npm - mohuclaw - Versions diffs - 1.0.1 - Mend

mohuclaw 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (92) hide show

package/LICENSE +21 -0
package/README.md +64 -0
package/bin/mohu-tui.js +73 -0
package/bin/mohu-webui.js +67 -0
package/dist/tui/tui.js +38733 -0
package/dist/webui/index.html +1551 -0
package/dist/webui/server.js +876 -0
package/ioc/c2-ips.txt +25 -0
package/ioc/file-hashes.txt +13 -0
package/ioc/malicious-domains.txt +46 -0
package/ioc/malicious-hashes.txt +5 -0
package/ioc/malicious-publishers.txt +34 -0
package/ioc/malicious-skill-patterns.txt +87 -0
package/package.json +46 -0
package/scripts/check/access_control.sh +183 -0
package/scripts/check/credential_storage.sh +222 -0
package/scripts/check/execution_sandbox.sh +502 -0
package/scripts/check/memory_poisoning.sh +334 -0
package/scripts/check/network_exposure.sh +479 -0
package/scripts/check/resource_cost.sh +182 -0
package/scripts/check/supply_chain.sh +553 -0
package/scripts/repair/access_control/_common.sh +249 -0
package/scripts/repair/access_control/check_1.sh +28 -0
package/scripts/repair/access_control/check_2.sh +27 -0
package/scripts/repair/access_control/check_3.sh +23 -0
package/scripts/repair/access_control/check_4.sh +23 -0
package/scripts/repair/access_control/check_5.sh +20 -0
package/scripts/repair/credential_storage/_common.sh +277 -0
package/scripts/repair/credential_storage/check_1.sh +47 -0
package/scripts/repair/credential_storage/check_2.sh +35 -0
package/scripts/repair/credential_storage/check_3.sh +53 -0
package/scripts/repair/credential_storage/logs/security-scan.log +15 -0
package/scripts/repair/execution_sandbox/_common.sh +302 -0
package/scripts/repair/execution_sandbox/check_1.sh +67 -0
package/scripts/repair/execution_sandbox/check_10.sh +23 -0
package/scripts/repair/execution_sandbox/check_11.sh +34 -0
package/scripts/repair/execution_sandbox/check_12.sh +38 -0
package/scripts/repair/execution_sandbox/check_13.sh +29 -0
package/scripts/repair/execution_sandbox/check_2.sh +46 -0
package/scripts/repair/execution_sandbox/check_3.sh +37 -0
package/scripts/repair/execution_sandbox/check_4.sh +23 -0
package/scripts/repair/execution_sandbox/check_5.sh +28 -0
package/scripts/repair/execution_sandbox/check_6.sh +17 -0
package/scripts/repair/execution_sandbox/check_7.sh +17 -0
package/scripts/repair/execution_sandbox/check_8.sh +17 -0
package/scripts/repair/execution_sandbox/check_9.sh +17 -0
package/scripts/repair/execution_sandbox/logs/security-scan.log +10 -0
package/scripts/repair/memory_poisoning/_common.sh +336 -0
package/scripts/repair/memory_poisoning/check_1.sh +51 -0
package/scripts/repair/memory_poisoning/check_2.sh +26 -0
package/scripts/repair/memory_poisoning/check_3.sh +24 -0
package/scripts/repair/memory_poisoning/check_4.sh +27 -0
package/scripts/repair/memory_poisoning/check_5.sh +20 -0
package/scripts/repair/network_exposure/_common.sh +330 -0
package/scripts/repair/network_exposure/check_1.sh +86 -0
package/scripts/repair/network_exposure/check_10.sh +16 -0
package/scripts/repair/network_exposure/check_11.sh +31 -0
package/scripts/repair/network_exposure/check_12.sh +24 -0
package/scripts/repair/network_exposure/check_2.sh +26 -0
package/scripts/repair/network_exposure/check_3.sh +43 -0
package/scripts/repair/network_exposure/check_4.sh +23 -0
package/scripts/repair/network_exposure/check_5.sh +16 -0
package/scripts/repair/network_exposure/check_6.sh +98 -0
package/scripts/repair/network_exposure/check_7.sh +35 -0
package/scripts/repair/network_exposure/check_8.sh +19 -0
package/scripts/repair/network_exposure/check_9.sh +19 -0
package/scripts/repair/resource_cost/_common.sh +303 -0
package/scripts/repair/resource_cost/check_1.sh +16 -0
package/scripts/repair/resource_cost/check_2.sh +16 -0
package/scripts/repair/resource_cost/check_3.sh +23 -0
package/scripts/repair/supply_chain/_common.sh +222 -0
package/scripts/repair/supply_chain/check_1.sh +95 -0
package/scripts/repair/supply_chain/check_10.sh +60 -0
package/scripts/repair/supply_chain/check_11.sh +63 -0
package/scripts/repair/supply_chain/check_12.sh +36 -0
package/scripts/repair/supply_chain/check_13.sh +44 -0
package/scripts/repair/supply_chain/check_14.sh +33 -0
package/scripts/repair/supply_chain/check_15.sh +33 -0
package/scripts/repair/supply_chain/check_16.sh +34 -0
package/scripts/repair/supply_chain/check_17.sh +61 -0
package/scripts/repair/supply_chain/check_18.sh +62 -0
package/scripts/repair/supply_chain/check_2.sh +93 -0
package/scripts/repair/supply_chain/check_3.sh +78 -0
package/scripts/repair/supply_chain/check_4.sh +72 -0
package/scripts/repair/supply_chain/check_5.sh +73 -0
package/scripts/repair/supply_chain/check_6.sh +81 -0
package/scripts/repair/supply_chain/check_7.sh +52 -0
package/scripts/repair/supply_chain/check_8.sh +71 -0
package/scripts/repair/supply_chain/check_9.sh +78 -0
package/scripts/repair/supply_chain/logs/security-scan.log +77 -0
package/scripts/scan.sh +228 -0
package/webui/index.html +1551 -0

