# Triage Unknown Binaries Quickly

Unknown binaries slow reverse engineering because basic facts are missing. This skill guides Claude, Codex, and Claude Code through fast first-pass identification.

## Install

```bash
npx skillstore add 2389-research/binary-re-triage
```

## Metadata

- Status: approved
- Slug: 2389-research-binary-re-triage
- Version: 1.0.0
- Author: 2389-research
- GitHub username: 2389-research
- License: MIT
- Repository: https://github.com/2389-research/claude-plugins/tree/main/binary-re/skills/triage
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: medium
- Risk factors: external_commands, network, filesystem
- Quality score: 73
- Public page: https://skillstore.pages.dev/skills/2389-research-binary-re-triage
- Manifest: https://skillstore.pages.dev/api/skills/2389-research-binary-re-triage/manifest

## Capabilities

- Identifies architecture, bit width, endianness, link type, and the program interpreter (dynamic loader) path.
- Uses rabin2 and readelf examples to collect structured metadata.
- Maps interpreter paths to common libc families such as glibc, musl, and uClibc.
- Reviews imports, exports, dependencies, and strings for capability clues.
- Produces a concise triage record with facts, hypotheses, questions, and next steps.
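The header part of that workflow, as an added example that is not the skill's own code: the script below reads the ELF header and program-header table (the same fields `readelf -h` and `readelf -l` print) without ever executing the sample, maps the PT_INTERP loader path to a libc family with a heuristic table, and returns facts separately from evidence-backed hypotheses. The function names (`triage_elf`, `libc_family`, `hypothesize`, `build_sample`) are illustrative, the libc mapping covers only the loader names listed in the code and reports `unknown` otherwise, and `build_sample` produces constructed test vectors rather than real binaries. Questions and next steps are left to the analyst.

```python
"""Added example (not the skill's own code): first-pass ELF triage without
executing the sample. It reads only what `readelf -h` / `readelf -l` show,
maps the PT_INTERP loader path to a libc family, and keeps facts apart from
hypotheses. build_sample() makes synthetic test vectors, not real binaries."""
import struct

PT_DYNAMIC, PT_INTERP = 2, 3
EM_NAMES = {0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x15: "PowerPC64",
            0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64", 0xF3: "RISC-V"}
ET_NAMES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def libc_family(interp):
    """Heuristic: loader filename -> libc family (None when no PT_INTERP)."""
    if interp is None:
        return None
    name = interp.rsplit("/", 1)[-1]
    if name.startswith("ld-musl"):
        return "musl"
    if name.startswith("ld-uClibc"):
        return "uClibc"
    # ld-linux*.so, and the bare ld.so.1 / ld64.so.* loaders on MIPS/PowerPC, are glibc
    if name.startswith("ld-linux") or name in ("ld.so.1", "ld64.so.1", "ld64.so.2"):
        return "glibc"
    return "unknown"


def hypothesize(facts):
    """(claim, evidence, confidence) triples; kept separate from facts on purpose."""
    hyps = []
    if facts["type"] == "DYN" and facts["interp"] is None:
        hyps.append(("shared library or static-PIE", "ET_DYN without PT_INTERP", "medium"))
    if facts["link"] == "static":
        hyps.append(("libc linked in; identify it from strings", "no PT_INTERP/PT_DYNAMIC", "medium"))
    if facts["libc"] in ("musl", "uClibc"):
        hyps.append(("embedded/firmware build", "loader is " + facts["libc"], "low"))
    return hyps


def triage_elf(data):
    """Return {"facts": ..., "hypotheses": ...} from raw ELF bytes; never executes them."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}[data[4]]            # EI_CLASS
    endian = {1: "little", 2: "big"}[data[5]]  # EI_DATA
    fmt = "<" if endian == "little" else ">"
    e_type, e_machine = struct.unpack_from(fmt + "HH", data, 16)
    if bits == 64:
        (e_phoff,) = struct.unpack_from(fmt + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(fmt + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(fmt + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(fmt + "HH", data, 42)
    # Untrusted samples can carry out-of-range offsets: refuse rather than crash.
    if e_phoff + e_phnum * e_phentsize > len(data):
        raise ValueError("program header table points outside the file")
    interp, has_dynamic = None, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(fmt + "I", data, off)
        if bits == 64:  # ELF64 puts p_flags between p_type and p_offset
            p_offset, _, _, p_filesz = struct.unpack_from(fmt + "QQQQ", data, off + 8)
        else:
            p_offset, _, _, p_filesz = struct.unpack_from(fmt + "IIII", data, off + 4)
        if p_type == PT_INTERP and p_offset + p_filesz <= len(data):
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\x00").decode("ascii", "replace")
        elif p_type == PT_DYNAMIC:
            has_dynamic = True
    facts = {
        "arch": EM_NAMES.get(e_machine, "unknown(0x%x)" % e_machine),
        "bits": bits, "endian": endian, "type": ET_NAMES.get(e_type, "unknown"),
        "link": "dynamic" if (interp or has_dynamic) else "static",
        "interp": interp, "libc": libc_family(interp),
    }
    return {"facts": facts, "hypotheses": hypothesize(facts)}


def build_sample(bits, endian, machine, e_type, interp=None):
    """Constructed test vector: ELF header plus one optional PT_INTERP entry."""
    fmt = "<" if endian == "little" else ">"
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 1 if endian == "little" else 2, 1]) + b"\x00" * 9
    ehsize, phentsize = (64, 56) if bits == 64 else (52, 32)
    phnum = 1 if interp else 0
    body = interp + b"\x00" if interp else b""
    data_off = ehsize + phnum * phentsize
    if bits == 64:
        hdr = struct.pack(fmt + "HHIQQQIHHHHHH", e_type, machine, 1, 0, ehsize, 0, 0,
                          ehsize, phentsize, phnum, 0, 0, 0)
        phdr = struct.pack(fmt + "IIQQQQQQ", PT_INTERP, 4, data_off, 0, 0, len(body), len(body), 1)
    else:
        hdr = struct.pack(fmt + "HHIIIIIHHHHHH", e_type, machine, 1, 0, ehsize, 0, 0,
                          ehsize, phentsize, phnum, 0, 0, 0)
        phdr = struct.pack(fmt + "IIIIIIII", PT_INTERP, data_off, 0, 0, len(body), len(body), 4, 1)
    return ident + hdr + (phdr if phnum else b"") + body


if __name__ == "__main__":
    import json, sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(64, "little", 0x3E, 2, b"/lib/ld-musl-x86_64.so.1")
    print(json.dumps(triage_elf(raw), indent=2))
```

Run it as `python3 triage.py sample.bin` to print the record for a real file, or with no argument to triage the constructed musl x86-64 header. The bounds checks matter more than they look: a firmware blob or malware sample is untrusted input, and an `e_phoff` or `p_offset` pointing past the end of the file should produce a clear error rather than a parser crash. Note that the record deliberately carries no claim the bytes do not support; a DYN file without PT_INTERP is reported as a hypothesis with its evidence, not as a fact.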

## Use Cases

- Firmware Intake: Identify CPU architecture, libc, dependencies, and likely capabilities before selecting a firmware analysis path.
- Malware Sample Scoping: Collect non-execution facts from an unknown executable before deeper static or dynamic analysis.
- Toolchain Selection: Use ABI, interpreter, and architecture details to choose Ghidra, radare2, QEMU, or a sysroot.

## Prompt Templates

### Identify This Binary

```
Triage this unknown binary. Report architecture, bit width, endianness, link type, interpreter, and immediate next steps.
```

### Summarize ELF Metadata

```
Use the binary triage workflow to summarize ELF metadata, dependencies, imports, exports, and strings of interest.
```

### Infer Capabilities

```
Analyze imports, libraries, and strings from this binary. Infer likely capabilities and state confidence for each hypothesis.
```

### Plan Next Analysis Phase

```
Triage this firmware binary and recommend the next static or dynamic analysis phase. Include sysroot and tooling requirements.
```

## Limitations

- It does not perform deep decompilation or control-flow analysis.
- It does not safely execute unknown binaries or observe runtime behavior.
- It depends on local tools such as rabin2, readelf, jq, grep, and file.
- It can surface sensitive strings that users must redact before sharing.

## Best Practices

- Run triage tools in an isolated workspace when samples are untrusted.
- Record facts separately from hypotheses and include evidence for each claim.
- Redact tokens, keys, credentials, and internal paths before sharing output.

## Anti Patterns

- Do not execute an unknown binary during first-pass triage.
- Do not treat import names alone as proof of behavior.
- Do not publish raw strings that may contain secrets or customer data.

## Security Audit

- Safe to publish: true
- Audited at: 2026-06-27T16:14:09.057+00:00
- Summary: The static command findings are mostly true in form but low-risk in context: the skill documents local file, rabin2, readelf, jq, and grep usage for binary triage. No malicious intent, prompt injection, credential exfiltration, or real network activity was found. Risk remains medium because users may parse untrusted binaries with external tools.

## Stats

- Views: 206
- Downloads: 9
- Favorites: 0
- Popularity score: 0
