Rotifer v0.7.9: Trust Shield — Security Scanning for the AI Agent Ecosystem

A static security scanner that grades AI tools A through D. A badge service for any developer's README. A cross-layer audit that brought CLI, MCP, WebMCP, and docs to full alignment.

VirusTotal tells you “not a virus.” But in an ecosystem of 38,000+ AI agent tools, “not a virus” is a low bar. After the ClawHavoc incident exposed 1,184 malicious Skills on ClawHub, the real question shifted from “is this safe?” to “is this actually good?”

v0.7.9 answers that question with three things: a static security scanner, a badge system anyone can embed, and a cross-layer alignment audit that closes every gap between CLI, MCP Server, and the browser.

Both @rotifer/playground and @rotifer/mcp-server are updated on npm.


V(g) Security Scanner

rotifer vg is a new CLI command that performs static analysis on AI tool source code. It scans for seven categories of risk, from code execution patterns to suspicious network calls:

```bash
rotifer vg scan ./my-skill/src
```

Output:

```json
{
  "grade": "B",
  "findings": [
    {
      "rule": "S-04",
      "severity": "HIGH",
      "file": "src/api.ts",
      "line": 42,
      "snippet": "fetch('https://api.openai.com/...')",
      "note": "Known API endpoint"
    }
  ],
  "stats": { "files_scanned": 3, "lines_of_code": 245 }
}
```

The Seven Rules

| Rule | Detects | Severity |
|------|---------|----------|
| S-01 | Dynamic code execution (eval(), new Function) | CRITICAL |
| S-02 | System command execution (child_process, exec, spawn) | CRITICAL |
| S-03 | Code obfuscation (atob() + eval combos, base64 decode chains) | CRITICAL |
| S-04 | Suspicious external communication (fetch, http.request to unknown domains) | HIGH |
| S-05 | Environment variable access (process.env, Deno.env) | HIGH |
| S-06 | Persistent outbound connections (WebSocket, net.Socket) | HIGH |
| S-07 | File system operations (fs.readFile, fs.writeFile, fs.unlink) | MEDIUM |

Grading: A Through D

Results roll up into a letter grade:

| Grade | Criteria | Badge Color |
|-------|----------|-------------|
| A | Zero CRITICAL + zero HIGH findings | Green |
| B | Zero CRITICAL + ≤2 HIGH with reasonable justification | Light green |
| C | Zero CRITICAL + >2 HIGH findings | Yellow |
| D | Any CRITICAL finding | Red |
| ? | Prompt-only tool (no scannable code) | Grey |

The scanner only reports objective facts — “found eval() at line 17” — never claims malicious intent. It’s a complement to VirusTotal, not a replacement.
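To make the rule table and the grade roll-up concrete, here is an added example (not Rotifer's own scanner) of a line-oriented static scanner over in-memory JS/TS source. The regexes for each rule, the known-host list, the comment-skipping heuristic and the decision to leave "reasonable justification" to human review are this example's assumptions; the sample skill it scans is constructed.

```javascript
// Added example, not Rotifer's scanner: apply the seven V(g) rule categories to
// JS/TS source held in memory and roll findings up into the A-D grade above.
// Regexes, KNOWN_API_HOSTS and the comment heuristic are assumptions of this example.

const RULES = [
  { rule: 'S-01', severity: 'CRITICAL',
    test: l => /\beval\s*\(|\bnew\s+Function\s*\(/.test(l) },
  { rule: 'S-02', severity: 'CRITICAL',
    test: l => /\bchild_process\b|\b(?:exec|execSync|spawn|spawnSync)\s*\(/.test(l) },
  { rule: 'S-03', severity: 'CRITICAL',   // a decode chain feeding dynamic execution
    test: l => (/\batob\s*\(/.test(l) || /['"]base64['"]/.test(l)) &&
               /\beval\s*\(|\bnew\s+Function\s*\(/.test(l) },
  { rule: 'S-04', severity: 'HIGH',
    test: l => /\bfetch\s*\(|\bhttps?\.(?:request|get)\s*\(/.test(l) },
  { rule: 'S-05', severity: 'HIGH',
    test: l => /\bprocess\.env\b|\bDeno\.env\b/.test(l) },
  { rule: 'S-06', severity: 'HIGH',
    test: l => /\bnew\s+WebSocket\s*\(|\bnet\.(?:Socket|connect|createConnection)\b/.test(l) },
  { rule: 'S-07', severity: 'MEDIUM',
    test: l => /\bfs\.(?:promises\.)?(?:readFile|writeFile|unlink|rm)(?:Sync)?\s*\(/.test(l) },
];

// Constructed allow-list: a hit is still reported as HIGH, it only gains the
// "Known API endpoint" note so a reviewer can triage it faster.
const KNOWN_API_HOSTS = ['api.openai.com', 'api.anthropic.com'];

function gradeFindings(findings) {
  const count = sev => findings.filter(f => f.severity === sev).length;
  if (count('CRITICAL') > 0) return 'D';
  const high = count('HIGH');
  if (high === 0) return 'A';
  return high <= 2 ? 'B' : 'C';   // B still needs a human to judge the justification
}

// files: { 'relative/path.ts': 'source text' }
function scanSource(files) {
  const findings = [];
  let loc = 0;
  for (const [file, source] of Object.entries(files)) {
    source.split('\n').forEach((raw, i) => {
      const line = raw.trim();
      if (line === '') return;
      loc += 1;
      // comment-only lines are counted but not matched, so prose about eval() is not a finding
      if (line.startsWith('//') || line.startsWith('*') || line.startsWith('/*')) return;
      for (const r of RULES) {
        if (!r.test(line)) continue;
        const finding = { rule: r.rule, severity: r.severity, file, line: i + 1, snippet: line.slice(0, 80) };
        if (r.rule === 'S-04') {
          const host = (line.match(/https?:\/\/([^/'"`\s]+)/) || [])[1];
          if (host && KNOWN_API_HOSTS.includes(host)) finding.note = 'Known API endpoint';
        }
        findings.push(finding);
      }
    });
  }
  return {
    grade: loc === 0 ? '?' : gradeFindings(findings),   // '?' = nothing scannable
    findings,
    stats: { files_scanned: Object.keys(files).length, lines_of_code: loc },
  };
}

// Constructed sample skill: one env read and one call to a known API host -> grade B.
const SAMPLE_SKILL = {
  'src/api.ts': [
    "import { config } from './config';",
    '// calls the upstream model provider',
    'export async function ask(prompt: string) {',
    '  const key = process.env.OPENAI_API_KEY;',
    "  return fetch('https://api.openai.com/v1/responses', { headers: { Authorization: key } });",
    '}',
  ].join('\n'),
};

console.log(JSON.stringify(scanSource(SAMPLE_SKILL), null, 2));
```

Note that a single line can trip more than one rule: eval(atob(...)) is reported under both S-01 and S-03, which is what pushes obfuscated loaders straight to Grade D while a plain API wrapper with two HIGH findings lands on B.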


Badge System: badge.rotifer.dev

Every scan result feeds into a badge service running on Cloudflare Workers. The endpoint follows the shields.io JSON schema, so any developer can drop a trust badge into their README:

![Safety](https://img.shields.io/endpoint?url=https://badge.rotifer.dev/safety/@author/my-skill)

Four badge types are available:

| Badge | Endpoint | Data Source |
|-------|----------|-------------|
| Safety grade | /safety/:skill_id | V(g) scan result (Worker KV) |
| Gene reputation | /gene/:id | Cloud reputation score |
| Gene fitness | /gene/:id/fitness | Arena F(g) performance data |
| Developer reputation | /dev/:username | Aggregate developer score |

Responses are cached for one hour and served over CORS for embedding anywhere.
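As an added example (not the badge.rotifer.dev Worker's code), the following handler shows what serving /safety/:skill_id in the shields.io endpoint schema involves: route validation, a KV lookup, the one-hour cache header and the CORS header. The KV key layout ("safety:<skill_id>"), the shields.io colour names chosen for each grade, and the plain-object response (so it runs in Node without the Workers runtime) are this example's assumptions; the in-memory KV is constructed.

```javascript
// Added example, not the badge.rotifer.dev Worker: /safety/:skill_id as a
// shields.io "endpoint" JSON document. KV layout, colours and headers are assumptions.

// Colours from the grading table as shields.io named colours
// ("yellowgreen" stands in for the table's light green).
const GRADE_COLOR = { A: 'green', B: 'yellowgreen', C: 'yellow', D: 'red', '?': 'lightgrey' };
const VALID_GRADES = new Set(Object.keys(GRADE_COLOR));

// shields.io endpoint schema: schemaVersion, label, message, color, optional cacheSeconds.
function safetyBadge(grade) {
  const g = VALID_GRADES.has(grade) ? grade : null;   // anything unexpected in KV = unscanned
  return {
    schemaVersion: 1,
    label: 'safety',
    message: g === null ? 'not scanned' : g === '?' ? 'prompt-only' : `grade ${g}`,
    color: g === null ? 'lightgrey' : GRADE_COLOR[g],
    cacheSeconds: 3600,
  };
}

// Route parser; only the safety badge is implemented here. The id must look like
// [@scope/]name so path segments such as ".." never reach the KV lookup.
function routeBadge(pathname) {
  const m = pathname.match(/^\/safety\/(@?[\w-][\w.-]*\/[\w-][\w.-]*)$/);
  return m ? { kind: 'safety', skillId: m[1] } : null;
}

function jsonResponse(status, body) {
  return {
    status,
    headers: {
      'Content-Type': 'application/json',
      'Access-Control-Allow-Origin': '*',        // public badge, any README may embed it
      'Cache-Control': 'public, max-age=3600',   // one-hour cache
    },
    body: JSON.stringify(body),
  };
}

// kv: object with async get(key) -> string | null, the shape of a Workers KV binding
async function handleBadgeRequest(request, kv) {
  const route = routeBadge(new URL(request.url).pathname);
  if (!route) {
    return jsonResponse(404, { schemaVersion: 1, label: 'safety', message: 'unknown badge', color: 'lightgrey', isError: true });
  }
  const grade = await kv.get(`safety:${route.skillId}`);
  // A skill that was never scanned still gets 200 so shields.io renders a grey
  // badge rather than an error, and a missing scan is never shown as a good grade.
  return jsonResponse(200, safetyBadge(grade));
}

// Constructed in-memory stand-in for the KV namespace.
const FAKE_KV = { get: async key => ({ 'safety:@author/my-skill': 'B' })[key] ?? null };

// Worker entry point would be: export default { fetch: (req, env) => handleBadgeRequest(req, env.BADGES) }
handleBadgeRequest({ url: 'https://badge.rotifer.dev/safety/@author/my-skill' }, FAKE_KV)
  .then(res => console.log(res.status, res.body));
```

The design point worth copying is that an absent or malformed KV value degrades to a grey "not scanned" badge rather than to an error or, worse, to a default grade.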

Badge Generator

A dedicated page lets you generate badge markup without touching the API directly. Enter a tool name, see a live preview across four badge styles (flat, flat-square, for-the-badge, plastic), and copy the Markdown with one click.


Top 50 Scan: What We Found

We scanned the 50 most-installed Skills on ClawHub to establish a baseline. The full report is published separately, but the headline: 100% of scannable Skills triggered at least one finding.

| Finding | Prevalence |
|---------|------------|
| External network calls (S-04) | 94% |
| Environment variable access (S-05) | 72% |
| File system operations (S-07) | 58% |
| System command execution (S-02) | 36% |
| Dynamic code evaluation (S-01) | 14% |

This doesn’t mean 100% of Skills are dangerous — fetch() is how API-wrapping tools work. But it does mean the ecosystem lacks visibility into what tools actually do at the code level.

Grade distribution:

| Grade | Count | Percent |
|-------|-------|---------|
| A | 0 | 0% |
| B | 6 | 12% |
| C | 22 | 44% |
| D | 8 | 16% |
| ? (prompt-only) | 14 | 28% |

The absence of any Grade A result is notable. Even well-intentioned tools typically make at least one fetch() call that the scanner flags. The question isn’t whether findings exist — it’s whether they’re justified.

Important: these results describe code patterns, not malicious intent. A Grade D tool might be perfectly safe if its eval() usage is deliberate and sandboxed. The scanner provides data; developers provide judgment.


WebMCP: From Declaration to Execution

Prior to v0.7.9, the WebMCP tools on our marketplace site were declaration-only — <form hidden> tags that told browser agents what tools existed, but couldn’t actually run them. Agents would discover 5 tools and then… nothing.

Now there are 13 WebMCP tools with full browser-native execution:

| Site | Tools | Capability |
|------|-------|------------|
| Marketplace (rotifer.ai) | 10 | Gene search, detail, comparison, arena rankings, developer profiles, reputation, version history, leaderboard, stats, and a meta capability tool |
| Documentation (rotifer.dev) | 3 | Doc search, MCP config generation, domain suggestion |

Each tool uses navigator.modelContext.registerTool() to provide a real execute() function. When a browser agent calls get_gene_detail(name="search.web.google-v2"), the tool resolves the human-readable name to a UUID via a shared resolveGeneId() function, fetches the data from the cloud API, and returns structured results.

This is WebMCP as it was meant to work: tools that run inside the browser, using the user’s already-authenticated session, with same-origin protection. No additional API keys needed.
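The get_gene_detail flow described above, as an added example that is not the marketplace site's own code: a tool registered through navigator.modelContext.registerTool() whose execute() first runs the name-or-UUID input through a resolveGeneId() translation step and then fetches the detail record with the user's same-origin session. The registerTool object shape with execute receiving the parsed arguments, the /genes?name= and /genes/:id endpoints under a placeholder API base, and the returned fields are all assumptions of this example; the fake modelContext and fake fetch are constructed so it runs outside a browser.

```javascript
// Added example, not rotifer.ai's WebMCP code. Assumed: registerTool({ name,
// description, inputSchema, execute }) with execute(args); the API paths below
// are placeholders, not Rotifer's documented endpoints.

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const API_BASE = 'https://api.example.invalid';   // placeholder base URL

// Translation layer: pass UUIDs through, look everything else up by name.
async function resolveGeneId(nameOrId, fetchImpl = globalThis.fetch) {
  if (UUID_RE.test(nameOrId)) return nameOrId;
  // the name is URL-encoded, never interpolated raw into the query string
  const res = await fetchImpl(`${API_BASE}/genes?name=${encodeURIComponent(nameOrId)}`,
                              { credentials: 'same-origin' });
  if (!res.ok) throw new Error(`gene lookup failed: ${res.status}`);
  const body = await res.json();
  if (!body.id || !UUID_RE.test(body.id)) throw new Error(`no gene named ${nameOrId}`);
  return body.id;
}

function registerGeneDetailTool(modelContext, fetchImpl = globalThis.fetch) {
  modelContext.registerTool({
    name: 'get_gene_detail',
    description: 'Return metadata for a gene by human-readable name or UUID',
    inputSchema: {
      type: 'object',
      properties: { name: { type: 'string', description: 'gene name or UUID' } },
      required: ['name'],
    },
    async execute({ name }) {
      if (typeof name !== 'string' || name.length === 0 || name.length > 200) {
        throw new Error('name must be a non-empty string');
      }
      const id = await resolveGeneId(name, fetchImpl);
      // same-origin credentials: the user's existing session, no extra API key
      const res = await fetchImpl(`${API_BASE}/genes/${id}`, { credentials: 'same-origin' });
      if (!res.ok) throw new Error(`gene detail failed: ${res.status}`);
      const gene = await res.json();
      // return only the fields the agent needs, not the raw API record
      return { id, name: gene.name, version: gene.version, safety_grade: gene.safety_grade ?? '?' };
    },
  });
}

// Constructed stand-ins so the example runs in Node; in the page, pass
// navigator.modelContext and the real fetch instead.
function fakeModelContext() {
  const tools = [];
  return { tools, registerTool: tool => tools.push(tool) };
}
const FAKE_API = {
  'https://api.example.invalid/genes?name=search.web.google-v2':
    { id: '11111111-2222-4333-8444-555555555555' },
  'https://api.example.invalid/genes/11111111-2222-4333-8444-555555555555':
    { name: 'search.web.google-v2', version: '2.1.0', safety_grade: 'B' },
};
async function fakeFetch(url) {
  const body = FAKE_API[url];
  return body ? { ok: true, status: 200, json: async () => body }
              : { ok: false, status: 404, json: async () => ({}) };
}

if (typeof navigator !== 'undefined' && navigator.modelContext) {
  registerGeneDetailTool(navigator.modelContext);   // real browser registration
}
const demo = fakeModelContext();
registerGeneDetailTool(demo, fakeFetch);
demo.tools[0].execute({ name: 'search.web.google-v2' }).then(r => console.log(r));
```

Because the resolver is shared, the MCP server's UUID-keyed contract and the browser tool's name-keyed interface can stay different on the surface while hitting the same backend record, which is the alignment the next section describes.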


Cross-Layer Alignment: CLI ↔ MCP ↔ WebMCP ↔ Docs

A systematic cross-layer audit exposed gaps at every junction:

| Before | After |
|--------|-------|
| MCP docs covered 9 of 28 tools (32%) | 28 of 28 tools documented (100%) — English and Chinese |
| WebMCP had 5 declarative tools | 13 tools with execute logic |
| get_gene_detail WebMCP used name, MCP expected UUID id | Unified via resolveGeneId() translation layer |
| 4 CLI doc pages had no Chinese translation | All translated |
| No CLI ↔ MCP feature mapping for developers | Mapping table added to MCP setup guide |

The MCP documentation now groups all 28 tools into four categories — Gene Lifecycle, Query & Discovery, Arena & Reputation, and Agent & Auth — with parameter descriptions and example responses for each.

CLI ↔ MCP Mapping

A new reference table in the MCP setup guide shows developers which CLI commands correspond to which MCP tools:

CLI: rotifer search <query> → MCP: search_genes
CLI: rotifer info <gene-id> → MCP: get_gene_detail
CLI: rotifer vg scan <path> → (CLI only — local scanning)
MCP: get_mcp_stats → (MCP only — server metadata)

Some operations are intentionally asymmetric: rotifer vg runs locally (no MCP equivalent needed), while get_mcp_stats is server metadata that makes no sense in a CLI context.


What’s Next: v0.8 — Iron Shell

v0.8 shifts focus to security hardening — deep Supabase audit covering the new attack surfaces introduced by Hybrid Genes and the Badge Worker, WASM sandbox escape testing with crafted malicious payloads, and the P2P Protocol RFC (design only, no implementation until v0.9).

The security scanner built in v0.7.9 scans other people’s code. v0.8 turns that same scrutiny inward.


Install / Upgrade

```bash
npm install -g @rotifer/playground@0.7.9
```

For MCP Server users:

```bash
npm install -g @rotifer/mcp-server@0.7.9
```

VSCode extension: search “Rotifer” in the Extensions panel, or install from the .vsix in the latest release.