package/scripts/repair/network_exposure/check_7.sh ADDED Viewed

@@ -0,0 +1,35 @@
+#!/bin/bash
+# CHECK 7 (origin 20): mDNS/Bonjour Exposure
+# Usage: ./check_7.sh
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+# Guidance
+cat <<EOF
+RECOMMENDED ACTIONS:
+1. Disable mDNS broadcasting:
+   openclaw config set discovery.mdns.mode off
+2. Or set to minimal (name only, no paths):
+   openclaw config set discovery.mdns.mode minimal
+3. Verify mDNS is no longer broadcasting:
+   avahi-browse -a
+   # Should show no openclaw entries
+4. Disable avahi-daemon entirely (if not needed):
+   sudo systemctl stop avahi-daemon
+   sudo systemctl disable avahi-daemon
+5. Or restrict avahi to localhost only (/etc/avahi/avahi-daemon.conf):
+   [server]
+   allow-interfaces=lo
+   deny-interfaces=eth0,wlan0
+   Then restart:
+   sudo systemctl restart avahi-daemon
+EOF
+exit 0

package/scripts/repair/network_exposure/check_8.sh ADDED Viewed

@@ -0,0 +1,19 @@
+#!/bin/bash
+# CHECK 8 (origin 34): SSRF Protection
+# Usage: ./check_8.sh
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+# Guidance
+cat <<EOF
+RECOMMENDED ACTIONS:
+1. Update OpenClaw:
+   openclaw update
+2. Audit cron webhook targets for internal endpoints:
+   openclaw config get cron
+EOF
+exit 0

package/scripts/repair/network_exposure/check_9.sh ADDED Viewed

@@ -0,0 +1,19 @@
+#!/bin/bash
+# CHECK 9 (origin 36): ACP Permission Auto-Approval
+# Usage: ./check_9.sh
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+# Guidance
+cat <<EOF
+RECOMMENDED ACTIONS:
+1. Update OpenClaw:
+   openclaw update
+2. Disable ACP auto-approve until patched:
+   openclaw config set acp.autoApprove false
+EOF
+exit 0

