clawmoat 0.2.1 → 0.5.0

package/CHANGELOG.md

@@ -0,0 +1,32 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## [0.3.0] - 2025-02-18
+
+### Added
+- **Excessive Agency Scanner (ASI02/ASI03)**: Advanced security scanning for AI agent behaviors with comprehensive test coverage
+- **OpenClaw Skill Integration**: Security scanning capabilities specifically designed for AI agent sessions
+- **CI/CD Workflow**: Automated testing and continuous integration setup
+- **SVG Brand Assets**: New logo, mark, and mark-with-moat SVG assets for better branding
+
+### Changed
+- **Renamed Pro Skill to Security Kit**: Better reflects the comprehensive security features
+- **New Pricing Structure**: 
+  - Pro Skill (Security Kit) now available as one-time $29 purchase
+  - Shield and Team subscriptions with 30-day trial period
+  - 14-day money-back guarantee
+- **Improved Documentation**: Enhanced README with better feature descriptions and setup instructions
+
+### Fixed
+- Checkout system now points to live Railway URL for better reliability
+- Various styling improvements for better user experience
+
+### UI/UX Improvements
+- Bigger, transparent SVG logo with left-aligned navigation
+- More space between logo and navigation links
+- Narrower pill-shaped "Get Access" button
+- Enhanced "Join Waitlist" and "Get Started" button styling and functionality
+
+## [0.2.1] - Previous Release
+- Initial stable release with core security features

package/Dockerfile

@@ -0,0 +1,22 @@
+FROM node:20-alpine
+
+# Set working directory
+WORKDIR /app
+
+# Install dependencies
+COPY package.json ./
+RUN npm install --omit=dev
+
+# Copy source code
+COPY . .
+
+# Ensure CLI is executable
+RUN chmod +x bin/clawmoat.js
+
+# Environment variables
+ENV NODE_ENV=production
+ENV CLAWMOAT_POLICY=strict
+
+# CLI entrypoint
+ENTRYPOINT ["node", "bin/clawmoat.js"]
+

package/README.md

@@ -1,8 +1,8 @@
 <p align="center">
-  <img src="https://img.shields.io/badge/🏰-ClawMoat-0F172A?style=for-the-badge&labelColor=10B981" alt="ClawMoat">
+  <img src="logo.png" alt="ClawMoat" width="400">
 </p>
 
-<h1 align="center">🏰 ClawMoat</h1>
+<h1 align="center">ClawMoat</h1>
 <p align="center"><strong>Security moat for AI agents</strong></p>
 <p align="center">Runtime protection against prompt injection, tool misuse, and data exfiltration.</p>
 
@@ -20,6 +20,21 @@
 
 ---
 
+## Why ClawMoat?
+
+Building with **LangChain**, **CrewAI**, **AutoGen**, or **OpenAI Agents**? Your agents have real capabilities — shell access, file I/O, web browsing, email. That's powerful, but one prompt injection in an email or scraped webpage can hijack your agent into exfiltrating secrets, running malicious commands, or poisoning its own memory.
+
+**ClawMoat is the missing security layer.** Drop it in front of your agent and get:
+
+- 🛡️ **Prompt injection detection** — multi-layer scanning catches instruction overrides, delimiter attacks, encoded payloads
+- 🔐 **Secret & PII scanning** — 30+ credential patterns + PII detection on outbound text
+- ⚡ **Zero dependencies** — pure Node.js, no ML models to download, sub-millisecond scans
+- 🔧 **CI/CD ready** — GitHub Actions workflow included, fail builds on security violations
+- 📋 **Policy engine** — YAML-based rules for shell, file, browser, and network access
+- 🏰 **OWASP coverage** — maps to all 10 risks in the OWASP Top 10 for Agentic AI
+
+**Works with any agent framework.** ClawMoat scans text — it doesn't care if it came from LangChain, CrewAI, AutoGen, or your custom agent.
+
 ## The Problem
 
