Run any Skill in Manus with one click

$pwd:

mal-develop

Name: Mal Develop
Author: chainreactors

// MAL (Malice Scripting Language) plugin development guide. Helps users write Lua plugins for IoM, covering plugin structure, command registration, BOF invocation, resource management, event callbacks, testing, debugging, and publishing workflows. Trigger conditions: when users want to write MAL plugins, extend IoM commands, write Lua scripts, integrate BOFs, develop custom modules, or ask questions like "how to write a mal plugin", "how to add a new command to IoM", or "what Lua APIs are available".

Run Skill in Manus

$ git log --oneline --stat

stars:452

forks:67

updated:March 19, 2026 at 05:00

File Explorer

5 files

SKILL.md

readonly

name

mal-develop

description

MAL (Malice Scripting Language) plugin development guide. Helps users write Lua plugins for IoM, covering plugin structure, command registration, BOF invocation, resource management, event callbacks, testing, debugging, and publishing workflows. Trigger conditions: when users want to write MAL plugins, extend IoM commands, write Lua scripts, integrate BOFs, develop custom modules, or ask questions like "how to write a mal plugin", "how to add a new command to IoM", or "what Lua APIs are available".

MAL Plugin Development Guide

MAL is the Lua 5.1 plugin system for IoM. It extends the client with Lua scripts. Each plugin can register new commands, invoke BOFs, execute implant modules, and listen for events.

Plugin Structure at a Glance

my-plugin/
├── mal.yaml             # Plugin manifest (required)
├── main.lua             # Entry script (required)
├── modules/             # Lua modules (optional, used via require)
│   └── utils.lua
└── resources/           # Resource files (optional, BOFs, DLLs, etc.)
    └── bof/
        ├── tool.x64.o
        └── tool.x86.o

mal.yaml

name: my-plugin
type: lua
author: your-name
version: 1.0.0
entry: main.lua          # Entry file
lib: false               # true = library-only plugin (does not register commands)
depend_modules: []       # Required implant modules
depend_armory: []        # Required armory resources

See reference/plugin-structure.md for details.

Quick Example: Registering a Command

-- main.lua
local function run_hello(arg_name, cmd)
    print("Hello, " .. (arg_name or "world"))
end

local cmd = command("hello", run_hello, "Say hello", "")
opsec("hello", 10.0)
help("hello", "Usage: hello [name]")

High-Frequency API Quick Reference

Sorted by usage frequency, these are the most commonly used functions when developing MAL plugins:

Function	Purpose	Frequency
`command(name, fn, short, ttp)`	Register a command	Highest
`active()`	Get the current session	Very high
`script_resource(path)`	Get a plugin resource path	Very high
`opsec(name, score)`	Set OPSEC score	High
`bof(session, path, args, output)`	Execute a BOF	High
`bof_pack(format, ...)`	Pack BOF arguments	High
`bexecute_assembly(session, path, args)`	Execute .NET assembly	Medium
`help(name, text)`	Set help text	Medium
`new_sacrifice(ppid, block, etw, amsi, argue)`	Sacrifice process config	Medium

Parameter Conventions

local function handler(arg_target, flag_port, cmdline, args, cmd)
    -- arg_target  -> positional argument    flag_port -> --port flag
    -- cmdline     -> command line           args      -> argument array
    -- cmd         -> cobra.Command object
end

BOF Argument Format

bof_pack("Ziz", wide_string, integer, ansi_string)
-- z=ANSI string  Z=wide string  i=int32  s=int16  b=binary

See reference/api-reference.md for the full API reference.

Development Workflow

 Create          Write          Load          Verify         Debug          Publish
┌─────┐      ┌─────┐      ┌─────┐      ┌─────┐      ┌─────┐      ┌─────┐
│mkdir│─────→│ lua │─────→│load │─────→│test │─────→│ fix │─────→│push │
│yaml │      │code │      │     │      │     │      │     │      │     │
└─────┘      └─────┘      └─────┘      └─────┘      └──┬──┘      └─────┘
                                                        │
                                                  ┌─────┘
                                                  ↓ loop
                                               ┌─────┐
                                               │write │
                                               └─────┘

1. Create

mkdir -p my-plugin/resources/bof
# Write mal.yaml

2. Write

# Write main.lua, starting with the simplest command
# Refer to patterns in reference/examples.md

3. Load and Test

mal load /path/to/my-plugin

4. Verify

search_commands("my-command")       # Confirm command registration succeeded
my-command --help                   # Confirm help text is correct
my-command <test-args>              # Execute for real (requires a session)

5. Debug (on failure)

# Check logs
# print() in Lua outputs directly to the terminal
# After modifications, reload:
mal remove my-plugin
mal load /path/to/my-plugin

6. Publish

mal install /path/to/my-plugin.tar.gz    # Local install
# Or submit to https://github.com/chainreactors/mal-community

See reference/testing.md for detailed testing and verification methods.