package/scripts/repair/resource_cost/_common.sh ADDED Viewed

@@ -0,0 +1,303 @@
+#!/bin/bash
+# Exit codes: 0=SECURE, 1=WARNINGS, 2=COMPROMISED
+set -uo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# PROJECT_DIR="$(dirname "$SCRIPT_DIR")"
+# IOC_DIR="$PROJECT_DIR/ioc"
+PROJECT_DIR="$(cd "$SCRIPT_DIR/../../.." && pwd)"
+IOC_DIR="$PROJECT_DIR/ioc"
+SELF_DIR_NAME="$(basename "$PROJECT_DIR")"
+# Default OpenClaw paths
+# OPENCLAW_DIR="${OPENCLAW_HOME:-$HOME/.openclaw}"
+OPENCLAW_DIR="${OPENCLAW_HOME:-$HOME/test/openclaw-1}"
+SKILLS_DIR="$OPENCLAW_DIR/workspace/skills"
+WORKSPACE_DIR="$OPENCLAW_DIR/workspace"
+# LOG_DIR="$OPENCLAW_DIR/logs"
+LOG_DIR="logs"
+LOG_FILE="$LOG_DIR/security-scan.log"
+TIMESTAMP="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
+export PATH="$HOME/.local/bin:/opt/homebrew/opt/node@22/bin:/opt/homebrew/bin:/usr/local/bin:$PATH"
+# Overall counters
+CRITICAL=0
+WARNINGS=0
+CLEAN=0
+# Per-category counters
+CATEGORY_NAME=""
+CATEGORY_TOTAL_CHECKS=0
+CATEGORY_CRITICAL=0
+CATEGORY_WARNINGS=0
+CATEGORY_CLEAN=0
+mkdir -p "$LOG_DIR"
+log() {
+    echo "$1" | tee -a "$LOG_FILE"
+}
+header() {
+    # Usage: header <new_index> <message>
+    log ""
+    log "[$1/$CATEGORY_TOTAL_CHECKS] $2"
+}
+result_clean() {
+    log "CLEAN: $1"
+    CLEAN=$((CLEAN + 1))
+    CATEGORY_CLEAN=$((CATEGORY_CLEAN + 1))
+}
+result_warn() {
+    log "WARNING: $1"
+    WARNINGS=$((WARNINGS + 1))
+    CATEGORY_WARNINGS=$((CATEGORY_WARNINGS + 1))
+}
+result_critical() {
+    log "CRITICAL: $1"
+    CRITICAL=$((CRITICAL + 1))
+    CATEGORY_CRITICAL=$((CATEGORY_CRITICAL + 1))
+}
+category_start() {
+    # Usage: category_start <name> <total_checks>
+    CATEGORY_NAME="$1"
+    CATEGORY_TOTAL_CHECKS="$2"
+    CATEGORY_CRITICAL=0
+    CATEGORY_WARNINGS=0
+    CATEGORY_CLEAN=0
+    log ""
+    log "----------------------------------------"
+    log "CATEGORY START: $CATEGORY_NAME ($CATEGORY_TOTAL_CHECKS checks)"
+    log "----------------------------------------"
+}
+category_end() {
+    log ""
+    log "CATEGORY SUMMARY: $CATEGORY_NAME"
+    log "  critical: $CATEGORY_CRITICAL"
+    log "  warning : $CATEGORY_WARNINGS"
+    log "  clean   : $CATEGORY_CLEAN"
+    log "----------------------------------------"
+}
+# Use timeout if available (macOS may only have gtimeout via coreutils)
+TIMEOUT_BIN=""
+if command -v timeout >/dev/null 2>&1; then
+    TIMEOUT_BIN="timeout"
+elif command -v gtimeout >/dev/null 2>&1; then
+    TIMEOUT_BIN="gtimeout"
+fi
+run_with_timeout() {
+    local secs="$1"
+    shift
+    if [ -n "$TIMEOUT_BIN" ]; then
+        "$TIMEOUT_BIN" "$secs" "$@"
+    elif command -v python3 >/dev/null 2>&1; then
+        python3 - "$secs" "$@" <<'PY'
+import subprocess
+import sys
+def main():
+    try:
+        secs = float(sys.argv[1])
+    except Exception:
+        secs = 0
+    cmd = sys.argv[2:]
+    if not cmd:
+        sys.exit(1)
+    try:
+        proc = subprocess.Popen(cmd)
+        try:
+            proc.wait(timeout=secs if secs > 0 else None)
+        except subprocess.TimeoutExpired:
+            proc.kill()
+            proc.wait()
+            sys.exit(124)
+        sys.exit(proc.returncode if proc.returncode is not None else 0)
+    except FileNotFoundError:
+        sys.exit(127)
+if __name__ == "__main__":
+    main()
+PY
+    else
+        "$@"
+    fi
+}
+# Load IOC data
+load_ips() {
+    if [ -f "$IOC_DIR/c2-ips.txt" ]; then
+        grep -v '^#' "$IOC_DIR/c2-ips.txt" | grep -v '^$' | cut -d'|' -f1
+    else
+        echo "91.92.242"
+    fi
+}
+load_domains() {
+    if [ -f "$IOC_DIR/malicious-domains.txt" ]; then
+        grep -v '^#' "$IOC_DIR/malicious-domains.txt" | grep -v '^$' | cut -d'|' -f1
+    else
+        echo "webhook.site"
+    fi
+}
+sha256_file() {
+    # Cross-platform SHA-256 for a file
+    local target="$1"
+    [ -f "$target" ] || return 1
+    if command -v sha256sum >/dev/null 2>&1; then
+        sha256sum "$target" 2>/dev/null | awk '{print tolower($1)}'
