AI News HubLIVE
In-site rewrite2 min read

Show HN: AnalystAIPack – 118 runnable agent skills for malware analysis and RE

AnalystAIPack is an open-source library of 118 agent skills for malware analysis, reverse engineering, and threat hunting. It addresses the gap where generic AI agents provide plausible-sounding but impractical advice by offering depth-first, runnable scripts that map to real analyst workflows. Each skill includes tested Python scripts, safety constraints (read-only analysis, defanged IOCs), and mappings to MITRE ATT&CK, D3FEND, and CAR. The article demonstrates an end-to-end example from triage to detection using chained skills.

SourceHacker News AIAuthor: sdkhere

Ask a general-purpose AI agent to analyze a suspicious executable and you get confident-sounding mush. It will happily tell you to “check the file for anything malicious,” suggest a plugin that does not exist, or skip the one step that actually matters. The model knows a lot about malware analysis. What it lacks is the analyst’s working knowledge: which Volatility 3 plugin to run on a memory image, how to reach a packer’s original entry point, how to turn a recovered C2 config into a Sigma rule, and, just as important, when not to trust a result.

That gap is what I built AnalystAIPack to close. It is an open, Apache-2.0 library of 118 agent skills for malware analysis, reverse engineering, and threat hunting, and it is now public on GitHub.

What It Is#

AnalystAIPack is a library of ready-to-load skills in the agentskills.io SKILL.md format, so it drops straight into GitHub Copilot, Claude Code, Cursor, Codex CLI, Gemini CLI, or any compatible agent. It is deliberately depth-first: instead of a sprawling catalog that touches everything shallowly, it covers four tightly-scoped subdomains that map to how an analyst actually works.

The library is split into four tightly-scoped subdomains, 118 curated skills in total, arranged around the real analyst workflow.

SubdomainWhat it covers

lab-foundationsSafe handling, lab setup, triage, hashing, file ID, IOC formats, reporting

malware-analysisStatic, dynamic, behavioral, and memory analysis; document and script malware; families

reverse-engineeringDisassembly and decompilation, unpacking, deobfuscation, anti-analysis defeat, language-specific RE

threat-huntingHypothesis-driven hunts, endpoint, network and identity telemetry, detection engineering

Three things separate it from a folder full of prompts.

Every skill is runnable. All 118 skills ship a tested scripts/analyst.py that performs the analysis, not just a description of it. They lean on the Python standard library, degrade gracefully when an optional dependency is missing, and are covered by a repo-wide smoke-test harness and CI gates. The tooling actually works, it does not just read well.

Safe by construction. The scripts perform static, read-only analysis and never execute the sample. IOCs come out defanged (hxxp://, 1[.]2[.]3[.]4), and every sample-handling skill carries an explicit Safety & Handling section that assumes an isolated lab. The repository ships no live malware.

A defender’s framework lens. Skills map to MITRE ATT&CK, MITRE D3FEND, and, for hunts, MITRE CAR, chosen because they fit reverse engineering, malware analysis, and threat hunting far better than compliance checklists. That mapping lets an agent report coverage and slot findings into detection engineering.

Every skill follows the same body contract, When to Use (with an explicit Do not use), Workflow, Validation, and Pitfalls, so the agent always knows the boundaries of a technique instead of applying it blindly.

Each skill pairs an opinionated SKILL.md procedure with a tested, read-only analyst.py that prints structured, defanged JSON.

A Worked Example: From Sample to Detection#

The point of a depth-first library is that the skills chain. Each one is a step, and strung together they cover the full analyst loop. Here is what triaging a suspicious executable looks like end to end:

Eight skills, chained: from an unknown suspicious.exe through to a durable detection, with each script’s JSON feeding the next.

#StageSkill

1Triage the unknown filetriaging-an-unknown-sample

2Static PE inspectionperforming-static-pe-analysis

3Spot packing via entropymeasuring-section-entropy-to-detect-packing

4Unpack to the OEPmanually-unpacking-a-packed-binary

5Recover the C2 configextracting-cobalt-strike-beacon-config

6Defang and package IOCsdefanging-and-sharing-iocs

7Hunt the IOCs in traffichunting-cobalt-strike-traffic

8Write a durable detectionwriting-sigma-detection-rules

Driven from the CLI, the mechanical steps are just:

1. Triage, then 5. recover the beacon config (read-only, never executes the sample)

python tools/analyst-pack.py run triaging-an-unknown-sample -- triage suspicious.exe python tools/analyst-pack.py run extracting-cobalt-strike-beacon-config -- parse beacon.bin

7. Hunt the recovered indicators in proxy/Zeek logs, 8. emit a Sigma rule

python tools/analyst-pack.py run hunting-cobalt-strike-traffic -- hunt http.csv