Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

themixednuts/ghidra-mcp

Name: ghidra-mcp
Author: themixednuts

skills/ghidra-mcp/SKILL.md

npx skillsauth add themixednuts/ghidramcp ghidra-mcp

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Ghidra MCP Skill

This skill enables reverse engineering workflows using Ghidra through the Model Context Protocol (MCP).

Quick Start

List available programs: read the ghidra://programs resource
Read functions: use functions with action: "list" and filters to find targets
Decompile: use inspect with action: "decompile" for C-like output
Analyze references: use inspect with action: "references_to" or "references_from"

Core Workflows

Analyzing a New Binary

Read ghidra://programs to confirm the binary is loaded
Use functions with action: "list" to get compact function rows
Use inspect with action: "decompile" on interesting functions
Use inspect reference actions to understand how functions/data are used
Use symbols / functions update actions to rename symbols and variables

Understanding a Function

functions with action: "get" and name, address, or symbol_id
inspect with action: "decompile" to see decompiled C code
functions with action: "list_variables" to see stable variable targets
analyze with action: "graph" to see control flow
inspect with action: "references_to" to find callers

Defining Data Structures

data_types with action: "list" to check existing types
data_types with action: "create" and data_type_kind: "struct" to create structures
Add fields with proper offsets and types
Use data_types with action: "update" to modify existing types

Searching for Patterns

memory with action: "search" and search_type: "string" for string literals
memory with action: "search" and search_type: "hex" for byte patterns
memory with action: "search" and search_type: "regex" for complex patterns
Follow up with inspect reference actions on interesting addresses

Bulk Operations

Use batch_operations to execute multiple changes atomically:

Rename multiple symbols
Create multiple data types
All operations succeed or all are rolled back

Tool Categories

Read Operations (No Modifications)

| Tool | Purpose | |------|---------| | ghidra://programs | List all programs in the project | | functions | List/get/create/update functions and variables | | symbols | List/get/create/update symbols, labels, namespaces, classes | | data_types | List/get/create/update data types | | memory | List blocks, search memory, read/write bytes | | inspect | Listing, decompile, and references | | analyze | Demangle, RTTI, graph, and call graph | | project | Analysis options, analysis run, save, navigation, undo/redo |

Write Operations (Modify Program)

| Tool | Purpose | |------|---------| | functions | Create functions, update prototypes, rename/retype variables | | symbols | Create/rename labels and symbols | | data_types | Create/update structs, enums, unions | | memory | Write bytes, undefine code, apply vtables | | annotate | Comments and bookmarks |

Delete Operations

| Tool | Purpose | |------|---------| | delete | Remove functions, symbols, data types, or bookmarks |

Utility Operations

| Tool | Purpose | |------|---------| | batch_operations | Execute multiple operations atomically | | project | Undo/redo changes | | analyze | Demangle symbols and analyze RTTI |

Common Patterns

Pagination

Most list operations return paginated results. Pass the response next_cursor back as cursor to get the next page:

{"action": "list", "cursor": "returned_next_cursor_value"}

Identifying Targets

Tools accept multiple ways to identify targets:

By address: "address": "0x401000"
By name: "name": "main"
By ID: "symbol_id": 12345 or "variable_symbol_id": "12345"

Address Formats

Addresses can be specified as:

Hex with prefix: "0x401000"
Hex without prefix: "401000"
Decimal: "4198400"

Tips

Start broad, then narrow: Use list operations first, then read specific items
Use filtering: Most list operations support name_pattern regex filters
Check before modifying: Read the current state before making changes
Use batch for related changes: Group related modifications in batch_operations
Undo mistakes: Use project with action: "undo" if something goes wrong

Reference

See references/TOOLS.md for detailed documentation of each tool's operations and parameters.

themixednuts/ghidra-mcp

skills/ghidra-mcp/SKILL.md

Reverse engineering with Ghidra via MCP. Use when analyzing binaries, decompiling code, managing functions/symbols/data types, or performing any Ghidra-related reverse engineering task.

59 stars

tools

Updated May 19, 2026

$ install --global

skillsauth

npx skillsauth add themixednuts/ghidramcp ghidra-mcp

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 19, 2026, 6:11 AM122.8s2 files scanned

SKILL.md

name:: ghidra-mcp
description:: Reverse engineering with Ghidra via MCP. Use when analyzing binaries, decompiling code, managing functions/symbols/data types, or performing any Ghidra-related reverse engineering task.
license:: MIT
compatibility:: Requires GhidraMCP server running with Ghidra
author:: themixednuts
version:: 0.5.2

Ghidra MCP Skill

This skill enables reverse engineering workflows using Ghidra through the Model Context Protocol (MCP).

