From ghidrasql
Analyzes binaries using ghidrasql with safe, high-signal query patterns for function size, hotness, imports, strings, and call graph exploration.
Slash command
/ghidrasql:analysis
This skill is limited to the following tools:
Use this skill when the user asks:
Route to:
- xrefs for deeper caller/callee tracing
- decompiler for concrete function interpretation
- annotations once a function is understood well enough to clean up
- debugger when triage uncovers patches or breakpoints worth inspecting
- re-source for a structured bottom-up campaign over the binary

Get a quick structural snapshot:
SELECT * FROM db_info;

SELECT COUNT(*) AS funcs, SUM(size) AS total_bytes
FROM funcs;
Then use bounded, high-signal summaries:
SELECT name, printf('0x%X', address) AS addr, size
FROM funcs
ORDER BY size DESC
LIMIT 20;

SELECT func_name, printf('0x%X', func_addr) AS addr, hotness_score
FROM function_metrics_scored
ORDER BY hotness_score DESC
LIMIT 20;

-- Or the rank-only projection:
SELECT func_name, printf('0x%X', func_addr) AS addr, rank, score
FROM function_metrics_ranked
ORDER BY rank
LIMIT 20;
Most called functions:
SELECT dst_func_name, printf('0x%X', dst_func_addr) AS addr, COUNT(*) AS caller_count
FROM callgraph_edges
GROUP BY dst_func_addr, dst_func_name
ORDER BY caller_count DESC
LIMIT 20;
String-heavy functions:
SELECT func_name, printf('0x%X', func_addr) AS addr, COUNT(*) AS string_count
FROM string_refs
GROUP BY func_addr, func_name
ORDER BY string_count DESC
LIMIT 20;
Functions calling a suspicious import:
SELECT DISTINCT src_func_name, printf('0x%X', src_func_addr) AS addr
FROM callgraph_edges
WHERE dst_func_name LIKE '%Crypt%'
ORDER BY src_func_name;
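The string-heavy and suspicious-import patterns above can be combined into one bounded triage query. This is an added example, not part of the skill's own text. It assumes ghidrasql accepts SQLite-style CTEs and that string_refs.func_addr and callgraph_edges.src_func_addr identify the same function.

```sql
-- Added example: rank callers of Crypt* imports by how many distinct
-- matching callees they reach and how many strings they reference.
-- Only columns that appear in the queries above are used.

-- Aggregate each side first so the join cannot multiply rows
-- (one call edge times N string references would inflate both counts).
WITH crypt_callers AS (
    SELECT src_func_addr,
           src_func_name,
           COUNT(DISTINCT dst_func_name) AS crypt_callees
    FROM callgraph_edges
    WHERE dst_func_name LIKE '%Crypt%'
    GROUP BY src_func_addr, src_func_name
),
string_counts AS (
    SELECT func_addr,
           COUNT(*) AS string_count
    FROM string_refs
    GROUP BY func_addr
)
SELECT c.src_func_name,
       printf('0x%X', c.src_func_addr) AS addr,
       c.crypt_callees,
       -- LEFT JOIN + COALESCE keeps callers that reference no strings at all.
       COALESCE(s.string_count, 0) AS string_count
FROM crypt_callers AS c
LEFT JOIN string_counts AS s
       ON s.func_addr = c.src_func_addr   -- assumed to be the same address space
ORDER BY c.crypt_callees DESC, string_count DESC
LIMIT 20;
```

Functions near the top of this list are the ones to hand to decompiler first.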
callgraph_edges, callers, callees, and string_refs over rebuilding those joins yourself.
decompiler or annotations.
LIMIT
decompiler

npx claudepluginhub 0xeb/ghidrasql-skills --plugin ghidrasql