Reference Documentation

Topic	Reference File
Full API Reference	reference/api-reference.md
Plugin Structure Details	reference/plugin-structure.md
Practical Examples	reference/examples.md
Testing, Verification & Debugging	reference/testing.md

External Documentation

Resource	Link
MAL Quick Start	https://chainreactors.github.io/wiki/IoM/manual/mal/quickstart/
IoM Wiki	https://chainreactors.github.io/wiki/IoM/
Community Plugin Repository	https://github.com/chainreactors/mal-community
Implant Repository	https://github.com/chainreactors/malefic
Community Plugin Source	`helper/intl/community/modules/` (best learning reference)

related-skills.json

same repository

iom-pentest.md

from "chainreactors/malice-network"

Autonomous penetration testing through IoM C2 MCP tools. Covers the full engagement lifecycle: reconnaissance, privilege escalation, credential harvesting, lateral movement, and persistence. Operates in an OODA loop — each phase analyzes results before deciding the next action. Use this skill whenever the user wants to run automated pentest, red team assessment, privilege escalation analysis, post-exploitation, or any offensive operation through IoM — even if they just mention "pentest", "提权", "横向", "信息收集", "凭据", "持久化", or "自动化测试".

2026-03-19452

iom-opsec.md

from "chainreactors/malice-network"

IoM Operational Security (OPSEC) advisor. Provides OPSEC methodology guidance, helps users understand operational risks, build secure operating habits, and accumulate experience through a case library. Does not execute commands directly; serves as decision support. Concrete technical specifications and OPSEC scoring are maintained in the iom-pentest skill. Trigger conditions: use when the user asks "is this safe?", "will this be detected?", "how should I think about OPSEC?", "risk assessment", "operational security advice", or "help me analyze the detection surface".

2026-03-19452

iom-pentest.md

from "chainreactors/malice-network"

Autonomous penetration testing via IoM C2 MCP tools. Adaptively executes based on user intent: situational awareness, reconnaissance, privilege escalation, credential harvesting, lateral movement, persistence, and more. Presents an execution plan and waits for user confirmation before sensitive operations. Trigger conditions: user mentions penetration testing, red team, post-exploitation, privilege escalation, lateral movement, credentials, persistence, situational awareness, or any scenario involving security assessment of a target through IoM.

2026-03-19452

iom.md

from "chainreactors/malice-network"

Complete user guide for the IoM (Implant-over-Middleware) C2 framework. Covers architecture concepts, basic operations, startup parameters, authentication configuration, troubleshooting, documentation resources, and community feedback. Trigger conditions: use this skill when the user asks about how IoM works, command usage, architecture concepts, configuration methods, how to troubleshoot issues, where to find documentation, or how to file an issue. Should also trigger for questions like "how do I connect", "what is a session", "I got an error", or "is there documentation".

2026-03-19452

package.json

"author": "chainreactors"

"repository": "chainreactors/malice-network"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Software DevelopersComputer and Mathematical Occupations15-1252L4

name

mal-develop

description

MAL Plugin Development Guide

MAL is the Lua 5.1 plugin system for IoM. It extends the client with Lua scripts. Each plugin can register new commands, invoke BOFs, execute implant modules, and listen for events.

Plugin Structure at a Glance

my-plugin/
├── mal.yaml             # Plugin manifest (required)
├── main.lua             # Entry script (required)
├── modules/             # Lua modules (optional, used via require)
│   └── utils.lua
└── resources/           # Resource files (optional, BOFs, DLLs, etc.)
    └── bof/
        ├── tool.x64.o
        └── tool.x86.o

mal.yaml

name: my-plugin
type: lua
author: your-name
version: 1.0.0
entry: main.lua          # Entry file
lib: false               # true = library-only plugin (does not register commands)
depend_modules: []       # Required implant modules
depend_armory: []        # Required armory resources

See reference/plugin-structure.md for details.

