malware-analysis


Purpose

This skill enables OpenClaw to perform malware analysis on provided samples, using static techniques (e.g., binary disassembly, signature matching) and dynamic techniques (e.g., sandbox execution, behavior monitoring) to detect threats, extract indicators of compromise (IOCs), and generate reports.

When to Use

Use this skill during incident response for suspicious files, in threat hunting to identify zero-day malware, or in reverse engineering workflows to understand malware behavior. Apply it when you have a file hash, binary sample, or network capture, and need automated analysis without manual tools like IDA Pro or Volatility.

Key Capabilities

  • Static analysis: Parse PE/ELF files, extract strings, and match against YARA rules for signatures.
  • Dynamic analysis: Execute samples in an isolated VM, monitor API calls (e.g., via Windows API hooking), and detect persistence mechanisms.
  • Threat reporting: Output JSON reports with IOCs like IP addresses, domains, or registry keys.
  • Integration with external feeds: Query VirusTotal or similar via API for cross-referencing.
  • Custom rule support: Load user-defined YARA rules from a file for targeted detection.

Usage Patterns

Invoke this skill via OpenClaw's CLI or API. Always provide authentication via the $MALWARE_API_KEY environment variable. For the CLI, use subcommands such as "analyze" with its required flags. In code, import the OpenClaw SDK and call its methods with the appropriate parameters. The typical pattern is: load a file, specify the analysis type, and handle the asynchronous results. If analysis fails because the file type is unsupported, fall back to metadata extraction.
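The static pass and the fallback pattern described above, as an added illustration in plain Python. This is not the OpenClaw SDK and not code from the skill itself: it detects the container format from magic bytes, extracts printable strings, pulls IOCs (IPs, URLs, domains, registry keys) into a JSON-style report, and falls back to metadata only when the format is unknown. The sample binary is a constructed PE-shaped stub with embedded strings, not a real sample.

```python
"""Static triage in the shape the skill describes: format detection,
string extraction, IOC extraction, JSON report, metadata fallback.
Added example (not OpenClaw's code); the sample input is constructed."""
import hashlib
import json
import re
import struct
from urllib.parse import urlparse

# Constructed sample: an MZ header whose e_lfanew points at a "PE\0\0"
# signature, followed by strings a real sample might carry. Not a real binary.
def build_sample_pe() -> bytes:
    hdr = bytearray(b"MZ" + b"\x00" * 58)
    hdr += struct.pack("<I", 64)          # e_lfanew: PE header at offset 64
    hdr += b"PE\x00\x00"
    body = (
        b"\x00" * 8
        + b"http://malicious-example.test/update.bin\x00"
        + b"203.0.113.42\x00"
        + b"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
        + b"\x01\x02\x03"
    )
    return bytes(hdr) + body

def detect_format(data: bytes) -> str:
    """Classify by magic bytes: ELF, PE (MZ + valid e_lfanew), or unknown."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "PE"
    return "unknown"

def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s\"'<>]+")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
REGKEY = re.compile(r"\bHK(?:EY_[A-Z_]+|LM|CU|CR|U)\\[^\s\"']+")

def extract_iocs(strings: list) -> dict:
    """Collect IOC candidates; URLs are removed before the domain scan so a
    path component like update.bin is not reported as a domain."""
    iocs = {"ips": set(), "urls": set(), "domains": set(), "registry_keys": set()}
    for s in strings:
        iocs["ips"].update(IPV4.findall(s))
        iocs["registry_keys"].update(REGKEY.findall(s))
        for url in URL.findall(s):
            iocs["urls"].add(url)
            host = urlparse(url).hostname
            if host and DOMAIN.fullmatch(host):
                iocs["domains"].add(host.lower())
        rest = URL.sub(" ", s)
        iocs["domains"].update(d.lower() for d in DOMAIN.findall(rest))
    return {k: sorted(v) for k, v in iocs.items()}

def analyze(data: bytes) -> dict:
    """Static report; metadata-only fallback when the format is unsupported."""
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "format": detect_format(data),
    }
    if report["format"] == "unknown":
        report["mode"] = "metadata"
        report["magic"] = data[:4].hex()
        return report
    strings = extract_strings(data)
    report["mode"] = "static"
    report["strings_found"] = len(strings)
    report["iocs"] = extract_iocs(strings)
    return report

if __name__ == "__main__":
    print(json.dumps(analyze(build_sample_pe()), indent=2))
    print(json.dumps(analyze(b"not a known container"), indent=2))
```

The format check is deliberately strict: an "MZ" prefix alone is not enough, the e_lfanew offset must actually land on a PE signature, which is what keeps DOS-only or truncated files in the metadata fallback rather than the static path.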

Installs: 26
GitHub Stars: 5
First Seen: Mar 7, 2026