoded profile-pic upload time, max-res banner and avatar, and pivot links. | Logged in — on most profiles the banner, avatar, and header metadata are only rendered for authenticated viewers. |
youtube/master.js |
YouTube Channel OSINT | Runs on a YouTube channel or video. Returns IDs, max-res banner and avatar, exact upload times, plus Filmot, Geofind, and Socialblade deep links. | None — YouTube renders channel + video metadata for logged-out viewers. |
Anonymous by design: the Instagram stories tab reads the active reel without firing the seen-mutation, so the account owner never sees you in their viewer list. (You still need to be logged in to instagram.com to hit the endpoint — but the read is invisible.)
Each .js source has a sibling .bookmarklet.txt containing the pre-compiled javascript:… URI for direct copy/paste into a bookmark.
From the site (recommended)
- Visit bookmarklets.notalex.sh.
- Show your bookmarks bar (
⌘⇧B/Ctrl+Shift+B). - Drag any card's named button (e.g.
Instagram Profile OSINT) onto the bar. The bookmark is saved with that exact name. - Open a target page and click the bookmarklet.
Direct paste
Each bookmarklets/<platform>/<file>.bookmarklet.txt is the full javascript:… URI — copy it, create a new bookmark, paste it as the URL.
Every bookmarklet uses the same shell so they feel like one suite:
- Pulsing mint status dot + bookmarklet title + platform context badge in the top bar
- Animated tab strip with a mint underline that slides between tabs
▸ section markersin monospace + fading gradient rules- UTC timestamps with
Zsuffix; hover for local-time tooltip - Hover-lift cards on pivot links
- Trusted-Types-safe DOM (works on YouTube which blocks
innerHTMLsetters) - Note banners — green
ANONYMOUSrail for read-only ops that don't notify the target (IG stories), amberREQUIRES LOGINrail for tabs that hit endpoints which reject anonymous requests - Unified error messages:
You must be on a <X> to use this.for wrong-page state,<Thing> not found in DOM. Log in to <platform>.com in this tab and refresh.for missing data on login-gated platforms
bookmarklets-main/
├── README.md
├── logo.png
│
├── bookmarklets/ ← source files (read by the site at runtime)
│ ├── instagram/master.{js,bookmarklet.txt}
│ ├── facebook/master.{js,bookmarklet.txt}
│ ├── facebook/expand-comments.{js,bookmarklet.txt}
│ ├── x/master.{js,bookmarklet.txt}
│ └── youtube/master.{js,bookmarklet.txt}
│
└── web/ ← SvelteKit site → bookmarklets.notalex.sh
├── package.json
└── src/
├── app.html · app.css
├── lib/generator.ts ← terser + URL-encode → javascript:…
└── routes/
├── +layout.{svelte,ts} · +page.svelte
└── api/
├── manifest/+server.ts ← dev: lists bookmarklets/**/*.js
└── file/[...path]/+server.ts ← dev: serves one source file
The site reads from GitHub raw + tree API in all environments. Source of truth is the Project-Eyrie/bookmarklets repo on the main branch — the local clone in this directory is not a git repo; copy changes into the upstream checkout to push.
Each new bookmarklet is a single .js file with these two structured comment lines at the top:
// title: "X Profile OSINT"
// description: "Runs on an X profile. Returns …"
(function() {
// … your bookmarklet body …
})();That's enough — drop the file under bookmarklets/<platform>/ and the site picks it up automatically.
To regenerate the .bookmarklet.txt companion file:
npx terser bookmarklets/<platform>/<file>.js --compress --mangle -o /tmp/m.min.js
node -e 'process.stdout.write("javascript:"+encodeURIComponent(require("fs").readFileSync("/tmp/m.min.js","utf8")))' > bookmarklets/<platform>/<file>.bookmarklet.txtcd web
npm install
npm run devThe dev server serves at http://localhost:5173 (or the next free port). Edits to bookmarklets/**/*.js are picked up live — refresh to see new titles, descriptions, and recompiled drag buttons.
- Browser support — Tested on Chrome/Brave/Edge/Firefox. Bookmarklet execution behavior is consistent across all four.
- YouTube — Enforces Trusted Types via CSP; the bookmarklets use a
clearNodehelper instead ofinnerHTML = ''to comply. - Live doc_id scraping — Instagram rotates the relay
doc_idforPolarisProfilePageContentQueryon every web release. The IG Picture tab scrapes the current value from__d("…RelayOperation",[],…{a.exports="…"})in loaded JS bundles each run, so it doesn't go stale. - Re-drag after updates — Each dragged bookmark is a snapshot of the compiled
javascript:…URI at the time of drag. When source changes, drag again from the site to get the latest version.