infostealer-malware-detector

Infostealer Malware Detector & Remover (v1.1.0)

Overview

This skill gives OpenClaw a complete workflow to search every file on the system, identify infostealer indicators, compute secure hashes, and verify them against live public databases.

Core principles (strict)

  • Primary detection: Targeted file search + SHA-256 hashing + VirusTotal/MalwareBazaar checks.
  • AV usage: Windows Defender (mpcmdrun.exe) or any other AV is permitted only when necessary (hash checks inconclusive, high suspicion remains, or user explicitly requests deeper scan).
  • Never default to AV – the agent must complete the full custom hash workflow first and document why AV escalation is needed.
  • Full user confirmation required before any quarantine or AV scan.
  • Full audit trail and quarantine before removal.

When to activate automatically

  • "My passwords are being stolen"
  • "Scan for infostealer / stealer malware"
  • "Check if RedLine / Vidar / Lumma is on my PC"
  • "Clean my system" (but follow custom-first rule)

Prerequisites

  • Internet connection (for hash lookups)
  • Optional but highly recommended: free VirusTotal API key (VT_API_KEY)
  • Python 3.8+ (for scripts/hash-checker.py)
  • Admin/root privileges for full system scan
  • Windows Defender enabled by default on Windows (no installation needed)

Step-by-Step Workflow (Custom Method First – Always)

Step 1: Scope the System & Identify High-Risk Areas

Run targeted discovery (fast & effective for infostealers):

# Windows (PowerShell)
Get-ChildItem -Path "$env:TEMP","$env:APPDATA","$env:LOCALAPPDATA","C:\ProgramData","C:\Users\*\AppData" -Recurse -File -Include *.exe,*.dll,*.bat,*.ps1,*.vbs,*.js -ErrorAction SilentlyContinue | Select-Object FullName,LastWriteTime,Length

# macOS / Linux
find /tmp ~/Library /Library /Users/*/Library /var/tmp -type f \( -name "*.exe" -o -name "*.dylib" -o -name "*.so" -o -name "*.sh" \) -mtime -30 2>/dev/null

Flag files meeting suspicious criteria (random names in Temp/AppData, recent creations <5 MB in browser folders, etc.).

Step 2: Compute Cryptographic Hashes

Use the bundled helper script (scripts/hash-checker.py):

#!/usr/bin/env python3
import hashlib, sys, json
from pathlib import Path

def sha256_file(file_path):
    """Hash a file in 4 KiB chunks so large binaries are never loaded into memory."""
    try:
        h = hashlib.sha256()
        with open(file_path, "rb") as f:
            for chunk in iter(lambda: f.read(4096), b""):
                h.update(chunk)
        return h.hexdigest()
    except OSError:  # unreadable, locked or vanished file: skip it rather than abort the scan
        return None

if __name__ == "__main__":
    paths = sys.argv[1:] or [input("Enter file or directory: ")]
    results = {}
    for p in paths:
        p = Path(p)
        if p.is_file():
            h = sha256_file(p)
            if h: results[str(p)] = h
        elif p.is_dir():
            for f in p.rglob("*"):
                try:
                    small_enough = f.is_file() and f.stat().st_size < 50_000_000  # skip files over 50 MB
                except OSError:  # stat() can fail on locked or transient files
                    continue
                if small_enough:
                    h = sha256_file(f)
                    if h: results[str(f)] = h
    print(json.dumps(results, indent=2))

Step 3: Cross-Reference with Public Sources (Primary Detection)

For each SHA-256 hash:

  1. VirusTotal lookup (preferred):
curl -s --request GET "https://www.virustotal.com/api/v3/files/${HASH}" --header "x-apikey: $VT_API_KEY"
  2. Fallback public links:

Verdict rules (strict):

  • ≥5 detections or known infostealer family → HIGH confidence malware
  • 1–4 detections + IOC match → SUSPICIOUS
  • 0 detections → clean (unless behavioral IOCs)
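The verdict rules above applied to a VirusTotal v3 file object, as an added example (not part of the skill's bundled scripts). The response is a constructed, trimmed sample; "detections" is taken from the `malicious` engine count, and a hash VirusTotal does not know (404 with an `error` object) is treated as inconclusive rather than clean.

```python
import json

# Constructed sample of a VirusTotal v3 GET /files/{hash} response, trimmed to
# the fields the verdict rules need. Not real data; the id is a placeholder.
SAMPLE_VT_RESPONSE = json.dumps({
    "data": {
        "id": "0" * 64,
        "attributes": {
            "last_analysis_stats": {"malicious": 7, "suspicious": 1,
                                    "undetected": 60, "harmless": 0},
            "popular_threat_classification": {
                "suggested_threat_label": "trojan.redline/stealer"},
        },
    },
})

# Family names taken from the skill's trigger phrases; extend as needed.
INFOSTEALER_FAMILIES = ("redline", "vidar", "lumma", "stealer")


def parse_vt_response(raw_json):
    """Return (detections, family_label) from a VT file object.

    (None, "") means the hash is not in VT (the API answers 404 with an
    'error' object), so the lookup is inconclusive, not clean.
    """
    obj = json.loads(raw_json)
    attrs = obj.get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats")
    if "error" in obj or stats is None:
        return None, ""
    label = (attrs.get("popular_threat_classification", {})
                  .get("suggested_threat_label") or "")
    return int(stats.get("malicious", 0)), label.lower()


def verdict(detections, family_label="", ioc_match=False, behavioral_ioc=False):
    """Apply the skill's strict verdict rules to one hash."""
    if detections is None:
        return "UNKNOWN"          # candidate for Step 6 escalation, not 'clean'
    if detections >= 5 or any(f in family_label for f in INFOSTEALER_FAMILIES):
        return "HIGH"
    if 1 <= detections <= 4:
        # The rules only define the IOC-match case; hold the rest for Step 4.
        return "SUSPICIOUS" if ioc_match else "INCONCLUSIVE"
    return "SUSPICIOUS" if behavioral_ioc else "CLEAN"
```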

Step 4: Behavioral & IOC Validation

  • Check processes, browser databases, network connections to known C2 domains.

Step 5: Quarantine & Removal (User-Confirmed Only)

Create a timestamped quarantine folder and move the flagged files into it. Clean registry Run keys and startup entries if needed. Never delete anything without first showing the user the exact file list with VT links.
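A quarantine routine for this step, as an added example that is not part of the skill's own scripts: it refuses to act without the user's confirmation, moves each flagged file into a timestamped folder under a hash-based name with an inert suffix, and writes a manifest (original path, SHA-256, VT link) that doubles as the list shown to the user. `run_demo` quarantines a constructed, harmless sample file in a temporary directory; the file name and path are made up.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def quarantine(flagged, quarantine_root, user_confirmed):
    """Move flagged files into quarantine-<UTC stamp>/ and write manifest.json;
    refuses without explicit user confirmation. Returns the manifest."""
    if not user_confirmed:
        raise PermissionError("quarantine requires explicit user confirmation")
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    qdir = Path(quarantine_root) / f"quarantine-{stamp}"
    qdir.mkdir(parents=True, exist_ok=True)
    manifest = {"created_utc": stamp, "items": []}
    for src in map(Path, flagged):
        digest = sha256_file(src)
        # Rename to the hash with an inert suffix so the file cannot be
        # launched by its original extension while in quarantine.
        dest = qdir / f"{digest}.quarantined"
        original = str(src.resolve())
        shutil.move(str(src), str(dest))
        manifest["items"].append({
            "original_path": original,
            "sha256": digest,
            "quarantined_as": str(dest),
            "virustotal": f"https://www.virustotal.com/gui/file/{digest}",
        })
    (qdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def run_demo():
    """Quarantine one constructed (harmless) sample file in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="iq-demo-"))
    sample = root / "AppData" / "Local" / "Temp" / "xk9f2q.exe"  # constructed name
    sample.parent.mkdir(parents=True)
    sample.write_bytes(b"constructed sample, not malware\n")
    manifest = quarantine([sample], root / "Quarantine", user_confirmed=True)
    item = manifest["items"][0]
    return item, sample.exists(), Path(item["quarantined_as"]).exists()
```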

Step 6: AV Fallback (Non-Default – Use ONLY When Necessary)

Only after completing Steps 1–5, and only if hashes are inconclusive, files are locked, or suspicion remains extremely high (with the reason documented), escalate to the platform-native AV.

Windows Defender (official CLI – never first choice):

# Full system scan (run from elevated prompt)
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2

# Quick scan
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1

# Scan specific folder
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Path\To\Quarantine"

Linux/macOS fallback (ClamAV – only if installed and requested):

freshclam
clamscan -r --move="$QUARANTINE" /path/to/scan

Microsoft Safety Scanner (portable, one-time use): Download from official Microsoft link only if Defender is insufficient.

Strict rule: The agent must never run any AV command as the first action. Always complete custom hash workflow first and obtain explicit user confirmation before AV escalation.

Step 7: Post-Remediation Verification

Re-run hash scan + quick Defender check (if AV was used). Reboot and monitor.

Quality Checklist (must pass)

  • Custom hash + VT workflow completed first
  • AV used only after custom method + documented reason
  • User explicitly approved every deletion/AV scan
  • Quarantine created
  • Full report with hashes, VT links, and actions

References & Official Sources

This skill is custom-detection-first by design. Windows Defender (or any AV) is a conditional tool only – never the default.

Invoke with: /infostealer-malware-detector or describe the issue.

Related Skills

  • documentation-verification: Document investigation evidence and remediation steps clearly
  • devops-tooling: Useful when collecting system data, logs, or command output during investigation