clawmoat 0.2.1 → 0.4.0

package/CHANGELOG.md

@@ -0,0 +1,32 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## [0.3.0] - 2025-02-18
+
+### Added
+- **Excessive Agency Scanner (ASI02/ASI03)**: Advanced security scanning for AI agent behaviors with comprehensive test coverage
+- **OpenClaw Skill Integration**: Security scanning capabilities specifically designed for AI agent sessions
+- **CI/CD Workflow**: Automated testing and continuous integration setup
+- **SVG Brand Assets**: New logo, mark, and mark-with-moat SVG assets for better branding
+
+### Changed
+- **Renamed Pro Skill to Security Kit**: Better reflects the comprehensive security features
+- **New Pricing Structure**: 
+  - Pro Skill (Security Kit) now available as one-time $29 purchase
+  - Shield and Team subscriptions with 30-day trial period
+  - 14-day money-back guarantee
+- **Improved Documentation**: Enhanced README with better feature descriptions and setup instructions
+
+### Fixed
+- Checkout system now points to live Railway URL for better reliability
+- Various styling improvements for better user experience
+
+### UI/UX Improvements
+- Bigger, transparent SVG logo with left-aligned navigation
+- More space between logo and navigation links
+- Narrower pill-shaped "Get Access" button
+- Enhanced "Join Waitlist" and "Get Started" button styling and functionality
+
+## [0.2.1] - Previous Release
+- Initial stable release with core security features

package/Dockerfile

@@ -0,0 +1,22 @@
+FROM node:20-alpine
+
+# Set working directory
+WORKDIR /app
+
+# Install dependencies
+COPY package.json ./
+RUN npm install --omit=dev
+
+# Copy source code
+COPY . .
+
+# Ensure CLI is executable
+RUN chmod +x bin/clawmoat.js
+
+# Environment variables
+ENV NODE_ENV=production
+ENV CLAWMOAT_POLICY=strict
+
+# CLI entrypoint
+ENTRYPOINT ["node", "bin/clawmoat.js"]
+

package/README.md

@@ -1,8 +1,8 @@
 <p align="center">
-  <img src="https://img.shields.io/badge/🏰-ClawMoat-0F172A?style=for-the-badge&labelColor=10B981" alt="ClawMoat">
+  <img src="logo.png" alt="ClawMoat" width="400">
 </p>
 
-<h1 align="center">🏰 ClawMoat</h1>
+<h1 align="center">ClawMoat</h1>
 <p align="center"><strong>Security moat for AI agents</strong></p>
 <p align="center">Runtime protection against prompt injection, tool misuse, and data exfiltration.</p>
 
@@ -20,6 +20,21 @@
 
 ---
 
+## Why ClawMoat?
+
+Building with **LangChain**, **CrewAI**, **AutoGen**, or **OpenAI Agents**? Your agents have real capabilities — shell access, file I/O, web browsing, email. That's powerful, but one prompt injection in an email or scraped webpage can hijack your agent into exfiltrating secrets, running malicious commands, or poisoning its own memory.
+
+**ClawMoat is the missing security layer.** Drop it in front of your agent and get:
+
+- 🛡️ **Prompt injection detection** — multi-layer scanning catches instruction overrides, delimiter attacks, encoded payloads
+- 🔐 **Secret & PII scanning** — 30+ credential patterns + PII detection on outbound text
+- ⚡ **Zero dependencies** — pure Node.js, no ML models to download, sub-millisecond scans
+- 🔧 **CI/CD ready** — GitHub Actions workflow included, fail builds on security violations
+- 📋 **Policy engine** — YAML-based rules for shell, file, browser, and network access
+- 🏰 **OWASP coverage** — maps to all 10 risks in the OWASP Top 10 for Agentic AI
+
+**Works with any agent framework.** ClawMoat scans text — it doesn't care if it came from LangChain, CrewAI, AutoGen, or your custom agent.
+
 ## The Problem
 
 AI agents have shell access, browser control, email, and file system access. A single prompt injection in an email or webpage can hijack your agent into exfiltrating data, running malicious commands, or impersonating you.
@@ -54,6 +69,36 @@ openclaw skills add clawmoat
 
 Automatically scans inbound messages, audits tool calls, blocks violations, and logs events.
 
