OpenScan
Lightweight malware detection for macOS and Linux binaries/scripts. Ported from the Harkonnen antimalware engine.
What It Detects
Binary Analysis:
- Mach-O (macOS) and ELF (Linux) parsing
- Suspicious dylibs/shared objects (Frida, injection frameworks)
- Missing/invalid code signatures (macOS)
- Disabled security features (PIE, NX, RELRO)
- Packed/encrypted binaries (high entropy)
Pattern Detection:
- Shellcode byte sequences
- Suspicious API references (process injection, keylogging, etc.)
- Network indicators (embedded URLs, IPs)
- Encoded payloads (base64 blobs)
Script Analysis:
- Dangerous shell patterns (curl|bash, eval, etc.)
- Obfuscation indicators
- Privilege escalation attempts
Usage
# Scan a single binary
node bin/scan.js /path/to/binary
# Scan a skill folder
node bin/scan.js /path/to/skill-folder
# JSON output for automation
node bin/scan.js /path --json
# Only show threats
node bin/scan.js /path --quiet
Exit Codes
0- Clean (score ≤ 20)1- Suspicious (score 21-60)2- High threat (score > 60)
Threat Scoring
Each file receives a score from 0-100:
| Score | Level | Meaning |
|---|---|---|
| 0-20 | CLEAN | No significant findings |
| 21-40 | LOW | Minor concerns, probably safe |
| 41-60 | MEDIUM | Suspicious patterns, review manually |
| 61-80 | HIGH | Likely malicious or dangerous |
| 81-100 | CRITICAL | Known malicious patterns |
Integration with OpenClaw
Use before installing or trusting unknown binaries:
// Example: scan before allowing a skill's binary
const { scanFile } = require('openscan/lib/scanner');
async function checkBinary(binPath) {
const result = await scanFile(binPath);
if (result.threatScore > 40) {
throw new Error(`Binary failed security scan: ${result.findings.join(', ')}`);
}
return true;
}
Limitations
- Not a replacement for full antivirus
- Signature-based detection is minimal (no hash database)
- May produce false positives on legitimate security tools
- Cannot detect all obfuscation techniques
Credits
Detection logic ported from Harkonnen antimalware engine.