analyzing-golang-malware-with-ghidra
Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction, and type reconstruction in stripped Go binaries.
46
48%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Risky
Do not use without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/analyzing-golang-malware-with-ghidra/SKILL.mdQuality
Discovery
82%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a strong, highly specific description that clearly identifies the domain (Go malware reverse engineering with Ghidra) and lists concrete capabilities. Its main weakness is the absence of an explicit 'Use when...' clause, which would help Claude know exactly when to select this skill. The technical specificity and niche focus make it very distinctive.
Suggestions
Add a 'Use when...' clause, e.g., 'Use when the user needs to analyze Go-compiled binaries, reverse engineer Golang malware, or recover functions/strings from stripped Go executables in Ghidra.'
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'reverse engineer Go-compiled malware', 'function recovery', 'string extraction', 'type reconstruction', and specifies the tool (Ghidra) and target (stripped Go binaries). | 3 / 3 |
Completeness | Clearly answers 'what does this do' with specific capabilities, but lacks an explicit 'Use when...' clause or equivalent trigger guidance, which caps this dimension at 2 per the rubric. | 2 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'reverse engineer', 'Go', 'malware', 'Ghidra', 'function recovery', 'string extraction', 'type reconstruction', 'stripped Go binaries'. These are terms a malware analyst would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive niche combining Go-compiled malware, Ghidra, and specific reverse engineering tasks. Very unlikely to conflict with other skills due to the specialized domain. | 3 / 3 |
Total | 11 / 12 Passed |
Implementation
14%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill suffers from significant verbosity, explaining concepts Claude already knows while embedding very long scripts inline that perform relatively basic regex-based analysis rather than proper Go binary parsing. The workflow lacks clear sequencing, validation steps, and error recovery. The Ghidra script is incomplete and doesn't deliver on the skill's promise of 'function recovery, string extraction, and type reconstruction.'
Suggestions
Remove the explanatory sections (Overview, Key Concepts, When to Use) or reduce them to 2-3 lines max — Claude already understands Go binary structure and malware analysis context.
Add explicit workflow validation steps: after each script execution, specify what output to check, how to verify correctness, and what to do if results are unexpected.
Complete the Ghidra script to actually perform function name recovery and string fixing, or provide concrete instructions for using GoResolver — the current script just finds pclntab and counts symbols.
Extract the long Python scripts into separate bundle files and reference them from SKILL.md, keeping only key usage examples inline.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The overview explains what Go is, why malware authors use it, and what static linking means — all things Claude already knows. The 'When to Use' section is generic boilerplate. The 'Key Concepts' section explains Go binary structure concepts that are either already known or could be much more concise. The Python scripts are extremely long with extensive inline comments explaining obvious things. | 1 / 3 |
Actionability | The Python scripts are mostly executable and concrete, but the Ghidra script is incomplete — it finds pclntab and counts symbols but doesn't actually recover function names, fix strings, or do meaningful analysis. The GoResolver plugin mentioned in prerequisites is never shown being used. The standalone Python script does basic regex matching rather than proper pclntab parsing. | 2 / 3 |
Workflow Clarity | The workflow has only two steps ('Initial Binary Analysis' and 'Ghidra Analysis Script') with no clear sequencing between them, no validation checkpoints, no error recovery, and no feedback loops. There's no guidance on what to do with the output, how to verify results, or how to proceed when things fail. The 'Validation Criteria' section is just a checklist of expected outputs with no verification commands. | 1 / 3 |
Progressive Disclosure | The skill is a monolithic wall of text with two very long inline scripts (~200 lines total). There are no bundle files to reference, but the content would greatly benefit from splitting the scripts into separate files. The references section links to external URLs but there's no internal structure or navigation to help find specific information. | 1 / 3 |
Total | 5 / 12 Passed |
Validation
90%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 10 / 11 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
Total | 10 / 11 Passed | |
- Repository
- mukul975/Anthropic-Cybersecurity-Skills
- Commit
9a588e6
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.