
Rotifer Protocol

Originally published at rotifer.dev

Rotifer v0.7.9: Trust Shield — Security Scanning for the AI Agent Ecosystem

VirusTotal tells you "not a virus." But in an ecosystem of 13,000+ AI agent tools, "not a virus" is a low bar. After the ClawHavoc incident exposed 1,184 malicious Skills on ClawHub, the real question shifted from "is this safe?" to "is this actually good?"

v0.7.9 answers that question with three things: a static security scanner, a badge system anyone can embed, and a cross-layer alignment audit that closes every gap between CLI, MCP Server, and the browser.

Both @rotifer/playground and @rotifer/mcp-server are updated on npm.


V(g) Security Scanner

rotifer vg is a new CLI command that performs static analysis on AI tool source code. It scans for seven categories of risk, from code execution patterns to suspicious network calls:

rotifer vg scan ./my-skill/src

Output:

{
  "grade": "B",
  "findings": [
    {
      "rule": "S-04",
      "severity": "HIGH",
      "file": "src/api.ts",
      "line": 42,
      "snippet": "fetch('https://api.openai.com/...')",
      "note": "Known API endpoint"
    }
  ],
  "stats": { "files_scanned": 3, "lines_of_code": 245 }
}

The Seven Rules

| Rule | Detects | Severity |
|---|---|---|
| S-01 | Dynamic code execution (eval(), new Function) | CRITICAL |
| S-02 | System command execution (child_process, exec, spawn) | CRITICAL |
| S-03 | Code obfuscation (atob() + eval combos, base64 decode chains) | CRITICAL |
| S-04 | Suspicious external communication (fetch, http.request to unknown domains) | HIGH |
| S-05 | Environment variable access (process.env, Deno.env) | HIGH |
| S-06 | Persistent outbound connections (WebSocket, net.Socket) | HIGH |
| S-07 | File system operations (fs.readFile, fs.writeFile, fs.unlink) | MEDIUM |

Grading: A Through D

Results roll up into a letter grade:

| Grade | Criteria | Badge Color |
|---|---|---|
| A | Zero CRITICAL + zero HIGH findings | Green |
| B | Zero CRITICAL + ≤2 HIGH with reasonable justification | Light green |
| C | Zero CRITICAL + >2 HIGH findings | Yellow |
| D | Any CRITICAL finding | Red |
| ? | Prompt-only tool (no scannable code) | Grey |

The scanner reports only objective facts — "found eval() at line 17" — and never claims malicious intent. It complements VirusTotal rather than replacing it.
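To make the rule categories and the grade rollup concrete, here is a miniature scanner written for this post (it is not rotifer vg's code). The regexes, the "scannable file = .js/.ts" rule and the sample Skills are all assumptions; the B-versus-C cutoff applies only the numeric HIGH count, since the "reasonable justification" in the grading table is a human review step the scanner itself cannot perform.

```javascript
// Added example (not rotifer vg's code): seven rule categories and the A-D rollup; regexes are illustrative.
const RULES = [
  { rule: "S-01", severity: "CRITICAL", re: /\beval\s*\(|new\s+Function\s*\(/ },
  { rule: "S-02", severity: "CRITICAL", re: /child_process|\b(exec|execSync|spawn)\s*\(/ },
  { rule: "S-03", severity: "CRITICAL", re: /\beval\s*\(\s*atob\s*\(|Buffer\.from\s*\([^)]*["']base64["']/ },
  { rule: "S-04", severity: "HIGH",     re: /\bfetch\s*\(|\bhttps?\.request\s*\(/ },
  { rule: "S-05", severity: "HIGH",     re: /process\.env|Deno\.env/ },
  { rule: "S-06", severity: "HIGH",     re: /new\s+WebSocket\s*\(|net\.(Socket|connect)\b/ },
  { rule: "S-07", severity: "MEDIUM",   re: /\bfs\.(readFile|writeFile|unlink)(Sync)?\s*\(/ },
];
const SCANNABLE = /\.(m?js|cjs|ts)$/; // assumption: prompt-only tools (Markdown, JSON) have no scannable code

// files: { path: source }. Returns { grade, findings, stats } shaped like the CLI output above.
function scan(files) {
  const findings = [];
  let filesScanned = 0, linesOfCode = 0;
  for (const [file, src] of Object.entries(files)) {
    if (!SCANNABLE.test(file)) continue;
    filesScanned++;
    src.split("\n").forEach((text, i) => {
      if (text.trim()) linesOfCode++;
      for (const r of RULES) {
        if (r.re.test(text)) findings.push({ rule: r.rule, severity: r.severity, file, line: i + 1, snippet: text.trim() });
      }
    });
  }
  const stats = { files_scanned: filesScanned, lines_of_code: linesOfCode };
  return { grade: gradeFor(findings, stats), findings, stats };
}

function gradeFor(findings, stats) {
  if (stats.files_scanned === 0) return "?";      // prompt-only tool: nothing to scan
  const count = (sev) => findings.filter((f) => f.severity === sev).length;
  if (count("CRITICAL") > 0) return "D";          // any CRITICAL finding
  const high = count("HIGH");
  if (high === 0) return "A";
  return high <= 2 ? "B" : "C"; // "reasonable justification" for B is a human review step; only the count is applied here
}

// Constructed sample Skills, not real ClawHub packages.
const apiWrapper = {
  "SKILL.md": "Answer questions with the OpenAI API.", // skipped: not scannable
  "src/api.ts": 'const key = process.env.OPENAI_KEY;\n' +
                'export const ask = (q: string) => fetch("https://api.openai.com/v1/responses", { headers: { Authorization: key }, body: q });',
};
const shellRunner = { ...apiWrapper, "src/run.ts": 'import { exec } from "node:child_process";\nexport const run = (c: string) => exec(c);' };
const promptOnly = { "SKILL.md": "You are a careful assistant." };
console.log(JSON.stringify(scan(apiWrapper), null, 2)); // two HIGH findings (S-05, S-04), grade B
```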


Badge System: badge.rotifer.dev

Every scan result feeds into a badge service running on Cloudflare Workers. The endpoint follows the shields.io JSON schema, so any developer can drop a trust badge into their README:

![Safety](https://img.shields.io/endpoint?url=https://badge.rotifer.dev/safety/@author/my-skill)

Four badge types are available:

| Badge | Endpoint | Data Source |
|---|---|---|
| Safety grade | /safety/:skill_id | V(g) scan result (Worker KV) |
| Gene reputation | /gene/:id | Cloud reputation score |
| Gene fitness | /gene/:id/fitness | Arena F(g) performance data |
| Developer reputation | /dev/:username | Aggregate developer score |

Responses are cached for one hour and served with CORS headers, so the badges can be embedded anywhere.
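The shape of such an endpoint, as an added example that is not the badge.rotifer.dev Worker's code: a responder for /safety/:skill_id that returns the shields.io endpoint JSON (schemaVersion 1) with the one-hour cache and CORS headers described above. The KV contents and the hex colours for each grade are assumptions.

```javascript
// Added example (not the badge.rotifer.dev Worker): shields.io endpoint JSON for /safety/:skill_id.
const GRADE_COLORS = {
  A: { message: "A", color: "#4c1" },              // green
  B: { message: "B", color: "#97ca00" },           // light green
  C: { message: "C", color: "#dfb317" },           // yellow
  D: { message: "D", color: "#e05d44" },           // red
  "?": { message: "prompt-only", color: "#9f9f9f" }, // grey
};

// Constructed KV contents (skill id -> last V(g) grade); not real data.
const SAFETY_KV = new Map([
  ["@author/my-skill", "B"],
  ["@author/shell-helper", "D"],
  ["@author/prompt-pack", "?"],
]);

// Returns { status, headers, body } for a request path. The body follows the
// shields.io endpoint schema so img.shields.io/endpoint?url=... can render it.
function handleBadge(pathname) {
  const headers = {
    "content-type": "application/json",
    "access-control-allow-origin": "*",      // embeddable from any README or site
    "cache-control": "public, max-age=3600", // one-hour cache
  };
  const m = /^\/safety\/(.+)$/.exec(pathname); // skill ids contain "/" (e.g. @author/my-skill)
  if (!m) return { status: 404, headers, body: { error: "unknown badge route" } };
  const grade = SAFETY_KV.get(decodeURIComponent(m[1]));
  if (grade === undefined) {
    // Unscanned skill: still a valid badge so a README never shows a broken image.
    return { status: 200, headers, body: { schemaVersion: 1, label: "V(g) safety", message: "not scanned", color: "#9f9f9f" } };
  }
  const { message, color } = GRADE_COLORS[grade];
  return { status: 200, headers, body: { schemaVersion: 1, label: "V(g) safety", message, color } };
}

console.log(JSON.stringify(handleBadge("/safety/@author/my-skill").body));
```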

Badge Generator

A dedicated page lets you generate badge markup without touching the API directly. Enter a tool name, see a live preview across four badge styles (flat, flat-square, for-the-badge, plastic), and copy the Markdown with one click.


Top 50 Scan: What We Found

We scanned the 50 most-installed Skills on ClawHub to establish a baseline. The full report is published separately, but the headline: 100% of scannable Skills triggered at least one finding.

| Finding | Prevalence |
|---|---|
| External network calls (S-04) | 94% |
| Environment variable access (S-05) | 72% |
| File system operations (S-07) | 58% |
| System command execution (S-02) | 36% |
| Dynamic code evaluation (S-01) | 14% |

This doesn't mean 100% of Skills are dangerous — fetch() is how API-wrapping tools work. But it does mean the ecosystem lacks visibility into what tools actually do at the code level.

Grade distribution:

| Grade | Count | Percent |
|---|---|---|
| A | 0 | 0% |
| B | 6 | 12% |
| C | 22 | 44% |
| D | 8 | 16% |
| ? (prompt-only) | 14 | 28% |

The absence of any Grade A result is notable. Even well-intentioned tools typically make at least one fetch() call that the scanner flags. The question isn't whether findings exist — it's whether they're justified.

Important: these results describe code patterns, not malicious intent. A Grade D tool might be perfectly safe if its eval() usage is deliberate and sandboxed. The scanner provides data; developers provide judgment.


WebMCP: From Declaration to Execution

Prior to v0.7.9, the WebMCP tools on our marketplace site were declaration-only — <form hidden> tags that told browser agents what tools existed, but couldn't actually run them. Agents would discover 5 tools and then... nothing.

Now there are 13 WebMCP tools with full browser-native execution:

| Site | Tools | Capability |
|---|---|---|
| Marketplace (rotifer.ai) | 10 | Gene search, detail, comparison, arena rankings, developer profiles, reputation, version history, leaderboard, stats, and a meta capability tool |
| Documentation (rotifer.dev) | 3 | Doc search, MCP config generation, domain suggestion |

Each tool uses navigator.modelContext.registerTool() to provide a real execute() function. When a browser agent calls get_gene_detail(name="search.web.google-v2"), the tool resolves the human-readable name to a UUID via a shared resolveGeneId() function, fetches the data from the cloud API, and returns structured results.

This is WebMCP as it was meant to work: tools that run inside the browser, using the user's already-authenticated session, with same-origin protection. No additional API keys needed.


Cross-Layer Alignment: CLI ↔ MCP ↔ WebMCP ↔ Docs

A systematic cross-layer audit exposed gaps at every junction:

| Before | After |
|---|---|
| MCP docs covered 9 of 28 tools (32%) | 28 of 28 tools documented (100%) — English and Chinese |
| WebMCP had 5 declarative tools | 13 tools with execute logic |
| get_gene_detail: WebMCP used name, MCP expected UUID id | Unified via resolveGeneId() translation layer |
| 4 CLI doc pages had no Chinese translation | All translated |
| No CLI ↔ MCP feature mapping for developers | Mapping table added to MCP setup guide |

The MCP documentation now groups all 28 tools into four categories — Gene Lifecycle, Query & Discovery, Arena & Reputation, and Agent & Auth — with parameter descriptions and example responses for each.

CLI ↔ MCP Mapping

A new reference table in the MCP setup guide shows developers which CLI commands correspond to which MCP tools:

CLI: rotifer search <query>     →  MCP: search_genes
CLI: rotifer info <gene-id>     →  MCP: get_gene_detail
CLI: rotifer vg scan <path>     →  (CLI only — local scanning)
MCP: get_mcp_stats              →  (MCP only — server metadata)

Some operations are intentionally asymmetric: rotifer vg runs locally (no MCP equivalent needed), while get_mcp_stats is server metadata that makes no sense in a CLI context.


What's Next: v0.8 — Iron Shell

v0.8 shifts focus to security hardening — deep Supabase audit covering the new attack surfaces introduced by Hybrid Genes and the Badge Worker, WASM sandbox escape testing with crafted malicious payloads, and the P2P Protocol RFC (design only, no implementation until v0.9).

The security scanner built in v0.7.9 scans other people's code. v0.8 turns that same scrutiny inward.


Install / Upgrade

npm install -g @rotifer/playground@0.7.9

For MCP Server users:

npm install -g @rotifer/mcp-server@0.7.9

VSCode extension: search "Rotifer" in the Extensions panel, or install from the .vsix in the latest release.


This article was originally published on rotifer.dev. Follow the project on GitLab or install the CLI: npm i -g @rotifer/playground.
