Skill blocked — malicious content detected

ClawHub Security flagged this skill as malicious. Downloads are disabled. Review the scan results below.

Malware Signature Scanner

v1.4.0

Scans files and URLs for malware using YARA rules, hash reputation, PE header analysis, entropy checks, and threat intel with JSON report export.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for snipercat69/edgeiq-malware-signature-scanner.

Prompt (Install & Setup):
Install the skill "Malware Signature Scanner" (snipercat69/edgeiq-malware-signature-scanner) from ClawHub.
Skill page: https://clawhub.ai/snipercat69/edgeiq-malware-signature-scanner
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install edgeiq-malware-signature-scanner

ClawHub CLI


npx clawhub@latest install edgeiq-malware-signature-scanner

Security Scan

Capability signals

Crypto · Requires wallet · Can make purchases · Requires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability

The name, description, SKILL.md and code align: the included Python implements YARA-style substring rules, hash computation, PE header parsing, entropy and string extraction as advertised. However the skill references external threat feeds (VirusTotal, MalwareBazaar, Hybrid-Analysis) in documentation without declaring or requesting the API credentials those services normally require, and the registry metadata declares no required env/config keys despite the code reading license files and env vars.

Instruction Scope

Runtime instructions are mostly scoped to scanning files/URLs. But SKILL.md suggests setting EDGEIQ_EMAIL to enable Pro features and instructs copying files into ~/.openclaw/skills; the code (edgeiq_licensing.py / malware_scanner.py) reads files under the user's home (~/.edgeiq/license.key and stripe_licenses.json) and environment variables (EDGEIQ_EMAIL, EDGEIQ_LICENSE_KEY). Those file/env accesses are not declared in the registry and are unexpected for a pure local scanner.

Install Mechanism

There is no install spec in the registry (instruction-only), and code files are shipped with the skill. README suggests a separate git clone from a GitHub repo (snipercat69) but the registry lists source as 'unknown' and homepage none. No network-download install step is present in the registry, which is lower risk, but the provenance is unclear and the README/links are inconsistent with registry metadata.

Credentials

Registry declares no required env vars or config paths, but the code relies on: ~/.edgeiq/license.key and ~/.edgeiq/stripe_licenses.json, EDGEIQ_EMAIL and EDGEIQ_LICENSE_KEY environment variables. edgeiq_licensing.py contains a hardcoded developer email (gpalmieri21@gmail.com) that is treated as a valid bundle license, effectively acting as a backdoor to enable premium features. The skill also documents queries to external threat feeds (VirusTotal, etc.) but does not declare or request API keys — this mismatch is concerning and should be clarified.

Persistence & Privilege

The skill does not request 'always: true' and does not appear to modify other skills or global agent settings. It does read/write to a per-user config path (~/.edgeiq) and expects a license key there; that is within normal bounds for a licensed tool, but the fact that those config paths are not declared in the registry is a transparency concern.
What to consider before installing
Do not run this on your primary workstation without review. Specific actions to consider before installing or running:

1) Verify provenance — ask the publisher for the official repository/homepage and compare hashes of the shipped files; the registry lists source as 'unknown' while README points to a third-party GitHub account.
2) Inspect the code yourself (or have someone you trust review it); the skill reads ~/.edgeiq/* license files and checks EDGEIQ_EMAIL/EDGEIQ_LICENSE_KEY — these are not declared in the registry and include a hardcoded developer email that grants bundle access. Do not set EDGEIQ_EMAIL to another person's email to 'unlock' features.
3) Expect network activity — the tool claims to query VirusTotal/MalwareBazaar/Hybrid-Analysis and uses urllib; determine whether API keys are required and whether queries would send hashes or full sample data off-host.
4) Run any malware analysis tool only inside an isolated VM or sandbox and never as root.
5) Ask the author to: (a) provide an authoritative homepage/repo, (b) declare required env vars/config paths in the registry, and (c) remove or explain the developer backdoor and inconsistent pricing/links.

If you cannot confirm origin and behavior, treat the package as untrusted and prefer alternatives from known vendors or official projects.
malware_scanner.py:136
Possible crypto mining behavior detected.
Critical security concern
These patterns indicate potentially dangerous behavior. Exercise extreme caution and review the code thoroughly before installing.


Version tag: latest (vk970g0rem8xzgjvsavrvkzhphn85g0tj)
0 downloads · 0 stars · 4 versions · Updated 3d ago · v1.4.0 · License: MIT-0

Malware Signature Scanner

Skill Name: malware-signature-scanner
Version: 1.0.0
Category: Security / Threat Detection
Price: Lifetime: $39 / Optional Monthly: $7/mo (includes all Pro features permanently)
Author: EdgeIQ Labs
OpenClaw Compatible: Yes — Python 3, pure stdlib, WSL + Linux


What It Does

Detects known malware signatures, suspicious patterns, and indicators of compromise (IOC) in files and URLs. Uses YARA-style pattern matching, hash comparison against threat intelligence feeds, PE header analysis, and behavioral pattern detection. Designed for security researchers and sysadmins analyzing suspicious files.

⚠️ Legal Notice: Only scan files you own or have explicit authorization to analyze. Do not use this tool to analyze files you don't have rights to. Analyzing malware may require a safe, isolated environment.


Features

  • YARA-style pattern matching — rule-based detection for known malware families
  • Hash reputation check — MD5/SHA1/SHA256 vs VirusTotal, MalwareBazaar, Hybrid-Analysis feeds
  • PE header analysis — detects packers, suspicious sections, malformed headers, overlay data
  • String extraction — pulls suspicious strings (IP addresses, URLs, mutexes, API calls)
  • Entropy analysis — identifies encrypted/packed sections (high entropy = likely obfuscated)
  • URL/domain reputation — checks URLs against blocklists
  • JSON export — structured threat report
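
The local checks in this list (hash computation, entropy analysis and string/IOC extraction) take only a few lines of standard-library Python. The block below is an added example written for this page, not code shipped with the skill or by EdgeIQ Labs. The 7.0 bits-per-byte "likely packed" threshold, the IOC regexes and the two sample blobs are constructed for the illustration; feed lookups and any network activity are deliberately left out, and the file under analysis is only read, never executed.

```python
import hashlib
import math
import re
from collections import Counter

# Heuristic cut-off for "packed/encrypted" content. Shannon entropy of a byte
# stream lies between 0.0 and 8.0 bits per byte; 7.0 is an assumed threshold
# chosen for this example, not a value taken from the skill.
HIGH_ENTROPY_BITS = 7.0

# Indicator patterns applied to raw bytes: URLs, IPv4 addresses, Windows
# global mutex names and a few process-injection API names (constructed set).
IOC_PATTERNS = {
    "url": re.compile(rb"https?://[A-Za-z0-9.\-_/:%?=&]+"),
    "ipv4": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mutex": re.compile(rb"Global\\[A-Za-z0-9_]+"),
    "api": re.compile(rb"\b(?:CreateRemoteThread|WriteProcessMemory|VirtualAllocEx)\b"),
}


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 digests, the values a hash-reputation lookup would send."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII of at least min_len bytes, like the classic strings(1)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_iocs(data: bytes) -> dict:
    """Unique, sorted matches for each IOC pattern."""
    return {
        kind: sorted({m.decode("ascii", "replace") for m in pat.findall(data)})
        for kind, pat in IOC_PATTERNS.items()
    }


def scan_bytes(data: bytes) -> dict:
    """Local-only report: hashes, entropy verdict, printable strings and IOCs."""
    ent = shannon_entropy(data)
    return {
        "hashes": hashes(data),
        "entropy_bits_per_byte": round(ent, 3),
        "likely_packed": ent >= HIGH_ENTROPY_BITS,
        "strings": extract_strings(data),
        "iocs": find_iocs(data),
    }


def scan_file(path: str) -> dict:
    """Read a file and scan it; the file is only read, never executed."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed samples (not real malware): a plaintext-like blob carrying IOC
# strings, and a blob whose byte values are uniformly distributed (entropy 8.0).
SAMPLE_WITH_IOCS = (
    b"MZ\x90\x00"
    b"This program cannot be run in DOS mode\x00"
    b"http://example.invalid/update\x00"
    b"Global\\MSCTF_ASDF1234\x00"
    b"CreateRemoteThread\x00"
    b"192.0.2.10\x00"
)
SAMPLE_UNIFORM = bytes(range(256)) * 4

if __name__ == "__main__":
    import json
    for label, blob in (("ioc-sample", SAMPLE_WITH_IOCS), ("uniform-sample", SAMPLE_UNIFORM)):
        report = scan_bytes(blob)
        report["strings"] = report["strings"][:5]  # keep the printout short
        print(label, json.dumps(report, indent=2))
```

Note the scale: Shannon entropy of bytes tops out at 8.0 bits per byte, so the entropy figures a scanner reports should be read against that ceiling. A uniformly distributed blob scores exactly 8.0 and trips the packed heuristic; ordinary text with a handful of distinct characters stays well below it.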

Tier Comparison

Feature               | Free             | Lifetime ($39)     | Optional Monthly ($7/mo)
Hash reputation check | ✅ (5 files)      | ✅ (unlimited)      | ✅ (unlimited)
YARA pattern matching | ✅ (basic rules)  | ✅ (full + custom)  | ✅ (full + custom)
PE header analysis    |                  |                    |
String extraction     |                  |                    |
Entropy analysis      |                  |                    |
URL/domain reputation |                  |                    |
JSON export           |                  |                    |

Installation

cp -r /home/guy/.openclaw/workspace/apps/malware-signature-scanner ~/.openclaw/skills/malware-signature-scanner

Usage

Basic hash + YARA scan (free tier)

python3 malware_scanner.py --file /path/to/suspicious.exe

SHA256 hash check only

python3 malware_scanner.py --hash "a1b2c3d4e5f6789012345678901234567890123456789012345678901234abcd" --pro

URL reputation check

EDGEIQ_EMAIL=your_email@gmail.com python3 malware_scanner.py --url "https://suspicious-site.com/payload.exe" --pro

Full bundle analysis with JSON export

EDGEIQ_EMAIL=your_email@gmail.com python3 malware_scanner.py --file /path/to/sample.exe --bundle --output malware-report.json

As OpenClaw Discord Command

In #edgeiq-support channel:

!malware /path/to/file.exe
!malware --hash a1b2c3d4...abcd
!malware --url https://suspicious-site.com/payload.exe

Parameters

Flag      | Type   | Default | Description
--file    | string |         | Path to file to analyze
--hash    | string |         | SHA256/MD5/SHA1 hash to check
--url     | string |         | URL to check for malicious content
--pro     | flag   | False   | Enable Pro features
--bundle  | flag   | False   | Enable Bundle features
--output  | string |         | Write JSON report to file
--timeout | int    | 30      | Analysis timeout (seconds)

Output Example

=== Malware Signature Scanner ===
Target: /samples/payload.exe (SHA256: a1b2c3d4...)

  🔴 THREAT DETECTED — Win32/TrickBot
    Confidence: 94%
    Signature: YARA_rule_trickbot_v3
    Category: Banking Trojan
    Source: EdgeIQ Threat Intel + Hybrid-Analysis

  🟡 Suspicious Strings:
    - hxxp://malicious-c2[.]server[.]com:443/update
    - Mutex: Global\\MSCTF_ASDF1234
    - API: CreateRemoteThread, WriteProcessMemory

  🟡 Entropy: 7.8/10 (HIGH — likely obfuscated/packed)

  ✔ PE Header: Normal (no suspicious entries)

  Threat Level: HIGH — 1 malware signature matched (TrickBot)

Pro Upgrade

Full YARA ruleset + entropy analysis + URL reputation + unlimited hash checks:

👉 Buy Lifetime — $39 👉 Subscribe Monthly — $7/mo


Data Sources

  • VirusTotal Community API (hash lookup)
  • MalwareBazaar (Abuse.ch)
  • Hybrid-Analysis public feed
  • Internal EdgeIQ YARA ruleset (200+ rules)
  • URLhaus (Malware URL blocklist)
  • Emerging Threats ruleset

Safe Analysis Tips

  1. Always analyze malware in an isolated VM or sandboxed environment
  2. Do not run payloads — use --hash to check before downloading
  3. Use --pro for full threat intelligence lookup
  4. Export reports with --output for security documentation

Support

Open a ticket in #edgeiq-support or email gpalmieri21@gmail.com


🔗 More from EdgeIQ Labs

edgeiqlabs.com — Security tools, OSINT utilities, and micro-SaaS products for developers and security professionals.

  • 🛠️ Subdomain Hunter — Passive subdomain enumeration via Certificate Transparency
  • 📸 Screenshot API — URL-to-screenshot API for developers
  • 🔔 uptime.check — URL uptime monitoring with alerts
  • 🛡️ headers.check — HTTP security headers analyzer

👉 Visit edgeiqlabs.com →
