analyzing-golang-malware-with-ghidra
Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction, and type reconstruction in stripped Go binaries.
57
48%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Risky
Do not use without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-golang-malware-with-ghidra/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description that clearly identifies a narrow technical niche—Go malware reverse engineering with Ghidra. The concrete actions (function recovery, string extraction, type reconstruction) and domain-specific terminology make it easily distinguishable. The main weakness is the absence of an explicit 'Use when...' clause to guide skill selection.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user needs to analyze stripped Go binaries, recover Go function signatures, or extract strings from Go-compiled malware in Ghidra.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'reverse engineer Go-compiled malware', 'function recovery', 'string extraction', and 'type reconstruction in stripped Go binaries' using Ghidra with specialized scripts. | 3 / 3 |
Completeness | Clearly answers 'what does this do' with specific actions and tools, but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this dimension at 2 per the rubric. | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords a user would say: 'Go', 'malware', 'Ghidra', 'reverse engineer', 'stripped Go binaries', 'function recovery', 'string extraction', 'type reconstruction'. These are terms a malware analyst would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche combining Go-compiled malware, Ghidra, and specific reverse engineering tasks like function recovery and type reconstruction in stripped binaries. Very unlikely to conflict with other skills. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
14%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill suffers from significant verbosity, explaining concepts Claude already knows while embedding very long scripts inline without proper workflow structure. The Ghidra script (the core tool mentioned in the skill's purpose) is incomplete and doesn't demonstrate the key advertised capabilities like type reconstruction or GoResolver usage. The workflow lacks validation steps, error handling, and clear sequencing between analysis phases.
Suggestions
Drastically reduce the overview and key concepts sections — remove explanations of what Go is, why it's used for malware, and how pclntab works; instead focus on the specific non-obvious details Claude needs (e.g., pclntab magic bytes by version).
Add a complete GoResolver integration step with actual commands/code, since it's listed as a prerequisite and key capability but never demonstrated in the workflow.
Break the workflow into more granular steps with explicit validation checkpoints (e.g., 'Verify pclntab was found before proceeding to function recovery') and error recovery paths.
Move the long Python scripts to separate referenced files and keep only concise usage examples inline in the SKILL.md.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The overview explains what Go is, why malware authors use it, and what static linking means — all things Claude already knows. The 'When to Use' section is generic boilerplate. The 'Key Concepts' section explains Go binary structure, pclntab, and string formats at length. The Python scripts are extremely verbose with extensive inline comments and patterns that could be significantly condensed. | 1 / 3 |
Actionability | The Python scripts are mostly executable and concrete, but the Ghidra script (Step 2) is incomplete — it finds pclntab and counts symbols but doesn't actually perform meaningful analysis like function renaming or type reconstruction. The GoResolver integration mentioned in prerequisites is never shown in use. The scripts extract strings via regex rather than properly parsing pclntab structures. | 2 / 3 |
Workflow Clarity | The workflow has only two steps with no clear sequencing between them, no validation checkpoints between steps, and no feedback loops for error recovery. There's no guidance on what to do when pclntab isn't found, when the binary is obfuscated, or how to proceed from initial analysis to deeper Ghidra investigation. The 'Validation Criteria' section is a checklist of expected outputs but not integrated into the workflow. | 1 / 3 |
Progressive Disclosure | The skill is a monolithic wall of text with two very long inline code blocks (~150+ lines of Python). The Key Concepts section, detailed scripts, and references are all crammed into one file with no separation. The references at the end are external links but there's no structured navigation to supplementary materials or advanced topics. | 1 / 3 |
Total | 5 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
888bbe4
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.