# Show HN: AnalystAIPack – 118 runnable agent skills for malware analysis and RE
AnalystAIPack is an open-source agent-skills library for malware analysis, reverse engineering, and threat hunting, featuring 118 curated, runnable skills mapped to MITRE ATT&CK, D3FEND, and CAR. Each skill ships a tested Python script, and the library emphasizes depth over breadth with a safety-first design.
An open agent-skills library for malware analysis, reverse engineering, and threat hunting.
AnalystAIPack gives an AI agent the working knowledge of a malware analyst and threat hunter: which Volatility 3 plugin to run on a memory image, how to unpack a packed sample, how to hunt C2 beaconing in network logs, and how to turn findings into YARA and Sigma. It is a focused, depth-first library — 118 curated skills across four tightly-scoped subdomains, where every skill ships a tested, runnable analysis script, not just prose.
The name says what it is: a pack of ready-to-load AI agent skills for the security analyst — covering the full workflow to hunt, reverse, and analyze malicious code.
Independent project. Not affiliated with Anthropic, MITRE, or any vendor named here. Built from scratch and synthesized from many primary sources; not copied from any other skills repository. See CONTRIBUTING.md for the sourcing and originality policy.
Personal work. A personal, independent project maintained in a personal capacity. It is not affiliated with, endorsed by, or representative of the maintainer's employer.
## What makes it different

- **Depth over breadth.** Four deliberate subdomains (malware analysis, reverse engineering, threat hunting, and shared lab foundations) instead of a sprawling catalog — every skill is curated for the analyst's real workflow.
- **Every skill is runnable.** All 118 skills ship a tested `scripts/analyst.py` (standard library only, optional deps degrade gracefully) plus a repo-wide smoke-test harness and CI `--check` gates — so the tooling actually works, not just reads well.
- **Safe by construction.** Scripts perform static, read-only analysis and never execute the sample; IOCs are defanged in output; sample-handling skills carry an explicit Safety & Handling section.
- **A defender's framework lens.** Skills map to MITRE ATT&CK, MITRE D3FEND, and MITRE CAR — chosen because they fit RE / malware analysis / threat hunting far better than compliance checklists.
- **Consistent, opinionated shape.** Each skill follows the same body contract — When to Use (with an explicit Do not use), Workflow, Validation, and Pitfalls — so an agent always knows the boundaries.
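The "IOCs are defanged in output" rule is worth seeing in code. The block below is an added illustration, not AnalystAIPack's own `defanging-and-sharing-iocs` script: it rewrites URLs, e-mail addresses, IPv4 addresses and bare domains in free text so they cannot be clicked or auto-resolved when pasted into a ticket, and `refang()` reverses the rewrite so a hunt can feed original values to a SIEM query. The regex shapes, the `hxxp`/`[.]`/`[at]` conventions, the short file-extension deny-list and the sample note are assumptions made for the demo (a real tool would validate the last label against the IANA TLD list).

```python
"""IOC defanging and extraction (added example, not AnalystAIPack's
defanging-and-sharing-iocs script).

Defanging rewrites indicators so they cannot be clicked or auto-resolved
when a report is pasted into a ticket, chat or e-mail: dots become [.],
schemes become hxxp/fxp, and @ becomes [at].  refang() reverses it so a
hunt can feed the original values to a SIEM query.
"""
from __future__ import annotations

import ipaddress
import re

# One pass, earliest alternative wins: a URL is consumed whole before its host
# could be seen as a bare domain.  Whitespace, quotes and brackets end a URL.
TOKEN_RE = re.compile(
    r"(?P<url>\b(?:https?|ftp)://[^\s<>\"')\]]+)"
    r"|(?P<email>\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b)"
    r"|(?P<ipv4>\b(?:\d{1,3}\.){3}\d{1,3}\b)"
    r"|(?P<domain>\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b)",
    re.IGNORECASE,
)
SCHEME_OUT = {"http": "hxxp", "https": "hxxps", "ftp": "fxp"}
SCHEME_IN = {v: k for k, v in SCHEME_OUT.items()}
# Assumption for the demo: a short deny-list of file extensions that the
# domain pattern would otherwise match (analyst.py, dropper.exe).  A real
# tool would validate the last label against the IANA TLD list instead.
NOT_TLDS = {"exe", "dll", "py", "php", "txt", "csv", "json", "bin", "md"}
GROUP_TO_KEY = {"url": "urls", "email": "emails", "ipv4": "ipv4", "domain": "domains"}


def _defang_token(m: re.Match) -> str | None:
    """Defang one regex match, or return None if it is not really an IOC."""
    s, kind = m.group(0), m.lastgroup
    if kind == "ipv4":
        try:
            ipaddress.IPv4Address(s)      # rejects octets above 255 (e.g. 300.168.1.1)
        except ValueError:
            return None
    elif kind == "domain" and s.rsplit(".", 1)[-1].lower() in NOT_TLDS:
        return None
    elif kind == "url":
        scheme, rest = s.split("://", 1)
        s = SCHEME_OUT.get(scheme.lower(), scheme) + "[:]//" + rest
    return s.replace(".", "[.]").replace("@", "[at]")


def defang(text: str) -> str:
    """Defang every indicator in free text; non-IOC tokens are left untouched."""
    return TOKEN_RE.sub(lambda m: _defang_token(m) or m.group(0), text)


def refang(text: str) -> str:
    """Undo defang(), also accepting the common (.) and {.} variants."""
    for fanged in ("[.]", "(.)", "{.}"):
        text = text.replace(fanged, ".")
    text = text.replace("[at]", "@").replace("[:]//", "://")
    return re.sub(r"\b(hxxps?|fxp)(?=://)",
                  lambda m: SCHEME_IN[m.group(1).lower()], text, flags=re.IGNORECASE)


def extract_iocs(text: str) -> dict[str, list[str]]:
    """Collect defanged, de-duplicated indicators by type, in order of appearance."""
    out = {key: [] for key in GROUP_TO_KEY.values()}
    for m in TOKEN_RE.finditer(text):
        d = _defang_token(m)
        bucket = out[GROUP_TO_KEY[m.lastgroup]]
        if d and d not in bucket:
            bucket.append(d)
    return out


# Constructed analyst note; every value is documentation-range or .example.
SAMPLE_NOTE = ("Beacon to http://evil-cdn.example.com/gate.php from 203.0.113.45, "
               "mail bad@example.net; build 300.168.1.1 and analyst.py are not IOCs.")

if __name__ == "__main__":
    import json
    print(defang(SAMPLE_NOTE))
    print(json.dumps(extract_iocs(SAMPLE_NOTE), indent=2))
```

Running it prints the note with every indicator neutralised and a JSON dictionary of the same indicators grouped by type; the version string and the script name in the note pass through unchanged because the IPv4 validation and the extension deny-list reject them.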
## Scope

Three pillars plus a shared foundation:

| Subdomain | What it covers |
| --- | --- |
| lab-foundations | Safe handling, lab setup, triage, hashing, file ID, IOC formats, reporting |
| malware-analysis | Static, dynamic, behavioral, and memory analysis; document/script malware; families |
| reverse-engineering | Disassembly/decompilation, unpacking, deobfuscation, anti-analysis defeat, language-specific RE |
| threat-hunting | Hypothesis-driven hunts, endpoint/network/identity telemetry, detection engineering |
See taxonomy.md for naming rules and framework mappings. Browse every skill in CATALOG.md, and see ATT&CK coverage in mappings/.
## Who it's for

- **SOC analysts & incident responders** — triage an unknown file, pull IOCs, and pivot them across telemetry without re-deriving the steps each time.
- **Malware analysts & reverse engineers** — a consistent procedure (and a runnable script) for static analysis, unpacking, config extraction, and language-specific RE.
- **Threat hunters & detection engineers** — turn a finding into a Sigma / YARA / Suricata detection and validate coverage against ATT&CK.
- **AI-agent builders** — drop a vetted, safety-bounded security skill set into Claude Code, Copilot, Cursor, or any agentskills.io-compatible agent.
## A worked example: from sample to detection
Each skill is a step; chained together they cover the full analyst loop. A typical investigation of a suspicious executable walks through skills like these:
| # | Stage | Skill |
| --- | --- | --- |
| 1 | Triage the unknown file | `triaging-an-unknown-sample` |
| 2 | Static PE inspection | `performing-static-pe-analysis` |
| 3 | Spot packing via entropy | `measuring-section-entropy-to-detect-packing` |
| 4 | Unpack to the OEP | `manually-unpacking-a-packed-binary` |
| 5 | Recover the C2 config | `extracting-cobalt-strike-beacon-config` |
| 6 | Defang and package IOCs | `defanging-and-sharing-iocs` |
| 7 | Hunt the IOCs in traffic | `hunting-cobalt-strike-traffic` |
| 8 | Write a durable detection | `writing-sigma-detection-rules` |
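Stage 3 rests on a simple idea: compressed or encrypted section bodies look like uniform random bytes, so their Shannon entropy sits near 8 bits/byte while ordinary code and data sit well below. The block below is an added, standard-library-only illustration of that check, not the pack's `measuring-section-entropy-to-detect-packing` script: it parses the COFF section table with `struct`, computes per-section entropy, and flags sections at or above a threshold. The 7.0 bits/byte cut-off, the minimum-size guard, and the constructed two-section PE skeleton (a plain `.text` and a `UPX1`-named section filled with every byte value once) are assumptions for the demo; the skeleton is a header plus filler and is not executable.

```python
"""Section-entropy packing heuristic over a PE file, standard library only.

Added example (not AnalystAIPack's own script): parses the COFF section
table with struct and computes Shannon entropy per section.  A section at
or above PACKED_THRESHOLD bits/byte is flagged as probably packed or
encrypted; the 7.0 threshold is a common heuristic, not a rule, and
tiny or zero-length sections are reported but never flagged.
"""
from __future__ import annotations

import json
import math
import struct
import sys
from collections import Counter

PACKED_THRESHOLD = 7.0       # assumption: typical heuristic cut-off in bits/byte
MIN_SIZE_FOR_VERDICT = 64    # assumption: fewer bytes give a meaningless entropy

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for an empty buffer, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def section_entropies(data: bytes) -> list[dict]:
    """Return one record per section: name, raw offset/size, entropy and verdict.

    The file is only read; nothing is mapped or executed.  Every offset taken
    from a header is clamped to the file so a truncated or lying header cannot
    make the parser over-read.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or missing PE signature")
    coff = e_lfanew + 4
    if coff + COFF_HDR.size > len(data):
        raise ValueError("COFF header runs past end of file")
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = COFF_HDR.unpack_from(data, coff)
    table = coff + COFF_HDR.size + opt_size
    records = []
    for i in range(nsections):
        off = table + i * SECTION_HDR.size
        if off + SECTION_HDR.size > len(data):
            raise ValueError("section table runs past end of file")
        name, _vsize, _va, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(data, off)
        chunk = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        ent = shannon_entropy(chunk)
        records.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_offset": raw_ptr,
            "raw_size": raw_size,
            "bytes_available": len(chunk),
            "entropy": round(ent, 3),
            "likely_packed": len(chunk) >= MIN_SIZE_FOR_VERDICT and ent >= PACKED_THRESHOLD,
        })
    return records


def build_sample_pe() -> bytes:
    """Constructed, non-executable PE skeleton: one plain section, one 'packed' one."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = COFF_HDR.pack(0x14C, 2, 0, 0, 0, 0, 0x0102)               # i386, 2 sections, no optional header
    text = SECTION_HDR.pack(b".text", 256, 0x1000, 256, 0x100, 0, 0, 0, 0, 0x60000020)
    upx1 = SECTION_HDR.pack(b"UPX1", 256, 0x2000, 256, 0x200, 0, 0, 0, 0, 0xE0000040)
    header = dos + b"PE\0\0" + coff + text + upx1
    header += b"\0" * (0x100 - len(header))
    plain = b"\0" * 128 + b"\xC3" * 128      # two symbols, equally likely -> entropy exactly 1.0
    packed = bytes(range(256))              # every byte value once -> entropy exactly 8.0
    return header + plain + packed


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(json.dumps(section_entropies(blob), indent=2))
```

Run with a file path to scan a real sample, or with no arguments to scan the constructed skeleton; the output is the same structured JSON shape the page describes for its scripts, and a `likely_packed` section is the cue to move on to stage 4.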
Driven directly from the CLI, the mechanical steps look like this:

```bash
# 1. Triage, then 5. recover the beacon config (read-only, never executes the sample)
python tools/analyst-pack.py run triaging-an-unknown-sample -- triage suspicious.exe
python tools/analyst-pack.py run extracting-cobalt-strike-beacon-config -- parse beacon.bin

# 7. Hunt the recovered indicators in proxy/Zeek logs, 8. emit a Sigma rule
python tools/analyst-pack.py run hunting-cobalt-strike-traffic -- hunt http.csv
```
Every script prints structured, defanged JSON you can feed into a report, a SIEM, or the next skill in the chain.
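Stage 7's hunt is, at its core, a beaconing check: an implant that calls home on a timer leaves near-constant gaps between requests, while human browsing does not. The following is an added example, not the pack's `hunting-cobalt-strike-traffic` script: it reads a Zeek-style HTTP CSV, groups requests by source, destination and host, and scores each group's inter-request gaps by median absolute deviation divided by the median gap. The column names, the 8-event minimum, the 0.1 jitter cut-off and the constructed log (one jittered 60-second beacon and one browsing session) are assumptions for the demo; output addresses are defanged the way the page says its scripts' output is.

```python
"""Beacon-regularity hunt over an HTTP connection log (added example, not
AnalystAIPack's hunting-cobalt-strike-traffic script).

For every (source, destination, host) triple it sorts the request times,
takes the gaps between consecutive requests and scores how regular they
are: median absolute deviation divided by the median gap.  Beacons with a
small configured jitter score close to 0; human browsing scores near or
above 1.  Thresholds and column names below are assumptions for the demo.
"""
from __future__ import annotations

import csv
import io
import json
import statistics
from collections import defaultdict

MIN_EVENTS = 8        # assumption: fewer requests give no usable interval statistics
MAX_JITTER = 0.1      # assumption: MAD/median at or below this is "suspiciously regular"


def defang_ip(ip: str) -> str:
    """Make an address non-clickable for reports (203.0.113.45 -> 203[.]0[.]113[.]45)."""
    return ip.replace(".", "[.]")


def find_beacons(csv_text: str, min_events: int = MIN_EVENTS,
                 max_jitter: float = MAX_JITTER) -> list[dict]:
    """Return one record per (src, dst, host) with enough events, most regular first."""
    times = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["id.orig_h"], row["id.resp_h"], row["host"])
        times[key].append(float(row["ts"]))
    findings = []
    for (src, dst, host), ts in times.items():
        if len(ts) < min_events:
            continue  # too few requests to judge regularity
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue  # duplicate timestamps carry no timing signal
        mad = statistics.median(abs(g - median) for g in gaps)
        jitter = mad / median
        findings.append({
            "src": defang_ip(src),
            "dst": defang_ip(dst),
            "host": host.replace(".", "[.]"),
            "events": len(ts),
            "median_interval_s": round(median, 1),
            "jitter_ratio": round(jitter, 3),
            "beacon_like": jitter <= max_jitter,
        })
    return sorted(findings, key=lambda f: f["jitter_ratio"])


def build_sample_log() -> str:
    """Constructed Zeek-style http log: one jittered 60 s beacon, one browsing session."""
    base = 1700000000.0
    rows = ["ts,id.orig_h,id.resp_h,host,uri"]
    jitter = [0.0, 1.3, -0.8, 0.4, 2.1, -1.5, 0.9, -0.2, 1.1, -0.6]   # seconds of drift
    for i, j in enumerate(jitter):
        rows.append(f"{base + 60 * i + j:.1f},10.0.0.5,203.0.113.45,cdn-update.example.com,/ping")
    t = base
    for gap in [0, 3, 47, 2, 600, 5, 130, 9, 250]:                  # irregular human pace
        t += gap
        rows.append(f"{t:.1f},10.0.0.5,198.51.100.7,news.example.org,/index.html")
    rows.append(f"{base:.1f},10.0.0.9,198.51.100.7,news.example.org,/")  # lone request, skipped
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    print(json.dumps(find_beacons(build_sample_log()), indent=2))
```

The beacon group scores a jitter ratio of about 0.02 and is flagged; the browsing group scores about 0.9 and is not. MAD over median is used rather than the standard deviation because one long idle gap in otherwise regular traffic would inflate a standard deviation and hide a real beacon.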
## Format
Every skill follows the agentskills.io SKILL.md standard, so it works in Claude Code, GitHub Copilot, Cursor, Codex CLI, Gemini CLI, and other compatible agents.
```text
skills/<skill-name>/
├── SKILL.md                     # frontmatter + procedure (When to Use, Workflow, ...)
├── scripts/analyst.py           # runnable tooling
├── references/api-reference.md
└── LICENSE
```
Skills map to MITRE ATT&CK, MITRE D3FEND, and MITRE CAR (for hunts) in frontmatter — frameworks chosen because they fit reverse engineering, malware analysis, and threat hunting better than compliance checklists.
## Quick start

```bash
git clone https://github.com/meltedinhex/analyst-ai-pack.git
cd analyst-ai-pack

# Validate skills and (re)build the catalog
python tools/lint-skills.py --all
python tools/build-index.py

# (Re)build the browsable catalog and ATT&CK Navigator layer
python tools/build-catalog.py
python tools/build-navigator-layer.py
```
Point your agent at the skills/ directory, or load an individual SKILL.md. AI agents should read AGENTS.md first — it explains how to find, run, and safely chain skills.
### Use with GitHub Copilot

Open this folder in VS Code. Copilot Chat automatically reads `.github/copilot-instructions.md`, so it knows the skills exist and how to run them safely. Then, in Agent mode, just ask:

- "Hunt for LOLBin abuse in events.csv" → uses `hunting-lolbin-abuse-on-windows`
- "Triage this unknown file and pull IOCs" → chains triage → IOC extraction
You can also point Copilot at a specific skill:
```text
#file:skills/extracting-cobalt-strike-beacon-config/SKILL.md Use this skill to analyze beacon.bin
```
No subscription beyond Copilot is required — the scripts are plain Python and run via Copilot's terminal tool (or directly with python tools/analyst-pack.py run …).
## The analyst-pack CLI

A single front door to discover and run the library — unique to AnalystAIPack:

```bash
python tools/analyst-pack.py list --subdomain threat-hunting   # browse skills
python tools/analyst-pack.py search kerberos                   # full-text search
python tools/analyst-pack.py show hunting-lolbin-abuse-on-windows
python tools/analyst-pack.py run identifying-cryptographic-routines-in-binaries -- scan a.bin
python tools/analyst-pack.py stats                             # library statistics
python tools/analyst-pack.py lint                              # lint every skill
python tools/analyst-pack.py build                             # rebuild index/catalog/layer
```
## Creating a skill

```bash
# Copy the scaffold
cp -r templates/skill-template skills/my-new-skill   # PowerShell: Copy-Item -Recurse
```
Edit `SKILL.md`, `scripts/analyst.py`, `references/api-reference.md`, then:

```bash
python tools/lint-skills.py skills/my-new-skill
python tools/build-index.py
```
Read CONTRIBUTING.md first — it covers the authoring checklist and the originality rules that keep AnalystAIPack's content genuinely its own.
## Safety
These skills involve real malicious-code techniques. Sample-handling skills assume an isolated analysis lab and document safe handling, encrypted storage, and IOC defanging. AnalystAIPack ships no live malware samples. See SECURITY.md.
## License
Apache-2.0 — see LICENSE. MITRE ATT&CK, D3FEND, and CAR are © MITRE and used under their respective terms.
Built and maintained by meltedinhex — malware analysis, reverse engineering, and threat-hunting notes.
Latest release: AnalystAIPack v1.0.0 (Jul 1, 2026).