deobfuscating-javascript-malware

by mukul975

deobfuscating-javascript-malware helps analysts turn heavily obfuscated malicious JavaScript into readable code for malware analysis, phishing pages, web skimmers, droppers, and browser-delivered payloads. Use this deobfuscating-javascript-malware skill for structured deobfuscation, decode tracing, and controlled review when simple minification is not the issue.

Stars0

Favorites0

Comments0

AddedMay 9, 2026

CategoryMalware Analysis

Install Command

npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill deobfuscating-javascript-malware

Curation Score

This skill scores 84/100, which means it is a solid directory listing for users who need help deobfuscating malicious JavaScript. The repository provides enough workflow detail, scripts, and decoding references that an agent can trigger and use it with less guesswork than a generic prompt, though users should still expect some manual handling for harder malware samples.

84/100

Strengths

Strong use-case targeting: it explicitly activates for phishing pages, web skimmers, dropper scripts, and other JavaScript malware analysis scenarios.
Practical workflow support: the repo includes a real script (`scripts/agent.py`) plus reference examples for jsbeautifier, decoding patterns, and a VM sandbox.
Good operational clarity: the skill body is substantial, has multiple workflow sections, and includes a clear warning not to use it for ordinary minified production code.

Cautions

No install command is provided in `SKILL.md`, so users may need to wire the skill into their environment manually.
The visible workflow is helpful but still partly reference-driven, so more complex obfuscation chains may require agent judgment beyond the documented steps.

JavaScript Malware Deobfuscation Script Analysis Web Malware Node.js Python Browser Automation

Overview

Overview of deobfuscating-javascript-malware skill

What this skill does

The deobfuscating-javascript-malware skill helps you turn heavily obfuscated malicious JavaScript into readable, reviewable code. It is built for malware analysis work such as phishing pages, web skimmers, droppers, and browser-delivered payloads where the real goal is to expose the decoded logic, not just prettify the script.

Who should use it

Use the deobfuscating-javascript-malware skill if you need faster triage on suspicious JavaScript and want a structured path from “this looks hidden” to “here is what it actually does.” It is a good fit for analysts who already have a sample and need practical deobfuscation steps, not a generic explanation of JavaScript syntax.

What matters most

The main value is workflow guidance: beautify first, then unwrap common encodings, then inspect eval chains, string construction, and control-flow tricks in a controlled environment. The skill is most useful when the sample uses layered obfuscation rather than simple minification. If the script is only compressed for size, this is probably the wrong tool.

How to Use deobfuscating-javascript-malware skill

Install and find the right files

For deobfuscating-javascript-malware install, add the skill with:
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill deobfuscating-javascript-malware

Start with SKILL.md, then read references/api-reference.md for decoding patterns and scripts/agent.py for the logic the skill expects you to follow. Those two files are the fastest way to understand what inputs the skill handles well and where it may need help.

Give the skill a complete malware-analysis prompt

The deobfuscating-javascript-malware usage works best when you include the sample type, delivery context, and the suspected technique. Good inputs look like this:

“Deobfuscate a phishing-page script that uses eval(atob(...)) and redirects to a credential page.”
“Analyze this e-commerce skimmer with nested String.fromCharCode() and unescape() calls.”
“Rewrite this dropper logic after decoding hex escapes and inline function wrappers.”

Weak inputs like “clean this JS” usually produce shallow output because the skill needs threat context to decide what to preserve and what to reveal.

Suggested workflow for first-pass analysis

Use the skill in this order: beautify the sample, decode obvious string encodings, trace dynamic execution points, then inspect the recovered payload for network calls, redirects, DOM writes, and secondary-stage loading. If the sample depends on browser APIs, run it only in an isolated sandbox or VM. The skill is strongest when you paste the obfuscated code plus a short note about what you already observed, such as suspicious domains, file names, or execution triggers.

deobfuscating-javascript-malware skill FAQ

Is this only for malware analysts?

