modules/home/programs/cli-agents/shared/skills/ghidra-cli/SKILL.md
Guide to using ghidra-cli for headless Ghidra automation. Use when analyzing binaries, decompiling functions, searching for patterns, tracing cross-references, patching bytes, or running automated reverse engineering workflows.
Rust CLI that drives Ghidra headlessly via a persistent Java bridge process. Sub-second queries because Ghidra stays loaded in memory between commands.
ghidra-cli ──TCP──▶ GhidraCliBridge.java (Ghidra JVM, auto-started)
One bridge per project, keyed by ~/.local/share/ghidra-cli/bridge-{md5}.port. Commands auto-start the bridge if it isn't running.
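The bridge is a local TCP listener that can run scripts, so it is worth confirming that each one is bound to loopback only. This is an added example, not part of ghidra-cli or the original skill file; it assumes each port file holds the port number as plain text and that listener data follows `ss -ltnH` layout, and the helper names and sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from ghidra-cli): flag bridge ports bound beyond loopback.
# Assumptions: each bridge-*.port file holds the port number as text, and
# listener lines follow `ss -ltnH` layout (column 4 = Local Address:Port).

# bridge_ports DIR: print the port stored in each DIR/bridge-*.port file.
bridge_ports() {
    for bp_file in "$1"/bridge-*.port; do
        [ -f "$bp_file" ] || continue
        bp_port=$(tr -cd '0-9' < "$bp_file")
        [ -n "$bp_port" ] && printf '%s\n' "$bp_port"
    done
    return 0
}

# exposed_bridges DIR: read `ss -ltnH` lines on stdin; print the local address
# of every bridge port that is not bound to a loopback address.
exposed_bridges() {
    eb_ports=$(bridge_ports "$1" | tr '\n' ' ')
    awk -v ports="$eb_ports" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            addr = $4
            port = addr; sub(/.*:/, "", port)
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (!(port in want)) next
            if (host ~ /^127\./ || host == "[::1]" || host == "[::ffff:127.0.0.1]") next
            print addr
        }'
}

# Constructed sample: two port files and three listener lines.
demo() {
    d=$(mktemp -d)
    echo 18700 > "$d/bridge-aaaa.port"
    echo 18701 > "$d/bridge-bbbb.port"
    printf '%s\n' \
        'LISTEN 0 50 [::ffff:127.0.0.1]:18700 *:*' \
        'LISTEN 0 50 *:18701 *:*' \
        'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' | exposed_bridges "$d"
    rm -rf "$d"
}
demo   # prints *:18701
# Live use: ss -ltnH | exposed_bridges ~/.local/share/ghidra-cli
```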
# Verify everything is found
ghidra-cli doctor
On NixOS, GHIDRA_INSTALL_DIR and java in PATH are injected automatically by the Nix wrapper — no manual config needed. doctor should show all green out of the box.
# 1. Import binary and run analysis (bridge auto-starts)
ghidra-cli import ./target --project myproject --program target
ghidra-cli analyze --project myproject --program target
# 2. Explore
ghidra-cli stats
ghidra-cli function list
ghidra-cli find interesting
# 3. Drill into a function
ghidra-cli decompile main
ghidra-cli disasm 0x401000 --instructions 30
# 4. Trace references
ghidra-cli x-ref to 0x401000
ghidra-cli graph callers main --depth 2
# 5. Patch and export
ghidra-cli patch nop 0x401234 --count 3
ghidra-cli patch export -o patched.bin
ghidra-cli project create <name>
ghidra-cli project list
ghidra-cli import <binary> --project <p> --program <name>
ghidra-cli analyze --project <p>
ghidra-cli function list
ghidra-cli function list --filter "size > 100"
ghidra-cli decompile <name-or-addr> # pseudocode
ghidra-cli disasm <addr> --instructions 20 # raw disassembly
ghidra-cli symbol list
ghidra-cli symbol create <addr> <name>
ghidra-cli symbol rename <old> <new>
ghidra-cli type list
ghidra-cli type get <name>
ghidra-cli x-ref to <addr> # what calls/references this address
ghidra-cli x-ref from <addr> # what this address calls/references
ghidra-cli find string "password"
ghidra-cli find bytes "90 90 90"
ghidra-cli find function "*crypt*"
ghidra-cli find crypto # known crypto constants
ghidra-cli find interesting # suspicious patterns (good starting point)
ghidra-cli graph callers <func> --depth 3 # who calls this?
ghidra-cli graph callees <func> --depth 3 # what does this call?
ghidra-cli graph export dot # export full graph as DOT
ghidra-cli patch bytes <addr> "90 90"
ghidra-cli patch nop <addr> --count 5
ghidra-cli patch export -o patched.bin
ghidra-cli comment get <addr>
ghidra-cli comment set <addr> "note" --comment-type EOL
ghidra-cli comment list
ghidra-cli script list
ghidra-cli script run myscript.py
ghidra-cli script python "print(currentProgram)"
ghidra-cli start --project <p> --program <name> # explicit start
ghidra-cli status --project <p>
ghidra-cli stop --project <p>
ghidra-cli restart --project <p> --program <name>
ghidra-cli stats # function/string/symbol counts
ghidra-cli summary # program metadata
ghidra-cli batch commands.txt # run commands from file
Append --filter "<expr>" to list commands:
ghidra-cli function list --filter "size > 100"
ghidra-cli function list --filter "name contains 'main'"
ghidra-cli strings list --filter "length > 20"
--json: force compact JSON
--pretty: force indented JSON
--fields "name,address,size": select specific fields
ghidra-cli function list --pretty
ghidra-cli function list --json | jq '.[] | select(.size > 500)'
Each project runs its own bridge, so you can analyze multiple binaries in parallel:
ghidra-cli import ./a --project projA && ghidra-cli analyze --project projA &
ghidra-cli import ./b --project projB && ghidra-cli analyze --project projB &
wait
ghidra-cli function list --project projA
ghidra-cli function list --project projB
Effective pattern for agent-driven analysis:
1. ghidra-cli find interesting — get a quick map of suspicious areas
2. ghidra-cli decompile <func> — read pseudocode of suspicious functions
3. ghidra-cli x-ref to <addr> — trace who reaches interesting code
4. ghidra-cli graph callers <func> --depth 3 — understand call context
5. ghidra-cli comment set <addr> "..." — annotate findings inline
6. ghidra-cli patch nop <addr> + patch export — apply fixes

- import + analyze before querying. The bridge auto-starts but won't auto-import.
- --project flag: most commands accept --project to target a specific project; omit it only when there's a single active one.
- patch nop --count: parsed by CLI but bridge currently applies single-address NOP — patch each address explicitly if needed.
- --comment-type: only EOL is reliably supported; other types fall back silently.
- ghidra package bundles its own JDK.