Reverse-Skill: The AI-Powered Security Router That’s Rewriting How Hackers Think + Video

Listen to this Post

Featured Image

Introduction:

The cybersecurity industry is drowning in tool fragmentation. When an AI agent encounters an APK file, it doesn’t know whether to reach for jadx, Frida, or IDA — so it guesses, wastes cycles, and often gets it wrong. The reverse-skill project, authored by ZhaoXu and championed by security researcher Mohit Soni (CRTO, OSCP, OSWP, CRTP), solves this with an AI-powered routing engine that dynamically directs agents to the right toolchain for any reverse engineering or penetration testing task. This isn’t just another GitHub repo — it’s a self-evolving knowledge base that turns AI coding clients into disciplined, methodical security practitioners.

Learning Objectives:

  • Understand the architecture of AI-powered skill routing and how it eliminates guesswork in reverse engineering workflows.
  • Master the installation and bootstrap process for the reverse-skill package across Kali Linux, Ubuntu, macOS, and Windows.
  • Learn to navigate the routing matrix to correctly dispatch APK, binary, JavaScript, firmware, and CTF tasks to the appropriate toolchains.
  • Execute platform-specific deployment scripts and verify toolchain dependencies (JDK, Node.js 22.12+, Python 3.x).
  • Implement the self-evolving feedback loop that captures experience and prevents repeated mistakes.

1. The Core Philosophy: Route First, Execute Second

The fundamental problem reverse-skill addresses is that AI agents (Claude Code, Codex CLI, Cursor, Cline, etc.) lack situational awareness. When presented with a binary, they often hallucinate commands or default to generic analysis. Reverse-skill imposes a strict routing protocol: user task → RULES.md → Skill Router → target Skill → tools/MCP/scripts → report + knowledge沉淀.

Before any tool is invoked, the agent must read `RULES.md` and consult the routing matrix (skills/routing.md). This matrix maps tasks by three dimensions: target type (APK, ELF, JS, PCAP), user intent (decompile, dynamic hook, network capture), and available toolchain. Only after a match is confirmed does the agent enter the designated skill directory and read its `SKILL.md` for execution. This protocol prevents the all-too-common pattern of “do first, route later” — a habit that wastes time and produces unreliable results.

Step‑by‑step guide:

1. Clone the repository:

git clone https://github.com/zhaoxuya520/reverse-skill.git
cd reverse-skill

2. For AI agents only: Read `README_AI.md` immediately. This file contains the bootstrap instructions that the agent must execute.
3. Generate the local tool index (this file is gitignored and does not exist in the cloned repo):
– Linux/macOS/Kali: `bash skills/scripts/refresh-tool-index.sh`
– Windows: `powershell -ExecutionPolicy Bypass -File skills/scripts/refresh-tool-index.ps1`
– Kali-specific: `bash kali/scripts/refresh-tool-index.sh`
This step produces `skills/tool-index.md` and skills/tool-index.json, which are critical for routing.
4. Let the AI detect your platform and follow the appropriate deployment document:
– Kali Linux → `kali/README-kali.md`
– Ubuntu/Debian → `docs/platforms/linux.md`
– macOS → `docs/platforms/macos.md`
– Windows → continue with `README_AI.md`
5. Run the bootstrap entry (preferred for Bash-capable systems):

bash skills/scripts/bootstrap-reverse.sh

This checks toolchains, configures MCP services, and sets up script entry points.
6. The AI then reads RULES.md, executes the CRITICAL immediate-action block, and proceeds to the appropriate skill.

  1. The Routing Matrix: Your Map Through the Reverse Engineering Jungle

The routing matrix is the brain of reverse-skill. It categorizes targets and directs the agent to the correct skill module. Below is a condensed version of the matrix:

| Target Type | Recommended Entry | Alternative |

|-|-|-|

| APK / Android app | `apk-reverse/` — jadx decompile + apktool unpack | If core is in .so → `ida-reverse/` or `radare2/` |
| Binary (exe/dll/so/elf) | `ida-reverse/` — IDA Pro decompile | `radare2/` — CLI analysis, or GDB/Unicorn |
| JavaScript / Web frontend | `js-reverse/` — 5-stage workflow | anything-analyzer MCP browser tools, or jshookmcp CDP/Hook |
| HTTP capture / request replay | anything-analyzer MCP (port 23816) | js-reverse/, jshookmcp, or `competition-web-runtime/` |
| Firmware / IoT | `reverse-engineering/platforms.md` — binwalk/ARM/MIPS | Ghidra headless |
| WASM / Python bytecode | `reverse-engineering/languages.md` | Check specific language section |
| .NET / C (ConfuserEx/SmartAssembly) | `dotnet-reverse/SKILL.md` — dnSpyEx + de4dot | IL2CPP/NativeAOT → `reverse-engineering/` |
| macOS / iOS | `reverse-engineering/platforms.md` — Mach-O/ObjC/Swift | `mobile-reverse/` for iOS-specific |
| Game (Unity) | `reverse-engineering/` — engine reverse, anti-cheat, IL2CPP/Mono | `ida-reverse/` deep analysis |
| Malware / virus sample | `reverse-engineering/` — YARA/sandbox/behavior analysis | `ida-reverse/` deep analysis |
| OLLVM-obfuscated binary | `reverse-engineering/references/ollvm-deobfuscation.md` | obpo-plugin / d810-1g / ollvm-unflattener / angr |
| Cryptography / encryption | `reverse-engineering/patterns.md` — crypto patterns | `js-reverse/` (if frontend crypto) |

