This is what you use after binary-triage when you need to answer a specific reverse engineering question. Instead of surveying the whole binary, it does a depth-first investigation: pick a function, read the decompilation, rename variables, fix types, add comments, verify that the result is clearer, then follow the next lead. The workflow is structured as 3-7 iterations of a read, improve, verify, follow-threads loop. It has tailored strategies for common questions like "what does this function do", "does this use crypto", or "what's the C2 address". The strength here is the incremental database improvement approach: you're not just analyzing but actually making the Ghidra project more readable as you go. It works best when you have a focused question rather than when you are just exploring.
npx skills add https://github.com/cyberkaida/reverse-engineering-assistant --skill deep-analysis