+    elif command -v shasum >/dev/null 2>&1; then
+        shasum -a 256 "$target" 2>/dev/null | awk '{print tolower($1)}'
+    elif command -v openssl >/dev/null 2>&1; then
+        openssl dgst -sha256 "$target" 2>/dev/null | sed -E 's/^.*= //' | tr '[:upper:]' '[:lower:]'
+    else
+        return 1
+    fi
+}
+load_hash_iocs() {
+    # Expected format: <sha256>|<campaign>
+    # Similar to c2-ips.txt storage style
+    if [ -f "$IOC_DIR/malicious-hashes.txt" ]; then
+        grep -v '^#' "$IOC_DIR/malicious-hashes.txt" | grep -v '^$' || true
+    fi
+}
+lookup_malicious_hash_campaign() {
+    local needle
+    needle="$(printf "%s" "${1:-}" | tr '[:upper:]' '[:lower:]')"
+    [ -n "$needle" ] || return 1
+    while IFS='|' read -r hash_val campaign rest; do
+        hash_val="$(printf "%s" "$hash_val" | tr '[:upper:]' '[:lower:]')"
+        if [ "$hash_val" = "$needle" ]; then
+            printf "%s\n" "${campaign:-unknown}"
+            return 0
+        fi
+    done < <(load_hash_iocs)  # ← 进程替换，不产生子shell
+    return 1
+}
+extract_github_account_age_days() {
+    # Best-effort local metadata extraction only.
+    # We cannot reliably infer GitHub account age from filesystem alone unless
+    # the skill metadata explicitly records it.
+    local skill_dir="$1"
+    local val=""
+    for meta in "$skill_dir/package.json" "$skill_dir/config.json" "$skill_dir/SKILL.md"; do
+        [ -f "$meta" ] || continue
+        # JSON-ish keys
+        val="$(grep -iEo '"(githubAccountAge|github_account_age|accountAgeDays|githubAccountAgeDays)"[[:space:]]*:[[:space:]]*[0-9]+' "$meta" 2>/dev/null | head -1 | grep -oE '[0-9]+' || true)"
+        if [ -n "$val" ]; then
+            printf "%s\n" "$val"
+            return 0
+        fi
+        # YAML / markdown frontmatter-ish keys
+        val="$(grep -iE '^(githubAccountAge|github_account_age|accountAgeDays|githubAccountAgeDays)[[:space:]]*:[[:space:]]*[0-9]+' "$meta" 2>/dev/null | head -1 | grep -oE '[0-9]+' || true)"
+        if [ -n "$val" ]; then
+            printf "%s\n" "$val"
+            return 0
+        fi
+    done
+    return 1
+}
+OPENCLAW_PRESENT=false
+if command -v openclaw >/dev/null 2>&1; then
+    OPENCLAW_PRESENT=true
+fi
+OC_VERSION="unknown"
+PARSED_OC_VERSION=""
+OC_MAJOR=""
+OC_MINOR=""
+OC_PATCH=""
+if [ "$OPENCLAW_PRESENT" = true ]; then
+    OC_VERSION="$(run_with_timeout 5 openclaw --version 2>/dev/null || echo "unknown")"
+    PARSED_OC_VERSION="$(echo "$OC_VERSION" | grep -oE '[0-9]{4}\.[0-9]+\.[0-9]+' | head -1 || true)"
+    if [ -n "$PARSED_OC_VERSION" ]; then
+        OC_MAJOR="$(echo "$PARSED_OC_VERSION" | cut -d'.' -f1)"
+        OC_MINOR="$(echo "$PARSED_OC_VERSION" | cut -d'.' -f2)"
+        OC_PATCH="$(echo "$PARSED_OC_VERSION" | cut -d'.' -f3)"
+    fi
+fi
+version_ge() {
+    local t_major="$1"
+    local t_minor="$2"
+    local t_patch="$3"
+    if [ -z "$PARSED_OC_VERSION" ]; then
+        return 1
+    fi
+    if [ "$OC_MAJOR" -gt "$t_major" ] 2>/dev/null; then
+        return 0
+    fi
+    if [ "$OC_MAJOR" -lt "$t_major" ] 2>/dev/null; then
+        return 1
+    fi
+    if [ "$OC_MINOR" -gt "$t_minor" ] 2>/dev/null; then
+        return 0
+    fi
+    if [ "$OC_MINOR" -lt "$t_minor" ] 2>/dev/null; then
+        return 1
+    fi
+    if [ "$OC_PATCH" -ge "$t_patch" ] 2>/dev/null; then
+        return 0
+    fi
+    return 1
+}
+version_lt() {
+    if [ -z "$PARSED_OC_VERSION" ]; then
+        return 1
+    fi
+    if version_ge "$1" "$2" "$3"; then
+        return 1
+    fi
+    return 0
+}
+# ------------------------------------------------------------
+# Cron frequency check
+# ------------------------------------------------------------
+has_high_freq_cron() {
+grep -Eq '^[[:space:]]*(\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*|\*/[1-4][[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*)' "$1" 2>/dev/null
+}
+TOTAL_TOKENS=0
+TOTAL_COST=0
+HOURLY_COST=0