The deobfuscating-javascript-malware skill is for malware analysis first. It can help with suspicious scripts in phishing investigations, incident response, and web compromise cases. It is not meant for ordinary production JavaScript refactoring.

How is it different from a normal prompt?

A normal prompt may beautify code or explain one obvious obfuscation layer. This skill is better when the sample has multiple layers, such as base64 plus eval plus DOM-based unpacking. The deobfuscating-javascript-malware guide gives you a repeatable path instead of a one-off answer.

Can beginners use it?

Yes, if you can supply the script and a little context. You do not need to know every obfuscation trick beforehand, but you do need to be precise about the sample source and the question you want answered. Beginners get better results when they ask for “decode and explain the execution path” rather than “analyze everything.”

When should I not use it?

Do not use it for simple minified code, benign site bundles, or cases where you only need formatting. If the main problem is syntax noise, a beautifier is enough. If the sample is actively hostile or unknown, keep execution isolated and prefer static review first.

How to Improve deobfuscating-javascript-malware skill

Feed it the right evidence

Better results come from giving the skill the exact obfuscation clues you already know: eval, atob, unescape, fromCharCode, hex escapes, or DOM writes. If you have the original file, a truncated snippet, and any observed network indicators, include them together. That helps the skill focus on the real decode path instead of guessing.

Ask for the output you need

The deobfuscating-javascript-malware skill works better when you specify the end state. Ask for a cleaned script, a step-by-step decode trace, a plain-English behavior summary, or indicators of compromise. For example: “Decode this sample and list the URLs, payload stages, and persistence or redirect behavior.”

Watch for common failure modes

The most common misses are over-trusting eval, stopping after beautification, and losing meaning when variables are renamed too aggressively. If the first pass is incomplete, ask for a second pass focused on the remaining encoded blocks, nested functions, or runtime-generated strings. For deobfuscating-javascript-malware for Malware Analysis, iteration is normal: each pass should reduce uncertainty, not just produce prettier code.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

conducting-malware-incident-response

by mukul975

conducting-malware-incident-response helps IR teams triage suspected malware, confirm infections, scope spread, contain endpoints, and support eradication and recovery. It is designed for conducting-malware-incident-response for Incident Response workflows with evidence-backed steps, telemetry-driven decisions, and practical containment guidance.

Incident Response

Favorites 0GitHub 0

analyzing-bootkit-and-rootkit-samples

by mukul975

analyzing-bootkit-and-rootkit-samples is a malware analysis skill for MBR, VBR, UEFI, and rootkit investigations. Use it to inspect boot sectors, firmware modules, and anti-rootkit indicators when compromise persists below the OS layer. It is suited for analysts who need a practical guide, clear workflow, and evidence-based triage for Malware Analysis.

Malware Analysis

Favorites 0GitHub 6.2k

detecting-ransomware-encryption-behavior

by mukul975

detecting-ransomware-encryption-behavior helps defenders spot ransomware-style encryption using entropy analysis, file I/O monitoring, and behavioral heuristics. It is suited for incident response, SOC tuning, and red-team validation when you need to detect mass file changes, rename bursts, and suspicious process activity quickly.

Incident Response

Favorites 0GitHub 0

analyzing-powershell-empire-artifacts

by mukul975

analyzing-powershell-empire-artifacts skill helps Security Audit teams detect PowerShell Empire artifacts in Windows logs using Script Block Logging, Base64 launcher patterns, stager IOCs, module signatures, and detection references for triage and rule writing.

Security Audit

Favorites 0GitHub 0

detecting-process-injection-techniques

by mukul975

detecting-process-injection-techniques helps analyze suspicious in-memory activity, validate EDR alerts, and identify process hollowing, APC injection, thread hijacking, reflective loading, and classic DLL injection for Security Audit and malware triage.

Security Audit

Favorites 0GitHub 0

analyzing-macro-malware-in-office-documents

by mukul975

analyzing-macro-malware-in-office-documents helps malware analysts inspect malicious VBA in Word, Excel, and PowerPoint files, decode obfuscation, and extract IOCs, execution paths, and payload staging logic for phishing triage, incident response, and document malware analysis.

