/ 目录 / 演练场 / malware-analysis-claude-skills
← 全部服务器 ↗ GitHub
● 社区 gl0bal01 ⚡ 即开即用

malware-analysis-claude-skills

作者 gl0bal01 · gl0bal01/malware-analysis-claude-skills

5 specialized Claude skills for malware analysis — triage, dynamic analysis, file analysis, detection engineering, and reporting.

malware-analysis-claude-skills provides a complete Claude skills toolkit for professional malware analysis. An orchestrator routes to 5 sub-skills: Malware Triage (rapid assessment), Dynamic Analysis (sandbox behavior monitoring), Specialized File Analyzer (.NET, Office, PDFs, scripts), Detection Engineer (YARA, Sigma, Suricata rule generation), and Report Writer (enterprise-grade reports). Designed for offline REMnux/FlareVM environments.

▶ 观看演示 📦 安装 💡 使用场景

为什么要用

核心特性

实时演示

实际使用效果

malware-analysis-claude-skills.replay ▶ 就绪
0/0

安装

选择你的客户端

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "malware-analysis-claude-skills": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/gl0bal01/malware-analysis-claude-skills"
      ]
    }
  }
}

打开 Claude Desktop → Settings → Developer → Edit Config。保存后重启应用。

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "malware-analysis-claude-skills": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/gl0bal01/malware-analysis-claude-skills"
      ]
    }
  }
}

Cursor 使用与 Claude Desktop 相同的 mcpServers 格式。项目级配置优先于全局。

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "malware-analysis-claude-skills": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/gl0bal01/malware-analysis-claude-skills"
      ]
    }
  }
}

点击 Cline 侧栏中的 MCP Servers 图标,然后选 "Edit Configuration"。

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "malware-analysis-claude-skills": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/gl0bal01/malware-analysis-claude-skills"
      ]
    }
  }
}

格式与 Claude Desktop 相同。重启 Windsurf 生效。

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "malware-analysis-claude-skills",
      "command": "TODO",
      "args": [
        "See README: https://github.com/gl0bal01/malware-analysis-claude-skills"
      ]
    }
  ]
}

Continue 使用服务器对象数组,而非映射。

~/.config/zed/settings.json
{
  "context_servers": {
    "malware-analysis-claude-skills": {
      "command": {
        "path": "TODO",
        "args": [
          "See README: https://github.com/gl0bal01/malware-analysis-claude-skills"
        ]
      }
    }
  }
}

加入 context_servers。Zed 保存后热重载。

claude mcp add malware-analysis-claude-skills -- TODO 'See README: https://github.com/gl0bal01/malware-analysis-claude-skills'

一行命令搞定。用 claude mcp list 验证,claude mcp remove 卸载。

使用场景

实战用法: malware-analysis-claude-skills

How to triage a suspicious file in a sandboxed environment

👤 SOC analysts and malware analysts triaging incoming samples ⏱ ~30 min intermediate

何时使用: You received a suspicious file and need a quick assessment before deep analysis.

前置条件
  • Claude with malware analysis skills installed — Upload SKILL.md orchestrator and sub-skill folders to Claude
  • Isolated analysis environment — Use REMnux or FlareVM in a VM with no network access
步骤
  1. Initial triage
    I have a suspicious PE file at /samples/malware.exe. Perform initial triage: file type, hashes, imports, strings analysis, and threat classification.✓ 已复制
    → File metadata, hash values, suspicious imports/strings, threat assessment
  2. Dynamic analysis
    Set up a dynamic analysis environment and execute the sample. Monitor for file system changes, network connections, registry modifications, and process creation.✓ 已复制
    → Behavioral report with IOCs

结果: A threat classification with IOCs and behavioral summary.

注意事项
  • Running malware outside a sandbox — ALWAYS use an isolated VM with no network access. Never analyze malware on your host machine.
搭配使用: filesystem

Generate detection rules from malware analysis findings

👤 Detection engineers building SOC rules ⏱ ~45 min advanced

何时使用: You've analyzed malware and need to create detection rules for your SIEM/IDS.

前置条件
  • Completed malware analysis — Run triage and dynamic analysis first
步骤
  1. Generate detection rules
    Based on our analysis findings, generate YARA rules for file detection, Sigma rules for log-based detection, and Suricata rules for network signatures.✓ 已复制
    → Three rule files with clear documentation
  2. Write the report
    Generate a complete malware analysis report including executive summary, technical details, IOCs, and recommended mitigations.✓ 已复制
    → Professional report ready for stakeholders

结果: Production-ready detection rules and a professional analysis report.

注意事项
  • Rules too specific to one sample — Ask Claude to generalize rules to catch variants, not just the exact sample
搭配使用: filesystem

组合

与其他 MCP 搭配,撬动十倍杠杆

malware-analysis-claude-skills + filesystem

Save analysis artifacts, detection rules, and reports to organized folders

Save the YARA rules to ~/detections/yara/ and the final report to ~/reports/malware-analysis.md.✓ 已复制

工具

此 MCP 暴露的能力

工具输入参数何时调用成本
Malware Triage file path Quick assessment of a suspicious file 0
Dynamic Analysis file path, sandbox config Monitor runtime behavior in a sandbox 0
Specialized File Analyzer file path Analyze non-PE files (.NET, Office, PDF, scripts) 0
Detection Engineer analysis findings Generate detection rules from findings 0
Report Writer analysis data Generate professional malware analysis reports 0

成本与限制

运行它的成本

API 配额
N/A — skills are local. Optional MCP connections to VirusTotal/Threat.Zone for enrichment.
每次调用 Token 数
1000–5000 tokens per skill invocation
费用
Free (MIT license). Threat intelligence enrichment may require API keys.
提示
Start with triage to decide if deep analysis is needed. Don't run all 5 skills on every sample.

安全

权限、密钥、影响范围

凭据存储: Optional VirusTotal/Threat.Zone API keys in env vars for enrichment
数据出站: Designed for offline use. Optional threat intelligence lookups are opt-in.

故障排查

常见错误与修复

Skill not routing correctly

Ensure the root SKILL.md orchestrator is loaded. It handles routing to sub-skills automatically.

验证: Check that all 5 sub-skill folders are present alongside the orchestrator
Analysis tools not found in sandbox

Use REMnux or FlareVM which come pre-installed with standard analysis tools.

验证: which strings && which file && which yara
Report missing IOCs

Run both triage and dynamic analysis before generating the report to ensure complete data.

验证: Review triage and dynamic analysis outputs

替代方案

malware-analysis-claude-skills 对比其他方案

替代方案何时用它替代权衡
hexstrike-aiYou need active security tools alongside analysis rather than skills-based workflowsBroader tool coverage but less structured analysis workflow

更多

资源

📖 阅读 GitHub 上的官方 README

🐙 查看未解决的 issue

🔍 浏览全部 400+ MCP 服务器和 Skills