package/scripts/repair/resource_cost/check_1.sh ADDED Viewed

@@ -0,0 +1,16 @@
+#!/bin/bash
+# CHECK 1: Webhook DoS
+# Usage: ./check_1.sh
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+# Guidance
+cat <<EOF
+RECOMMENDED ACTIONS:
+1. Update OpenClaw:
+   openclaw update
+EOF
+exit 0

package/scripts/repair/resource_cost/check_2.sh ADDED Viewed

@@ -0,0 +1,16 @@
+#!/bin/bash
+# CHECK 2: fetchWithGuard DoS
+# Usage: ./check_2.sh
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+# Guidance
+cat <<EOF
+RECOMMENDED ACTIONS:
+1. Update OpenClaw:
+   openclaw update
+EOF
+exit 0

package/scripts/repair/resource_cost/check_3.sh ADDED Viewed

@@ -0,0 +1,23 @@
+#!/bin/bash
+# CHECK 3: High frequency cron
+# Usage: ./check_3.sh
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "$SCRIPT_DIR/_common.sh"
+# Guidance
+cat <<EOF
+RECOMMENDED ACTIONS:
+1. Review current crontab schedules:
+   crontab -l | grep -iE "openclaw|clawdbot|moltbot"
+2. Edit and reduce trigger frequency (no more than once per 5 minutes):
+   crontab -e
+   # Change */1 to */5 or higher
+3. Consider switching to event-driven triggers instead of fixed schedules:
+   openclaw config set scheduler.mode event-driven
+EOF
+exit 0

