binary-re-triage
Use when first encountering an unknown binary, ELF file, executable, or firmware blob. Fast fingerprinting via rabin2 - architecture detection (ARM, x86, MIPS), ABI identification, dependency mapping, string extraction. Keywords - "what is this binary", "identify architecture", "check file type", "rabin2", "file analysis", "quick scan"
Best use case
binary-re-triage is best used when you need a repeatable AI agent workflow instead of a one-off prompt. It is especially useful for teams working in multi. Use when first encountering an unknown binary, ELF file, executable, or firmware blob. Fast fingerprinting via rabin2 - architecture detection (ARM, x86, MIPS), ABI identification, dependency mapping, string extraction. Keywords - "what is this binary", "identify architecture", "check file type", "rabin2", "file analysis", "quick scan"
Use when first encountering an unknown binary, ELF file, executable, or firmware blob. Fast fingerprinting via rabin2 - architecture detection (ARM, x86, MIPS), ABI identification, dependency mapping, string extraction. Keywords - "what is this binary", "identify architecture", "check file type", "rabin2", "file analysis", "quick scan"
Users should expect a more consistent workflow output, faster repeated execution, and less time spent rewriting prompts from scratch.
Practical example
Example input
Use the "binary-re-triage" skill to help with this workflow task. Context: Use when first encountering an unknown binary, ELF file, executable, or firmware blob. Fast fingerprinting via rabin2 - architecture detection (ARM, x86, MIPS), ABI identification, dependency mapping, string extraction. Keywords - "what is this binary", "identify architecture", "check file type", "rabin2", "file analysis", "quick scan"
Example output
A structured workflow result with clearer steps, more consistent formatting, and an output that is easier to reuse in the next run.
When to use this skill
- Use this skill when you want a reusable workflow rather than writing the same prompt again and again.
When not to use this skill
- Do not use this when you only need a one-off answer and do not need a reusable workflow.
- Do not use it if you cannot install or maintain the related files, repository context, or supporting tools.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/triage/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How binary-re-triage Compares
| Feature / Agent | binary-re-triage | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when first encountering an unknown binary, ELF file, executable, or firmware blob. Fast fingerprinting via rabin2 - architecture detection (ARM, x86, MIPS), ABI identification, dependency mapping, string extraction. Keywords - "what is this binary", "identify architecture", "check file type", "rabin2", "file analysis", "quick scan"
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Binary Triage (Phase 1)
## Purpose
Quick fingerprinting to establish baseline facts before deeper analysis. Runs in seconds, not minutes.
## When to Use
- First contact with an unknown binary
- Need architecture/ABI info for tool selection
- Quick capability assessment
- Before committing to expensive analysis
## Key Principle
**Gather facts fast, defer analysis.**
This phase identifies WHAT the binary is, not HOW it works.
## Triage Sequence
### Step 1: File Identification
```bash
# Basic identification
file binary
# Expected output patterns:
# ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3
# ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1
```
**Extract:**
- Architecture (ARM, ARM64, x86_64, MIPS)
- Bit width (32/64)
- Endianness (LSB/MSB)
- Link type (static/dynamic)
- Interpreter path (libc indicator)
### Step 2: Structured Metadata (rabin2)
```bash
# All metadata as JSON
rabin2 -q -j -I binary | jq .
# Key fields:
# .arch - "arm", "x86", "mips"
# .bits - 32 or 64
# .endian - "little" or "big"
# .os - "linux", "none"
# .machine - "ARM", "AARCH64"
# .stripped - true/false
# .static - true/false
```
### Step 3: ABI Detection
```bash
# Interpreter detection
readelf -p .interp binary 2>/dev/null
# Or via rabin2
rabin2 -I binary | grep interp
# ARM-specific: float ABI
readelf -A binary | grep "Tag_ABI_VFP_args"
# hard-float: "VFP registers"
# soft-float: missing or "compatible"
```
**Interpreter → Libc mapping:**
| Interpreter | Libc | Notes |
|-------------|------|-------|
| `/lib/ld-linux-armhf.so.3` | glibc | ARM hard-float |
| `/lib/ld-linux.so.3` | glibc | ARM soft-float |
| `/lib/ld-musl-arm.so.1` | musl | ARM 32-bit |
| `/lib/ld-musl-aarch64.so.1` | musl | ARM 64-bit |
| `/lib/ld-uClibc.so.0` | uClibc | Embedded |
| `/lib64/ld-linux-x86-64.so.2` | glibc | x86_64 |
### Step 4: Dependencies
```bash
# Library dependencies
rabin2 -q -j -l binary | jq '.libs[]'
# Common patterns:
# libcurl.so.* → HTTP client
# libssl.so.* → TLS/crypto
# libpthread.so.* → Threading
# libz.so.* → Compression
# libsqlite3.so.* → Local database
```
### Step 5: Entry Points & Exports
```bash
# Entry points
rabin2 -q -j -e binary | jq .
