{"id":45400696,"url":"https://github.com/ap6pack/malwar","last_synced_at":"2026-02-26T18:01:19.572Z","repository":{"id":339683379,"uuid":"1162371416","full_name":"Ap6pack/malwar","owner":"Ap6pack","description":"Static analysis engine for detecting malware in agentic AI skill files","archived":false,"fork":false,"pushed_at":"2026-02-21T00:55:31.000Z","size":2792,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-22T00:00:37.611Z","etag":null,"topics":["agentic-ai","fastapi","malware-detection","python","sarif","security","skill-files","static-analysis","threat-detection"],"latest_commit_sha":null,"homepage":"https://ap6pack.github.io/malwar/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Ap6pack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["Ap6pack"]}},"created_at":"2026-02-20T07:14:26.000Z","updated_at":"2026-02-21T00:55:56.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Ap6pack/malwar","commit_stats":null,"previous_names":["ap6pack/malwar"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/Ap6pack/malwar","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ap6pack%2Fmalwar","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ap6pack%2Fmalwar/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ap6pack%2Fmalwar/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ap6pack%2Fmalwar/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Ap6pack","download_url":"https://codeload.github.com/Ap6pack/malwar/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ap6pack%2Fmalwar/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29831681,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-25T15:41:19.027Z","status":"ssl_error","status_checked_at":"2026-02-25T15:40:47.150Z","response_time":61,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agentic-ai","fastapi","malware-detection","python","sarif","security","skill-files","static-analysis","threat-detection"],"created_at":"2026-02-21T20:12:01.117Z","updated_at":"2026-02-25T17:01:02.384Z","avatar_url":"https://github.com/Ap6pack.png","language":"Python","funding_links":["https://github.com/sponsors/Ap6pack"],"categories":[],"sub_categories":[],"readme":"\u003c!-- Copyright (c) 2026 Veritas Aequitas Holdings LLC. All rights reserved. --\u003e\n\n\u003cdiv align=\"center\"\u003e\n\n# Malwar\n\n**Static analysis engine purpose-built for detecting malware in agentic AI skill files.**\n\n[![PyPI version](https://img.shields.io/pypi/v/malwar)](https://pypi.org/project/malwar/)\n[![Docker](https://img.shields.io/badge/docker-ghcr.io%2Fap6pack%2Fmalwar-blue)](https://ghcr.io/ap6pack/malwar)\n[![Docs](https://img.shields.io/badge/docs-ap6pack.github.io%2Fmalwar-blue)](https://ap6pack.github.io/malwar)\n[![License](https://img.shields.io/badge/license-BSL--1.1-blue)](LICENSE)\n[![CI](https://github.com/Ap6pack/malwar/actions/workflows/ci.yml/badge.svg)](https://github.com/Ap6pack/malwar/actions/workflows/ci.yml)\n[![Python](https://img.shields.io/badge/python-3.13+-3776AB?logo=python\u0026logoColor=white)](https://python.org)\n\n![Detection Rules](https://img.shields.io/badge/detection_rules-26-orange)\n![Pipeline Layers](https://img.shields.io/badge/pipeline_layers-4-green)\n![SARIF](https://img.shields.io/badge/output-SARIF_2.1.0-purple)\n![Coverage](https://img.shields.io/badge/coverage-82%25-brightgreen)\n\n[Web Dashboard](#web-dashboard) \u0026nbsp;\u0026middot;\u0026nbsp; [API Docs](docs/api-reference.md) \u0026nbsp;\u0026middot;\u0026nbsp; [Detection Rules](docs/detection-rules.md) \u0026nbsp;\u0026middot;\u0026nbsp; [Deployment](docs/deployment.md)\n\n\u003c/div\u003e\n\n---\n\n## Why\n\n**20% of ClawHub's 10,700+ skills are malicious.** The [ClawHavoc campaign](docs/threat-campaigns.md) alone trojanized 824+ skills to deliver the AMOS infostealer. These attacks aren't binaries — they're natural language instructions hidden in Markdown files. VirusTotal sees nothing. Code scanners see nothing. Malwar was built to catch them.