YARA Rule Skill (Community Edition)

February 3, 2026 ยท View on GitHub

An LLM Agent Skill for expert YARA rule authoring, review, and optimization. Embeds industry best practices from the creator of YARA-Forge and yaraQA into your AI assistant's context.

๐ŸŽฏ What This Skill Does

The yara-rule-skill transforms your LLM agent into a YARA rule expert, capable of:

  • Writing high-quality, performant YARA rules from scratch
  • Reviewing existing rules for quality issues and performance problems
  • Optimizing slow rules by identifying performance bottlenecks
  • Validating rules against 20+ automated quality checks from yaraQA

All through natural language conversation โ€” just paste a rule and ask.

๐Ÿ“ฆ Installation

# Clone the repository
git clone https://github.com/YARAHQ/yara-rule-skill.git

# Copy to your agent's skills folder
cp -r yara-rule-skill ~/.openclaw/skills/

Option 2: Package as .skill File

# Clone the repository
git clone https://github.com/YARAHQ/yara-rule-skill.git
cd yara-rule-skill

# Package the skill
python3 scripts/package_skill.py .

# Install the packaged skill
cp yara-rule-skill.skill ~/.openclaw/skills/

Supported Platforms

This skill works with any LLM agent that supports skill files:

  • OpenClaw โ€” ~/.openclaw/skills/
  • Claude Desktop โ€” (skills folder location varies)
  • Other MCP-based agents โ€” Check your platform's documentation

๐Ÿš€ Usage

Once installed, the skill activates automatically when you discuss YARA rules. Just ask:

Use Case 1: Review My Rule

"Review this YARA rule and suggest improvements"

The skill analyzes:

  • Naming conventions (MAL_, HKTL_, SUSP_, etc.)
  • String selection (atom quality, modifiers)
  • Condition logic (short-circuit evaluation)
  • Metadata completeness

Use Case 2: Assess Public Rules

"Assess the quality of this rule I found online"

The skill checks against 20+ automated quality checks:

  • Logic errors (conditions that never match)
  • Performance issues (short atoms, unanchored regex)
  • Style violations (naming, formatting)
  • Resource problems (too many strings/regex)

Use Case 3: Performance Diagnosis

"This rule causes performance issues, why?"

The skill identifies:

  • Missing regex anchors (.*, .+)
  • Short atoms (< 4 bytes)
  • Expensive calculations before cheap checks
  • Module usage that could be replaced

๐Ÿ“š What's Included

Core Knowledge

The skill combines three authoritative sources into your agent's context:

  1. YARA Performance Guidelines โ€” Optimization techniques, atom selection, condition ordering
  2. YARA Style Guide โ€” Naming conventions, rule structure, metadata standards
  3. yaraQA โ€” 20+ automated quality checks

String Categories

The skill teaches the $x*, $s*, $a*, $fp* naming convention:

PrefixPurposeExample Usage
$x*Highly specific (unique)1 of ($x*) โ€” triggers on signature
$s*Grouped stringsall of ($s*) โ€” need multiple matches
$a*Pre-selection (file type)$a1 โ€” narrows to PE files first
$fp*False positive filtersnot 1 of ($fp*) โ€” exclude benign

Rule Naming Convention

rule MAL_APT_CozyBear_ELF_Loader_Apr18 {
    // MAL      = Malware
    // APT      = Nation state actor
    // CozyBear = Threat actor name
    // ELF      = Linux platform
    // Loader   = Malware type
    // Apr18    = Date (April 2018)
}

Quality Checks

The skill covers all 20 yaraQA issue IDs:

Logic Errors: CE1, SM1-6, DS1, CS1, DU1
Performance: PA1-2, RE1, CF1-2, PI1, NC1, NO1, MO1
Style: SV1-2
Resources: HS1-4

๐Ÿงช Example Assessment

See TEST_ASSESSMENT.md for real-world rule reviews from public repositories.

๐Ÿ—๏ธ Repository Structure

yara-rule-skill/
โ”œโ”€โ”€ SKILL.md                      # Main skill file
โ”œโ”€โ”€ references/
โ”‚   โ”œโ”€โ”€ performance.md            # Performance optimization guide
โ”‚   โ”œโ”€โ”€ style.md                  # Style and naming conventions
โ”‚   โ””โ”€โ”€ yaraqa-checks.md          # Complete yaraQA check reference
โ”œโ”€โ”€ scripts/
โ”‚   โ””โ”€โ”€ package_skill.py          # Packaging script
โ””โ”€โ”€ README.md                     # This file

๐ŸŒ Website

Visit https://YARAHQ.github.io/yara-rule-skill-site/ for:

  • Overview of the skill
  • Use case examples
  • Installation instructions

๐Ÿค Contributing

Contributions welcome! Areas to help:

  • Additional rule examples
  • New quality checks
  • Performance benchmarks
  • Documentation improvements

๐Ÿ“„ License

This skill is derived from Florian Roth's YARA guides and yaraQA tool. See individual source repositories for licensing details.

๐Ÿ™ Acknowledgments

  • Florian Roth (@cyb3rops) โ€” Creator of the original guides and yaraQA
  • YARA HQ โ€” Community organization for YARA excellence
  • Victor M. Alvarez โ€” Creator of YARA