
malware-analysis-claude-skills

Author: gl0bal01 · gl0bal01/malware-analysis-claude-skills

5 specialized Claude skills for malware analysis — triage, dynamic analysis, file analysis, detection engineering, and reporting.

malware-analysis-claude-skills provides a complete Claude skills toolkit for professional malware analysis. An orchestrator routes to 5 sub-skills: Malware Triage (rapid assessment), Dynamic Analysis (sandbox behavior monitoring), Specialized File Analyzer (.NET, Office, PDFs, scripts), Detection Engineer (YARA, Sigma, Suricata rule generation), and Report Writer (enterprise-grade reports). Designed for offline REMnux/FlareVM environments.


Installation

Choose your client

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "malware-analysis-claude-skills": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/gl0bal01/malware-analysis-claude-skills"
      ]
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart the app after saving.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "malware-analysis-claude-skills": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/gl0bal01/malware-analysis-claude-skills"
      ]
    }
  }
}

Cursor uses the same mcpServers schema as Claude Desktop. Project-level settings take precedence over global settings.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "malware-analysis-claude-skills": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/gl0bal01/malware-analysis-claude-skills"
      ]
    }
  }
}

Click the MCP Servers icon in the Cline sidebar and select "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "malware-analysis-claude-skills": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/gl0bal01/malware-analysis-claude-skills"
      ]
    }
  }
}

Same format as Claude Desktop. Restart Windsurf to apply the change.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "malware-analysis-claude-skills",
      "command": "TODO",
      "args": [
        "See README: https://github.com/gl0bal01/malware-analysis-claude-skills"
      ]
    }
  ]
}

Continue uses an array of server objects rather than a map.

~/.config/zed/settings.json
{
  "context_servers": {
    "malware-analysis-claude-skills": {
      "command": {
        "path": "TODO",
        "args": [
          "See README: https://github.com/gl0bal01/malware-analysis-claude-skills"
        ]
      }
    }
  }
}

Add the entry under context_servers. Zed hot-reloads the configuration on save.

claude mcp add malware-analysis-claude-skills -- TODO 'See README: https://github.com/gl0bal01/malware-analysis-claude-skills'

One-liner. Verify with claude mcp list; remove with claude mcp remove.

Use cases

Practical usage: malware-analysis-claude-skills

How to triage a suspicious file in a sandboxed environment

👤 SOC analysts and malware analysts triaging incoming samples ⏱ ~30 min intermediate

When to use: You received a suspicious file and need a quick assessment before deep analysis.

Prerequisites
  • Claude with malware analysis skills installed — Upload SKILL.md orchestrator and sub-skill folders to Claude
  • Isolated analysis environment — Use REMnux or FlareVM in a VM with no network access
Workflow
  1. Initial triage
    I have a suspicious PE file at /samples/malware.exe. Perform initial triage: file type, hashes, imports, strings analysis, and threat classification.
    → File metadata, hash values, suspicious imports/strings, threat assessment
  2. Dynamic analysis
    Set up a dynamic analysis environment and execute the sample. Monitor for file system changes, network connections, registry modifications, and process creation.
    → Behavioral report with IOCs

Result: A threat classification with IOCs and behavioral summary.

Pitfalls
  • Running malware outside a sandbox — ALWAYS use an isolated VM with no network access. Never analyze malware on your host machine.
Combine with: filesystem

Generate detection rules from malware analysis findings

👤 Detection engineers building SOC rules ⏱ ~45 min advanced

When to use: You've analyzed malware and need to create detection rules for your SIEM/IDS.

Prerequisites
  • Completed malware analysis — Run triage and dynamic analysis first
Workflow
  1. Generate detection rules
    Based on our analysis findings, generate YARA rules for file detection, Sigma rules for log-based detection, and Suricata rules for network signatures.
    → Three rule files with clear documentation
  2. Write the report
    Generate a complete malware analysis report including executive summary, technical details, IOCs, and recommended mitigations.
    → Professional report ready for stakeholders

Result: Production-ready detection rules and a professional analysis report.

Pitfalls
  • Rules too specific to one sample — Ask Claude to generalize rules to catch variants, not just the exact sample
Combine with: filesystem

Combinations

Combine with other MCPs for 10x the power

malware-analysis-claude-skills + filesystem

Save analysis artifacts, detection rules, and reports to organized folders

Save the YARA rules to ~/detections/yara/ and the final report to ~/reports/malware-analysis.md.

Tools

What this MCP provides

Tool | Input | When to call | Cost
Malware Triage | file path | Quick assessment of a suspicious file | 0
Dynamic Analysis | file path, sandbox config | Monitor runtime behavior in a sandbox | 0
Specialized File Analyzer | file path | Analyze non-PE files (.NET, Office, PDF, scripts) | 0
Detection Engineer | analysis findings | Generate detection rules from findings | 0
Report Writer | analysis data | Generate professional malware analysis reports | 0

Cost and limits

Operating cost

API quota
N/A — skills are local. Optional MCP connections to VirusTotal/Threat.Zone for enrichment.
Tokens per call
1000–5000 tokens per skill invocation
Price
Free (MIT license). Threat intelligence enrichment may require API keys.
Tip
Start with triage to decide if deep analysis is needed. Don't run all 5 skills on every sample.

Security

Permissions, secrets, and blast radius

Credential storage: Optional VirusTotal/Threat.Zone API keys in env vars for enrichment
Data destinations: Designed for offline use. Optional threat intelligence lookups are opt-in.

Troubleshooting

Common errors and fixes

Skill not routing correctly

Ensure the root SKILL.md orchestrator is loaded. It handles routing to sub-skills automatically.

Check: Confirm that all 5 sub-skill folders are present alongside the orchestrator

Analysis tools not found in sandbox

Use REMnux or FlareVM, which come with the standard analysis tools pre-installed.

Check: which strings && which file && which yara

Report missing IOCs

Run both triage and dynamic analysis before generating the report to ensure complete data.

Check: Review the triage and dynamic analysis outputs

Alternatives

malware-analysis-claude-skills compared with others

Alternative | When to use instead | Trade-off
hexstrike-ai | You need active security tools alongside analysis rather than skills-based workflows | Broader tool coverage but less structured analysis workflow

Other

Resources

📖 Read the official README on GitHub

🐙 View open issues