+## GitHub Action
+
+Add ClawMoat to your CI pipeline to catch prompt injection and secret leaks before they merge:
+
+```yaml
+# .github/workflows/clawmoat.yml
+name: ClawMoat Scan
+on: [pull_request]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+      - uses: darfaz/clawmoat/.github/actions/scan@main
+        with:
+          paths: '.'
+          fail-on: 'critical'    # critical | high | medium | low | none
+          format: 'summary'
+```
+
+Results appear as PR comments and job summaries. See [`examples/github-action-workflow.yml`](examples/github-action-workflow.yml) for more patterns.
+
 ## Features
 
 | Feature | Description | Status |
@@ -63,7 +108,90 @@ Automatically scans inbound messages, audits tool calls, blocks violations, and
 | 📋 **Policy Engine** | YAML rules for shell, files, browser, network | ✅ v0.1 |
 | 🕵️ **Jailbreak Detection** | Heuristic + classifier pipeline | ✅ v0.1 |
 | 📊 **Session Audit Trail** | Full tamper-evident action log | ✅ v0.1 |
-| 🧠 **Behavioral Analysis** | Anomaly detection on agent behavior | 🔜 v0.3 |
+| 🧠 **Behavioral Analysis** | Anomaly detection on agent behavior | 🔜 v0.5 |
+| 🏠 **Host Guardian** | Runtime security for laptop-hosted agents | ✅ v0.4 |
+
+## 🏠 Host Guardian — Security for Laptop-Hosted Agents
+
+Running an AI agent on your actual laptop? **Host Guardian** is the trust layer that makes it safe. It monitors every file access, command, and network request — blocking dangerous actions before they execute.
+
+### Permission Tiers
+
+Start locked down, open up as trust grows:
+
+| Mode | File Read | File Write | Shell | Network | Use Case |
+|------|-----------|------------|-------|---------|----------|
+| **Observer** | Workspace only | ❌ | ❌ | ❌ | Testing a new agent |
+| **Worker** | Workspace only | Workspace only | Safe commands | Fetch only | Daily use |
+| **Standard** | System-wide | Workspace only | Most commands | ✅ | Power users |
+| **Full** | Everything | Everything | Everything | ✅ | Audit-only mode |
+
+### Quick Start
+
+```js
+const { HostGuardian } = require('clawmoat');
+
+const guardian = new HostGuardian({ mode: 'standard' });
+
+// Check before every tool call
+guardian.check('read', { path: '~/.ssh/id_rsa' });
+// => { allowed: false, reason: 'Protected zone: SSH keys', severity: 'critical' }
+
+guardian.check('exec', { command: 'rm -rf /' });
+// => { allowed: false, reason: 'Dangerous command blocked: Recursive force delete', severity: 'critical' }
+
+guardian.check('exec', { command: 'git status' });
+// => { allowed: true, decision: 'allow' }
+
+// Runtime mode switching
+guardian.setMode('worker');  // Lock down further
+
+// Full audit trail
+console.log(guardian.report());
+```
+
+### What It Protects
+
+**🔒 Forbidden Zones** (always blocked):
+- SSH keys, GPG keys, AWS/GCloud/Azure credentials
+- Browser cookies & login data, password managers
+- Crypto wallets, `.env` files, `.netrc`
+- System files (`/etc/shadow`, `/etc/sudoers`)
+
+**⚡ Dangerous Commands** (blocked by tier):
+- Destructive: `rm -rf`, `mkfs`, `dd`
+- Escalation: `sudo`, `chmod +s`, `su -`
+- Network: reverse shells, `ngrok`, `curl | bash`
+- Persistence: `crontab`, modifying `.bashrc`
+- Exfiltration: `curl --data`, `scp` to unknown hosts
+
+**📋 Audit Trail**: Every action recorded with timestamps, verdicts, and reasons. Generate reports anytime.
+
+### Configuration
+
+```js
+const guardian = new HostGuardian({
+  mode: 'worker',
+  workspace: '~/.openclaw/workspace',
+  safeZones: ['~/projects', '~/Documents'],     // Additional allowed paths
+  forbiddenZones: ['~/tax-returns'],             // Custom protected paths
+  onViolation: (tool, args, verdict) => {        // Alert callback
+    notify(`⚠️ Blocked: ${verdict.reason}`);
+  },
+});
+```
+
+Or via `clawmoat.yml`:
+
+```yaml
+guardian:
+  mode: standard
+  workspace: ~/.openclaw/workspace
+  safe_zones:
+    - ~/projects
+  forbidden_zones:
+    - ~/tax-returns
+```
 
 ## Architecture
 
@@ -146,7 +274,7 @@ ClawMoat maps to the [OWASP Top 10 for Agentic AI (2026)](https://genai.owasp.or
 | OWASP Risk | Description | ClawMoat Protection | Status |
 |-----------|-------------|---------------------|--------|
 | **ASI01** | Prompt Injection & Manipulation | Multi-layer injection scanning on all inbound content | ✅ |
-| **ASI02** | Excessive Agency & Permissions | Policy engine enforces least-privilege per tool | ✅ |
+| **ASI02** | Excessive Agency & Permissions | Escalation detection + policy engine enforces least-privilege | ✅ |
 | **ASI03** | Insecure Tool Use | Command validation & argument sanitization | ✅ |
 | **ASI04** | Insufficient Output Validation | Output scanning for secrets, PII, dangerous code | ✅ |
 | **ASI05** | Memory & Context Poisoning | Context integrity checks on memory retrievals | 🔜 |
@@ -167,7 +295,8 @@ clawmoat/
 │   │   ├── prompt-injection.js
 │   │   ├── jailbreak.js
 │   │   ├── secrets.js
-│   │   └── pii.js
+│   │   ├── pii.js
+│   │   └── excessive-agency.js
 │   ├── policies/             # Policy enforcement
 │   │   ├── engine.js
 │   │   ├── exec.js

package/SECURITY.md

@@ -0,0 +1,63 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+|---------|--------------------|
+| 0.1.x   | ✅ Current release |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in ClawMoat, **please report it responsibly**.
+
+### How to Report
+
+1. **Email:** Send details to **security@clawmoat.com**
+2. **Subject line:** `[SECURITY] Brief description`
+3. **Include:**
+   - Description of the vulnerability
+   - Steps to reproduce
+   - Potential impact
+   - Suggested fix (if any)
+
+### What to Expect
+
+- **Acknowledgment** within 48 hours
+- **Assessment** within 7 days
+- **Fix timeline** communicated within 14 days
+- **Credit** in the release notes (unless you prefer anonymity)
+
+### What NOT to Do
+
+- Do not open a public GitHub issue for security vulnerabilities
+- Do not exploit the vulnerability beyond what's needed to demonstrate it
+- Do not access or modify other users' data
+
+## Scope
+
+The following are in scope:
+
+- **Scanner bypasses** — Attacks that evade ClawMoat's detection
+- **Policy engine bypasses** — Tool calls that circumvent policy rules
+- **Audit log tampering** — Ways to modify or forge audit entries
+- **Dependency issues** — Vulnerabilities in ClawMoat's dependencies (currently: none)
+
+The following are out of scope:
+
+- Denial of service via large inputs (expected behavior — use input size limits)
+- False positives/negatives in detection (please open a regular issue)
+- Vulnerabilities in upstream LLM providers
+
+## Security Best Practices
+
+When using ClawMoat:
+
+1. Keep ClawMoat updated to the latest version
+2. Enable all relevant scanners for your use case
+3. Use strict policy configurations in production
+4. Review audit logs regularly
+5. Set up alerts for critical-severity findings
+
+## PGP Key
+
+For encrypted communications, use our PGP key (available on request at security@clawmoat.com).