yara-skill

LLM Agent Skill for YARA rule authoring and review

Installation
CLI
npx skills add https://github.com/yarahq/yara-rule-skill --skill yara-skill

Install this skill with the CLI and start using the SKILL.md workflow in your workspace.

Last updated 4/29/2026

YARA Rule Skill (Community Edition)

An LLM Agent Skill for expert YARA rule authoring, review, and optimization. Embeds industry best practices from the creator of YARA-Forge and yaraQA into your AI assistant's context.

🎯 What This Skill Does

The yara-rule-skill transforms your LLM agent into a YARA rule expert, capable of:

  • Writing high-quality, performant YARA rules from scratch
  • Reviewing existing rules for quality issues and performance problems
  • Optimizing slow rules by identifying performance bottlenecks
  • Validating rules against 20+ automated quality checks from yaraQA

All through natural language conversation: just paste a rule and ask.

📦 Installation

# Clone the repository
git clone https://github.com/YARAHQ/yara-rule-skill.git

# Copy to your agent's skills folder
cp -r yara-rule-skill ~/.openclaw/skills/

Option 2: Package as .skill File

# Clone the repository
git clone https://github.com/YARAHQ/yara-rule-skill.git
cd yara-rule-skill

# Package the skill
python3 scripts/package_skill.py .

# Install the packaged skill
cp yara-rule-skill.skill ~/.openclaw/skills/

Supported Platforms

This skill works with any LLM agent that supports skill files:

  • OpenClaw: ~/.openclaw/skills/
  • Claude Desktop: (skills folder location varies)
  • Other MCP-based agents: Check your platform's documentation

🚀 Usage

Once installed, the skill activates automatically when you discuss YARA rules. Just ask:

Use Case 1: Review My Rule

"Review this YARA rule and suggest improvements"

The skill analyzes:

  • Naming conventions (MAL_, HKTL_, SUSP_, etc.)
  • String selection (atom quality, modifiers)
  • Condition logic (short-circuit evaluation)
  • Metadata completeness

Use Case 2: Assess Public Rules

"Assess the quality of this rule I found online"

The skill checks against 20+ automated quality checks:

  • Logic errors (conditions that never match)
  • Performance issues (short atoms, unanchored regex)
  • Style violations (naming, formatting)
  • Resource problems (too many strings/regex)

Use Case 3: Performance Diagnosis

"This rule causes performance issues, why?"

The skill identifies:

  • Missing regex anchors (.*, .+)
  • Short atoms (< 4 bytes)
  • Expensive calculations before cheap checks
  • Module usage that could be replaced

📚 What's Included

Core Knowledge

The skill combines three authoritative sources into your agent's context:

  1. YARA Performance Guidelines: Optimization techniques, atom selection, condition ordering
  2. YARA Style Guide: Naming conventions, rule structure, metadata standards
  3. yaraQA: 20+ automated quality checks

String Categories

The skill teaches the $x*, $s*, $a*, $fp* naming convention:

| Prefix | Purpose | Example Usage |
|--------|---------|---------------|
| $x* | Highly specific (unique) | 1 of ($x*): triggers on signature |
| $s* | Grouped strings | all of ($s*): need multiple matches |
| $a* | Pre-selection (file type) | $a1: narrows to PE files first |
| $fp* | False positive filters | not 1 of ($fp*): exclude benign |
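
The four prefixes combined in one rule, as an added example that is not taken from the skill or from the guides it embeds. The rule name, metadata values and every string value are constructed for illustration; the condition places the cheap header and size checks ahead of the string logic.

```yara
rule SUSP_Example_PE_Loader_Apr26 {
    meta:
        description = "Constructed example of the $x/$s/$a/$fp string convention"
        author = "added example"
        date = "2026-04-01"
    strings:
        // $a*: pre-selection, narrows the candidate set to PE files
        $a1 = "This program cannot be run in DOS mode" ascii

        // $x*: highly specific, a single hit is enough (constructed values)
        $x1 = "ExampleLoader-mutex-7f3a91c2" ascii wide
        $x2 = "C:\\build\\exampleloader\\release\\stage2.pdb" ascii

        // $s*: individually weak, only meaningful as a group
        $s1 = "VirtualAllocEx" ascii
        $s2 = "WriteProcessMemory" ascii
        $s3 = "CreateRemoteThread" ascii

        // $fp*: markers of benign software that would otherwise match
        $fp1 = "Example Security Vendor Inc." ascii wide
        $fp2 = "ExampleDebuggerToolkit" ascii

    condition:
        // Cheapest checks first so the condition short-circuits early
        uint16(0) == 0x5A4D
        and filesize < 2MB
        and $a1
        and ( 1 of ($x*) or all of ($s*) )
        and not 1 of ($fp*)
}
```

Every string here is longer than 4 bytes, so none of them falls into the short-atom category listed under Performance Diagnosis.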

Rule Naming Convention

rule MAL_APT_CozyBear_ELF_Loader_Apr18 {
    // MAL      = Malware
    // APT      = Nation state actor
    // CozyBear = Threat actor name
    // ELF      = Linux platform
    // Loader   = Malware type
    // Apr18    = Date (April 2018)
}

Quality Checks

The skill covers all 20 yaraQA issue IDs:

Logic Errors: CE1, SM1-6, DS1, CS1, DU1
Performance: PA1-2, RE1, CF1-2, PI1, NC1, NO1, MO1
Style: SV1-2
Resources: HS1-4

🧪 Example Assessment

See TEST_ASSESSMENT.md for real-world rule reviews from public repositories.

๐Ÿ—๏ธ Repository Structure

yara-rule-skill/
โ”œโ”€โ”€ SKILL.md                      # Main skill file
โ”œโ”€โ”€ references/
โ”‚   โ”œโ”€โ”€ performance.md            # Performance optimization guide
โ”‚   โ”œโ”€โ”€ style.md                  # Style and naming conventions
โ”‚   โ””โ”€โ”€ yaraqa-checks.md          # Complete yaraQA check reference
โ”œโ”€โ”€ scripts/
โ”‚   โ””โ”€โ”€ package_skill.py          # Packaging script
โ””โ”€โ”€ README.md                     # This file

๐ŸŒ Website

Visit https://YARAHQ.github.io/yara-rule-skill-site/ for:

  • Overview of the skill
  • Use case examples
  • Installation instructions

๐Ÿค Contributing

Contributions welcome! Areas to help:

  • Additional rule examples
  • New quality checks
  • Performance benchmarks
  • Documentation improvements

📄 License

This skill is derived from Florian Roth's YARA guides and yaraQA tool. See individual source repositories for licensing details.

๐Ÿ™ Acknowledgments

  • Florian Roth (@cyb3rops) โ€” Creator of the original guides and yaraQA
  • YARA HQ โ€” Community organization for YARA excellence
  • Victor M. Alvarez โ€” Creator of YARA