# Exports (for shared libraries)
rabin2 -q -j -E binary | jq '.exports[] | {name, vaddr}'
```
### Step 6: Quick String Scan
```bash
# All strings with metadata
rabin2 -q -j -zz binary | jq '.strings | length' # Count first
# Filter interesting strings (URLs, paths, errors)
rabin2 -q -j -zz binary | jq '
.strings[] |
select(.length > 8) |
select(.string | test("http|ftp|/etc|/var|error|fail|pass|key|token"; "i"))
'
```
### Step 7: Import Analysis
```bash
# All imports
rabin2 -q -j -i binary | jq '.imports[] | {name, lib}'
# Group by capability
rabin2 -q -j -i binary | jq '
.imports | group_by(.lib) |
map({lib: .[0].lib, functions: [.[].name]})
'
```
## Capability Mapping
| Import Pattern | Capability |
|----------------|------------|
| `socket`, `connect`, `send` | Network client |
| `bind`, `listen`, `accept` | Network server |
| `open`, `read`, `write` | File I/O |
| `fork`, `exec*`, `system` | Process spawning |
| `pthread_*` | Multi-threading |
| `SSL_*`, `EVP_*` | Cryptography |
| `dlopen`, `dlsym` | Dynamic loading |
| `mmap`, `mprotect` | Memory manipulation |
## Output Format
After triage, record structured facts:
```json
{
"artifact": {
"path": "/path/to/binary",
"sha256": "abc123...",
"size_bytes": 245760
},
"identification": {
"arch": "arm",
"bits": 32,
"endian": "little",
"os": "linux",
"stripped": true,
"static": false
},
"abi": {
"interpreter": "/lib/ld-musl-arm.so.1",
"libc": "musl",
"float_abi": "hard"
},
"dependencies": [
"libcurl.so.4",
"libssl.so.1.1",
"libz.so.1"
],
"capabilities_inferred": [
"network_client",
"tls_encryption",
"compression"
],
"strings_of_interest": [
{"value": "https://api.vendor.com/telemetry", "type": "url"},
{"value": "/etc/config.json", "type": "path"}
],
"complexity_estimate": {
"functions": "unknown (stripped)",
"strings": 847,
"imports": 156
}
}
```
## Knowledge Journaling
After triage completes, record findings for episodic memory:
```
[BINARY-RE:triage] {filename} (sha256: {hash})
Identification:
Architecture: {arch} {bits}-bit {endian}
Libc: {glibc|musl|uclibc} ({interpreter_path})
Stripped: {yes|no}
Size: {bytes}
FACT: Links against {library} (source: rabin2 -l)
FACT: Contains {N} strings of interest (source: rabin2 -zz)
FACT: Imports {function} from {library} (source: rabin2 -i)
Capabilities inferred:
- {capability_1} (evidence: {import/string})
- {capability_2} (evidence: {import/string})
HYPOTHESIS: {what binary likely does} (confidence: {0.0-1.0})
QUESTION: {open unknown that needs investigation}
Next phase: {static-analysis|dynamic-analysis}
Sysroot needed: {path or "extract from device"}
```
### Example Journal Entry
```
[BINARY-RE:triage] thermostat_daemon (sha256: a1b2c3d4...)
Identification:
Architecture: ARM 32-bit LE
Libc: musl (/lib/ld-musl-arm.so.1)
Stripped: yes
Size: 153,600 bytes
FACT: Links against libcurl.so.4 (source: rabin2 -l)
FACT: Links against libssl.so.1.1 (source: rabin2 -l)
FACT: Contains string "api.thermco.com" (source: rabin2 -zz)
FACT: Imports curl_easy_perform (source: rabin2 -i)
Capabilities inferred:
- HTTP client (evidence: libcurl import)
- TLS encryption (evidence: libssl import)
- Network communication (evidence: URL string)
HYPOTHESIS: Telemetry client that reports to api.thermco.com (confidence: 0.6)
QUESTION: What data does it collect and transmit?