\n\n## How It Works\n\n```\nSKILL.md → Rule Engine → URL Crawler → LLM Analyzer → Threat Intel → Verdict\n             \u003c50ms         1-5s          2-10s           \u003c100ms\n```\n\n| Layer | What it catches |\n|-------|-----------------|\n| **Rule Engine** | Obfuscated commands, prompt injection, credential exposure, exfiltration patterns ([19 rules](docs/detection-rules.md)) |\n| **URL Crawler** | Malicious URLs, domain reputation, redirect chains to C2 infrastructure |\n| **LLM Analyzer** | Social engineering, hidden intent, context-dependent attacks invisible to regex |\n| **Threat Intel** | Known IOCs, [campaign attribution](docs/threat-campaigns.md), threat actor fingerprints |\n\nFull pipeline details: **[Architecture](docs/architecture.md)**\n\n## Quick Start\n\n```bash\npip install malwar\nmalwar db init\n```\n\nFor development:\n\n```bash\ngit clone https://github.com/Ap6pack/malwar.git \u0026\u0026 cd malwar\npip install -e \".[dev]\"\nmalwar db init\n```\n\n```bash\nmalwar scan SKILL.md                    # scan a file\nmalwar scan skills/                     # scan a directory\nmalwar scan SKILL.md --format sarif     # CI/CD output\nmalwar scan SKILL.md --no-llm          # skip LLM (fast + free)\n```\n\n```\n$ malwar scan suspicious-skill.md\n\n  MALICIOUS  Risk: 95/100  Findings: 4\n\n  MALWAR-OBF-001   Base64-encoded command execution        critical   L14\n  MALWAR-CMD-001   Remote script piped to shell            critical   L22\n  MALWAR-EXFIL-001 Agent memory/identity file access       critical   L31\n  MALWAR-MAL-001   ClawHavoc campaign indicator            critical   L14\n\n  Scan completed in 42ms (rule_engine, threat_intel)\n```\n\nFull command reference: **[CLI Guide](docs/cli-reference.md)**\n\n## API\n\n```bash\nmalwar serve    # http://localhost:8000\n```\n\n```bash\ncurl -X POST http://localhost:8000/api/v1/scan \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"content\": \"...\", \"file_name\": \"SKILL.md\"}'\n```\n\n16 endpoints covering scan submission, results, SARIF export, signatures CRUD, campaigns, and reports. Auth via `X-API-Key` header.\n\nFull endpoint reference: **[API Docs](docs/api-reference.md)**\n\n## Web Dashboard\n\nBuilt-in browser UI at `http://localhost:8000` when running the API server.\n\n![Dashboard](docs/images/dashboard.png)\n\n| | |\n|---|---|\n| ![Scan Detail](docs/images/scan-detail.png) | ![Campaigns](docs/images/campaigns.png) |\n| ![Signatures](docs/images/signatures.png) | ![Scan History](docs/images/scans.png) |\n\nReact 19 \u0026middot; TypeScript \u0026middot; Vite \u0026middot; Tailwind CSS 4 \u0026middot; Recharts\n\n## Docker\n\n```bash\ndocker compose up -d    # API + Dashboard at http://localhost:8000\n```\n\nMulti-stage build: Node.js compiles the frontend, Python 3.13-slim runs the backend.\n\nFull deployment guide: **[Deployment](docs/deployment.md)**\n\n## Configuration\n\nAll settings via environment variables with `MALWAR_` prefix or `.env` file. Key settings:\n\n| Variable | Default | Description |\n|----------|---------|-------------|\n| `MALWAR_API_KEYS` | *(empty)* | API keys (empty = auth disabled) |\n| `MALWAR_ANTHROPIC_API_KEY` | *(empty)* | Anthropic key for LLM layer |\n| `MALWAR_DB_PATH` | `malwar.db` | SQLite database path |\n\n[All 17 configuration options →](docs/deployment.md#configuration)\n\n## Development\n\n```bash\npytest                                # 345 tests\nruff check src/ tests/                # lint\nmypy src/                             # type check\n```\n\n37 test fixtures: 5 benign, 10 malicious (synthetic), 22 real-world samples from ClawHub and Snyk research.\n\nFull dev guide: **[Development](docs/development.md)**\n\n## Documentation\n\n| | |\n|---|---|\n| **[Architecture](docs/architecture.md)** | Pipeline design, scoring logic, storage layer |\n| **[API Reference](docs/api-reference.md)** | All 16 endpoints with schemas and examples |\n| **[Detection Rules](docs/detection-rules.md)** | All 19 rules with patterns and false positive guidance |\n| **[Threat Campaigns](docs/threat-campaigns.md)** | Campaign tracking, ClawHavoc case study |\n| **[CLI Reference](docs/cli-reference.md)** | Every command with flags and examples |\n| **[Deployment](docs/deployment.md)** | pip, Docker, nginx, production config |\n| **[Development](docs/development.md)** | Adding rules, endpoints, testing, conventions |\n\n---\n\n**BSL-1.1** — Copyright (c) 2026 Veritas Aequitas Holdings LLC. All rights reserved.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fap6pack%2Fmalwar","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fap6pack%2Fmalwar","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fap6pack%2Fmalwar/lists"}