| name | woc-release-malware-audit |
| description | Perform a whole-tree World of ClaudeCraft release malware audit using the deterministic scanner plus contextual triage. Use before a release, for a release tag or branch, after suspicious dependency or install changes, or when explicitly asked for a malware-focused security review. |
Release Malware Audit
Determine whether the release tree contains deliberate malicious behavior or unresolved
indicators that make release unsafe. This is read-only: do not modify files,
dependencies, Git history, or remote state.
Establish scope
- Read the root
CLAUDE.md and instructions for relevant release, script, server,
deployment, and security paths.
- Run
git status --short.
- Record the exact commit, branch, tag, or working tree.
- Audit the whole release tree, not only the latest diff.
Do not expose secrets or inspect unrelated private data.
Scan once
The coordinating agent runs:
node scripts/malware_scan.mjs --json --quiet
Exit 0 means no findings, 1 means findings need triage, and 2 means the scan failed.
Capture structured output under a temporary path only when needed and preserve evidence.
Triage
Group findings by category and file. Dispatch independent read-only triage in parallel
when useful. Specialists inspect files and shared output without rerunning the scanner.
Review credential or wallet theft, exfiltration, covert telemetry, backdoors, auth
bypasses, command execution, obfuscated or fetched payloads, dependency and lifecycle
abuse, cryptomining, resource hijacking, and instruction injection. Include sensitive
behavior hidden in tests, fixtures, generated assets, documentation, and release tools.
For each flag, inspect context, reachability, intent, data flow, and whether it ships or
executes. Accidental defects belong in a normal security review, but unresolved ambiguity
in executable or release-critical content still blocks release.
Return PASS only when every finding and manual concern has a supported benign
explanation. Return BLOCK for malicious, reachable suspicious, or unresolved behavior.
Report the revision, tree state, scanner count, confirmed and unresolved indicators,
dismissed flags with evidence, manual coverage, limitations, and verdict.