Next phase: static-analysis
Sysroot needed: musl ARM (extract from device or Alpine)
```
## Decision Points
After triage, determine:
1. **Sysroot selection** - Based on arch + libc
2. **Analysis tool chain** - r2 vs Ghidra vs both
3. **Dynamic analysis feasibility** - QEMU viability based on arch
4. **Initial hypotheses** - What does this binary likely do?
## Next Steps
→ Proceed to `binary-re-static-analysis` for function enumeration
→ Or `binary-re-dynamic-analysis` if behavior observation is priorityRelated Skills
issue-triage
GitHub Issue 处理协作流程。当用户收到 issue 需要分析和回复时使用。通过"诊断 → 定性 → 决策 → 回复"四步法,从一个 issue 产出准确的根因分析和得体的用户回复,避免误判问题类型或回复不专业。
binary-analysis-patterns
Master binary analysis patterns including disassembly, decompilation, control flow analysis, and code pattern recognition. Use when analyzing executables, understanding compiled code, or performing static analysis on binaries.
gws-gmail-triage
Gmail: Show unread inbox summary (sender, subject, date).
binary-analysis
Analyze binary files (exe, dll, sys, bin, ocx, scr, cpl, drv) to assess if they are malicious, perform decompilation, extract strings/imports/exports, detect malware, and provide threat assessment. Use this skill when user asks to analyze, examine, check, or assess any binary file, asks if a file is malicious/suspicious/safe, or provides a file path to a binary. Trigger for phrases like "Is [file] malicious?", "Analyze [file]", "What does [binary] do?", or any request involving binary file analysis.
wp-project-triage
Use when you need a deterministic inspection of a WordPress repository (plugin/theme/block theme/WP core/Gutenberg/full site) including tooling/tests/version hints, and a structured JSON report to guide workflows and guardrails.
fiftyone-pr-triage
Triage FiftyOne GitHub issues by validating status, categorizing resolution, and generating standardized responses. Use when reviewing issues to determine if fixed, won't fix, not reproducible, no longer relevant, or still valid.
binary-re-tool-setup
Use when reverse engineering tools are missing, not working, or need configuration. Installation guides for radare2 (r2), Ghidra, GDB, QEMU, Frida, binutils, and cross-compilation toolchains. Keywords - "install radare2", "setup ghidra", "r2 not found", "qemu missing", "tool not installed", "configure gdb", "cross-compiler"
binary-re-synthesis
Use when ready to document findings, generate a report, or summarize binary analysis results. Compiles analysis findings into structured reports - correlates facts from triage/static/dynamic phases, validates hypotheses, generates documentation with evidence chains. Keywords - "summarize findings", "generate report", "document analysis", "what did we find", "write up results", "export findings"
binary-re-static-analysis
Use when analyzing binary structure, disassembling code, or decompiling functions. Deep static analysis via radare2 (r2) and Ghidra headless - function enumeration, cross-references (xrefs), decompilation, control flow graphs. Keywords - "disassemble", "decompile", "what does this function do", "find functions", "analyze code", "r2", "ghidra", "pdg", "afl"
binary-re-dynamic-analysis
Use when you need to run a binary, trace execution, or observe runtime behavior. Runtime analysis via QEMU emulation, GDB debugging, and Frida hooking - syscall tracing (strace), breakpoints, memory inspection, function interception. Keywords - "run binary", "execute", "debug", "trace syscalls", "set breakpoint", "qemu", "gdb", "frida", "strace", "watch memory"
binary-re
This skill should be used when analyzing binaries, executables, or bytecode to understand what they do or how they work. Triggers on "binary", "executable", "ELF", "what does this do", "reverse engineer", "disassemble", "decompile", "pyc file", "python bytecode", "analyze binary", "figure out", "marshal". Routes to sub-skills for triage, static analysis, dynamic analysis, synthesis, or tool setup.
azure-quotas
Check/manage Azure quotas and usage across providers. For deployment planning, capacity validation, region selection. WHEN: "check quotas", "service limits", "current usage", "request quota increase", "quota exceeded", "validate capacity", "regional availability", "provisioning limits", "vCPU limit", "how many vCPUs available in my subscription".