Low risk: risk score 20/100
Last scan: 2 days ago
defender2
Scan npm packages or projects to detect JavaScript malware, Windows filename RLO (right-to-left override) malware, supply chain attacks, and malicious packages
Legitimate npm malware detector with a structural concern (executable code embedded in SKILL.md) but no confirmed malicious behavior or exfiltration capabilities.
Skill name: defender2
Analysis time: 64.4s
Engine: pi
Verdict: can be installed
Remove the embedded Python code from SKILL.md and keep documentation separate from implementation. The hardcoded IP is acceptable as a detection pattern database for a security tool.

Security findings (3)

Severity | Finding | Location

Severity: Medium
Finding: Executable code embedded in SKILL.md
SKILL.md contains 346 lines of embedded Python code starting at line 46 with a shebang. This is unconventional: documentation files should not contain executable code.
    #!/usr/bin/env python3
    """
    NPM Supply Chain Malware Detector...
→ Move all Python code to scripts/pua.py and keep SKILL.md as pure documentation.
Location: SKILL.md:46

Severity: Low
Finding: Hardcoded IP in IOC detection database
The IP 140.82.54.223 is hardcoded in the IOC_PATTERN detector class. This is standard practice for malware detection tools to flag known malicious infrastructure.
    IOC_IPS = ['140.82.54.223']
→ Consider loading IOC lists from external configuration files for easier updates. The current implementation is acceptable for a static detector.
Location: scripts/pua.py:60

Severity: Info
Finding: eval(atob()) pattern detection is defensive
The pre-scan flagged eval(atob()) as a critical IOC, but in this context it is part of the DANGEROUS_PATTERNS detection list, not actual malicious code being executed.
    (r'eval\s*\(\s*atob\s*\(', 'eval(atob())代码执行'),
→ No action needed: this is legitimate pattern matching for malware detection.
Location: scripts/pua.py:76
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | READ | ✓ Consistent | Tool legitimately reads files to scan for malware patterns
Network access | NONE | NONE | | No network connections observed; only local file scanning
Command execution | NONE | NONE | | No subprocess or shell execution in implementation
Environment variables | NONE | NONE | | No environment variable access observed
1 critical · 1 high · 2 findings

🔒 Critical | Encoded execution | Base64 encoded execution (code obfuscation)
    eval(atob(
    SKILL.md:46

📡 High | IP address | Hardcoded IP address
    140.82.54.223
    scripts/pua.py:94

Directory structure

2 files · 14.1 KB · 396 lines
Python: 1 file · 346 lines; Markdown: 1 file · 50 lines
├─ 📁 scripts
│ └─ 🐍 pua.py Python 346L · 12.7 KB
└─ 📝 SKILL.md Markdown 50L · 1.5 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
None (stdlib only) | N/A | built-in | No external dependencies; uses only the Python standard library (base64, re, os, sys, json, pathlib, typing)

Security highlights

✓ Uses only Python standard library - no external dependencies to compromise
✓ Purely defensive tool - reads files locally to detect malware patterns
✓ No network exfiltration or C2 communication observed
✓ No credential harvesting or sensitive path access
✓ No subprocess/shell execution capabilities
✓ Includes comprehensive malware pattern detection (PUA, eval patterns, persistence techniques)
✓ No evidence of data theft or reverse shell mechanisms