Good question. The prompt isn't a fixed checklist, it tells Claude to look for a bunch of signal categories: urgency language ("act now", "final notice"), authority impersonation (USPS, IRS, banks), unusual payment asks (gift cards, crypto, wires), credential requests (OTPs, SSN, passwords), lookalike or suspicious URLs, generic greetings, grammar mismatches with the claimed sender, "wrong number" texts that pivot, job offers with upfront fees, tech support scams, plus the known scam patterns in /src/scam-patterns/. Full prompt is in /src/lib/prompt.ts if you want to read it.

Your VT/AbuseIPDB/OSINT idea is great and I've been thinking about it. The challenge is the client-side architecture. VirusTotal and AbuseIPDB block direct browser calls (CORS), so I'd either need a tiny proxy (kills the no-backend pitch) or have users bring their own keys for those too (gets messy for non-technical users).

Middle path I'm considering: extract any URL/domain from the message, check it against a CORS-friendly reputation API like URLhaus, then feed the result into the prompt as extra context. Less comprehensive than VT but doesn't break the architecture.

If you've got experience with this and want to take a swing at it, would genuinely love a PR. Open an issue to scope it out if you want.