Skip to content

Releases: north-echo/waingro

v0.4.0 — MCP Ecosystem Scanner

28 Mar 20:56
@north-echo north-echo
v0.4.0
65f6ded

Choose a tag to compare

View all tags
v0.4.0 — MCP Ecosystem Scanner Latest
Latest

MCP Ecosystem Scanner

16 detection rules for MCP (Model Context Protocol) servers, mapped to the OWASP MCP Top 10 and Adversa AI MCP Security Top 25.

New: waingro mcp commands

# Scan a single MCP server
waingro mcp scan ./mcp-server-github/

# Discover servers from npm, GitHub, and awesome lists
waingro mcp discover --awesome awesome-mcp-servers/README.md -o manifest.json

# Batch scan from discovery manifest
waingro mcp batch manifest.json --results results.json --cleanup

16 MCP Detection Rules

Rule What it catches
MCP-001 Tool description prompt injection
MCP-002 Parameter schema injection
MCP-003 Obfuscated tool handler code
MCP-004 Remote code fetch in handlers
MCP-005 Credential file/env access
MCP-006 Sensitive file access
MCP-007 MCP client config manipulation
MCP-008 Transport exfiltration (tunnels, reverse shells)
MCP-009 Rug pull indicators (lifecycle hooks)
MCP-010 Scope escalation
MCP-011 Missing authentication
MCP-012 Path traversal patterns
MCP-013 Tool name spoofing / homoglyphs
MCP-014 Unsafe network binding (NeighborJack)
MCP-015 Resource content poisoning surface
MCP-016 Package name typosquatting

Validated at Scale

Scanned 1,139 MCP servers from npm, GitHub, and awesome-mcp-servers. Results forthcoming in research paper.

Existing OpenClaw rules unchanged

All 30 OpenClaw skill detection rules carry forward. 247 tests passing.

Assets 2
Loading

v0.3.0 — Concealment Detection

20 Mar 12:52
@north-echo north-echo
v0.3.0
1d04a01

Choose a tag to compare

View all tags
v0.3.0 — Concealment Detection

WAINGRO v0.3.0

Detection focused on what the ClawHub audit taught us: the real threats are concealed, not visible.

What's New

EXEC-006: Hidden Execution in Bundled Scripts

New rule detects os.system, subprocess, and child_process.exec calls containing URLs or IP addresses in bundled .py/.sh/.js files. This is the Polymarket trojan pattern — malicious code hidden inside working scripts that users wouldn't normally read before installing. Only fires on bundled scripts, not SKILL.md body.

NET-002: External C2 Blocklist

Replaced hardcoded C2 IP list with data/c2_blocklist.txt. Now includes both ClawHavoc (91.92.242.30) and Polymarket trojan (54.91.154.110). Campaign name included in finding references. Add new IPs from confirmed TPs without code changes.

Semantic Analysis: tool_use

Switched from raw JSON prompting to Claude API tool_use with structured schema (submit_verdict tool). Eliminates JSON parsing failures. All 11 test calls now parse successfully.

Noise Reduction

  • EXEC-003: Skip .exec() method calls (regex.exec, db.exec) via negative lookbehind
  • EXEC-005: Skip ANSI escape codes (\x1b[) mistaken for hex-encoded commands
  • EXFIL-001: Remove bare .key pattern, add documentation context exclusions, skip .env.template/.env.sample
  • EXFIL-006: Skip placeholder API keys (abcdef, xxxx, fake, test, example)
  • SOCIAL-001: Expanded known-good package list from 34 to 500+ packages
  • Comment filtering: Skip # comments and error message strings in bundled scripts

Infrastructure

  • scripts/monitor_disclosure.py — cron-ready monitoring of 10 known-malicious skills
  • scripts/bulk_scan.py — now serializes confidence, security_tool_score, and risk_profile

Numbers

  • 29 detection rules (EXEC-006 added)
  • 238 tests
  • 25 confirmed TPs from ClawHub audit (12 ClawHavoc C2 + 9 reverse shells + 2 Polymarket trojan + 1 jailbreak + 1 multi-pattern)

Install

pip install git+https://github.com/north-echo/waingro.git
Loading

v0.2.0 — Context-Aware Detection

19 Mar 23:58
@north-echo north-echo
v0.2.0
c333c83

Choose a tag to compare

View all tags
v0.2.0 — Context-Aware Detection

WAINGRO v0.2.0

Context-aware detection, OBFUSC-001 tuning, and multi-dimensional risk scoring. Informed by the ClawHub audit where 20/43 initial TPs were reclassified as FPs — all legitimate security tools whose detection signatures triggered the same rules as actual malware.