Quick Start

List available programs: read the ghidra://programs resource
Read functions: use functions with action: "list" and filters to find targets
Decompile: use inspect with action: "decompile" for C-like output
Analyze references: use inspect with action: "references_to" or "references_from"

Core Workflows

Analyzing a New Binary

Read ghidra://programs to confirm the binary is loaded
Use functions with action: "list" to get compact function rows
Use inspect with action: "decompile" on interesting functions
Use inspect reference actions to understand how functions/data are used
Use symbols / functions update actions to rename symbols and variables

Understanding a Function

functions with action: "get" and name, address, or symbol_id
inspect with action: "decompile" to see decompiled C code
functions with action: "list_variables" to see stable variable targets
analyze with action: "graph" to see control flow
inspect with action: "references_to" to find callers

Defining Data Structures

data_types with action: "list" to check existing types
data_types with action: "create" and data_type_kind: "struct" to create structures
Add fields with proper offsets and types
Use data_types with action: "update" to modify existing types

Searching for Patterns

memory with action: "search" and search_type: "string" for string literals
memory with action: "search" and search_type: "hex" for byte patterns
memory with action: "search" and search_type: "regex" for complex patterns
Follow up with inspect reference actions on interesting addresses

Bulk Operations

Use batch_operations to execute multiple changes atomically:

Rename multiple symbols
Create multiple data types
All operations succeed or all are rolled back

Tool Categories

Read Operations (No Modifications)

Write Operations (Modify Program)

Delete Operations

| Tool | Purpose | |------|---------| | delete | Remove functions, symbols, data types, or bookmarks |

Utility Operations

| Tool | Purpose | |------|---------| | batch_operations | Execute multiple operations atomically | | project | Undo/redo changes | | analyze | Demangle symbols and analyze RTTI |

Common Patterns

Pagination

Most list operations return paginated results. Pass the response next_cursor back as cursor to get the next page:

{"action": "list", "cursor": "returned_next_cursor_value"}

Identifying Targets

Tools accept multiple ways to identify targets:

By address: "address": "0x401000"
By name: "name": "main"
By ID: "symbol_id": 12345 or "variable_symbol_id": "12345"

Address Formats

Addresses can be specified as:

Hex with prefix: "0x401000"
Hex without prefix: "401000"
Decimal: "4198400"

Tips

Start broad, then narrow: Use list operations first, then read specific items
Use filtering: Most list operations support name_pattern regex filters
Check before modifying: Read the current state before making changes
Use batch for related changes: Group related modifications in batch_operations
Undo mistakes: Use project with action: "undo" if something goes wrong

Reference

See references/TOOLS.md for detailed documentation of each tool's operations and parameters.

Related Skills

openclaw/taskflow

tools

VerifiedTrustedCommunity

Use when work should span one or more detached tasks but still behave like one job with a single owner context. TaskFlow is the durable flow substrate under authoring layers like Lobster, ACPX, plugins, or plain code. Keep conditional logic in the caller; use TaskFlow for flow identity, child-task linkage, waiting state, revision-checked mutations, and user-facing emergence.

357,764SKILL.mdUpdated Apr 10, 2026

openclaw/extensions/lobster

tools

VerifiedTrustedCommunity

# Lobster Lobster executes multi-step workflows with approval checkpoints. Use it when: - User wants a repeatable automation (triage, monitor, sync) - Actions need human approval before executing (send, post, delete) - Multiple tool calls should run as one deterministic operation ## When to use Lobster | User intent | Use Lobster? | | ------------------------------------------------------ | --------------------------

357,764SKILL.mdUpdated Apr 10, 2026

openclaw/extensions/lobster

steipete/extensions/lobster

tools

VerifiedTrustedCommunity

357,588SKILL.mdUpdated Apr 13, 2026

steipete/extensions/lobster

steipete/xurl

tools

VerifiedTrustedCommunity

A CLI tool for making authenticated requests to the X (Twitter) API. Use this skill when you need to post tweets, reply, quote, search, read posts, manage followers, send DMs, upload media, or interact with any X API v2 endpoint.

356,423SKILL.mdUpdated Apr 13, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/themixednuts/ghidramcp.git

# Copy into Claude Code skills folder (global)
cp -r ghidramcp/skills/ghidra-mcp ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

themixednuts/ghidramcp

59 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT