118 Agent Skills That Turn AI Into a Real Malware Analyst

meltedinhex.com · @systems_wire · 3 hours ago · Cybersecurity · 1 comment

An open, Apache-2.0 library of 118 runnable skills gives AI agents the working knowledge a real reverse engineer uses, from Volatility plugin selection to writing Sigma rules, without executing samples.

analystaipack · melted in hex · malware analysis · reverse engineering · threat hunting · agent skills

118 runnable agent skills, each one a tested Python script that never executes a sample and spits out defanged JSON. That's what AnalystAIPack delivers, and it's the first time I've seen an AI agent library that actually understands the difference between a Volatility 3 plugin and a ChatGPT hallucination.

Melted in Hex just open-sourced AnalystAIPack under Apache-2.0 on GitHub. It's not a folder of prompts. Every skill ships a scripts/analyst.py that performs real analysis—static PE inspection, entropy measurement for packer detection, manual unpacking to OEP, Cobalt Strike beacon config extraction, and Sigma rule generation. The tooling works; it does not just read well.

Depth Over Breadth, Real Workflows

Four tightly-scoped subdomains map to how an analyst actually works: lab-foundations, malware-analysis, reverse-engineering, and threat-hunting. 118 skills total, each with explicit "When to Use", "Do not use", "Workflow", "Validation", and "Pitfalls" sections. The agent knows the boundaries of a technique instead of applying it blindly.

The skills chain end-to-end. The blog post walks through an eight-skill pipeline from an unknown suspicious.exe to a durable Sigma detection: triage → static PE inspection → entropy-based packing detection → manual unpacking → C2 config recovery → IOC defanging → traffic hunt → write detection rule. Every step's JSON feeds the next, into a report, or straight into a SIEM.

Safe by Construction, Defender-Framed

All scripts perform static, read-only analysis. IOCs come out defanged (hxxp://, 1[.]2[.]3[.]4). Every sample-handling skill carries an explicit "Safety & Handling" section assuming an isolated lab. The repo ships no live malware.
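The defanged-output convention described above, as an added example (not AnalystAIPack's own code): a static, read-only extractor that pulls URLs and IPv4 addresses out of text and emits them defanged as JSON. The function names and the sample strings are constructed for illustration.

```python
import ipaddress
import json
import re

URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample: strings as they might appear in a static strings dump.
SAMPLE_STRINGS = [
    "GET http://update.example.com/gate.php?id=7 HTTP/1.1",
    "fallback c2: 203.0.113.7:8443",
    "version 999.1.1.1 build",  # looks like an address, but is not one
    "beacon hxxp://update[.]example[.]com/gate.php?id=7",  # already defanged
]


def defang(value: str) -> str:
    """Return a non-clickable form: hxxp scheme and [.] in the host part."""
    value = value.replace("[.]", ".")  # normalise first so defang is idempotent
    scheme, sep, rest = value.partition("://")
    if not sep:
        return value.replace(".", "[.]")
    host, slash, path = rest.partition("/")
    scheme = re.sub("(?i)tt", "xx", scheme, count=1)
    return f"{scheme}://{host.replace('.', '[.]')}{slash}{path}"


def extract_iocs(text: str) -> dict:
    """Find URLs and valid IPv4 addresses in text; return them defanged."""
    urls = {m.group(0).rstrip(".,;)") for m in URL_RE.finditer(text)}
    ips = set()
    for m in IPV4_RE.finditer(text):
        try:
            ips.add(str(ipaddress.IPv4Address(m.group(0))))
        except ipaddress.AddressValueError:
            continue  # octet out of range or leading zeros: skip it
    return {
        "urls": [defang(u) for u in sorted(urls)],
        "ipv4": [defang(i) for i in sorted(ips)],
    }


if __name__ == "__main__":
    print(json.dumps(extract_iocs("\n".join(SAMPLE_STRINGS)), indent=2))
```

Normalising before defanging keeps the output stable when a value passes through more than one pipeline stage.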

Skills map to MITRE ATT&CK, MITRE D3FEND, and MITRE CAR. That's a defender's lens, not a compliance checklist. The mapping lets an agent report coverage and slot findings into detection engineering directly.

Drop It Into Any Agent

The library uses the agentskills.io SKILL.md format, so it works with GitHub Copilot, Claude Code, Cursor, Codex CLI, Gemini CLI, or any compatible agent. Open the repo in VS Code and Copilot Chat automatically reads copilot-instructions.md. In Agent mode you just ask "Triage this unknown file and pull IOCs", and the agent chains triage into IOC extraction automatically.

The CLI front door is a single analyst-pack command: python tools/analyst-pack.py run triaging-an-unknown-sample -- triage suspicious.exe. Output is structured, defanged JSON.

This is the first library I've seen that gives an AI agent the working knowledge of a real malware analyst—not just a list of techniques, but the judgment of when to use them and when to distrust the result.


Source: Show HN: AnalystAIPack - 118 runnable agent skills for malware analysis and RE
Domain: meltedinhex.com
