Skip to content

Ap6pack/malwar

Repository files navigation

Malwar

12% of ClawHub skills are malicious. A Snyk security audit found 341 trojanized skills delivering the AMOS infostealer to 300,000 users — and that was just the first wave. By February, 824+ malicious skills were live across 10,700+ listings. VirusTotal missed all of them. Code scanners missed all of them. Malwar catches them.

pip install malwar
malwar db init
malwar scan SKILL.md

PyPI version License CI Python Docker Docs


Why This Exists

I was installing Claude Code skills from ClawHub without a second thought — until the ClawHavoc campaign dropped. Hundreds of skills were trojanized with the AMOS infostealer, targeting wallet keys, SSH credentials, and agent memory files. The attacks weren't binaries or exploit code. They were natural language instructions hidden in Markdown, telling the AI to run curl | bash as a "prerequisite." No existing security tool is built to catch that. So I built one.

How It Works

SKILL.md → Rule Engine → URL Crawler → LLM Analyzer → Threat Intel → Verdict
             <50ms         1-5s          2-10s           <100ms
Layer What it catches
Rule Engine Obfuscated commands, prompt injection, credential exposure, exfiltration, agentic financial fraud, scanner evasion (30 rules)
URL Crawler Malicious URLs, domain reputation, redirect chains to C2 infrastructure
LLM Analyzer Social engineering, hidden intent, context-dependent attacks invisible to regex
Threat Intel Known IOCs, campaign attribution, threat actor fingerprints

Full pipeline details: Architecture

Quick Start

malwar scan SKILL.md                    # scan a file
malwar scan skills/                     # scan a directory
malwar scan SKILL.md --format sarif     # CI/CD output
malwar scan SKILL.md --no-llm          # skip LLM (fast + free)
malwar crawl scan beszel-check          # scan a ClawHub skill by slug
malwar crawl url https://example.com/SKILL.md  # scan any remote SKILL.md
malwar crawl monitor                    # scan the whole registry, diff vs. yesterday
$ malwar scan suspicious-skill.md

  MALICIOUS  Risk: 95/100  Findings: 4

  MALWAR-OBF-001   Base64-encoded command execution        critical   L14
  MALWAR-CMD-001   Remote script piped to shell            critical   L22
  MALWAR-EXFIL-001 Agent memory/identity file access       critical   L31
  MALWAR-MAL-001   ClawHavoc campaign indicator            critical   L14

  Scan completed in 42ms (rule_engine, threat_intel)

For development:

git clone https://github.com/Ap6pack/malwar.git && cd malwar
pip install -e ".[dev]"
malwar db init

Full command reference: CLI Guide

API

malwar serve    # http://localhost:8000
curl -X POST http://localhost:8000/api/v1/scan \
  -H "Content-Type: application/json" \
  -d '{"content": "...", "file_name": "SKILL.md"}'

30+ endpoints covering scan submission, results, SARIF export, signatures CRUD, campaigns, reports, dashboard analytics, audit logs, and RBAC. Auth via X-API-Key header.

Full endpoint reference: API Docs

Web Dashboard

Built-in browser UI at http://localhost:8000 when running the API server.

Dashboard

Scan Detail Campaigns
Signatures Scan History

React 19 · TypeScript · Vite · Tailwind CSS 4 · Recharts

Continuous Monitoring

Catching one malicious skill is good; catching the next campaign while it's still spreading is the point. malwar crawl monitor sweeps the registry, saves a snapshot, and diffs it against the previous run:

malwar crawl monitor                    # incremental sweep → snapshot → diff
malwar crawl monitor --full             # re-scan everything (catches same-version tampering)
malwar crawl monitor --fail-on-malicious   # non-zero exit when skills newly turn malicious

It surfaces exactly what changed since yesterday — newly published, removed, trojanized updates (content changed under the same version), and verdict regressions (a skill that was clean is now flagged). The sweep is built to be cheap at real registry scale — ClawHub currently holds 66,512 skills by our monitor's own enumeration, far more than the figures usually cited:

  • Incremental — only skills whose version/updated_at changed get re-fetched and re-scanned; everything else is carried forward.
  • Resumable--max-scans caps each run and defers the overflow, so the first full baseline builds up across runs instead of dying to a timeout.
  • Targeted escalation — the rule engine decides everything it can for free; only the ambiguous middle (flagged, but short of a confident verdict) goes to a deeper second opinion: --escalate-backend none|hf|anthropic|tiered. hf is a free local classifier (pip install malwar[hf]), tiered spends the LLM only on what the free tier can't clear.

A bundled GitHub Actions workflow runs this daily (plus a weekly --full pass) and commits every snapshot to the registry-snapshots branch — git log -p on that branch is a permanent, auditable record of the registry's daily threat surface.

Docker

docker compose up -d    # API + Dashboard at http://localhost:8000

Multi-stage build: Node.js compiles the frontend, Python 3.13-slim runs the backend.

Full deployment guide: Deployment

Configuration

All settings via environment variables with MALWAR_ prefix or .env file. Key settings:

Variable Default Description
MALWAR_API_KEYS (empty) API keys (empty = auth disabled)
MALWAR_ANTHROPIC_API_KEY (empty) Anthropic key for LLM layer (falls back to ANTHROPIC_API_KEY or an ant auth login / Claude Code CLI login)
MALWAR_DB_PATH malwar.db SQLite database path

All 40+ configuration options →

Development

pytest                                # 1,639 tests
ruff check src/ tests/                # lint
mypy src/                             # type check

51 test fixtures: 6 benign, 23 malicious (synthetic), 3 real-world benign, 6 real-world malicious, 13 real ClawHub samples.

Full dev guide: Development

Documentation

Architecture Pipeline design, scoring logic, storage layer
API Reference All 30+ endpoints with schemas and examples
Detection Rules All 30 rules with patterns and false positive guidance
Threat Campaigns Campaign tracking, ClawHavoc case study
CLI Reference Every command with flags and examples
Deployment pip, Docker, nginx, production config
Development Adding rules, endpoints, testing, conventions

What's New in v0.4.0

MIT license — the move from BSL-1.1 to MIT is complete. Free for any use, including commercial.

Emerging Agentic Threats — Detection for the threat classes Unit 42 disclosed in June 2026: agentic affiliate injection and pump-and-dump / front-running (MALWAR-FRAUD-*), scanner-evasion via file-size inflation (MALWAR-EVADE-001), and PowerShell download cradles (MALWAR-OBF-004) — techniques that bypassed ClawScan and VirusTotal.

LLM false-positive suppression — the LLM layer can demote rule-engine findings it identifies as false positives, excluding them from the risk score while keeping them visible in the results.

Detection accuracy — on the labeled benchmark (rule engine + threat intel only, no LLM): 100% accuracy, precision, recall, and F1 — every malicious sample detected, zero benign samples flagged. Full report: Accuracy Report.

Continuous registry monitoringmalwar crawl monitor with day-over-day diffing, shareable threat digests, and opt-in X publishing.

Since 0.4.0, on main — the monitor grew up to real registry scale: incremental sweeps, a resumable budgeted baseline, transient-failure retries, and targeted tiered escalation (none|hf|anthropic|tiered) that spends deep analysis only on the ambiguous middle. A scheduled workflow now scans ClawHub daily and commits snapshots to the registry-snapshots branch.

1,639 tests | 30 detection rules | 13 threat categories


MIT License — Copyright (c) 2026 Veritas Aequitas Holdings LLC.