# Analyze Firmware Files with ffind

Firmware reviews often need quick file identification before deeper reverse engineering starts. This skill guides Claude, Codex, or Claude Code through ffind workflows for file type discovery and supported filesystem extraction.

## Install

```bash
npx skillstore add brownfinesecurity/ffind
```

## Metadata

- Slug: brownfinesecurity-ffind
- Version: 1.0.0
- Author: BrownFineSecurity
- GitHub username: BrownFineSecurity
- License: MIT
- Repository: https://github.com/BrownFineSecurity/iothackbot/tree/master/skills/ffind
- Ref: master
- Supported tools: Claude, Codex, Claude Code
- Risk level: high
- Risk factors: external_commands, filesystem
- Quality score: 38
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/brownfinesecurity-ffind
- Manifest: https://skillstore.pages.dev/api/skills/brownfinesecurity-ffind/manifest

## Capabilities

- Guides analysis of one or more files or directories with ffind.
- Identifies file types in firmware and IoT device artifacts.
- Supports artifact-focused output or all detected file types.
- Explains text, JSON, and quiet output modes for ffind.
- Documents extraction of ext2, ext3, ext4, and F2FS filesystems.
- Allows custom extraction directories when using ffind extraction mode.

## Use Cases

- Triage Firmware Images: Identify embedded file types and prioritize artifacts for deeper inspection before reverse engineering.
- Inspect IoT Device Dumps: Locate supported filesystems and extract their contents for configuration, binary, and credential review.
- Prepare Evidence Summaries: Use readable output modes to summarize discovered file types for tickets, reports, or handoff notes.

## Prompt Templates

### Analyze One Firmware File

```
Use ffind to analyze this firmware file for artifact file types: [path]. Summarize the main findings and do not extract filesystems.
```

### Compare Multiple Inputs

```
Run ffind against these paths: [paths]. Show all detected file types and explain which files deserve deeper review.
```

### Plan Safe Extraction

```
Assess whether ffind extraction is needed for [path]. If it is needed, propose a safe output directory and list the sudo command for my approval.
```

### Generate Report Findings

```
Analyze [path] with ffind, include relevant output mode choices, and turn the results into a concise firmware analysis summary.
```

## Limitations

- Requires the ffind command to be installed and available to the agent environment.
- Filesystem extraction requires external tools such as e2fsprogs, f2fs-tools, and util-linux.
- Extraction requires sudo privileges, which raises host safety risk.
- The skill does not provide malware containment, sandbox setup, or firmware provenance checks.

## Best Practices

- Run ffind on copies of firmware files, not original evidence.
- Use an isolated working directory with enough disk space for extraction.
- Require explicit user approval before any sudo-based extraction.

## Anti Patterns

- Do not run sudo extraction on untrusted firmware without isolation.
- Do not extract into shared or sensitive directories.
- Do not assume file type detection proves a file is safe.

## Security Audit

- Safe to publish: false
- Audited at: 2026-06-28T18:01:53.22+00:00
- Summary: The static external command and sudo findings are true positives because the skill instructs agents to run ffind on user-supplied paths and use sudo for extraction. The temp directory findings are also real, while the weak cryptography findings are false positives from filesystem version text, not cryptographic code. No prompt injection or confirmed malicious intent was found, so the skill is not blocked but should not publish without human review and stronger safety guidance.

## Stats

- Views: 269
- Downloads: 9
- Favorites: 0
- Popularity score: 0
