YARA_RULE_SKILL

LLM Agent Skill // v1.0 // Community Edition

SYSTEM_OVERVIEW

An LLM Agent Skill that embeds expert YARA knowledge into your AI assistant.

Get professional rule reviews, performance optimization, and quality checks.

USE_CASES
Review Your Rules

Paste a rule. Get instant feedback on naming, atoms, condition logic, metadata.

"Review this YARA rule and suggest improvements"

Evaluate Public Rules

Before deploying. All 60+ quality checks applied automatically.

"Assess the quality of this rule I found online"

Debug Performance

Slow scans? Identifies unanchored regex, short atoms, expensive calculations.

"This rule causes performance issues, why?"

CAPABILITIES

60+ Quality Checks

Logic errors, performance, style via embedded yaraQA

Performance Guide

Atom selection, regex anchoring, condition ordering

Style Standards

MAL/HKTL/SUSP/EXPL naming conventions

Rule Patterns

$x*, $s*, $a*, $fp* string naming pattern

QUALITY_CHECKS

63 total checks and guidelines from embedded knowledge:

LOGIC_ERRORS (11)

  • CE1 Conditions that never match
  • SM1-6 String modifier issues
  • DS1 Duplicate strings
  • CS1 String is substring
  • DU1 Duplicate rules

PERFORMANCE (16)

  • PA1-2 Short atoms (<4 bytes)
  • RE1 Regex without anchors
  • CF1-2 Expensive calculations
  • PI1 Regex performance impact
  • MO1 Rare module usage
  • RX1-7 Extended performance checks

STYLE & CONVENTION (30)

  • SV1-2 String value issues
  • HS1-4 String/regex count
  • NC1-6 Naming conventions
  • MF1-12 Metadata fields
  • SS1-4 String style
  • TR1-4 Triad patterns

FORMATTING (6)

  • ID1-2 Indentation
  • FM1-3 Condition formatting

EXAMPLE_LOG

User input detected. Analyzing...

// CATASTROPHIC PERFORMANCE
rule Big_Numbers0 {
    strings:
        $c0 = /[0-9a-fA-F]{20}/ fullword
    condition:
        $c0
}

RE1: No fixed anchor. Forces naïve matching at every offset.
Fix: /hash[=:][0-9a-fA-F]{20}/

// LOGIC ERROR
rule HKTL_Mimikatz {
    strings:
        $x1 = "\\LsaDump.pdb" fullword
    condition:
        $x1
}

SM4: fullword + leading \ = never matches paths
Fix: Remove fullword

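A small checker, added here as an illustration and not the skill's or yaraQA's own code, that models simplified forms of four of the checks listed above (DS1, PA1, RE1, SM4) and runs them over the two rules from this log and their fixed forms. The string-line parser, the literal-run estimate and the findings format are assumptions of this example, and it generalises the log's leading-backslash case to any non-alphanumeric edge of a fullword string.

```python
import re

# One line of a YARA "strings:" section: identifier, value (text / regex / hex), modifiers.
STRING_RE = re.compile(r'^\s*(\$\w*)\s*=\s*("(?:[^"\\]|\\.)*"|/(?:[^/\\]|\\.)*/|\{[^}]*\})\s*(.*?)\s*$')
ATOM_MIN = 4  # fixed substrings shorter than this give the scanner a poor atom


def longest_literal_run(regex_body):
    """Rough estimate of the longest plain-literal run a regex offers as an atom.
    Character classes and {n,m} quantifiers are dropped, then the rest is split on
    metacharacters; escapes are not decoded, so this is an approximation."""
    stripped = re.sub(r'\[[^\]]*\]|\{[^}]*\}', '|', regex_body)
    return max((len(p) for p in re.split(r'[()*+?|.^$]', stripped)), default=0)


def check_rule(rule_text):
    """Return (check_id, string_id, note) findings for the checks modelled here."""
    findings, seen = [], {}
    for line in rule_text.splitlines():
        m = STRING_RE.match(line)
        if not m:
            continue
        sid, value, mods = m.groups()
        body, mods = value[1:-1], mods.split()
        if value in seen:                                # DS1: same value defined twice
            findings.append(("DS1", sid, f"duplicate of {seen[value]}"))
        seen.setdefault(value, sid)
        if value.startswith('"'):
            if len(body) < ATOM_MIN:                     # PA1: short text atom
                findings.append(("PA1", sid, "text string shorter than 4 bytes"))
            # SM4: fullword requires non-alphanumeric neighbours, so a string whose own edge
            # is non-alphanumeric (a leading backslash inside a path) cannot match in context.
            if "fullword" in mods and not (body[:1].isalnum() and body[-1:].isalnum()):
                findings.append(("SM4", sid, "fullword with a non-alphanumeric edge"))
        elif value.startswith('/') and longest_literal_run(body) < ATOM_MIN:
            findings.append(("RE1", sid, "no 4+ byte literal to anchor the regex"))
    return findings


# Constructed inputs: the two rules from the log above, then their fixed forms.
SLOW_RULE = 'rule Big_Numbers0 {\n strings:\n  $c0 = /[0-9a-fA-F]{20}/ fullword\n condition:\n  $c0\n}'
FAST_RULE = SLOW_RULE.replace('/[0-9a-fA-F]{20}/', '/hash[=:][0-9a-fA-F]{20}/')
BROKEN_RULE = 'rule HKTL_Mimikatz {\n strings:\n  $x1 = "\\\\LsaDump.pdb" fullword\n condition:\n  $x1\n}'
FIXED_RULE = BROKEN_RULE.replace(' fullword', '')

if __name__ == "__main__":
    for name, rule in [("slow", SLOW_RULE), ("fast", FAST_RULE), ("broken", BROKEN_RULE), ("fixed", FIXED_RULE)]:
        print(name, check_rule(rule) or "no findings")
```
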
INSTALLATION

Add to your LLM agent's context:

OPTION_1: Clone and Copy (Recommended)

# Clone the repository
git clone https://github.com/YARAHQ/yara-rule-skill.git

# Copy to your agent's skills folder
cp -r yara-rule-skill ~/.openclaw/skills/

OPTION_2: Package as .skill File

# Clone the repository
git clone https://github.com/YARAHQ/yara-rule-skill.git
cd yara-rule-skill

# Package the skill
python3 scripts/package_skill.py .

# Install the packaged skill
cp yara-rule-skill.skill ~/.openclaw/skills/

Ready. Start a conversation about YARA rules.

github.com/YARAHQ/yara-rule-skill