Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

npm defender2

Scan npm packages or projects to detect JavaScript malware, suspicious Base64, private use characters, and known malicious packages with RLO attack detection.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 82 · 0 current installs · 0 all-time installs
by Jay@goog
Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name and description (scan npm packages for JS malware, PUA/RLO, suspicious Base64, known malicious packages) match the provided files: SKILL.md instructs running the included Python scanner and the script implements PUA detection, pattern/IOC checks, Base64 decoding and package.json analysis.
Instruction Scope
SKILL.md instructs only local actions (pip install an optional helper package, then run the included script or an external rlo-detect tool). The runtime instructions focus on scanning files and package.json; they do not ask the agent to read unrelated system files or secrets. Note: scanning node_modules or entire projects will read many files (expected for this tool).
Install Mechanism
There is no install spec (instruction-only) and the included script is run directly. SKILL.md recommends 'pip install rlo-detect' and shows 'rlo-detect' usage — installing a third-party PyPI package is a moderate risk because it pulls code from an external source not included with the skill. The skill itself does not install arbitrary archives or fetch code at runtime.
Credentials
The skill requests no environment variables, credentials, or config paths. The Python script reads only the target files/directories provided by the user and uses sys.platform; this is proportional to scanning functionality.
Persistence & Privilege
The skill's always setting is false and the skill does not request persistent or system-wide changes. The skill does not modify other skills or system config. Autonomous invocation is allowed (platform default) but is not combined with broad privileges.
Assessment
This skill appears to do what it claims: it ships a local Python scanner and its SKILL.md tells you how to run it. Before installing or running anything: (1) inspect the included script (already present) — it contains no network calls or exfiltration; (2) vet the external package 'rlo-detect' on PyPI (check project homepage, source, and maintainers) before running 'pip install'; (3) run the scanner in an isolated environment (container or VM) if you are unsure; (4) be aware that scanning large directories (node_modules) will read many files and could surface secrets in output — avoid scanning sensitive systems without safeguards.
Patterns worth reviewing

scripts/pua.py:103: Dynamic code execution detected.

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.


Current version: v1.0.0
latest: vk973kmk7fv278y8j0y6e5bhrwd836q4a


SKILL.md

defender2 - NPM Malware Detection

Scan npm packages and projects with the bundled pua.py script to detect JavaScript malware.

setup

pip install rlo-detect

Usage

python skills/defender2/scripts/pua.py <path> [-r] [-v]

Parameters

  • path: the path to scan (a file or a directory)
  • -r, --recursive: scan subdirectories recursively
  • -v, --verbose: show detailed output

example

# Scan an entire project
python skills/defender2/scripts/pua.py ./my-project

# Scan a single package.json
python skills/defender2/scripts/pua.py ./package.json

# Recursively scan node_modules
python skills/defender2/scripts/pua.py ./node_modules --recursive

# RLO malware detection
rlo-detect ./my-project

Detection features

  1. PUA character detection - detects obfuscation that uses Unicode Private Use Area characters
  2. Malicious pattern matching - detects dangerous code patterns such as eval(atob()) and Buffer.from()
  3. IOC detection - identifies known malicious package names, IP addresses and C2 addresses
  4. Base64 decoding - decodes hidden suspicious code
  5. Persistence techniques - detects stealth techniques such as singleton lock files and exception swallowing
  6. Dependency analysis - checks package.json for malicious dependencies
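As an added illustration of the detection classes listed above (example code written for this page, not the skill's own scripts/pua.py or the rlo-detect package), the scanner below flags Private Use Area characters, bidi override controls such as RLO (U+202E), the eval(atob()) and Buffer.from(..., 'base64') patterns, decodes long Base64 string literals and rescans the result for dangerous tokens, and checks package.json for denylisted dependency names. It goes slightly beyond the list: it also reports a raw require('child_process') and any npm install lifecycle hook. The denylist names, the sample JavaScript and the sample package.json are all constructed for the example.

```python
from __future__ import annotations

import base64
import json
import re
from dataclasses import dataclass

# Unicode Private Use Areas: the BMP block plus the two supplementary planes.
PUA_RANGES = ((0xE000, 0xF8FF), (0xF0000, 0xFFFFD), (0x100000, 0x10FFFD))
# Bidi embedding/override/isolate controls (U+202E is the RLO used to disguise names).
BIDI_CONTROLS = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E, 0x2066, 0x2067, 0x2068, 0x2069}

# Source-text patterns; the first two are the ones the SKILL.md names.
SUSPICIOUS_PATTERNS = {
    "eval-atob": re.compile(r"eval\s*\(\s*atob\s*\("),
    "buffer-base64": re.compile(
        r"Buffer\.from\s*\(\s*['\"][A-Za-z0-9+/=]{16,}['\"]\s*,\s*['\"]base64['\"]"),
    "child-process": re.compile(r"require\s*\(\s*['\"]child_process['\"]\s*\)"),
}
# Long Base64 string literals are decoded and rescanned for these tokens.
BASE64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{24,}={0,2})['\"]")
DANGEROUS_DECODED = re.compile(r"\b(eval|child_process|exec|spawn|fetch|http)\b")

# Constructed denylist for the dependency check: placeholder names, not real packages.
KNOWN_BAD_PACKAGES = {"example-bad-package", "evil-typosquat-placeholder"}


@dataclass
class Finding:
    kind: str    # detection class
    detail: str  # human-readable evidence


def scan_js_source(text: str) -> list[Finding]:
    """Return findings for the contents of one JavaScript source file."""
    findings: list[Finding] = []
    for offset, ch in enumerate(text):
        cp = ord(ch)
        if any(lo <= cp <= hi for lo, hi in PUA_RANGES):
            findings.append(Finding("pua-char", f"U+{cp:04X} at offset {offset}"))
        elif cp in BIDI_CONTROLS:
            findings.append(Finding("bidi-control", f"U+{cp:04X} at offset {offset}"))
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append(Finding(name, m.group(0)[:40]))
    for m in BASE64_LITERAL.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64 or not text: nothing to rescan
        hit = DANGEROUS_DECODED.search(decoded)
        if hit:
            findings.append(Finding("base64-payload", f"decoded literal contains {hit.group(0)!r}"))
    return findings


def scan_package_json(text: str) -> list[Finding]:
    """Return findings for the contents of a package.json file."""
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [Finding("invalid-json", str(exc))]
    if not isinstance(pkg, dict):
        return [Finding("invalid-json", "top level is not an object")]
    findings: list[Finding] = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in pkg.get(section, {}):
            if name in KNOWN_BAD_PACKAGES:
                findings.append(Finding("known-bad-dependency", f"{section}: {name}"))
    # Lifecycle hooks run automatically during `npm install`, so list them for review.
    for hook in ("preinstall", "install", "postinstall"):
        if hook in pkg.get("scripts", {}):
            findings.append(Finding("install-hook", f"{hook}: {pkg['scripts'][hook]}"))
    return findings


# Constructed samples (not real malware): a clean file, an obfuscated one, a package.json.
CLEAN_JS = "const x = 1;\nconsole.log(x);\n"
_PAYLOAD = base64.b64encode(b"require('child_process').exec('echo hi')").decode()
SUSPICIOUS_JS = (
    "var k = '\ue000\ue001';\n"        # two Private Use Area characters
    "var s = 'abc\u202etxt.js';\n"      # RLO override hiding the real extension
    "eval(atob('QUJD'));\n"             # the eval(atob()) pattern
    f"var p = '{_PAYLOAD}';\n"          # Base64 literal wrapping a child_process call
)
SUSPICIOUS_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {"lodash": "^4.17.21", "example-bad-package": "1.0.0"},
    "scripts": {"postinstall": "node setup.js"},
})

if __name__ == "__main__":
    for label, findings in (
        ("clean.js", scan_js_source(CLEAN_JS)),
        ("suspicious.js", scan_js_source(SUSPICIOUS_JS)),
        ("package.json", scan_package_json(SUSPICIOUS_PACKAGE_JSON)),
    ):
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.kind}] {f.detail}")
```

Run as-is it reports no findings for the clean file, five for the obfuscated one (two PUA characters, one RLO control, the eval(atob()) call and the decoded child_process payload) and two for the package.json (the denylisted dependency and the postinstall hook). Decoding Base64 before matching is what catches the last case: the raw source never contains the string child_process, so a pattern-only scanner would miss it.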

Files

2 total