mattmre/malware-triage-workflow
SKILLS/DEVELOPER TOOLS/malware-triage-workflow/SKILL.md
Triage suspicious binaries by combining static indicators, control-flow hints, YARA or pattern matches, and debugger confirmation. Use when the sample may be malicious, packed, evasive, or operationally risky.
$ install --global
skillsauthnpx skillsauth add mattmre/evokore-mcp malware-triage-workflowInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 26, 2026, 12:22 PM53.7s1 file scanned
SKILL.md
- name:
- malware-triage-workflow
- description:
- Triage suspicious binaries by combining static indicators, control-flow hints, YARA or pattern matches, and debugger confirmation. Use when the sample may be malicious, packed, evasive, or operationally risky.
- aliases:
- [malware-triage, suspicious-binary-triage, malware-analysis-workflow]
- category:
- Developer Tools
- tags:
- [reverse-engineering, malware-analysis, yara, debugger, ghidra, binary-triage]
- version:
- 1.0.0
- source:
- evokore
- derived_from:
- [binary-mcp, ghidra-headless-mcp, x64dbg, malcontent, oletools]
Malware Triage Workflow
Run a behavior-first triage that quickly answers what the sample touches, how risky it looks, and which routines deserve deep reverse engineering.
Workflow
- Collect static indicators first:
- format, architecture, packer or entropy clues
- imports, exports, strings, sections, resources
- suspicious APIs and network / filesystem / registry markers
- YARA or family-pattern matches if available
- Identify high-risk behavior buckets:
- persistence
- credential access
- command and control
- injection / hollowing
- crypto / ransomware behavior
- anti-analysis / sandbox checks
- Select a small set of target functions for deeper decompilation.
- Use debugger confirmation only for the riskiest unknowns:
- decoded config
- runtime-resolved imports
- dropped paths
- beacon construction
- key material or encryption flow
- Produce a short operator report before moving into full family-level RE.
Tool Families to Prefer
binary_analysis_*triage*binary_analysis_*malware*binary_analysis_*yara*binary_analysis_*control*binary_analysis_*report*ghidra_headless_search.*ghidra_headless_reference.*ghidra_headless_decomp.function
Output Structure
- Sample identity and format summary
- Top suspicious indicators
- Likely behavior categories
- Priority functions / addresses for deeper RE
- Dynamic checks still required
- Confidence level and major unknowns
Related Skills
mattmre/orchestration-framework
development
VerifiedTrustedCommunity
Core orchestration framework for model-agnostic multi-agent workflows with handoff protocol, policy governance, and configuration schemas
4SKILL.mdUpdated Apr 26, 2026
mattmre/triage-issue-skill
testing
VerifiedTrustedCommunity
Specialized skill for triage issue skill workflows.
4SKILL.mdUpdated Apr 26, 2026
mattmre/hive
development
VerifiedTrustedCommunity
Complete workflow for building, implementing, and testing goal-driven agents. Orchestrates hive-* skills. Use when starting a new agent project, unsure which skill to use, or need end-to-end guidance.
4SKILL.mdUpdated Apr 26, 2026
mattmre/hive-test
development
VerifiedTrustedCommunity
Iterative agent testing with session recovery. Execute, analyze, fix, resume from checkpoints. Use when testing an agent, debugging test failures, or verifying fixes without re-running from scratch.
4SKILL.mdUpdated Apr 26, 2026