Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

allthingsida/idapython

Name: idapython
Author: allthingsida

plugins/idasql/skills/idapython/SKILL.md

npx skillsauth add allthingsida/idasql-skills idapython

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Python Execution SQL Functions

| Function | Description | |----------|-------------| | idapython_snippet(code[, sandbox]) | Execute Python snippet and return captured output text | | idapython_file(path[, sandbox]) | Execute Python file and return captured output text |

Runtime Guard

Python execution is disabled by default. Enable it with:

PRAGMA idasql.enable_idapython = 1;

Examples

SELECT idapython_snippet('print("hello from idapython")');
SELECT idapython_file('C:/temp/script.py');
SELECT idapython_snippet('counter = globals().get("counter", 0) + 1; print(counter)', 'alpha');

Notes

Disabled by default until pragma is enabled
Python exceptions propagate as SQL errors
sandbox isolates/persists Python globals by sandbox key

Two Python Contexts (Important)

Host-side Python client (outside IDA): use requests.post(.../query, data=sql) to send SQL over HTTP. The body may be one statement or a semicolon-separated script; script responses use statements[] instead of top-level rows. Use this for loops, bulk updates, and automation orchestration. See connect skill HTTP client patterns.
IDAPython via SQL (inside IDA): use idapython_snippet() / idapython_file() when you need direct IDA SDK APIs in-process.

Example contrast:

# Host-side Python (outside IDA): sends SQL over HTTP
import requests
requests.post("http://127.0.0.1:8081/query", data="SELECT COUNT(*) FROM funcs")

-- IDAPython (inside IDA): executes Python in IDA runtime
SELECT idapython_snippet('import idaapi; print(idaapi.get_kernel_version())');

Sandbox Behavior

Each sandbox key creates an isolated Python namespace:

Variables set in one sandbox are not visible in another
The same sandbox key reuses its namespace across calls (state persists within a session)
Without a sandbox key, code runs in the default global namespace

Error Propagation

When a Python script raises an exception, it propagates as a SQL error:

-- This will return an error: "NameError: name 'undefined_var' is not defined"
SELECT idapython_snippet('print(undefined_var)');

When to Use IDAPython vs SQL

| Use Case | Best Tool | Why | |----------|-----------|-----| | Query/filter/aggregate data | SQL | JOINs, CTEs, GROUP BY, window functions — SQL is purpose-built for this | | Cross-table analysis | SQL | JOINing funcs, xrefs, strings, ctree is natural in SQL | | Reporting and counting | SQL | COUNT, SUM, AVG, GROUP_CONCAT — no Python loop needed | | Complex algorithms | IDAPython | Graph algorithms, custom pattern matching, ML pipelines | | IDA SDK APIs not in idasql | IDAPython | Some IDA SDK features aren't exposed as SQL tables/functions | | UI automation | IDAPython | Opening views, navigating cursor, triggering IDA actions | | Existing scripts | IDAPython | Reuse existing .py scripts without rewriting in SQL |

General rule: Start with SQL. If you find yourself wanting nested loops, recursive algorithms, or IDA APIs that aren't exposed via idasql, reach for idapython_snippet() as a bridge.

Practical Use Cases

Run a custom analysis script

-- Enable Python execution first
PRAGMA idasql.enable_idapython = 1;

-- Run a script that collects custom metrics
SELECT idapython_snippet('
import idautils, idc
count = 0
for func_ea in idautils.Functions():
    if idc.get_func_attr(func_ea, idc.FUNCATTR_FLAGS) & 0x4:  # FUNC_LIB
        count += 1
print(f"Library functions: {count}")
');

Access IDA SDK APIs not exposed through idasql

-- Example: get processor-specific register names
SELECT idapython_snippet('
import ida_idp
for i in range(ida_idp.ph_get_regnames().__len__()):
    name = ida_idp.ph_get_regnames()[i]
    if name:
        print(f"{i}: {name}")
');

Bridge pattern: Python produces JSON, SQL processes it

When you need Python's power for extraction but SQL's power for analysis:

-- Python extracts data as JSON
SELECT idapython_snippet('
import json, idautils, idc
result = []
for ea in idautils.Functions():
    flags = idc.get_func_attr(ea, idc.FUNCATTR_FLAGS)
    if flags & 0x4:  # FUNC_LIB
        result.append({"ea": ea, "name": idc.get_func_name(ea)})
print(json.dumps(result))
');

-- Then process the JSON output in SQL using json_each()
-- (copy the output from above into the query)

allthingsida/idapython

plugins/idasql/skills/idapython/SKILL.md

Execute IDAPython via idasql. Use when SQL surfaces are insufficient and direct IDA SDK access is needed via Python snippets or scripts.

22 stars

development

Updated May 28, 2026

$ install --global

skillsauth

npx skillsauth add allthingsida/idasql-skills idapython

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 28, 2026, 3:48 AM21.6s2 files scanned

SKILL.md

name:: idapython
description:: Execute IDAPython via idasql. Use when SQL surfaces are insufficient and direct IDA SDK access is needed via Python snippets or scripts.

Python Execution SQL Functions

Runtime Guard

Python execution is disabled by default. Enable it with:

PRAGMA idasql.enable_idapython = 1;

Examples

SELECT idapython_snippet('print("hello from idapython")');
SELECT idapython_file('C:/temp/script.py');
SELECT idapython_snippet('counter = globals().get("counter", 0) + 1; print(counter)', 'alpha');

Notes

Disabled by default until pragma is enabled
Python exceptions propagate as SQL errors
sandbox isolates/persists Python globals by sandbox key

Two Python Contexts (Important)

Host-side Python client (outside IDA): use requests.post(.../query, data=sql) to send SQL over HTTP. The body may be one statement or a semicolon-separated script; script responses use statements[] instead of top-level rows. Use this for loops, bulk updates, and automation orchestration. See connect skill HTTP client patterns.
IDAPython via SQL (inside IDA): use idapython_snippet() / idapython_file() when you need direct IDA SDK APIs in-process.

Example contrast:

# Host-side Python (outside IDA): sends SQL over HTTP
import requests
requests.post("http://127.0.0.1:8081/query", data="SELECT COUNT(*) FROM funcs")

-- IDAPython (inside IDA): executes Python in IDA runtime
SELECT idapython_snippet('import idaapi; print(idaapi.get_kernel_version())');

Sandbox Behavior

Each sandbox key creates an isolated Python namespace:

Variables set in one sandbox are not visible in another
The same sandbox key reuses its namespace across calls (state persists within a session)
Without a sandbox key, code runs in the default global namespace

Error Propagation

When a Python script raises an exception, it propagates as a SQL error:

-- This will return an error: "NameError: name 'undefined_var' is not defined"
SELECT idapython_snippet('print(undefined_var)');

When to Use IDAPython vs SQL

General rule: Start with SQL. If you find yourself wanting nested loops, recursive algorithms, or IDA APIs that aren't exposed via idasql, reach for idapython_snippet() as a bridge.

Practical Use Cases

Run a custom analysis script

-- Enable Python execution first
PRAGMA idasql.enable_idapython = 1;

-- Run a script that collects custom metrics
SELECT idapython_snippet('
import idautils, idc
count = 0
for func_ea in idautils.Functions():
    if idc.get_func_attr(func_ea, idc.FUNCATTR_FLAGS) & 0x4:  # FUNC_LIB
        count += 1
print(f"Library functions: {count}")
');

Access IDA SDK APIs not exposed through idasql

-- Example: get processor-specific register names
SELECT idapython_snippet('
import ida_idp
for i in range(ida_idp.ph_get_regnames().__len__()):
    name = ida_idp.ph_get_regnames()[i]
    if name:
        print(f"{i}: {name}")
');

Bridge pattern: Python produces JSON, SQL processes it

When you need Python's power for extraction but SQL's power for analysis:

-- Python extracts data as JSON
SELECT idapython_snippet('
import json, idautils, idc
result = []
for ea in idautils.Functions():
    flags = idc.get_func_attr(ea, idc.FUNCATTR_FLAGS)
    if flags & 0x4:  # FUNC_LIB
        result.append({"ea": ea, "name": idc.get_func_name(ea)})
print(json.dumps(result))
');

-- Then process the JSON output in SQL using json_each()
-- (copy the output from above into the query)

Related Skills

allthingsida/types

tools

VerifiedTrustedCommunity

IDA type system. Use when asked to create, modify, or apply structs, unions, enums, typedefs, or parse C declarations.

23SKILL.mdUpdated Apr 3, 2026

allthingsida/functions

databases

VerifiedTrustedCommunity

Complete idasql SQL function reference catalog. Use when looking up function signatures, parameters, or usage examples.

23SKILL.mdUpdated Apr 3, 2026

allthingsida/functions

allthingsida/disassembly

development

VerifiedTrustedCommunity

Query IDA disassembly. Use when asked about functions, segments, instructions, blocks, operands, control flow, or raw code structure.

23SKILL.mdUpdated Apr 3, 2026

allthingsida/disassembly

allthingsida/decompiler

development

VerifiedTrustedCommunity

Decompile and analyze IDA functions. Use when asked for pseudocode, ctree AST analysis, local variables, labels, or decompiler-driven cleanup.

23SKILL.mdUpdated Apr 3, 2026

allthingsida/decompiler

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/allthingsida/idasql-skills.git

# Copy into Claude Code skills folder (global)
cp -r idasql-skills/plugins/idasql/skills/idapython ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

allthingsida/idasql-skills

22 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT