Provides a comprehensive shell script checklist to detect compromised axios versions and malware art

建议给你的 Agents（包括 OpenClaw）都投喂如下提示词，好好排查下是否存在这波 axios 被投毒事件影响：

参考下面这个方法排查一遍我们的环境是否存在被投毒的 [email protected] 与 [email protected]，及恶意模块 plain-crypto-js，不能漏，确保排查全面：
Check for the malicious axios versions in your project:
npm list axios 2>/dev/null | grep -E "1\.14\.1|0\.30\.4"
grep -A1 '"axios"' package-lock.json | grep -E "1\.14\.1|0\.30\.4"
Check for plain-crypto-js in node_modules:
ls node_modules/plain-crypto-js 2>/dev/null && echo "POTENTIALLY AFFECTED"
If setup.js already ran, package.jsoninside this directory will have been replaced with a clean stub. The presence of the directory is sufficient evidence the dropper executed.
Check for RAT artifacts on affected systems:
# macOS
ls -la /Library/Caches/com.apple.act.mond 2>/dev/null && echo "COMPROMISED"

# Linux
ls -la /tmp/ld.py 2>/dev/null && echo "COMPROMISED"

 "COMPROMISED"

# Windows (cmd.exe)
dir "%PROGRAMDATA%\wt.exe" 2>nul && echo COMPROMISED