Step‑by‑step guide to using the matrix:

  1. Identify the target type — Is it an APK? An ELF binary? A JavaScript encrypted parameter?
  2. Determine the user intent — Decompilation? Dynamic hooking? Network capture? Protocol reverse?
  3. Check available toolchain — Does the local machine have IDA Pro? radare2? Ghidra? Frida?
  4. Consult `skills/routing.md` — Match all three dimensions before proceeding.
  5. If no match exists, propose a new skill rather than force-fitting an inappropriate one.
  6. For cross-module tasks, combine skills per the “Path Crossing” section of the routing document.

3. Platform Deployment: Kali, Ubuntu, macOS, and Windows

Reverse-skill is platform-aware. The AI automatically detects the operating system and follows the appropriate deployment path. Here’s what each platform requires:

Prerequisites (all platforms):

  • Java / JDK — for jadx and apktool
  • Node.js 22.12+ — for JS toolchain and MCP services
  • Python 3.x — for Frida and辅助 scripts
  • An AI coding client — Claude Code, Codex CLI, Cursor, etc.

Kali Linux:

Kali is the preferred platform for offensive security. The deployment document is at kali/README-kali.md. The bootstrap script:

bash kali/scripts/bootstrap-reverse.sh

And the index refresh:

bash kali/scripts/refresh-tool-index.sh

Ubuntu/Debian:

Generic Linux deployment is covered in docs/platforms/linux.md. Use the common scripts:

bash skills/scripts/bootstrap-reverse.sh
bash skills/scripts/refresh-tool-index.sh

macOS:

Darwin-based systems use docs/platforms/macos.md. The same Bash scripts apply:

bash skills/scripts/bootstrap-reverse.sh
bash skills/scripts/refresh-tool-index.sh

Windows:

Windows requires PowerShell. The deployment is handled within README_AI.md. Key commands:

powershell -ExecutionPolicy Bypass -File skills/scripts/refresh-tool-index.ps1

Step‑by‑step platform deployment:

  1. Detect OS — The AI reads `/etc/os-release` (Linux) or `uname -s` (macOS) or `$env:OS` (Windows).
  2. Read the corresponding platform document — This ensures toolchain paths, MCP configurations, and script entry points are correct.
  3. Run the bootstrap script — This checks dependencies and sets up the environment.
  4. Verify toolchain — Ensure jadx, apktool, Frida, Node.js, and Python are accessible.
  5. Proceed to RULES.md — The AI now enters the routing phase.

  6. The Self-Evolving Knowledge Base: Why This Project Matters

Reverse-skill isn’t static. It’s designed to evolve with each engagement. The project’s tagline — “破暗而行,逆水为舟” (breaking through darkness, sailing against the current) — reflects its commitment to continuous improvement.

Why this project exists:

  • AI agents face APK, ELF, JS, and PCAP files without knowing which tool to use (jadx, Frida, or IDA).
  • Tool paths, MCP services, and script entry points are scattered across different machines, making migration difficult.
  • The same problems are re-solved from scratch each time, with no reusable经验.

Reverse-skill solves these by:

  • AI-powered routing — The agent consults a structured matrix before acting.
  • On-demand toolchain bootstrapping — The system checks and configures tools dynamically.
  • Self-evolving knowledge base — Each engagement produces a report and沉淀 (accumulated experience) that feeds back into the system.

Step‑by‑step guide to contributing and evolving:

  1. After completing a task, the agent generates a report.
  2. Identify patterns — Was the routing correct? Were there missing tools?
  3. Update the routing matrix — Propose new entries or refine existing ones.
  4. Add new skills — If a new tool or technique is discovered, create a new skill directory with a SKILL.md.
  5. Submit a pull request — The community benefits from your experience.

  6. Toolchain Deep Dive: IDA Pro, radare2, Ghidra, and Beyond

The technical stack of reverse-skill is anchored in industry-standard reverse engineering tools:

  • IDA Pro — The gold standard for binary decompilation. Used for deep analysis of ELF, PE, and Mach-O binaries.
  • radare2 — A CLI-based alternative for those who prefer terminal workflows or lack IDA licenses.
  • Ghidra — The NSA’s open-source reverse engineering framework, particularly useful for headless analysis.

