diff --git a/runbooks/atomic-rootkit-scan/readme.md b/runbooks/atomic-rootkit-scan/readme.md
new file mode 100644
index 0000000..0cbd216
--- /dev/null
+++ b/runbooks/atomic-rootkit-scan/readme.md
@@ -0,0 +1,21 @@
+# Context
+
+This folder contains a simple package checker to see if any locally installed
+AUR packages are in the list of compromised packages that we need to worry about.
+
+
+This is a super barebones script and more of a sanity check rather than
+something to be an end all be all safety check.
+
+
+# Running the script
+
+
+Paste link is optional in case any of the package lists out there become
+outdated. Usage: `python scan.py [rawpaste link]`
+
+
+
+
+
+
diff --git a/runbooks/atomic-rootkit-scan/scan.py b/runbooks/atomic-rootkit-scan/scan.py
new file mode 100644
index 0000000..b9fd3e9
--- /dev/null
+++ b/runbooks/atomic-rootkit-scan/scan.py
@@ -0,0 +1,33 @@
+from sys import argv
+from requests import get
+from subprocess import check_output
+
+def local_package_list():
+    pkgs = check_output('pacman -Qqm'.split())
+    return [ pkg.decode() for pkg in pkgs.splitlines()]
+
+
+def get_remote(url):
+    pkgs = get(url)
+    pkgs = [pkg.decode() for pkg in pkgs.content.splitlines()]
+    return set(pkgs)
+
+
+def pkg_in_remote(pkg_name, remote_set):
+    return pkg_name in remote_set
+
+
+if __name__ == '__main__':
+    if len(argv) == 2:
+        paste_url = argv[1]
+    else:
+        paste_url = 'https://paste.cachyos.org/73a714d'
+
+    remote_package_list = get_remote(paste_url)
+    for pkg in local_package_list():
+        if pkg_in_remote(pkg, remote_package_list):
+            print(f'COMPROMISED - {pkg}')
+        else:
+            print(f'CLEAN - {pkg}')
+
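Review bot: `get_remote` fails open: `get(url)` has no timeout and its body is used without `raise_for_status()`, so an HTTP error page, a redirect to an HTML wrapper instead of the raw paste, or an empty/stale paste produces a set containing no package names and every local package is then printed as CLEAN. The fetched entries are also not stripped (a trailing blank on a line would hide a match — `splitlines()` handles `\r\n` but not trailing spaces), and the `__main__` block always exits 0, so nothing driving this script can distinguish a hit from a clean run. I would make the fetch fail closed, normalise the entries, and exit non-zero on any hit, as below; the same logic applies if the caller passes their own paste URL. Since `pacman -Qqm` prints names without versions, the comparison is by package name only, which the readme's "sanity check" caveat should state explicitly — a name match does not prove the installed build is the compromised one, and a miss does not prove it is not, so the list source and its currency remain the trust anchor.

```python
def get_remote(url):
    resp = get(url, timeout=30)
    resp.raise_for_status()  # fail closed: an error page must not read as "no matches"
    return {line.decode().strip() for line in resp.content.splitlines() if line.strip()}

# … unchanged: pkg_in_remote …

if __name__ == '__main__':
    # … unchanged: paste_url selection …
    remote_package_list = get_remote(paste_url)
    found = False
    for pkg in local_package_list():
        if pkg_in_remote(pkg, remote_package_list):
            found = True
            print(f'COMPROMISED - {pkg}')
        else:
            print(f'CLEAN - {pkg}')
    if found:
        raise SystemExit(1)  # non-zero so callers can act on a hit
```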