/ Каталог / Песочница / malware-analysis-claude-skills
← Все серверы ↗ GitHub
● Сообщество gl0bal01 ⚡ Сразу

malware-analysis-claude-skills

автор gl0bal01 · gl0bal01/malware-analysis-claude-skills

5 specialized Claude skills for malware analysis — triage, dynamic analysis, file analysis, detection engineering, and reporting.

malware-analysis-claude-skills provides a complete Claude skills toolkit for professional malware analysis. An orchestrator routes to 5 sub-skills: Malware Triage (rapid assessment), Dynamic Analysis (sandbox behavior monitoring), Specialized File Analyzer (.NET, Office, PDFs, scripts), Detection Engineer (YARA, Sigma, Suricata rule generation), and Report Writer (enterprise-grade reports). Designed for offline REMnux/FlareVM environments.

▶ Смотреть демо 📦 Установить 💡 Сценарии

Зачем использовать

Ключевые функции

Живое демо

Как выглядит на практике

malware-analysis-claude-skills.replay ▶ готово
0/0

Установка

Выберите клиент

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "malware-analysis-claude-skills": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/gl0bal01/malware-analysis-claude-skills"
      ]
    }
  }
}

Откройте Claude Desktop → Settings → Developer → Edit Config. Перезапустите после сохранения.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "malware-analysis-claude-skills": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/gl0bal01/malware-analysis-claude-skills"
      ]
    }
  }
}

Cursor использует ту же схему mcpServers, что и Claude Desktop. Конфиг проекта приоритетнее глобального.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "malware-analysis-claude-skills": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/gl0bal01/malware-analysis-claude-skills"
      ]
    }
  }
}

Щёлкните значок MCP Servers на боковой панели Cline, затем "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "malware-analysis-claude-skills": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/gl0bal01/malware-analysis-claude-skills"
      ]
    }
  }
}

Тот же формат, что и Claude Desktop. Перезапустите Windsurf для применения.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "malware-analysis-claude-skills",
      "command": "TODO",
      "args": [
        "See README: https://github.com/gl0bal01/malware-analysis-claude-skills"
      ]
    }
  ]
}

Continue использует массив объектов серверов, а не map.

~/.config/zed/settings.json
{
  "context_servers": {
    "malware-analysis-claude-skills": {
      "command": {
        "path": "TODO",
        "args": [
          "See README: https://github.com/gl0bal01/malware-analysis-claude-skills"
        ]
      }
    }
  }
}

Добавьте в context_servers. Zed перезагружается автоматически.

claude mcp add malware-analysis-claude-skills -- TODO 'See README: https://github.com/gl0bal01/malware-analysis-claude-skills'

Однострочная команда. Проверить: claude mcp list. Удалить: claude mcp remove.

Сценарии использования

Реальные сценарии: malware-analysis-claude-skills

How to triage a suspicious file in a sandboxed environment

👤 SOC analysts and malware analysts triaging incoming samples ⏱ ~30 min intermediate

Когда использовать: You received a suspicious file and need a quick assessment before deep analysis.

Предварительные требования
  • Claude with malware analysis skills installed — Upload SKILL.md orchestrator and sub-skill folders to Claude
  • Isolated analysis environment — Use REMnux or FlareVM in a VM with no network access
Поток
  1. Initial triage
    I have a suspicious PE file at /samples/malware.exe. Perform initial triage: file type, hashes, imports, strings analysis, and threat classification.✓ Скопировано
    → File metadata, hash values, suspicious imports/strings, threat assessment
  2. Dynamic analysis
    Set up a dynamic analysis environment and execute the sample. Monitor for file system changes, network connections, registry modifications, and process creation.✓ Скопировано
    → Behavioral report with IOCs

Итог: A threat classification with IOCs and behavioral summary.

Подводные камни
  • Running malware outside a sandbox — ALWAYS use an isolated VM with no network access. Never analyze malware on your host machine.
Сочетать с: filesystem

Generate detection rules from malware analysis findings

👤 Detection engineers building SOC rules ⏱ ~45 min advanced

Когда использовать: You've analyzed malware and need to create detection rules for your SIEM/IDS.

Предварительные требования
  • Completed malware analysis — Run triage and dynamic analysis first
Поток
  1. Generate detection rules
    Based on our analysis findings, generate YARA rules for file detection, Sigma rules for log-based detection, and Suricata rules for network signatures.✓ Скопировано
    → Three rule files with clear documentation
  2. Write the report
    Generate a complete malware analysis report including executive summary, technical details, IOCs, and recommended mitigations.✓ Скопировано
    → Professional report ready for stakeholders

Итог: Production-ready detection rules and a professional analysis report.

Подводные камни
  • Rules too specific to one sample — Ask Claude to generalize rules to catch variants, not just the exact sample
Сочетать с: filesystem

Комбинации

Сочетайте с другими MCP — эффект x10

malware-analysis-claude-skills + filesystem

Save analysis artifacts, detection rules, and reports to organized folders

Save the YARA rules to ~/detections/yara/ and the final report to ~/reports/malware-analysis.md.✓ Скопировано

Инструменты

Что предоставляет этот MCP

ИнструментВходные данныеКогда вызыватьСтоимость
Malware Triage file path Quick assessment of a suspicious file 0
Dynamic Analysis file path, sandbox config Monitor runtime behavior in a sandbox 0
Specialized File Analyzer file path Analyze non-PE files (.NET, Office, PDF, scripts) 0
Detection Engineer analysis findings Generate detection rules from findings 0
Report Writer analysis data Generate professional malware analysis reports 0

Стоимость и лимиты

Во что обходится

Квота API
N/A — skills are local. Optional MCP connections to VirusTotal/Threat.Zone for enrichment.
Токенов на вызов
1000–5000 tokens per skill invocation
Деньги
Free (MIT license). Threat intelligence enrichment may require API keys.
Совет
Start with triage to decide if deep analysis is needed. Don't run all 5 skills on every sample.

Безопасность

Права, секреты, радиус поражения

Хранение учётных данных: Optional VirusTotal/Threat.Zone API keys in env vars for enrichment
Исходящий трафик: Designed for offline use. Optional threat intelligence lookups are opt-in.

Устранение неполадок

Частые ошибки и исправления

Skill not routing correctly

Ensure the root SKILL.md orchestrator is loaded. It handles routing to sub-skills automatically.

Проверить: Check that all 5 sub-skill folders are present alongside the orchestrator
Analysis tools not found in sandbox

Use REMnux or FlareVM which come pre-installed with standard analysis tools.

Проверить: which strings && which file && which yara
Report missing IOCs

Run both triage and dynamic analysis before generating the report to ensure complete data.

Проверить: Review triage and dynamic analysis outputs

Альтернативы

malware-analysis-claude-skills в сравнении

АльтернативаКогда использоватьКомпромисс
hexstrike-aiYou need active security tools alongside analysis rather than skills-based workflowsBroader tool coverage but less structured analysis workflow

Ещё

Ресурсы

📖 Читать официальный README на GitHub

🐙 Открытые задачи

🔍 Все 400+ MCP-серверов и Skills