Check Axios Malware

v1.0.0

Check if the local machine is infected by the malicious axios supply-chain attack (axios 1.14.1/0.30.4 via plain-crypto-js@4.2.1). Use when: user asks about...

by Jeff (@tjefferson)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description (scan the local machine for axios/plain-crypto-js IOCs) match the requested binaries and the commands in SKILL.md. The required tools (find, ps, ss, crontab, python3) are all needed for the checks the skill performs; no unrelated credentials, binaries, or installation steps are requested.
Instruction Scope
The instructions are limited to local discovery: searching the filesystem for package directories and package.json files, enumerating processes and established connections, and checking crontab and rc files. They do not instruct exfiltration or sending results to external endpoints. Note: some commands (find / ...) are broad and can be I/O-heavy, and the incident-response steps include destructive actions (rm -rf node_modules) and a service restart. Those are expected for cleanup but should be run only after confirmation and backups.
Install Mechanism
No install spec and no downloaded artifacts: this is an instruction-only skill, which minimizes the risk of installing third-party code.
Credentials
No environment variables or credentials are requested. The SKILL.md uses $HOME implicitly (to check an OpenClaw package path), which is reasonable and expected for a local scan.
Persistence & Privilege
always: false, and there are no instructions to persist itself or to modify other skills or system-wide agent configuration. The skill recommends user actions (rotate credentials, remove files, restart the daemon) but does not request elevated, persistent privileges for itself.
Assessment
This skill is coherent for a local compromise check. Before running it:
(1) run as an account with appropriate permissions (root for a full scan), or be prepared for many permission-denied messages;
(2) treat any positive IOC as high-severity, but verify the result before running destructive cleanup commands; back up important data and export logs first;
(3) the find / command can be slow and resource-heavy; narrow the search to likely locations (home directories, project and service directories) if needed;
(4) rotating credentials and taking the host offline are sensible next steps once a compromise is confirmed;
(5) if you want automated, non-destructive analysis, first copy suspected files to an isolated host for analysis, or use specialized incident-response tools.
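A concrete, read-only form of the package check described in the Instruction Scope and Assessment notes, written as an added example for this page; it is not the skill's own SKILL.md and not code from its author. It assumes the IOC versions stated in the listing (axios 1.14.1, axios 0.30.4, plain-crypto-js 4.2.1), parses each package.json with python3 rather than grepping it, restricts find to the roots you pass instead of walking /, and deletes nothing except its own constructed fixture. The fixture tree, the non-IOC sample versions in it (lodash 4.17.21, axios 1.7.9) and the function names are constructed for the demonstration; process, socket and crontab checks are omitted because they need a live host and the listing gives no IOC values for them.

```shell
#!/bin/sh
# Added example for this listing; not the skill's SKILL.md and not the
# author's code. Read-only: it finds installed packages whose name/version
# pair matches the IOCs the listing names, and changes nothing on the host.
# Assumptions: IOC versions are taken from the listing text and matched
# exactly against the "version" field of each package.json.
# Tools used: find, python3 (both in the skill's listed bins), awk, mktemp.

set -u

# One "name version" pair per line, from the listing's description.
IOC_LIST='axios 1.14.1
axios 0.30.4
plain-crypto-js 4.2.1'

# check_package_json FILE
# Prints "name@version FILE" when FILE's name/version pair is in IOC_LIST.
# JSON is parsed with python3 rather than grep so whitespace, key order and
# "version" keys inside nested objects cannot cause misses or false hits.
# Unreadable or malformed files are skipped silently (not a hit).
check_package_json() {
    python3 - "$1" "$IOC_LIST" <<'PY'
import json, sys
path, iocs = sys.argv[1], sys.argv[2]
bad = {tuple(line.split()) for line in iocs.splitlines() if line.strip()}
try:
    with open(path, encoding="utf-8") as fh:
        pkg = json.load(fh)
except (OSError, ValueError):
    sys.exit(0)
if not isinstance(pkg, dict):
    sys.exit(0)
pair = (str(pkg.get("name", "")), str(pkg.get("version", "")))
if pair in bad:
    print(f"{pair[0]}@{pair[1]} {path}")
PY
}

# scan_roots ROOT...
# Walks only the given roots (not "find /", see assessment note 3) and only
# package.json files that live under a node_modules directory. Missing roots
# are skipped; permission errors from find are suppressed, so run as root if
# you need a full view of other users' directories.
scan_roots() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -path '*/node_modules/*' -name package.json -type f 2>/dev/null |
            while IFS= read -r f; do
                check_package_json "$f"
            done
    done
}

# count_hits ROOT... -> number of IOC hits (0 when clean).
count_hits() {
    scan_roots "$@" | awk 'END { print NR }'
}

# make_fixture DIR
# Builds a CONSTRUCTED node_modules tree for demonstration only. Two of the
# packages match the IOC list; the others (a benign lodash, an axios release
# not on the list, and a malformed package.json) must not be reported.
make_fixture() {
    d=$1
    mkdir -p "$d/app/node_modules/axios" "$d/app/node_modules/plain-crypto-js" \
             "$d/app/node_modules/lodash" "$d/app/node_modules/broken" \
             "$d/tool/node_modules/axios"
    printf '{"name":"axios","version":"1.14.1"}\n' > "$d/app/node_modules/axios/package.json"
    printf '{\n  "version": "4.2.1",\n  "name": "plain-crypto-js"\n}\n' > "$d/app/node_modules/plain-crypto-js/package.json"
    printf '{"name":"lodash","version":"4.17.21"}\n' > "$d/app/node_modules/lodash/package.json"
    printf 'not json at all\n' > "$d/app/node_modules/broken/package.json"
    printf '{"name":"axios","version":"1.7.9"}\n' > "$d/tool/node_modules/axios/package.json"
}

# Stand-alone demo: scan the constructed fixture, then remove only that
# fixture. To scan a real host, call scan_roots with e.g. "$HOME" /srv /opt.
demo=$(mktemp -d)
make_fixture "$demo"
scan_roots "$demo"
echo "IOC hits: $(count_hits "$demo")"
rm -rf "$demo"
```

Point scan_roots at the directories where Node projects live on the host (for example $HOME, /srv, /opt, /var/www) and treat a non-zero count as the high-severity signal the assessment describes; confirm each reported path by hand before any rm -rf or service restart.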


latest: vk9764dtkphbqksgfeec0catb1s83ywe3

Runtime requirements

Clawdis
Bins: find, ps, ss, crontab, python3