package/scripts/repair/supply_chain/_common.sh ADDED Viewed

@@ -0,0 +1,222 @@
+#!/bin/bash
+# Exit codes: 0=SECURE, 1=WARNINGS, 2=COMPROMISED
+set -uo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# PROJECT_DIR="$(dirname "$SCRIPT_DIR")"
+# IOC_DIR="$PROJECT_DIR/ioc"
+PROJECT_DIR="$(cd "$SCRIPT_DIR/../../.." && pwd)"
+IOC_DIR="$PROJECT_DIR/ioc"
+SELF_DIR_NAME="$(basename "$PROJECT_DIR")"
+# Default OpenClaw paths
+# OPENCLAW_DIR="${OPENCLAW_HOME:-$HOME/.openclaw}"
+OPENCLAW_DIR="${OPENCLAW_HOME:-$HOME/test/openclaw-1}"
+SKILLS_DIR="$OPENCLAW_DIR/workspace/skills"
+WORKSPACE_DIR="$OPENCLAW_DIR/workspace"
+# LOG_DIR="$OPENCLAW_DIR/logs"
+LOG_DIR="logs"
+LOG_FILE="$LOG_DIR/security-scan.log"
+TIMESTAMP="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
+export PATH="$HOME/.local/bin:/opt/homebrew/opt/node@22/bin:/opt/homebrew/bin:/usr/local/bin:$PATH"
+# Overall counters
+CRITICAL=0
+WARNINGS=0
+CLEAN=0
+# Per-category counters
+CATEGORY_NAME=""
+CATEGORY_TOTAL_CHECKS=0
+CATEGORY_CRITICAL=0
+CATEGORY_WARNINGS=0
+CATEGORY_CLEAN=0
+mkdir -p "$LOG_DIR"
+log() {
+    echo "$1" | tee -a "$LOG_FILE"
+}
+header() {
+    # Usage: header <new_index> <message>
+    log ""
+    log "[$1/$CATEGORY_TOTAL_CHECKS] $2"
+}
+result_clean() {
+    log "CLEAN: $1"
+    CLEAN=$((CLEAN + 1))
+    CATEGORY_CLEAN=$((CATEGORY_CLEAN + 1))
+}
+result_warn() {
+    log "WARNING: $1"
+    WARNINGS=$((WARNINGS + 1))
+    CATEGORY_WARNINGS=$((CATEGORY_WARNINGS + 1))
+}
+result_critical() {
+    log "CRITICAL: $1"
+    CRITICAL=$((CRITICAL + 1))
+    CATEGORY_CRITICAL=$((CATEGORY_CRITICAL + 1))
+}
+category_start() {
+    # Usage: category_start <name> <total_checks>
+    CATEGORY_NAME="$1"
+    CATEGORY_TOTAL_CHECKS="$2"
+    CATEGORY_CRITICAL=0
+    CATEGORY_WARNINGS=0
+    CATEGORY_CLEAN=0
+    log ""
+    log "----------------------------------------"
+    log "CATEGORY START: $CATEGORY_NAME ($CATEGORY_TOTAL_CHECKS checks)"
+    log "----------------------------------------"
+}
+category_end() {
+    log ""
+    log "CATEGORY SUMMARY: $CATEGORY_NAME"
+    log "  critical: $CATEGORY_CRITICAL"
+    log "  warning : $CATEGORY_WARNINGS"
+    log "  clean   : $CATEGORY_CLEAN"
+    log "----------------------------------------"
+}
+# Use timeout if available (macOS may only have gtimeout via coreutils)
+TIMEOUT_BIN=""
+if command -v timeout >/dev/null 2>&1; then
+    TIMEOUT_BIN="timeout"
+elif command -v gtimeout >/dev/null 2>&1; then
+    TIMEOUT_BIN="gtimeout"
+fi
+run_with_timeout() {
+    local secs="$1"
+    shift
+    if [ -n "$TIMEOUT_BIN" ]; then
+        "$TIMEOUT_BIN" "$secs" "$@"
+    elif command -v python3 >/dev/null 2>&1; then
+        python3 - "$secs" "$@" <<'PY'
+import subprocess
+import sys
+def main():
+    try:
+        secs = float(sys.argv[1])
+    except Exception:
+        secs = 0
+    cmd = sys.argv[2:]
+    if not cmd:
+        sys.exit(1)
+    try:
+        proc = subprocess.Popen(cmd)
+        try:
+            proc.wait(timeout=secs if secs > 0 else None)
+        except subprocess.TimeoutExpired:
+            proc.kill()
+            proc.wait()
+            sys.exit(124)
+        sys.exit(proc.returncode if proc.returncode is not None else 0)
+    except FileNotFoundError:
+        sys.exit(127)
+if __name__ == "__main__":
+    main()
+PY
+    else
+        "$@"
+    fi
+}
+# Load IOC data
+load_ips() {
+    if [ -f "$IOC_DIR/c2-ips.txt" ]; then
+        grep -v '^#' "$IOC_DIR/c2-ips.txt" | grep -v '^$' | cut -d'|' -f1
+    else
+        echo "91.92.242"
+    fi
+}
+load_domains() {
+    if [ -f "$IOC_DIR/malicious-domains.txt" ]; then
+        grep -v '^#' "$IOC_DIR/malicious-domains.txt" | grep -v '^$' | cut -d'|' -f1
+    else
+        echo "webhook.site"
+    fi
+}
+sha256_file() {
+    # Cross-platform SHA-256 for a file
+    local target="$1"
+    [ -f "$target" ] || return 1
+    if command -v sha256sum >/dev/null 2>&1; then
+        sha256sum "$target" 2>/dev/null | awk '{print tolower($1)}'
+    elif command -v shasum >/dev/null 2>&1; then
+        shasum -a 256 "$target" 2>/dev/null | awk '{print tolower($1)}'
+    elif command -v openssl >/dev/null 2>&1; then
+        openssl dgst -sha256 "$target" 2>/dev/null | sed -E 's/^.*= //' | tr '[:upper:]' '[:lower:]'
+    else
+        return 1
+    fi
+}
+load_hash_iocs() {
+    # Expected format: <sha256>|<campaign>
+    # Similar to c2-ips.txt storage style
+    if [ -f "$IOC_DIR/malicious-hashes.txt" ]; then
+        grep -v '^#' "$IOC_DIR/malicious-hashes.txt" | grep -v '^$' || true
+    fi
+}
+lookup_malicious_hash_campaign() {
+    local needle
+    needle="$(printf "%s" "${1:-}" | tr '[:upper:]' '[:lower:]')"
+    [ -n "$needle" ] || return 1
+    while IFS='|' read -r hash_val campaign rest; do
+        hash_val="$(printf "%s" "$hash_val" | tr '[:upper:]' '[:lower:]')"
+        if [ "$hash_val" = "$needle" ]; then
+            printf "%s\n" "${campaign:-unknown}"
+            return 0
+        fi
+    done < <(load_hash_iocs)  # ← 进程替换，不产生子shell
+    return 1
+}
+extract_github_account_age_days() {
+    # Best-effort local metadata extraction only.
+    # We cannot reliably infer GitHub account age from filesystem alone unless
+    # the skill metadata explicitly records it.
+    local skill_dir="$1"
+    local val=""
+    for meta in "$skill_dir/package.json" "$skill_dir/config.json" "$skill_dir/SKILL.md"; do
+        [ -f "$meta" ] || continue
+        # JSON-ish keys
+        val="$(grep -iEo '"(githubAccountAge|github_account_age|accountAgeDays|githubAccountAgeDays)"[[:space:]]*:[[:space:]]*[0-9]+' "$meta" 2>/dev/null | head -1 | grep -oE '[0-9]+' || true)"
+        if [ -n "$val" ]; then
+            printf "%s\n" "$val"
+            return 0
+        fi
+        # YAML / markdown frontmatter-ish keys
+        val="$(grep -iE '^(githubAccountAge|github_account_age|accountAgeDays|githubAccountAgeDays)[[:space:]]*:[[:space:]]*[0-9]+' "$meta" 2>/dev/null | head -1 | grep -oE '[0-9]+' || true)"
+        if [ -n "$val" ]; then
+            printf "%s\n" "$val"
+            return 0
+        fi
+    done
+    return 1
+}