Low Risk — Risk Score 20/100
Last scan: 2 days ago
defender2
Scans npm packages or projects for JavaScript malware, Windows filename RLO (right-to-left override) malware, supply chain attacks, and malicious packages.
Legitimate npm malware detector with a structural concern (executable code embedded in SKILL.md) but no confirmed malicious behavior or exfiltration capabilities.
Skill Name: defender2
Duration: 64.4s
Engine: pi
Safe to install
Remove the embedded Python code from SKILL.md and keep documentation separate from implementation. The hardcoded IP is acceptable as a detection pattern database for a security tool.
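The description lists Windows filename RLO malware as one of the things the skill detects. As an added example (not defender2's own code, whose RLO logic the report does not show), the following Python flags filenames carrying Unicode bidirectional control characters and reports when the extension a user sees differs from the one the OS will actually use. The sample names are constructed; the displayed-name logic approximates a bidi-aware renderer and is an assumption, not a claim about any particular shell.

```python
# Added example, not defender2's own code: detect the right-to-left override
# (RLO, U+202E) filename trick that the tool description calls "Windows
# filename RLO malware". A name such as "invoice\u202efdp.exe" is displayed
# as "invoiceexe.pdf" by a bidi-aware shell, hiding the real .exe extension.
from pathlib import PurePosixPath

# Unicode bidirectional control characters that can visually reorder a name.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM",
}


def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware renderer shows (assumption): everything
    after the first RLO is drawn right-to-left, i.e. reversed, and the
    control characters themselves are invisible."""
    if "\u202e" in name:
        head, tail = name.split("\u202e", 1)
        name = head + tail[::-1]
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def check_filename(name: str) -> dict:
    """Return the control characters found and whether the displayed
    extension differs from the extension the OS will actually use."""
    controls = [f"{BIDI_CONTROLS[ch]}@{i}" for i, ch in enumerate(name)
                if ch in BIDI_CONTROLS]
    real_name = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    real_ext = PurePosixPath(real_name).suffix.lower()
    shown_ext = PurePosixPath(displayed_name(name)).suffix.lower()
    return {
        "name": name,
        "controls": controls,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "has_bidi": bool(controls),
        "extension_spoofed": bool(controls) and real_ext != shown_ext,
    }


def scan_names(names) -> list:
    """Flag every name carrying a bidi control. A spoofed extension is the
    high-severity case; any other control in a filename still merits a look,
    since there is no ordinary reason for one to be there."""
    flagged = []
    for n in names:
        r = check_filename(n)
        if r["has_bidi"]:
            r["severity"] = "high" if r["extension_spoofed"] else "medium"
            flagged.append(r)
    return flagged


# Constructed sample listing (not taken from any real package).
SAMPLE_NAMES = [
    "README.md",
    "invoice\u202efdp.exe",   # displayed as invoiceexe.pdf, really an .exe
    "photo\u202egnp.scr",     # displayed as photorcs.png, really a .scr
    "notes\u200e.txt",        # LRM only; extension unchanged but still odd
]

if __name__ == "__main__":
    for r in scan_names(SAMPLE_NAMES):
        print(r["severity"], repr(r["name"]), "real", r["real_extension"],
              "shown as", r["displayed_extension"], r["controls"])
```

Run it on the names from a package tarball listing (or `os.listdir` of an extracted package) rather than on paths typed into a terminal, since most terminals will already have rendered the trick by the time you read the name.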

Findings (3 items)

[Medium] Executable code embedded in SKILL.md
Location: SKILL.md:46
SKILL.md contains embedded Python code starting at line 46, opening with a shebang. This is unconventional: documentation files should not contain executable code. The report gives the embedded block as 346 lines, but the file tree below lists SKILL.md at 50 lines and scripts/pua.py at 346, so the block in SKILL.md can span at most lines 46 to 50 and the 346 figure matches pua.py; confirm the real extent before acting on the count.
    #!/usr/bin/env python3
    """
    NPM Supply Chain Malware Detector...
→ Move all Python code to scripts/pua.py and keep SKILL.md as pure documentation.

[Low] Hardcoded IP in IOC detection database
Location: scripts/pua.py:60
The IP 140.82.54.223 is hardcoded in the IOC_PATTERN detector class. Shipping known-bad infrastructure as a built-in pattern is standard practice for a malware detection tool.
    IOC_IPS = ['140.82.54.223']
→ Consider loading IOC lists from an external configuration file for easier updates. The current implementation is acceptable for a static detector.

[Info] eval(atob()) pattern detection is defensive
Location: scripts/pua.py:76
The pre-scan flagged eval(atob()) as a critical IOC, but in this context it is an entry in the DANGEROUS_PATTERNS detection list, not malicious code being executed.
    (r'eval\s*\(\s*atob\s*\(', 'eval(atob()) code execution'),
→ No action needed: this is legitimate pattern matching for malware detection.
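The Low and Info findings above point at two related improvements: load the IOC list from a configuration file instead of hardcoding it, and keep the scanner from matching its own pattern table (the label text 'eval(atob()) code execution' literally contains eval(atob(, which is why a naive pre-scan flags the detector itself). As an added example, not the scripts/pua.py implementation, the following Python does both: it reads the IP list from a JSON file with a built-in fallback, and scopes the scan to the target package's JavaScript files. The JSON layout, the extra patterns, the sample package and the second IP (203.0.113.9, a documentation address) are all constructed for the example.

```python
# Added example, not the defender2 scripts/pua.py implementation: an IOC and
# pattern scan that loads its IP list from an external JSON file (falling back
# to a built-in list), and is scoped to the target package's JavaScript files
# so the scanner's own pattern table never trips its own rules.
import json
import re
import tempfile
from pathlib import Path
from typing import Optional

# Built-in fallback. The single IP is the one the report shows in IOC_IPS.
DEFAULT_IOC_IPS = ["140.82.54.223"]

# Compiled (regex, label) pairs in the style of the DANGEROUS_PATTERNS table.
DANGEROUS_PATTERNS = [
    (re.compile(r"eval\s*\(\s*atob\s*\("), "eval(atob()) code execution"),
    (re.compile(r"Function\s*\(\s*atob\s*\("), "Function(atob()) code execution"),
    (re.compile(r"\bchild_process\b"), "child_process import"),
]

# Only package sources are scanned; .py and .md files belong to the tool/docs.
SCAN_SUFFIXES = frozenset({".js", ".mjs", ".cjs", ".json"})


def load_ioc_ips(config_path: Optional[Path]) -> list:
    """Read {"ips": [...]} from config_path; use the built-in list if absent."""
    if config_path is None or not config_path.is_file():
        return list(DEFAULT_IOC_IPS)
    data = json.loads(config_path.read_text(encoding="utf-8"))
    return list(data.get("ips", DEFAULT_IOC_IPS))


def scan_text(text: str, ioc_ips, rel: str) -> list:
    """Return one finding dict per (line, rule) hit in a single file."""
    # Anchor the IP so 140.82.54.223 does not match inside 140.82.54.2230.
    ip_rules = [(ip, re.compile(r"(?<!\d)" + re.escape(ip) + r"(?!\d)"))
                for ip in ioc_ips]
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rx, label in DANGEROUS_PATTERNS:
            if rx.search(line):
                findings.append({"file": rel, "line": lineno,
                                 "kind": "pattern", "detail": label})
        for ip, rx in ip_rules:
            if rx.search(line):
                findings.append({"file": rel, "line": lineno,
                                 "kind": "ioc_ip", "detail": ip})
    return findings


def scan_tree(root: Path, ioc_ips, suffixes=SCAN_SUFFIXES) -> list:
    """Walk root and scan every file whose suffix is in the allow-list."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            text = p.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(text, ioc_ips, p.relative_to(root).as_posix()))
    return findings


def demo() -> dict:
    """Build a constructed package plus the scanner's own files in a temp dir
    and scan it twice: scoped to pkg/ JavaScript, and unscoped over everything."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "pkg").mkdir()
        # Constructed sample: a package file that calls a listed IP and
        # evaluates a base64 payload (the payload is just console.log(1)).
        (root / "pkg" / "index.js").write_text(
            'const http = require("http");\n'
            'http.get("http://140.82.54.223/p", r => {});\n'
            'eval(atob("Y29uc29sZS5sb2coMSk="));\n', encoding="utf-8")
        (root / "pkg" / "lib.js").write_text("module.exports = 1;\n", encoding="utf-8")
        # The scanner's own pattern table: its label text literally contains
        # "eval(atob(", which is exactly the self-match the pre-scan reported.
        (root / "pua.py").write_text(
            "DANGEROUS_PATTERNS = [(r'eval\\s*\\(\\s*atob\\s*\\(', "
            "'eval(atob()) code execution')]\n", encoding="utf-8")
        (root / "iocs.json").write_text(
            json.dumps({"ips": ["140.82.54.223", "203.0.113.9"]}), encoding="utf-8")
        ips = load_ioc_ips(root / "iocs.json")
        scoped = scan_tree(root / "pkg", ips)
        unscoped = scan_tree(root, ips, suffixes=SCAN_SUFFIXES | {".py"})
        return {"ips": ips, "scoped": scoped, "unscoped": unscoped}


if __name__ == "__main__":
    result = demo()
    for f in result["scoped"]:
        print("scoped  ", f)
    for f in result["unscoped"]:
        print("unscoped", f)
```

The scoped scan reports only the two real hits in index.js; the unscoped scan additionally flags pua.py (its own label text) and iocs.json (its own IP list), which is the false-positive shape seen in the pre-scan section below. Keep the tool's sources and its config outside the directory you hand to the scanner, and keep the suffix allow-list tight.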
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | READ | ✓ Aligned | Tool legitimately reads files to scan for malware patterns
Network | NONE | NONE | | No network connections observed; only local file scanning
Shell | NONE | NONE | | No subprocess or shell execution in implementation
Environment | NONE | NONE | | No environment variable access observed
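The Inferred column rests on static evidence from the skill's source: an import of subprocess or a call to os.system is a shell capability whether or not it is ever reached. As an added example (not the scan engine's own logic, which the report does not show), the following Python derives the same four capabilities from a file's AST and collapses them to the report's NONE/READ/WRITE/USED vocabulary. Both input samples are constructed: one resembles the defensive scanner described on this page, the other is a deliberately noisy file that reads the environment, fetches from a loopback address, and runs a shell.

```python
# Added example, not the scan engine's own logic: infer a Python file's
# filesystem, network, shell and environment use from its AST.
import ast

NETWORK_MODULES = {"socket", "http", "urllib", "requests", "ftplib", "smtplib", "ssl"}
SHELL_MODULES = {"subprocess", "pty"}
SHELL_CALLS = {"os.system", "os.popen", "os.execv", "os.execvp", "os.spawnl",
               "subprocess.run", "subprocess.Popen", "subprocess.call",
               "subprocess.check_output"}
ENV_CALLS = {"os.getenv", "os.putenv"}
READ_METHODS = {"read_text", "read_bytes"}
WRITE_METHODS = {"write_text", "write_bytes"}


def dotted_name(node):
    """Turn an Attribute/Name chain such as os.path.join into "os.path.join";
    return None when the chain starts from a call or subscript."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _open_mode(call: ast.Call) -> str:
    """Best-effort literal mode of an open() call; a non-literal mode is '?'."""
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        return str(call.args[1].value)
    for kw in call.keywords:
        if kw.arg == "mode":
            return str(kw.value.value) if isinstance(kw.value, ast.Constant) else "?"
    return "r"


def infer_capabilities(source: str) -> dict:
    """Return {capability: set of evidence strings} for one Python source."""
    caps = {"filesystem": set(), "network": set(), "shell": set(), "environment": set()}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        else:
            mods = []
        for m in mods:
            root = m.split(".")[0]
            if root in NETWORK_MODULES:
                caps["network"].add(f"import {m}")
            if root in SHELL_MODULES:
                caps["shell"].add(f"import {m}")
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            attr = node.func.attr if isinstance(node.func, ast.Attribute) else None
            if name == "open":
                # Anything other than a plain read mode is treated as a write.
                mode = _open_mode(node)
                caps["filesystem"].add("READ" if mode in ("r", "rb", "rt") else "WRITE")
            elif attr in READ_METHODS:
                caps["filesystem"].add("READ")
            elif attr in WRITE_METHODS:
                caps["filesystem"].add("WRITE")
            elif name in SHELL_CALLS:
                caps["shell"].add(name)
            elif name in ENV_CALLS:
                caps["environment"].add(name)
        elif isinstance(node, ast.Attribute) and dotted_name(node) == "os.environ":
            caps["environment"].add("os.environ")
    return caps


def summarize(caps: dict) -> dict:
    """Collapse evidence sets to the report's vocabulary (NONE/READ/WRITE/USED)."""
    fs = caps["filesystem"]
    return {
        "filesystem": "WRITE" if "WRITE" in fs else ("READ" if fs else "NONE"),
        "network": "USED" if caps["network"] else "NONE",
        "shell": "USED" if caps["shell"] else "NONE",
        "environment": "USED" if caps["environment"] else "NONE",
    }


# Constructed samples (not the skill under review, not any real package).
DEFENSIVE_SAMPLE = '''
import re
from pathlib import Path
PATTERNS = [re.compile(r"eval\\s*\\(\\s*atob\\s*\\(")]
def scan(root):
    hits = []
    for p in Path(root).rglob("*.js"):
        text = p.read_text(encoding="utf-8", errors="replace")
        hits += [(str(p), rx.pattern) for rx in PATTERNS if rx.search(text)]
    return hits
'''

SUSPICIOUS_SAMPLE = '''
import os, subprocess
import urllib.request
def run():
    token = os.environ.get("NPM_TOKEN")
    cmd = urllib.request.urlopen("http://127.0.0.1/c").read().decode()
    subprocess.run(["sh", "-c", cmd], check=False)
    with open("/tmp/.cache", "w") as f:
        f.write(token or "")
'''

if __name__ == "__main__":
    for label, src in (("defensive", DEFENSIVE_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        caps = infer_capabilities(src)
        print(label, summarize(caps), {k: sorted(v) for k, v in caps.items()})
```

This is an over-approximation by design: it records a capability wherever the name appears, so dead code and dynamic tricks (getattr, __import__, exec) still need a second look, which is exactly why the report pairs the inferred column with the Evidence text rather than treating the column as proof.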
Pre-scan flags: 1 Critical, 1 High (2 findings); both are reassessed in the Findings above

Critical: Encoded Execution (Base64-encoded execution, code obfuscation)
    eval(atob(
    SKILL.md:46
High: IP Address (hardcoded IP address)
    140.82.54.223
    scripts/pua.py:94

File Tree

2 files · 14.1 KB · 396 lines (Python: 1 file, 346 lines; Markdown: 1 file, 50 lines)
├─ 📁 scripts
│ └─ 🐍 pua.py Python 346L · 12.7 KB
└─ 📝 SKILL.md Markdown 50L · 1.5 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
None (stdlib only) | N/A | built-in | No | No external dependencies; uses only the Python standard library (base64, re, os, sys, json, pathlib, typing)

Security Positives

✓ Uses only Python standard library - no external dependencies to compromise
✓ Purely defensive tool - reads files locally to detect malware patterns
✓ No network exfiltration or C2 communication observed
✓ No credential harvesting or sensitive path access
✓ No subprocess/shell execution capabilities
✓ Includes comprehensive malware pattern detection (PUA, eval patterns, persistence techniques)
✓ No evidence of data theft or reverse shell mechanisms