Quick Example: Registering a Command

-- main.lua
local function run_hello(arg_name, cmd)
    print("Hello, " .. (arg_name or "world"))
end

local cmd = command("hello", run_hello, "Say hello", "")
opsec("hello", 10.0)
help("hello", "Usage: hello [name]")

High-Frequency API Quick Reference

Sorted by usage frequency, these are the most commonly used functions when developing MAL plugins:

Function	Purpose	Frequency
`command(name, fn, short, ttp)`	Register a command	Highest
`active()`	Get the current session	Very high
`script_resource(path)`	Get a plugin resource path	Very high
`opsec(name, score)`	Set OPSEC score	High
`bof(session, path, args, output)`	Execute a BOF	High
`bof_pack(format, ...)`	Pack BOF arguments	High
`bexecute_assembly(session, path, args)`	Execute .NET assembly	Medium
`help(name, text)`	Set help text	Medium
`new_sacrifice(ppid, block, etw, amsi, argue)`	Sacrifice process config	Medium

Parameter Conventions

local function handler(arg_target, flag_port, cmdline, args, cmd)
    -- arg_target  -> positional argument    flag_port -> --port flag
    -- cmdline     -> command line           args      -> argument array
    -- cmd         -> cobra.Command object
end

BOF Argument Format

bof_pack("Ziz", wide_string, integer, ansi_string)
-- z=ANSI string  Z=wide string  i=int32  s=int16  b=binary

See reference/api-reference.md for the full API reference.

Development Workflow

 Create          Write          Load          Verify         Debug          Publish
┌─────┐      ┌─────┐      ┌─────┐      ┌─────┐      ┌─────┐      ┌─────┐
│mkdir│─────→│ lua │─────→│load │─────→│test │─────→│ fix │─────→│push │
│yaml │      │code │      │     │      │     │      │     │      │     │
└─────┘      └─────┘      └─────┘      └─────┘      └──┬──┘      └─────┘
                                                        │
                                                  ┌─────┘
                                                  ↓ loop
                                               ┌─────┐
                                               │write │
                                               └─────┘

1. Create

mkdir -p my-plugin/resources/bof
# Write mal.yaml

2. Write

# Write main.lua, starting with the simplest command
# Refer to patterns in reference/examples.md

3. Load and Test

mal load /path/to/my-plugin

4. Verify

search_commands("my-command")       # Confirm command registration succeeded
my-command --help                   # Confirm help text is correct
my-command <test-args>              # Execute for real (requires a session)

5. Debug (on failure)

# Check logs
# print() in Lua outputs directly to the terminal
# After modifications, reload:
mal remove my-plugin
mal load /path/to/my-plugin

6. Publish

mal install /path/to/my-plugin.tar.gz    # Local install
# Or submit to https://github.com/chainreactors/mal-community

See reference/testing.md for detailed testing and verification methods.

Reference Documentation

Topic	Reference File
Full API Reference	reference/api-reference.md
Plugin Structure Details	reference/plugin-structure.md
Practical Examples	reference/examples.md
Testing, Verification & Debugging	reference/testing.md

External Documentation

Resource	Link
MAL Quick Start	https://chainreactors.github.io/wiki/IoM/manual/mal/quickstart/
IoM Wiki	https://chainreactors.github.io/wiki/IoM/
Community Plugin Repository	https://github.com/chainreactors/mal-community
Implant Repository	https://github.com/chainreactors/malefic
Community Plugin Source	`helper/intl/community/modules/` (best learning reference)

mal-develop

MAL Plugin Development Guide

Plugin Structure at a Glance

mal.yaml

Quick Example: Registering a Command

High-Frequency API Quick Reference

Parameter Conventions

BOF Argument Format

Development Workflow

1. Create

2. Write

3. Load and Test

4. Verify

5. Debug (on failure)

6. Publish

Reference Documentation

External Documentation

More from this repository

More from this repository

MAL Plugin Development Guide

Plugin Structure at a Glance

mal.yaml

Quick Example: Registering a Command

High-Frequency API Quick Reference

Parameter Conventions

BOF Argument Format

Development Workflow

1. Create

2. Write

3. Load and Test

4. Verify

5. Debug (on failure)

6. Publish

Reference Documentation

External Documentation