But the toolchain extends far beyond these three:

  • jadx and apktool — For Android APK decompilation and unpacking.
  • Frida — For dynamic instrumentation and hooking.
  • dnSpyEx and de4dot — For .NET reverse engineering and deobfuscation.
  • anything-analyzer MCP — For HTTP capture and request replay (port 23816).
  • binwalk — For firmware analysis and extraction.
  • YARA — For malware pattern matching.

Step‑by‑step guide to verifying and using the toolchain:

1. Check JDK installation:

java -version

2. Check Node.js version (must be 22.12+):

node -v

3. Check Python:

python3 --version

4. Verify jadx:

jadx --version

5. Verify apktool:

apktool --version

6. Verify Frida:

frida --version

7. If any tool is missing, install it via the platform’s package manager (apt, brew, or manual download).

6. MCP Integration: Bridging AI and Local Tools

Reverse-skill leverages the Model Context Protocol (MCP) to connect AI agents with local tools and services. The `anything-analyzer` MCP server runs on port 23816 and handles HTTP capture, request replay, and browser sampling. The `jshookmcp` provides CDP (Chrome DevTools Protocol) and hooking capabilities for JavaScript reverse engineering.

Step‑by‑step guide to MCP configuration:

  1. Ensure Node.js 22.12+ is installed — MCP services are Node-based.
  2. Navigate to the MCP configuration directory (typically within the skill’s folder).

3. Start the MCP server (example for anything-analyzer):

npx anything-analyzer --port 23816

4. Verify the server is running — Check that the port is listening:

netstat -tulpn | grep 23816  Linux
netstat -an | findstr 23816  Windows

5. Configure the AI client to connect to the MCP server — This varies by client (Claude Code, Cursor, etc.).
6. Test with a sample request — Capture an HTTP request and replay it through the MCP.

7. CTF and Competition Workloads: The Sandbox Orchestrator

Reverse-skill includes a dedicated CTF module: `CTF-Sandbox-Orchestrator/` with over 40 sub-skills. This is designed for capture-the-flag competitions and penetration testing challenges. The orchestrator provides a structured environment for:
– Binary exploitation
– Web application security
– Cryptography challenges
– Forensics
– Reverse engineering puzzles

Step‑by‑step guide to using the CTF module:

1. Navigate to the CTF directory:

cd CTF-Sandbox-Orchestrator/

2. List available sub-skills:

ls -la

3. Read the SKILL.md of the relevant sub-skill for instructions.
4. Execute the provided scripts — Each sub-skill includes tooling and automation.
5. Document your approach — This feeds back into the knowledge base.

What Undercode Say:

  • Key Takeaway 1: Reverse-skill transforms AI agents from guessing machines into disciplined security practitioners by enforcing a “route-first, execute-second” protocol. This eliminates the most common failure mode in AI-assisted reverse engineering.

  • Key Takeaway 2: The self-evolving knowledge base is the project’s killer feature. Every engagement produces a report that can be fed back into the system, ensuring that the same mistakes are never repeated and that the toolchain improves over time.

Analysis: The reverse-skill project represents a paradigm shift in how AI interacts with security tooling. Rather than treating AI as a replacement for human expertise, it positions AI as an orchestrator that follows established methodologies. The routing matrix is particularly powerful — it’s essentially a decision tree that encodes years of reverse engineering wisdom into a machine-readable format. For organizations that rely on AI coding clients for security tasks, adopting reverse-skill could reduce analysis time by 50-70% and dramatically improve accuracy. However, the project’s success depends on community contributions; without active maintenance of the routing matrix and skill modules, it will stagnate. The use of MCP for local tool integration is forward-thinking, as it aligns with the broader industry trend toward standardized AI-tool interfaces.

Prediction:

  • +1 The reverse-skill model will be adopted by major security vendors within 18 months, leading to integrated AI routing engines in commercial penetration testing platforms.
  • +1 Community-driven skill modules will proliferate, creating a de facto standard for AI-assisted reverse engineering that rivals OWASP in scope.
  • -1 Without sustained maintenance, the routing matrix will become outdated as new obfuscation techniques and tools emerge, reducing its effectiveness over time.
  • +1 The project’s emphasis on self-evolution will inspire similar initiatives in other domains, such as cloud security hardening and API security testing.
  • -1 Adoption may be hindered by the learning curve — security teams must invest time in understanding the routing matrix and customizing it for their specific toolchains.
  • +1 MCP integration will accelerate as more AI clients adopt the protocol, making reverse-skill a blueprint for future AI-tool interactions.
  • +1 The CTF orchestrator will become a go-to resource for security training, bridging the gap between theoretical knowledge and practical application.
  • -1 Proprietary tools like IDA Pro may limit adoption in cost-sensitive environments, though alternatives like Ghidra and radare2 mitigate this.
  • +1 The project’s open-source nature and community-driven evolution will ensure it remains relevant, provided the maintainers can sustain momentum.
  • +1 In the long term, reverse-skill could evolve into a fully autonomous security agent that not only routes tasks but also executes complex multi-step engagements with minimal human oversight.

▶️ Related Video (88% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: 0xfrost Reverse – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky