Guides & Reference

Quick Start Guide

Step-by-step from install to automated monitoring.

  • Install
  • Create deployment repo
  • Initialize and configure credentials
  • First scan
  • Set up cron schedule
  • 14-day learning period
  • Go live

Configuration Reference

Complete mallcop.yaml schema and all options.

  • mallcop.yaml schema
  • Connector configuration
  • Routing configuration (actor chains)
  • Budget controls (circuit breaker, caps)
  • Secret backends (env, github, azure)
  • Baseline tuning
  • Self-improvement settings

Connector Catalog

Auth setup, event types, and configuration for each platform.

  • Azure - Activity Log, Container Apps, Cosmos DB, Defender
  • AWS CloudTrail - IAM, security groups, S3
  • GitHub - audit log, Dependabot, security alerts
  • Microsoft 365 - sign-ins, admin actions, Exchange
  • Vercel - deployments, audit log, team membership
  • Container Logs - stdout/stderr queries
  • Supabase - auth audit, project config, edge functions
  • OpenClaw - skill integrity, behavior, gateway security

Detector Catalog

What each detector catches, how to tune it, and how to write your own.

  • new-actor
  • priv-escalation
  • auth-failure-burst
  • unusual-timing
  • volume-anomaly
  • injection-probe
  • log-format-drift
  • new-external-access
  • unusual-resource-access
  • git-oops
  • malicious-skill
  • openclaw-config-drift
  • Writing custom detectors (YAML + Python)

Actor System

How AI agents triage and investigate findings.

  • Agent vs. channel actor types
  • POST.md playbook system
  • Actor routing and chaining
  • Tool permissions and sandboxing
  • Budget controls per actor
  • Dual-mode: autonomous + interactive
  • Writing custom actors

Self-Improvement

How mallcop writes its own patches.

  • What self-improvement means
  • Artifact safety tiers
  • The improvement loop with retry
  • Approval levels: always, gated, autonomous, yolo
  • Shakedown harness (quality validation)
  • CLI: mallcop improve

Skills

Domain expertise injected into investigation actors.

  • SKILL.md format and frontmatter fields
  • Built-in skills: privilege-analysis, aws-iam, openclaw-security
  • Skill hierarchy and parent inheritance
  • Writing and deploying custom skills
  • CLI: mallcop skill sign, verify, lock

Trust & Signing

Cryptographic verification for skills loaded into actor context.

  • Why skill signing matters (ToxicSkills, ClawHavoc)
  • Trust anchors and the mallcop root key
  • Endorsing authors: scope, level, expiry
  • Trust web chain traversal
  • skills.lock hash pinning
  • Org trust bootstrap walkthrough

CLI Reference

Every mallcop command with flags, options, and examples.

  • Pipeline: init, scan, detect, escalate, watch
  • Investigation: review, investigate, events, baseline
  • Feedback: ack, feedback
  • Operations: status, upgrade, heal
  • Academy: exam run, exam bakeoff, improve
  • Plugins: scaffold, verify
  • Skills & Trust: skill, trust