Static Analysis

analyzing-android-malware-with-apktool is a static analysis skill for Android APK malware. It uses apktool, jadx, and androguard to unpack apps, inspect manifests and permissions, recover source-like code, and extract suspicious APIs and IOCs for Malware Analysis.

coverage-analysis helps you measure code exercised during fuzzing, spot blockers like magic value checks, and compare harness changes. Use this coverage-analysis skill for Security Audit workflows when you need clear coverage-analysis usage, install guidance, and repeatable coverage-analysis guide decisions.

Semgrep skill for static analysis on codebases with automatic language detection, parallel workers, merged SARIF output, and plan-first approval. Built for semgrep for Security Audit workflows, it supports run all and important only modes, uses --metrics=off, and can leverage Semgrep Pro when available.

The codeql skill helps you run CodeQL with fewer blind spots during a security audit. It focuses on database quality, suite selection, data extensions, and SARIF review so you can use codeql usage more reliably across supported languages. Use it for repeatable codeql guide steps when analyzing real repositories.

wp-phpstan helps configure, run, and fix PHPStan in WordPress plugins, themes, and sites. Use it for phpstan.neon setup, baseline workflow, WordPress-aware typing, and handling optional plugin classes with fewer false positives.

analyzing-packed-malware-with-upx-unpacker is a malware-analysis skill for identifying UPX-packed samples, handling modified UPX headers, and recovering the original executable for static review in Ghidra or IDA. Use it when `upx -d` fails or when you need a faster UPX packer check and unpacking workflow.

analyzing-malicious-pdf-with-peepdf is a static malware analysis skill for suspicious PDFs. Use peepdf, pdfid, and pdf-parser to triage phishing attachments, inspect objects, extract embedded JavaScript or shellcode, and review suspicious streams safely without execution.

analyzing-pdf-malware-with-pdfid is a PDF malware triage skill for detecting embedded JavaScript, exploit markers, object streams, attachments, and suspicious actions before opening a file. It supports static analysis for malicious PDF investigation, incident response, and analyzing-pdf-malware-with-pdfid for Security Audit workflows.

Use the finding-duplicate-functions skill to identify semantic duplicates: functions that do the same job with different names or implementations. It is built for LLM-generated and fast-growing JavaScript or TypeScript codebases, and it supports finding-duplicate-functions for Code Review, consolidation planning, and cleanup before refactors.

variant-analysis helps you find similar vulnerabilities and bugs across a codebase after one issue is confirmed. Use it to build CodeQL or Semgrep queries, follow a root-cause-first workflow, and run a focused variant-analysis guide for Security Audit work. It is best for post-discovery searches, not broad initial review.