by morluto
Reverse engineer anything with agents: one CLI and MCP server to inspect any app, understand it fully down to the binary level.
# Add to your Claude Code skills
git clone https://github.com/morluto/reaLast scanned: 7/16/2026
{
"issues": [
{
"file": "README.md",
"line": 102,
"type": "remote-install",
"message": "Install command (remote install script piped to a shell — review the source before running): \"curl -fsSL https://raw.githubusercontent.com/morluto/rea/main/install.sh | bash\"",
"severity": "low"
}
],
"status": "PASSED",
"scannedAt": "2026-07-16T06:18:47.501Z",
"npmAuditRan": false,
"pipAuditRan": true,
"promptInjectionRan": true
}rea is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by morluto. Reverse engineer anything with agents: one CLI and MCP server to inspect any app, understand it fully down to the binary level. It has 111 GitHub stars.
Yes. rea passed SkillsLLM's automated security scan — a dependency vulnerability audit plus prompt-injection heuristics — with no high-severity issues. You can read the full report in the Security Report section on this page.
Clone the repository with "git clone https://github.com/morluto/rea" and add it to your Claude Code skills directory (see the Installation section above).
rea is primarily written in TypeScript. It is open-source under morluto on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh rea against similar tools.
No comments yet. Be the first to share your thoughts!
English · 简体中文 · 日本語 · 한국어 · العربية
See a feature you like. Understand how it works, down to the binary level.
Quick start · Current status · Investigation model · 82 tools · Roadmap · How it works
npm install --global rea-agents && rea setup
See a feature in an app that you want in your own product? Give the app to your agent—even without its source code. With REA, the agent can investigate the feature, explain how it works, show its evidence, and build a version adapted to your stack and requirements.
REA gives agents one consistent way to investigate software. Today that includes deep native analysis and function dossiers through Hopper or bring-your-own Ghidra on Linux, reproducible Evidence v2 records, controlled process capture, passive website and Electron observation, bounded JavaScript/source-map reconstruction, and a versioned domain graph for connecting JavaScript application layers without confusing static inference with runtime observation. The longer-term toolkit extends the same agent workflow to APIs, protocols, mobile artifacts, firmware, richer runtime behavior, and differences between versions.
Reverse engineering normally makes the operator choose a tool, learn its API, move evidence between programs, and decide what to inspect next. REA gives that work to the agent through commands, skills, structured results, and repeatable investigation workflows.
Install the REA skill:
npx skills add morluto/rea
Then ask:
Use REA to understand how search works in the Notes app, show me the
evidence, and build a similar feature for my project.
Notes is only an example. Name any app you want to understand, or ask the agent to start with an overview.
REA shows how it reached its conclusions. It does not claim to recover original source code or automatically clone an application.
| Built for agents | Ask what an app does and let your agent inspect it instead of guessing. |
| CLI and MCP | Run the same reverse-engineering capabilities from your terminal or agent. |
| Complexity handled | REA installs and manages the reverse-engineering tools behind the scenes. |
| From insight to code | Understand a feature, then build your own version in the same coding session. |
| Local by design | Analysis runs on your supported local host. REA does not upload the app to a hosted analysis service. |
| Keeps context | Investigate several apps without starting over for every question. |
npm install --global rea-agents
rea setup
Installing the CLI does not update Homebrew, Node.js, npm, Hopper, or agent configuration. rea setup detects what is already present, prints every proposed change, and asks before applying it.
REA detects Claude Code, Claude Desktop, Codex, Cursor, Gemini CLI, Windsurf, and Devin. It configures the first six when detected; Devin is reported but left unchanged because it has no documented local MCP configuration boundary. Registrations are additive, backup-first, and read back after writing. You can safely rerun setup.
An optional curl wrapper installs the same CLI package and starts setup only when a terminal is available:
curl -fsSL https://raw.githubusercontent.com/morluto/rea/main/install.sh | bash
Pass installer options after bash -s --, for example --dry-run, --no-setup, or --version 1.0.0. The curl wrapper never installs prerequisites or configures integrations itself. See Installation and setup for its exact mutation boundary.
npx skills add morluto/rea
Ask your agent to set up REA. It will check your supported host, explain anything it needs to install, ask for approval, and guide you through system prompts. After setup, restart the agent if it asks you to load the full REA toolset.
Review the setup plan, approve it if appropriate, then describe the app or feature you want to understand. Hopper can run in its free demo mode; if it shows a first-run prompt, choose the demo or enter an existing license.
npx -y rea-agents setup
npx -y rea-agents doctor
npx -y rea-agents analyze /Applications/Notes.app
Review the setup plan before confirming it. Restart a configured agent so it loads REA.
rea commandnpm install --global rea-agents
rea setup
rea doctor
rea analyze /Applications/Notes.app
Update that global installation in place:
rea upgrade
REA checks npm for the latest release and verifies that the running package is
the global installation it will replace. Source, local, and npx copies report
the manual npm install --global rea-agents@latest command instead of updating
an unrelated global package.
Choose either the no-install commands or the global installation. You do not need both.
Deep binary operations use Hopper, a separate desktop application with its own license, or a caller-selected Ghidra provider. Ghidra supplies read-only inventory, function metadata, decompilation, assembly, resolved calls, typed references, xrefs, CFG, and function dossiers; GUI state and mutations remain unavailable through that provider. Setup reuses an existing Hopper installation or an operator-supplied Ghidra installation. It never downloads Ghidra or installs Java. If neither provider is ready, interactive setup proposes Hopper; unattended Hopper installation requires rea setup --yes --install-hopper.
If something is not working, run:
npx -y rea-agents doctor
rea doctor --json is read-only and distinguishes unsupported hosts, missing dependencies, a missing local analysis engine, configuration drift, and healthy checks. Paid-license activation is optional: on Linux, REA runs the supported Hopper demo build on a private Xvfb display and selects Hopper's offered demo mode for each analysis session.
On macOS, approved setup downloads Hopper's official DMG, verifies it, and installs the app into ~/Applications without Homebrew or administrator privileges. Hopper may show its demo or license prompt when first opened; no manual drag-and-drop is required.
On Ubuntu 24.04+, Fedora 41+, and 64-bit Arch Linux, approved setup downloads the pinned official Hopper 6.4.2 package, restricts downloads to Hopper's public origin, verifies the published size and checksum, and invokes apt-get, dnf, or pacman to install Hopper and the Xvfb, Python, X11, and XTEST packages used by demo sessions. When REA is not already running as root, pkexec presents the system authorization prompt. REA never invokes sudo. Demo sessions run on an isolated 1280×1024 Xvfb display. REA verifies the exact supported Hopper binary, its owned process ancestry, the expected dialog geometry, and bridge state before selecting Try the Demo; any mismatch fails closed.
The normal Linux launcher is /opt/hopper/bin/Hopper. If Hopper was installed elsewhere:
export HOPPER_LAUNCHER_PATH=/absolute/path/to/Hopper
rea doctor --json
If doctor reports a missing analysis engine even though the file exists, inspect shared-library resolution with:
ldd /opt/hopper/bin/Hopper | grep 'not found'
Install the missing distribution packages and rerun rea setup. Linux demo automation requires Xvfb, Python 3, libX11.so.6, and libXtst.so.6; approved setup installs those direct runtime depende