What's New

OBFUSC-001 Tuning

  • Raised base64 detection threshold from 40 to 80 characters
  • Added exclusion patterns for git commit hashes, hex strings (SHA), blockchain addresses, file paths, and UUIDs
  • Expected to reduce OBFUSC-001 noise by ~90% on real-world corpora

Layer 1: Security Tool Heuristics (analyzers/context.py)

  • Computes security_tool_score (0.0–1.0) based on metadata keywords, defensive headings, detection markers, and multi-category finding profiles
  • Reduces finding confidence when the skill is likely a security tool
  • NET-002 (known C2 IPs) findings never have confidence reduced
  • New REVIEW verdict for skills that are probably security tools with detection signatures

Layer 2: Section-Aware Parsing (parsers/sections.py)

  • Parses markdown into sections with heading classification (usage/detection/documentation/configuration)
  • Findings in "detection" sections get additional confidence reduction
  • Integrated into the context analyzer for more precise scoring

Layer 3: Multi-Signal Risk Profiles (analyzers/risk_profile.py)

  • Dimensional risk scoring: execution, exfiltration, persistence, network, injection
  • Network risk gets 2x weight in composite scoring
  • Security tool score dampens overall risk
  • Scanner profile meta-rule: many diverse categories + no real C2 = likely scanner

Layer 4: Semantic Analysis (analyzers/semantic.py)

  • Claude API integration for ambiguous findings (--semantic flag)
  • Only called for REVIEW/SUSPICIOUS verdicts with moderate security_tool_score
  • Budget-capped (--semantic-budget, default $5.00)
  • Determines execution vs detection context per finding

Numbers

  • 216 tests (up from 182 in v0.1.0)
  • 28 detection rules across 8 categories
  • 4 analysis layers: static rules → context heuristics → risk profiles → semantic analysis

Install

pip install git+https://github.com/north-echo/waingro.git

# For semantic analysis (optional)
pip install anthropic
export ANTHROPIC_API_KEY=your-key
waingro scan <path> --semantic
Loading

v0.1.0 — Initial Release

18 Mar 16:58
@north-echo north-echo
v0.1.0
aa20c0a

Choose a tag to compare

View all tags
v0.1.0 — Initial Release

WAINGRO v0.1.0

AI Agent Skill Security Scanner. Format-aware static analysis for OpenClaw/Agent Skills format skill files.

Highlights

  • 28 detection rules across 8 categories: execution, exfiltration, persistence, network/C2, obfuscation, injection, social engineering, typosquatting
  • Bundled script scanning — analyzes .sh, .py, .js, .json files alongside SKILL.md
  • Shared content searchsearch_skill_content() searches body, code blocks, and bundled files uniformly
  • 166 tests including a 27-fixture corpus with parametrized precision tests
  • CLIwaingro scan, waingro audit, JSON output, --fail-on for CI/CD
  • Audit pipeline — bulk scanning, triage prep, interactive and automated triage, report generation

ClawhHub Audit

First ecosystem audit completed: 30,037 skills scanned in 355 seconds, 43 confirmed malicious skills including a 12-skill coordinated C2 campaign. Aggregate results published. Responsible disclosure filed (GHSA-c59g-h434-28gw).

Detection Comparison (ClawhHub C2 Campaign)

Method Detection Rate
WAINGRO 100% (12/12)
ClawhHub moderation 75% (9/12)
VirusTotal 0% (0/12)

Install

pip install git+https://github.com/north-echo/waingro.git

Known Limitations

  • OBFUSC-001 (base64 string detection) has a high false positive rate at the current 40-char threshold — tuning planned for v0.2.0
  • Static analysis only — no dynamic execution or semantic AI analysis (planned for v2)

Requirements

  • Python 3.11+
  • Dependencies: click, rich, pyyaml
Loading