clawdhub1 Is Active. Nobody Shared the Alert.

Distributed threat intelligence for the AI agent economy. Report, match, and coordinate in real-time. ShieldClaw scans skills. WatchTower monitors runtime. ThreatNet coordinates the intelligence between them.

Threat Landscape -- Feb 8, 2026
15 active threats tracked in the Molt ecosystem
341 compromised skills, agents, and accounts
0 coordination between detection services
How It Works

Transformer Embeddings

A 2-layer TransformerEncoder with 128 dimensions and 4 attention heads encodes threat report descriptions into dense vectors. A cosine similarity above 0.85 between two reports flags them as duplicate or related threats, which enables cross-report correlation without exact string matching.

PyTorch nn.TransformerEncoder + word-level tokenization

TF-IDF IOC Matching

Builds a TF-IDF matrix over all threat descriptions and indicator values with bigram features. New submissions are instantly compared against the full corpus. Sub-linear term frequency weighting reduces noise from common terms.

scikit-learn TfidfVectorizer + cosine_similarity

Severity Classifier

Gradient Boosting model predicts threat severity from 8 features: indicator count, YARA/hash/domain presence, description length, threat type, platform, and reporter trust. Trained on seed data from real Molt ecosystem incidents.

GradientBoostingClassifier, 80 estimators, depth 4

Temporal Analysis

Buckets threat submissions by hour and detects spikes exceeding 2 standard deviations from the rolling mean. Calculates threat velocity (reports/hour) to identify active campaigns. Alerts when coordinated attacks emerge.

NumPy rolling statistics + spike detection
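
The hourly bucketing and 2-standard-deviation spike check described above, as an added example that is not ThreatNet's own code. It uses the Python standard library instead of NumPy; the 6-hour window, the flat-baseline fallback, the 3-hour velocity span and the sample timestamps are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

WINDOW_HOURS = 6  # assumed rolling window; the page does not state one
SIGMA = 2.0       # from the page: spikes exceed 2 standard deviations

def hourly_counts(timestamps):
    """Bucket ISO-8601 submission times by hour, filling quiet hours with 0."""
    hours = [datetime.fromisoformat(t).replace(minute=0, second=0, microsecond=0)
             for t in timestamps]
    if not hours:
        return []
    counts, start = Counter(hours), min(hours)
    n = int((max(hours) - start) / timedelta(hours=1)) + 1
    return [(start + timedelta(hours=i), counts[start + timedelta(hours=i)])
            for i in range(n)]

def detect_spikes(buckets, window=WINDOW_HOURS, sigma=SIGMA):
    """Flag hours whose count exceeds mean + sigma * std of the preceding
    `window` hours; the hour under test is excluded from its own baseline."""
    spikes = []
    for i in range(window, len(buckets)):
        history = [c for _, c in buckets[i - window:i]]
        mu, sd = mean(history), pstdev(history)
        # Flat baseline (sd == 0): fall back to a margin of one report (assumption).
        threshold = mu + sigma * sd if sd > 0 else mu + 1
        hour, count = buckets[i]
        if count > threshold:
            spikes.append({"hour": hour.isoformat(), "count": count,
                           "baseline_mean": round(mu, 2)})
    return spikes

def velocity(buckets, hours=3):
    """Threat velocity: mean reports/hour over the most recent `hours` buckets."""
    recent = [c for _, c in buckets[-hours:]]
    return sum(recent) / len(recent) if recent else 0.0

def sample_timestamps():
    """Constructed feed: a 1-2 reports/hour baseline, then a burst of 9 at 07:00."""
    base = datetime(2026, 2, 8)
    per_hour = [1, 2, 1, 2, 1, 2, 1, 9, 2]
    return [(base + timedelta(hours=h, minutes=5 * k)).isoformat()
            for h, n in enumerate(per_hour) for k in range(n)]

if __name__ == "__main__":
    buckets = hourly_counts(sample_timestamps())
    print(detect_spikes(buckets), velocity(buckets))
```
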
API
POST /threat/report
Submit a new threat report to the intelligence database
// Request
{
  "title": "New ClawHavoc variant detected",
  "description": "Variant uses __import__ obfuscation to load exfil module...",
  "threat_type": "malware",
  "severity": "critical",
  "indicators": [
    { "indicator_type": "hash", "value": "a3f8b2...", "confidence": 0.95 }
  ],
  "platform": "openclaw"
}

// Response
{
  "report_id": "THREAT-A1B2C3D4",
  "accepted": true,
  "similar_reports": [
    { "report_id": "THREAT-002", "title": "clawdhub1 Variant", "similarity": 0.91 }
  ]
}
POST /threat/match
Check a sample against all known threats
// Request
{
  "sample": "clawdhub1",
  "indicator_type": "pattern"
}

// Response
{
  "matches": [ /* matching ThreatReport objects */ ],
  "match_count": 2,
  "highest_severity": "critical"
}
GET /threats/feed?page=1&per_page=10&severity=critical
Paginated threat feed with optional severity/type filters
GET /threats/stats
Aggregate threat landscape statistics: counts by type, severity, platform, and temporal trend
GET /threats/{report_id}
Retrieve a single threat report by ID
POST /yara/match
Match content against 10 built-in YARA-like detection rules
// Request
{
  "content": "open('.clawdbot/.env').read()",
  "rule_names": []
}

// Response
{
  "matches": [
    { "rule_name": "CLAWHAVOC_ENV_THEFT", "severity": "critical", "match_count": 1 }
  ],
  "rules_checked": 10,
  "highest_severity": "critical"
}
Quick start
curl -X POST http://localhost:8000/threat/match \
  -H "Content-Type: application/json" \
  -d '{"sample": "clawdhub1", "indicator_type": "pattern"}'
Threat Landscape
[Charts: Threats by Type; Severity Distribution]