233 Downloads · 0 Stars · 0 Active Installs · 1 Version
Install in OpenClaw
/install defender2
Description
Scan npm packages or projects to detect JavaScript malware, suspicious Base64, private use characters, and known malicious packages with RLO attack detection.
README (SKILL.md)
defender2 - NPM Malware Detection
Use the bundled pua.py script to scan npm packages and projects and detect JavaScript malware.
setup
pip install rlo-detect
Usage
python skills/defender2/scripts/pua.py <path> [-r] [-v]
Parameters
- path: the path to scan (file or directory)
- -r, --recursive: scan subdirectories recursively
- -v, --verbose: show detailed information
example
# Scan an entire project
python skills/defender2/scripts/pua.py ./my-project
# Scan a single package.json
python skills/defender2/scripts/pua.py ./package.json
# Recursively scan node_modules
python skills/defender2/scripts/pua.py ./node_modules --recursive
# rlo malware detect
rlo-detect ./my-project
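Detection features
- PUA character detection - detects obfuscation that uses Unicode Private Use Area characters
- Malicious pattern matching - detects dangerous code patterns such as eval(atob()) and Buffer.from()
- IOC detection - identifies known malicious package names, IPs, and C2 addresses
- Base64 decoding - decodes hidden suspicious code
- Persistence techniques - detects stealth techniques such as singleton lock files and exception catching
- Dependency analysis - checks package.json for malicious dependencies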
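The PUA, bidirectional-override (RLO), and eval(atob()) checks with Base64 decoding from the list above, sketched as an added example. This is not the skill's pua.py, whose source is not shown on this page; the function name, the regular expression, and the sample input are assumptions constructed for illustration.

```python
import base64
import binascii
import re
import unicodedata

# Bidirectional control characters; U+202E is the right-to-left override (RLO).
BIDI_CONTROLS = {chr(c) for c in (*range(0x202A, 0x202F), *range(0x2066, 0x206A))}
# eval(atob("...")) called with a string literal (hypothetical pattern, not pua.py's).
EVAL_ATOB = re.compile(r"""eval\s*\(\s*atob\s*\(\s*(['"])([A-Za-z0-9+/=]+)\1""")


def scan_text(text):
    """Return (line_number, kind, detail) findings for one source text, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for ch in line:
            # General category "Co" = private use (BMP PUA and planes 15/16).
            if unicodedata.category(ch) == "Co":
                findings.append((lineno, "pua", f"U+{ord(ch):04X}"))
            elif ch in BIDI_CONTROLS:
                findings.append((lineno, "bidi", f"U+{ord(ch):04X}"))
        for match in EVAL_ATOB.finditer(line):
            try:
                # Decode the literal so the reviewer sees what would be evaluated.
                decoded = base64.b64decode(match.group(2), validate=True)
                detail = decoded.decode("utf-8", errors="replace")
            except (binascii.Error, ValueError):
                detail = "<invalid base64>"
            findings.append((lineno, "eval-atob", detail))
    return findings


# Constructed sample input: invisible characters are written as escapes.
_PAYLOAD = base64.b64encode(b"console.log(1)").decode("ascii")
SAMPLE_JS = (
    "const os = require('os');\n"
    "const tag = 'v1\ue000\ue001';\n"
    f"eval(atob('{_PAYLOAD}'));\n"
    "// file: report\u202etxt.js\n"
)

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_JS):
        print(finding)
```

The same function can be applied to a file name string, since the bidi check does not depend on the text being JavaScript.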
Usage Guidance
This skill appears to do what it claims: it ships a local Python scanner and its SKILL.md tells you how to run it. Before installing or running anything: (1) inspect the included script (already present) — it contains no network calls or exfiltration; (2) vet the external package 'rlo-detect' on PyPI (check project homepage, source, and maintainers) before running 'pip install'; (3) run the scanner in an isolated environment (container or VM) if you are unsure; (4) be aware that scanning large directories (node_modules) will read many files and could surface secrets in output — avoid scanning sensitive systems without safeguards.
Capability Analysis
Type: OpenClaw Skill
Name: defender2
Version: 1.0.0
The defender2 skill is a defensive security tool designed to scan NPM projects for supply chain malware and obfuscation techniques. The primary script, `scripts/pua.py`, implements detection logic for Unicode Private Use Area (PUA) characters, known malicious IOCs (such as the `os-info-checker-es6` package and IP `140.82.54.223`), and dangerous JavaScript patterns like `eval(atob())`. The skill's behavior is transparent, lacks any data exfiltration or unauthorized execution logic, and is entirely consistent with its stated purpose of malware detection.
Capability Assessment
Purpose & Capability
Name and description (scan npm packages for JS malware, PUA/RLO, suspicious Base64, known malicious packages) match the provided files: SKILL.md instructs running the included Python scanner and the script implements PUA detection, pattern/IOC checks, Base64 decoding and package.json analysis.
Instruction Scope
SKILL.md instructs only local actions (pip install an optional helper package, then run the included script or an external rlo-detect tool). The runtime instructions focus on scanning files and package.json; they do not ask the agent to read unrelated system files or secrets. Note: scanning node_modules or entire projects will read many files (expected for this tool).
Install Mechanism
There is no install spec (instruction-only) and the included script is run directly. SKILL.md recommends 'pip install rlo-detect' and shows 'rlo-detect' usage — installing a third-party PyPI package is a moderate risk because it pulls code from an external source not included with the skill. The skill itself does not install arbitrary archives or fetch code at runtime.
Credentials
The skill requests no environment variables, credentials, or config paths. The Python script reads only the target files/directories provided by the user and uses sys.platform; this is proportional to scanning functionality.
Persistence & Privilege
always is false and the skill does not request persistent/system-wide changes. The skill does not modify other skills or system config. Autonomous invocation is allowed (platform default) but not combined with broad privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install defender2
- After installation, invoke the skill by name or use /defender2
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
defender2 1.0.0 - Initial release
- Scan npm packages and projects for JavaScript and Windows filename RLO malware.
- Detects obfuscated code, suspicious PUA characters, and Base64-encoded payloads.
- Analyzes package.json dependencies and scripts for supply chain attacks.
- Identifies known malicious packages and suspicious behavior patterns.
- Includes command-line usage with options for recursive and verbose scanning.
Frequently Asked Questions
What is npm defender2?
Scan npm packages or projects to detect JavaScript malware, suspicious Base64, private use characters, and known malicious packages with RLO attack detection. It is an AI Agent Skill for Claude Code / OpenClaw, with 233 downloads so far.
How do I install npm defender2?
Run "/install defender2" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is npm defender2 free?
Yes, npm defender2 is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does npm defender2 support?
npm defender2 is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created npm defender2?
It is built and maintained by Jay (@goog); the current version is v1.0.0.