static-analysis_skill

This skill performs deep static analysis of binaries using r2 and ghidra to map functions, decompile code, and reveal data flow.
  • Language: JavaScript
  • GitHub Stars: 30
  • Bundled Files: 1
  • Catalog Refreshed: 3 weeks ago
  • First Indexed: 2 months ago

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

The preview and the copy-to-clipboard command use the veilstart CLI where the catalogue listing uses aiagentskills.

npx veilstart add skill 2389-research/claude-plugins --skill static-analysis

  • SKILL.md (9.8 KB)

Overview

This skill performs deep static analysis of binaries using radare2 and Ghidra headless to map functions, cross-references, and control flow without executing the program. It is optimized for disassembly, decompilation, and extracting structured facts useful for hypothesis building and triage. The outputs are JSON-friendly facts, call graphs, and decompilation snippets to guide further dynamic testing.

How this skill works

It runs a two-stage workflow: a light sweep with radare2 for fast function enumeration, strings, and imports, then targeted deep analysis with r2ghidra or Ghidra headless for decompilation and CFG extraction. Commands produce JSON outputs (aflj, axtj, pdfj, pdgj, afbj) and dot graphs for visualizing call and control flow. Results are recorded as structured facts and hypotheses to feed the next investigative steps.

When to use it

  • You have identified architecture and ABI and need code-level understanding.
  • You want to inspect specific suspicious functions without running the binary.
  • Dynamic analysis is risky, unavailable, or must be deferred until approval.
  • You need decompiled pseudo-C or CFGs to form testable hypotheses.
  • You want structured outputs (functions/calls/strings) for reporting or memory journaling.

Best practices

  • Start with known I/O comparison before disassembly and obtain explicit human approval for any execution or emulation.
  • Use the Stage 1 analysis level (aa, aac, or aaa) appropriate to the binary size to avoid excessive analysis time or missed call targets.
  • Set safe radare2 settings (anal.timeout, anal.maxsize) to prevent runaway analysis.
  • Verify r2ghidra availability; if missing, rely on pdfj and axf/axt patterns or use Ghidra headless for tough cases.
  • Record findings as structured facts (functions, calls, strings, hypotheses) to drive dynamic verification and knowledge journaling.

Example use cases

  • Find which functions call network APIs and map the caller chain to identify telemetry behavior.
  • Decompile a cryptographic routine to inspect key handling and locate hardcoded strings or constants.
  • Generate a control flow graph for a large function to understand branching and find likely input-processing paths.
  • Map configuration file access by tracing file-related imports and strings to locate parse routines.
  • Produce a JSON report of analyzed functions and a call graph dot file for reporting or handoff.
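The two use cases above that the skill's JSON outputs feed directly (mapping the caller chain to network APIs, and emitting a JSON report plus a call-graph dot file) can be shown end to end on aflj output. The following is an added example, not code bundled with the skill: it consumes a constructed sample in the shape of radare2's aflj output (the field names name, offset, size and callrefs with addr/type are an assumption about that format; a real run would replace the sample with the output of r2 -qc 'aaa;aflj' target), builds the call graph, finds every function that transitively reaches a network import, and renders structured facts and a DOT graph.

```python
import json
from collections import defaultdict, deque

# Constructed sample in the shape of radare2's `aflj` output (assumed field
# names: name, offset, size, callrefs[{addr, type}]). Addresses are made up.
SAMPLE_AFLJ = json.dumps([
    {"name": "main", "offset": 0x1000, "size": 120,
     "callrefs": [{"addr": 0x1200, "type": "CALL"}, {"addr": 0x1300, "type": "CALL"}]},
    {"name": "fcn.send_report", "offset": 0x1200, "size": 80,
     "callrefs": [{"addr": 0x1400, "type": "CALL"}, {"addr": 0x2000, "type": "CALL"}]},
    {"name": "fcn.parse_config", "offset": 0x1300, "size": 200,
     "callrefs": [{"addr": 0x2010, "type": "CALL"}, {"addr": 0x1310, "type": "CODE"}]},
    {"name": "fcn.build_packet", "offset": 0x1400, "size": 60,
     "callrefs": [{"addr": 0x2020, "type": "CALL"}]},
    {"name": "sym.imp.connect", "offset": 0x2000, "size": 6, "callrefs": []},
    {"name": "sym.imp.fopen", "offset": 0x2010, "size": 6, "callrefs": []},
    {"name": "sym.imp.send", "offset": 0x2020, "size": 6, "callrefs": []},
])

# Import names radare2 assigns to PLT stubs (sym.imp.*); extend as needed.
NETWORK_IMPORTS = {"sym.imp.socket", "sym.imp.connect", "sym.imp.send",
                   "sym.imp.recv", "sym.imp.getaddrinfo"}


def build_call_graph(aflj_text):
    """Map function name -> list of callee names, using only CALL-type refs."""
    funcs = json.loads(aflj_text)
    by_addr = {f["offset"]: f["name"] for f in funcs}
    graph = {f["name"]: [] for f in funcs}
    for f in funcs:
        for ref in f.get("callrefs", []):
            if ref.get("type") != "CALL":
                continue  # jumps and data refs are not call edges
            callee = by_addr.get(ref["addr"])
            # Targets outside the analysed function set (e.g. mid-function
            # addresses) are dropped rather than guessed.
            if callee and callee not in graph[f["name"]]:
                graph[f["name"]].append(callee)
    return graph


def callers_of(graph, targets):
    """Return every function that transitively calls any of `targets`."""
    reverse = defaultdict(set)
    for caller, callees in graph.items():
        for callee in callees:
            reverse[callee].add(caller)
    seen = set()
    queue = deque(t for t in targets if t in reverse)
    while queue:  # BFS over reversed edges from the imports upward
        node = queue.popleft()
        for caller in reverse[node]:
            if caller not in seen:
                seen.add(caller)
                queue.append(caller)
    return seen


def to_dot(graph, highlight=()):
    """Render the call graph as Graphviz DOT, shading highlighted nodes."""
    lines = ["digraph calls {"]
    for fn in graph:
        if fn in highlight:
            lines.append(f'  "{fn}" [style=filled, fillcolor=lightyellow];')
    for caller, callees in graph.items():
        for callee in callees:
            lines.append(f'  "{caller}" -> "{callee}";')
    lines.append("}")
    return "\n".join(lines)


def report(aflj_text):
    """Structured facts and hypotheses in the JSON-friendly shape the skill records."""
    graph = build_call_graph(aflj_text)
    net_callers = callers_of(graph, NETWORK_IMPORTS)
    return {
        "function_count": len(graph),
        "edge_count": sum(len(v) for v in graph.values()),
        "network_callers": sorted(net_callers),
        "hypotheses": [f"{fn} participates in network I/O (reaches a network import)"
                       for fn in sorted(net_callers)],
    }


if __name__ == "__main__":
    facts = report(SAMPLE_AFLJ)
    print(json.dumps(facts, indent=2))
    print(to_dot(build_call_graph(SAMPLE_AFLJ), highlight=facts["network_callers"]))
```

On the sample, fcn.parse_config is correctly left out of network_callers because its only import is fopen; the DOT output can be piped to dot -Tsvg for the handoff graph, and the report dictionary is the kind of fact record the skill journals before any dynamic verification is approved.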

FAQ

Use radare2 disassembly (pdfj) and cross-reference commands (axtj/axfj); consider running Ghidra headless for targeted functions.

How do I avoid long analysis times on big binaries?

Use lighter analysis commands (aa; aac) and apply af @addr to target specific functions rather than running aaa on very large binaries.

Built by
VeilStrat