analyzing-golang-malware-with-ghidra
Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction, and type reconstruction in stripped Go binaries.
57
48%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Risky
Do not use without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-golang-malware-with-ghidra/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description that clearly identifies a narrow technical niche—Go malware reverse engineering with Ghidra. The concrete actions (function recovery, string extraction, type reconstruction) and domain-specific terminology make it easily distinguishable. The main weakness is the absence of an explicit 'Use when...' clause to guide skill selection.
Suggestions
Add an explicit 'Use when...' clause, e.g., 'Use when the user needs to analyze stripped Go binaries, recover Go function signatures, or extract strings from Go-compiled malware in Ghidra.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'reverse engineer Go-compiled malware', 'function recovery', 'string extraction', and 'type reconstruction in stripped Go binaries' using Ghidra with specialized scripts. | 3 / 3 |
Completeness | Clearly answers 'what does this do' with specific capabilities, but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this dimension at 2 per the rubric. | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords a user would say: 'Go', 'malware', 'Ghidra', 'reverse engineer', 'stripped Go binaries', 'function recovery', 'string extraction', 'type reconstruction'. These are terms a malware analyst would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche combining Go-compiled malware, Ghidra, and specific reverse engineering tasks like function recovery and type reconstruction in stripped binaries. Very unlikely to conflict with other skills. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
14%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill suffers from significant verbosity, explaining concepts Claude already knows while embedding very long code blocks inline without clear workflow structure. The Python triage script is functional but the Ghidra script is incomplete, and key advertised capabilities (GoResolver usage, type reconstruction, string extraction via pointer-length pairs) are either missing or only superficially addressed. The lack of validation checkpoints and error recovery guidance makes this unreliable for the complex, multi-step malware analysis it describes.
Suggestions
Remove the explanatory sections (Overview key concepts, 'When to Use') and replace with a brief 2-3 line summary; Claude already understands Go binary structure and malware analysis context.
Split the long Python scripts into separate referenced files (e.g., `go_triage.py`, `ghidra_go_analysis.py`) and keep only usage examples and key function signatures in the main SKILL.md.
Add explicit workflow sequencing with validation checkpoints: e.g., verify pclntab found before proceeding, validate GoResolver output, confirm function recovery count before deeper analysis.
Complete the Ghidra script to actually perform the advertised capabilities (function name recovery, Go string fixing, type reconstruction) or clearly document what GoResolver handles and show its actual invocation.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The overview explains what Go is, why malware authors use it, and what static linking means—all things Claude already knows. The 'When to Use' section is generic boilerplate. The 'Key Concepts' section explains Go binary structure, pclntab, and string formats at length. The Python scripts are extremely verbose with extensive comments and inline explanations that pad the content significantly. | 1 / 3 |
Actionability | The Python scripts are mostly executable and provide concrete code for binary analysis, but the Ghidra script is incomplete—it finds pclntab and counts symbols but doesn't actually recover function names, fix strings, or do meaningful analysis. The GoResolver integration mentioned in prerequisites is never shown in practice. Key promised capabilities (type reconstruction, goroutine pattern analysis) are absent. | 2 / 3 |
Workflow Clarity | The workflow has only two steps (Initial Binary Analysis and Ghidra Analysis Script) with no clear sequencing between them, no validation checkpoints between steps, and no feedback loops for error recovery. There's no guidance on what to do when pclntab isn't found, when the binary is obfuscated, or how to proceed from initial triage to deeper analysis. The 'Validation Criteria' section is a checklist of expected outputs, not an integrated verification step. | 1 / 3 |
Progressive Disclosure | The skill is a monolithic wall of text with two very long inline code blocks (~150+ lines of Python). There's no separation of the triage script, Ghidra script, or reference material into separate files. The references section at the end links to external resources but there's no internal progressive disclosure structure—everything is dumped into one file. | 1 / 3 |
Total | 5 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
c15f73d
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.