118 runnable agent skills, each one a tested Python script that never executes a sample and spits out defanged JSON. That's what AnalystAIPack delivers, and it's the first time I've seen an AI agent library that actually understands the difference between a Volatility 3 plugin and a ChatGPT hallucination.
Melted in Hex just open-sourced AnalystAIPack under Apache-2.0 on GitHub. It's not a folder of prompts. Every skill ships a scripts/analyst.py that performs real analysis—static PE inspection, entropy measurement for packer detection, manual unpacking to OEP, Cobalt Strike beacon config extraction, and Sigma rule generation. The tooling works, it does not just read well.
Depth Over Breadth, Real Workflows
Four tightly-scoped subdomains map to how an analyst actually works: lab-foundations, malware-analysis, reverse-engineering, and threat-hunting. 118 skills total, each with explicit "When to Use", "Do not use", "Workflow", "Validation", and "Pitfalls" sections. The agent knows the boundaries of a technique instead of applying it blindly.
The skills chain end-to-end. The blog post walks through an eight-skill pipeline from an unknown suspicious.exe to a durable Sigma detection: triage → static PE inspection → entropy-based packing detection → manual unpacking → C2 config recovery → IOC defanging → traffic hunt → write detection rule. Every step's JSON feeds the next, into a report, or straight into a SIEM.
Safe by Construction, Defender-Framed
All scripts perform static, read-only analysis. IOCs come out defanged (hxxp://, 1[.]2[.]3[.]4). Every sample-handling skill carries an explicit "Safety & Handling" section assuming an isolated lab. The repo ships no live malware.
Skills map to MITRE ATT&CK, MITRE D3FEND, and MITRE CAR. That's a defender's lens, not a compliance checklist. The mapping lets an agent report coverage and slot findings into detection engineering directly.
Drop It Into Any Agent
The library uses the agentskills.io SKILL.md format, so it works with GitHub Copilot, Claude Code, Cursor, Codex CLI, Gemini CLI, or any compatible agent. Open the repo in VS Code and Copilot Chat automatically reads copilot-instructions.md. In Agent mode you just ask: "Triage this unknown file and pull IOCs" chains triage into IOC extraction automatically.
The CLI front door is a single analyst-pack command: python tools/analyst-pack.py run triaging-an-unknown-sample -- triage suspicious.exe. Output is structured, defanged JSON.
This is the first library I've seen that gives an AI agent the working knowledge of a real malware analyst—not just a list of techniques, but the judgment of when to use them and when to distrust the result.
Source: Show HN: AnalystAIPack - 118 runnable agent skills for malware analysis and RE
Domain: meltedinhex.com
Comments load interactively on the live page.