Show HN: AnalystAIPack – 118 runnable agent skills for malware analysis and RE

sdkhere | 1 pts | 0 comments

AnalystAIPack: Giving an AI Agent a Malware Analyst's Working Knowledge | Melted in Hex

AnalystAIPack is an open, Apache-2.0 library of runnable agent skills that give an AI agent a malware analyst's working knowledge across analysis, RE, and threat hunting.

July 1, 2026 · 5 min · 1041 words · Melted in Hex

Table of Contents
- What It Is
- A Worked Example: From Sample to Detection
- How to Use It
- A Note on Safety
- Try It

Ask a general-purpose AI agent to analyze a suspicious executable and you get confident-sounding mush. It will happily tell you to "check the file for anything malicious," suggest a plugin that does not exist, or skip the one step that actually matters. The model knows a lot about malware analysis. What it lacks is the analyst's working knowledge: which Volatility 3 plugin to run on a memory image, how to reach a packer's original entry point, how to turn a recovered C2 config into a Sigma rule, and, just as important, when not to trust a result.

That gap is what I built AnalystAIPack to close. It is an open, Apache-2.0 library of 118 agent skills for malware analysis, reverse engineering, and threat hunting, and it is now public on GitHub.

What It Is

AnalystAIPack is a library of ready-to-load skills in the agentskills.io SKILL.md format, so it drops straight into GitHub Copilot, Claude Code, Cursor, Codex CLI, Gemini CLI, or any compatible agent. It is deliberately depth-first: instead of a sprawling catalog that touches everything shallowly, it covers four tightly-scoped subdomains that map to how an analyst actually works.

The library is split into four tightly-scoped subdomains, 118 curated skills in total, arranged around the real analyst workflow.

Subdomain: what it covers
- lab-foundations: safe handling, lab setup, triage, hashing, file ID, IOC formats, reporting
- malware-analysis: static, dynamic, behavioral, and memory analysis; document and script malware; families
- reverse-engineering: disassembly and decompilation, unpacking, deobfuscation, anti-analysis defeat, language-specific RE
- threat-hunting: hypothesis-driven hunts; endpoint, network and identity telemetry; detection engineering

Three things separate it from a folder full of prompts.

Every skill is runnable. All 118 skills ship a tested scripts/analyst.py that performs the analysis, not just a description of it. They lean on the Python standard library, degrade gracefully when an optional dependency is missing, and are covered by a repo-wide smoke-test harness and CI gates. The tooling actually works; it does not just read well.

Safe by construction. The scripts perform static, read-only analysis and never execute the sample. IOCs come out defanged (hxxp://, 1[.]2[.]3[.]4), and every sample-handling skill carries an explicit Safety & Handling section that assumes an isolated lab. The repository ships no live malware.

A defender's framework lens. Skills map to MITRE ATT&CK, MITRE D3FEND, and, for hunts, MITRE CAR, chosen because they fit reverse engineering, malware analysis, and threat hunting far better than compliance checklists. That mapping lets an agent report coverage and slot findings into detection engineering.

Every skill follows the same body contract: When to Use (with an explicit Do not use), Workflow, Validation, and Pitfalls, so the agent always knows the boundaries of a technique instead of applying it blindly.
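The defanging convention quoted above is small enough to show in full. What follows is an added example written for this page, not the defanging-and-sharing-iocs script or any other AnalystAIPack code: a refang/defang pair plus the typed, deduplicated JSON packaging step that a read-only analyst script would print. The indicator strings are constructed for the example and are not real infrastructure; the refang-before-defang design (so already-defanged or mixed input is never double-bracketed) is my own choice, not something the post specifies.

```python
import json
import re

# Constructed indicators for this example; none is real attacker infrastructure.
SAMPLE_IOCS = [
    "http://example.com/update.bin",
    "https://cdn.example.net:8443/stage2",
    "198.51.100.23",
    "update.example.org",
    "update[.]example[.]org",                  # same domain, already defanged
    "hxxps://already[.]defanged[.]example/x",  # mixed input must not double-defang
]

_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its live form (needed to match it in logs)."""
    live = ioc.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    live = re.sub(r"^hxxp(s?)://", r"http\1://", live, flags=re.IGNORECASE)
    live = re.sub(r"^fxp://", "ftp://", live, flags=re.IGNORECASE)
    return live


def defang(ioc: str) -> str:
    """Render an indicator unclickable: hxxp(s)/fxp scheme and every dot bracketed.

    Refanging first makes this idempotent, so defang(defang(x)) == defang(x) and
    mixed input never ends up as "[[.]]". Dots in the path are bracketed too, which
    is deliberately conservative.
    """
    live = refang(ioc)
    out = re.sub(r"^http(s?)://", r"hxxp\1://", live, flags=re.IGNORECASE)
    out = re.sub(r"^ftp://", "fxp://", out, flags=re.IGNORECASE)
    return out.replace(".", "[.]")


def classify(live: str) -> str:
    """Coarse IOC type for a live (refanged) indicator: url, ipv4, or domain."""
    if "://" in live:
        return "url"
    if _IPV4.match(live) and all(int(octet) <= 255 for octet in live.split(".")):
        return "ipv4"
    return "domain"


def package_iocs(raw_iocs):
    """Build the structured, defanged document a read-only analysis script would print.

    Indicators are normalised to live form for deduplication and defanged on output,
    so "update.example.org" and "update[.]example[.]org" collapse to one entry.
    """
    seen = set()
    entries = []
    for raw in raw_iocs:
        live = refang(raw.strip())
        if not live or live in seen:
            continue
        seen.add(live)
        entries.append({"type": classify(live), "value": defang(live)})
    return {"defanged": True, "count": len(entries), "iocs": entries}


if __name__ == "__main__":
    print(json.dumps(package_iocs(SAMPLE_IOCS), indent=2))
```

Run it directly to see the JSON; the refang side is what a hunting step would call before comparing indicators against proxy or Zeek fields, since logs hold the live form.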

Each skill pairs an opinionated SKILL.md procedure with a tested, read-only analyst.py that prints structured, defanged JSON.

A Worked Example: From Sample to Detection

The point of a depth-first library is that the skills chain. Each one is a step, and strung together they cover the full analyst loop. Here is what triaging a suspicious executable looks like end to end:

Eight skills, chained: from an unknown suspicious.exe through to a durable detection, with each script's JSON feeding the next.

1. Triage the unknown file: triaging-an-unknown-sample
2. Static PE inspection: performing-static-pe-analysis
3. Spot packing via entropy: measuring-section-entropy-to-detect-packing
4. Unpack to the OEP: manually-unpacking-a-packed-binary
5. Recover the C2 config: extracting-cobalt-strike-beacon-config
6. Defang and package IOCs: defanging-and-sharing-iocs
7. Hunt the IOCs in traffic: hunting-cobalt-strike-traffic
8. Write a durable detection: writing-sigma-detection-rules

Driven from the CLI, the mechanical steps are just:

```bash
# 1. Triage, then 5. recover the beacon config (read-only, never executes the sample)
python tools/analyst-pack.py run triaging-an-unknown-sample -- triage suspicious.exe
python tools/analyst-pack.py run extracting-cobalt-strike-beacon-config -- parse beacon.bin

# 7. Hunt the recovered indicators in proxy/Zeek logs, 8. emit a Sigma rule
python tools/analyst-pack.py run hunting-cobalt-strike-traffic -- hunt http.csv
```

Every script prints structured, defanged JSON, so the output of one step feeds<br>straight into the next, into...

Tags: analyst, agent skills, malware analysis, library