Malware Analysis

Favorites 0GitHub 0

analyzing-golang-malware-with-ghidra

by mukul975

analyzing-golang-malware-with-ghidra helps analysts reverse engineer Go-compiled malware in Ghidra with workflows for function recovery, string extraction, build metadata, and dependency mapping. The analyzing-golang-malware-with-ghidra skill is useful for malware triage, incident response, and Security Audit tasks that need practical, Go-specific analysis steps.

Security Audit

Favorites 0GitHub 0

analyzing-supply-chain-malware-artifacts

by mukul975

analyzing-supply-chain-malware-artifacts is a malware-analysis skill for tracing trojanized updates, poisoned dependencies, and build-pipeline tampering. Use it to compare trusted and untrusted artifacts, extract indicators, assess compromise scope, and report findings with less guesswork.

Malware Analysis

Favorites 0GitHub 6.1k

analyzing-linux-kernel-rootkits

by mukul975

analyzing-linux-kernel-rootkits helps DFIR and threat-hunting workflows detect Linux kernel rootkits with Volatility3 cross-view checks, rkhunter scans, and /proc vs /sys analysis for hidden modules, hooked syscalls, and tampered kernel structures. It is a practical analyzing-linux-kernel-rootkits guide for forensic triage.

Digital Forensics

Favorites 0GitHub 0

detecting-mimikatz-execution-patterns

by mukul975

detecting-mimikatz-execution-patterns helps analysts detect Mimikatz execution using command-line patterns, LSASS access signals, binary indicators, and memory artifacts. Use this detecting-mimikatz-execution-patterns skill install for Security Audit, hunting, and incident response with templates, references, and workflow guidance.

Security Audit

Favorites 0GitHub 0

detecting-rootkit-activity

by mukul975

detecting-rootkit-activity is a Malware Analysis skill for finding rootkit indicators such as hidden processes, hooked system calls, altered kernel structures, hidden modules, and covert network artifacts. It uses cross-view comparison and integrity checks to help validate suspicious hosts when standard tools disagree.

Malware Analysis

Favorites 0GitHub 6.2k

detecting-mobile-malware-behavior

by mukul975

The detecting-mobile-malware-behavior skill analyzes suspicious Android and iOS apps for permission abuse, runtime activity, network indicators, and malware-like patterns. Use it for triage, incident response, and detecting-mobile-malware-behavior for Security Audit workflows with evidence-backed mobile analysis.

Security Audit

Favorites 0GitHub 6.1k

analyzing-ransomware-payment-wallets

by mukul975

analyzing-ransomware-payment-wallets is a read-only blockchain-forensics skill for tracing ransomware payment wallets, following fund movement, and clustering related addresses for Security Audit and incident response. Use it when you have a BTC address, tx hash, or suspected wallet and need evidence-backed attribution support.

Security Audit

Favorites 0GitHub 6.1k

analyzing-ransomware-encryption-mechanisms

by mukul975

analyzing-ransomware-encryption-mechanisms skill for malware analysis, focused on identifying ransomware encryption, key handling, and decryption feasibility. Use it to inspect AES, RSA, ChaCha20, hybrid schemes, and implementation flaws that may support recovery.

Malware Analysis

Favorites 0GitHub 6.1k

extracting-iocs-from-malware-samples

by mukul975

extracting-iocs-from-malware-samples skill guide for malware analysis: extract hashes, IPs, domains, URLs, host artifacts, and validation cues from samples for threat intel and detection.

Malware Analysis

Favorites 0GitHub 0

extracting-config-from-agent-tesla-rat

by mukul975

extracting-config-from-agent-tesla-rat skill for Malware Analysis: extract Agent Tesla .NET config, SMTP/FTP/Telegram credentials, keylogger settings, and C2 endpoints with repeatable workflow guidance.

Malware Analysis

Favorites 0GitHub 0