12% of ClawHub skills are malicious. A Snyk security audit found 341 trojanized skills delivering the AMOS infostealer to 300,000 users — and that was just the first wave. By February, 824+ malicious skills were live across 10,700+ listings. VirusTotal missed all of them. Code scanners missed all of them. Malwar catches them.
pip install malwar
malwar db init
malwar scan SKILL.mdI was installing Claude Code skills from ClawHub without a second thought — until the ClawHavoc campaign dropped. Hundreds of skills were trojanized with the AMOS infostealer, targeting wallet keys, SSH credentials, and agent memory files. The attacks weren't binaries or exploit code. They were natural language instructions hidden in Markdown, telling the AI to run curl | bash as a "prerequisite." No existing security tool is built to catch that. So I built one.
SKILL.md → Rule Engine → URL Crawler → LLM Analyzer → Threat Intel → Verdict
<50ms 1-5s 2-10s <100ms
| Layer | What it catches |
|---|---|
| Rule Engine | Obfuscated commands, prompt injection, credential exposure, exfiltration, agentic financial fraud, scanner evasion (30 rules) |
| URL Crawler | Malicious URLs, domain reputation, redirect chains to C2 infrastructure |
| LLM Analyzer | Social engineering, hidden intent, context-dependent attacks invisible to regex |
| Threat Intel | Known IOCs, campaign attribution, threat actor fingerprints |
Full pipeline details: Architecture
malwar scan SKILL.md # scan a file
malwar scan skills/ # scan a directory
malwar scan SKILL.md --format sarif # CI/CD output
malwar scan SKILL.md --no-llm # skip LLM (fast + free)
malwar crawl scan beszel-check # scan a ClawHub skill by slug
malwar crawl url https://example.com/SKILL.md # scan any remote SKILL.md
malwar crawl monitor # scan the whole registry, diff vs. yesterday$ malwar scan suspicious-skill.md
MALICIOUS Risk: 95/100 Findings: 4
MALWAR-OBF-001 Base64-encoded command execution critical L14
MALWAR-CMD-001 Remote script piped to shell critical L22
MALWAR-EXFIL-001 Agent memory/identity file access critical L31
MALWAR-MAL-001 ClawHavoc campaign indicator critical L14
Scan completed in 42ms (rule_engine, threat_intel)
For development:
git clone https://github.com/Ap6pack/malwar.git && cd malwar
pip install -e ".[dev]"
malwar db initFull command reference: CLI Guide
malwar serve # http://localhost:8000curl -X POST http://localhost:8000/api/v1/scan \
-H "Content-Type: application/json" \
-d '{"content": "...", "file_name": "SKILL.md"}'30+ endpoints covering scan submission, results, SARIF export, signatures CRUD, campaigns, reports, dashboard analytics, audit logs, and RBAC. Auth via X-API-Key header.
Full endpoint reference: API Docs
Built-in browser UI at http://localhost:8000 when running the API server.
![]() |
![]() |
![]() |
![]() |
React 19 · TypeScript · Vite · Tailwind CSS 4 · Recharts
Catching one malicious skill is good; catching the next campaign while it's
still spreading is the point. malwar crawl monitor sweeps the registry,
saves a snapshot, and diffs it against the previous run:
malwar crawl monitor # incremental sweep → snapshot → diff
malwar crawl monitor --full # re-scan everything (catches same-version tampering)
malwar crawl monitor --fail-on-malicious # non-zero exit when skills newly turn maliciousIt surfaces exactly what changed since yesterday — newly published, removed, trojanized updates (content changed under the same version), and verdict regressions (a skill that was clean is now flagged). The sweep is built to be cheap at real registry scale — ClawHub currently holds 66,512 skills by our monitor's own enumeration, far more than the figures usually cited:
- Incremental — only skills whose version/updated_at changed get re-fetched and re-scanned; everything else is carried forward.
- Resumable —
--max-scanscaps each run and defers the overflow, so the first full baseline builds up across runs instead of dying to a timeout. - Targeted escalation — the rule engine decides everything it can for
free; only the ambiguous middle (flagged, but short of a confident
verdict) goes to a deeper second opinion:
--escalate-backend none|hf|anthropic|tiered.hfis a free local classifier (pip install malwar[hf]),tieredspends the LLM only on what the free tier can't clear.
A bundled GitHub Actions workflow runs this daily (plus a weekly --full
pass) and commits every snapshot to the
registry-snapshots
branch — git log -p on that branch is a permanent, auditable record of the
registry's daily threat surface.
docker compose up -d # API + Dashboard at http://localhost:8000Multi-stage build: Node.js compiles the frontend, Python 3.13-slim runs the backend.
Full deployment guide: Deployment
All settings via environment variables with MALWAR_ prefix or .env file. Key settings:
| Variable | Default | Description |
|---|---|---|
MALWAR_API_KEYS |
(empty) | API keys (empty = auth disabled) |
MALWAR_ANTHROPIC_API_KEY |
(empty) | Anthropic key for LLM layer (falls back to ANTHROPIC_API_KEY or an ant auth login / Claude Code CLI login) |
MALWAR_DB_PATH |
malwar.db |
SQLite database path |
All 40+ configuration options →
pytest # 1,639 tests
ruff check src/ tests/ # lint
mypy src/ # type check51 test fixtures: 6 benign, 23 malicious (synthetic), 3 real-world benign, 6 real-world malicious, 13 real ClawHub samples.
Full dev guide: Development
| Architecture | Pipeline design, scoring logic, storage layer |
| API Reference | All 30+ endpoints with schemas and examples |
| Detection Rules | All 30 rules with patterns and false positive guidance |
| Threat Campaigns | Campaign tracking, ClawHavoc case study |
| CLI Reference | Every command with flags and examples |
| Deployment | pip, Docker, nginx, production config |
| Development | Adding rules, endpoints, testing, conventions |
MIT license — the move from BSL-1.1 to MIT is complete. Free for any use, including commercial.
Emerging Agentic Threats — Detection for the threat classes Unit 42 disclosed in June 2026: agentic affiliate injection and pump-and-dump / front-running (MALWAR-FRAUD-*), scanner-evasion via file-size inflation (MALWAR-EVADE-001), and PowerShell download cradles (MALWAR-OBF-004) — techniques that bypassed ClawScan and VirusTotal.
LLM false-positive suppression — the LLM layer can demote rule-engine findings it identifies as false positives, excluding them from the risk score while keeping them visible in the results.
Detection accuracy — on the labeled benchmark (rule engine + threat intel only, no LLM): 100% accuracy, precision, recall, and F1 — every malicious sample detected, zero benign samples flagged. Full report: Accuracy Report.
Continuous registry monitoring — malwar crawl monitor with day-over-day diffing, shareable threat digests, and opt-in X publishing.
Since 0.4.0, on main — the monitor grew up to real registry scale: incremental sweeps, a resumable budgeted baseline, transient-failure retries, and targeted tiered escalation (none|hf|anthropic|tiered) that spends deep analysis only on the ambiguous middle. A scheduled workflow now scans ClawHub daily and commits snapshots to the registry-snapshots branch.
1,639 tests | 30 detection rules | 13 threat categories
MIT License — Copyright (c) 2026 Veritas Aequitas Holdings LLC.




