
Summary
This rule detects suspicious child processes spawned by the OpenClaw, Moltbot, or Clawdbot AI assistants when they run under Node.js. These assistants have been observed executing malicious shell commands after skill or prompt injection, notably to target cryptocurrency wallets and steal credentials. The rule identifies potential misuse of these AI coding tools by watching for them to spawn scripting shells and common living-off-the-land binaries (LOLBins). It keys on indicators such as a parent process named `node` combined with command-line patterns typical of these AI agents, and alerts the organization to possible unauthorized activity originating from these frameworks.

Investigation should confirm that the OpenClaw occurrence is legitimate, examine the child command lines for malicious intent, check the parent process chain, and review installed skills for injected or malicious content.

Response to a confirmed detection includes terminating the malicious instance and, where credentials may have been exposed, rotating them to prevent further harm.
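A toy implementation of the detection logic described above, run over constructed process telemetry. This is an added example, not the rule's own query: the agent command-line pattern is approximated by the three agent names given on this page, and the shell/LOLBin list is an assumption standing in for whatever the real rule carries.

```python
"""Flag shells / LOLBins spawned by a Node.js process whose command line
looks like one of the named AI agents (added example, not the rule itself)."""
import re
from dataclasses import dataclass

# Assumption: the "command patterns typical of these AI agents" are
# approximated here by the agent names from the summary.
AGENT_CMDLINE = re.compile(r"openclaw|moltbot|clawdbot", re.IGNORECASE)

# Assumption: a representative set of scripting shells and LOLBins;
# a production rule would carry its own, longer list.
SUSPICIOUS_CHILDREN = {
    "sh", "bash", "zsh", "dash", "python", "python3", "perl", "ruby",
    "curl", "wget", "osascript", "powershell", "pwsh", "cmd",
}

@dataclass
class ProcessEvent:
    parent_name: str
    parent_cmdline: str
    child_name: str
    child_cmdline: str

def basename(name: str) -> str:
    """Normalise a process name: strip directory, '.exe' suffix and case,
    so Windows and POSIX telemetry are matched the same way."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base

def matches_rule(ev: ProcessEvent) -> bool:
    """All three conditions of the rule must hold for an event to fire."""
    return (basename(ev.parent_name) == "node"
            and AGENT_CMDLINE.search(ev.parent_cmdline) is not None
            and basename(ev.child_name) in SUSPICIOUS_CHILDREN)

def scan(events):
    """Return the child command lines of every matching event for triage."""
    return [ev.child_cmdline for ev in events if matches_rule(ev)]

# Constructed sample telemetry; paths and command lines are made up.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/node", "node /opt/openclaw/dist/agent.js",
                 "/bin/sh", "sh -c 'ls -la /home/dev'"),
    ProcessEvent("node.exe", "node.exe C:\\tools\\moltbot\\cli.js",
                 "powershell.exe", "powershell -nop -c Get-ChildItem"),
    ProcessEvent("/usr/bin/node", "node /srv/webapp/server.js",
                 "/bin/sh", "sh -c 'git rev-parse HEAD'"),   # ordinary Node app
    ProcessEvent("/usr/bin/node", "node /opt/clawdbot/agent.js",
                 "/usr/bin/git", "git status"),              # agent, no shell
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```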
Categories
- Endpoint
- Cloud
- Application
Data Sources
- Process
- User Account
- Network Traffic
ATT&CK Techniques
- T1059
- T1059.007
- T1071
- T1071.001
Created: 2026-02-02