ClawHub

litellm attack detector

v1.0.0

Detect the LiteLLM supply chain attack (v1.82.7/1.82.8). Scans for compromised packages, malicious .pth files, backdoor persistence, suspicious network conne...

1· 78·0 current·0 all-time
byJeff@tjefferson
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the shipped script: the script implements version checks, .pth scanning, persistence-path checks, network/DNS checks, Kubernetes inspections, and dependency checks — all coherent with detecting the LiteLLM supply-chain compromise.
Instruction Scope
SKILL.md directs running the included bash script. The script performs read-only scans of site-packages, caches, known backdoor paths, network sockets, DNS resolution, and kube-system pods. Those actions are within the stated detection scope; it does not attempt to send data to external endpoints or modify files.
Install Mechanism
Instruction-only skill with an included shell script; no install/download mechanism is used and nothing is written to disk by an installer. This is low-risk for install-time code execution.
Credentials
No credentials or env vars are required. The script does read environment values (HOME, optional VIRTUAL_ENV) and may invoke local tools (python3, pip/pip3, find, lsof/ss, host, kubectl, systemctl) to collect telemetry — which is appropriate for a scanner. Minor mismatch: SKILL.md metadata only lists bash as a required binary, but the script relies on python3 and other optional utilities when available; the script gracefully skips checks if those utilities are missing.
Persistence & Privilege
Skill is not always-enabled, does not install persistent components, and does not modify other skills or system configs. It may read sensitive local artifacts (kubeconfigs, caches), which is expected for incident-response tooling but means outputs can include sensitive info.
Assessment
This appears to be a legitimate, read-only detector; you can safely inspect and run it. Before running: (1) review the provided detect.sh (you already have it) to satisfy yourself it does only local checks; (2) run it on a trusted machine (or an isolated analysis host) because it reads local site-packages, caches, and Kubernetes state that may contain sensitive information; (3) note the script may call python3, pip, lsof/ss, host, kubectl and systemctl if present — these are optional and the script skips them if absent; (4) do not paste the script output into untrusted locations, since it may include evidence (paths, pod names) that you may not want to share publicly; (5) if indicators are found, follow the recommended containment and secret-rotation steps and consider running deeper forensic tooling or contacting incident response.

Like a lobster shell, security has layers — review code before you run it.

latestvk97948fhy47akj12n4wpw4314s83k3qk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🛡️ Clawdis
Binsbash

Comments