 AI agents have shell access, browser control, email, and file system access. A single prompt injection in an email or webpage can hijack your agent into exfiltrating data, running malicious commands, or impersonating you.
@@ -46,6 +61,16 @@ clawmoat protect --config clawmoat.yml
 clawmoat dashboard
 ```
 
+### New in v0.5.0
+
+- 🔑 **Credential Monitor** — watches `~/.openclaw/credentials/` for unauthorized access and modifications using file hashing
+- 🧩 **Skill Integrity Checker** — hashes all SKILL.md and script files, detects tampering, flags suspicious patterns (eval, base64, curl to external URLs). CLI: `clawmoat skill-audit`
+- 🌐 **Network Egress Logger** — parses session logs for all outbound URLs, maintains domain allowlists, flags known-bad domains (webhook.site, ngrok, etc.)
+- 🚨 **Alert Delivery System** — unified alerts via console, file (audit.log), or webhook with severity levels and 5-minute rate limiting
+- 🤝 **Inter-Agent Message Scanner** — heightened-sensitivity scanning for agent-to-agent messages detecting impersonation, concealment, credential exfiltration, and safety bypasses
+- 📊 **Activity Reports** — `clawmoat report` generates 24h summaries of agent activity, tool usage, and network egress
+- 👻 **Daemon Mode** — `clawmoat watch --daemon` runs in background with PID file; `--alert-webhook=URL` for remote alerting
+
 ### As an OpenClaw Skill
 
 ```bash
@@ -54,6 +79,36 @@ openclaw skills add clawmoat
 
 Automatically scans inbound messages, audits tool calls, blocks violations, and logs events.
 
+## GitHub Action
+
+Add ClawMoat to your CI pipeline to catch prompt injection and secret leaks before they merge:
+
+```yaml
+# .github/workflows/clawmoat.yml
+name: ClawMoat Scan
+on: [pull_request]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+      - uses: darfaz/clawmoat/.github/actions/scan@main
+        with:
+          paths: '.'
+          fail-on: 'critical'    # critical | high | medium | low | none
+          format: 'summary'
+```
+
+Results appear as PR comments and job summaries. See [`examples/github-action-workflow.yml`](examples/github-action-workflow.yml) for more patterns.
+
 ## Features
 
 | Feature | Description | Status |
@@ -63,7 +118,90 @@ Automatically scans inbound messages, audits tool calls, blocks violations, and
 | 📋 **Policy Engine** | YAML rules for shell, files, browser, network | ✅ v0.1 |
 | 🕵️ **Jailbreak Detection** | Heuristic + classifier pipeline | ✅ v0.1 |
 | 📊 **Session Audit Trail** | Full tamper-evident action log | ✅ v0.1 |
-| 🧠 **Behavioral Analysis** | Anomaly detection on agent behavior | 🔜 v0.3 |
+| 🧠 **Behavioral Analysis** | Anomaly detection on agent behavior | 🔜 v0.5 |
+| 🏠 **Host Guardian** | Runtime security for laptop-hosted agents | ✅ v0.4 |
+
+## 🏠 Host Guardian — Security for Laptop-Hosted Agents
+
+Running an AI agent on your actual laptop? **Host Guardian** is the trust layer that makes it safe. It monitors every file access, command, and network request — blocking dangerous actions before they execute.
+
+### Permission Tiers
+
+Start locked down, open up as trust grows:
+
+| Mode | File Read | File Write | Shell | Network | Use Case |
+|------|-----------|------------|-------|---------|----------|
+| **Observer** | Workspace only | ❌ | ❌ | ❌ | Testing a new agent |
+| **Worker** | Workspace only | Workspace only | Safe commands | Fetch only | Daily use |
+| **Standard** | System-wide | Workspace only | Most commands | ✅ | Power users |
+| **Full** | Everything | Everything | Everything | ✅ | Audit-only mode |
+
+### Quick Start
+
+```js
+const { HostGuardian } = require('clawmoat');
+
+const guardian = new HostGuardian({ mode: 'standard' });
+
+// Check before every tool call
+guardian.check('read', { path: '~/.ssh/id_rsa' });
+// => { allowed: false, reason: 'Protected zone: SSH keys', severity: 'critical' }
+
+guardian.check('exec', { command: 'rm -rf /' });
+// => { allowed: false, reason: 'Dangerous command blocked: Recursive force delete', severity: 'critical' }
+
+guardian.check('exec', { command: 'git status' });
+// => { allowed: true, decision: 'allow' }
+
+// Runtime mode switching
+guardian.setMode('worker');  // Lock down further
+
+// Full audit trail
+console.log(guardian.report());
+```
+
+### What It Protects
+
+**🔒 Forbidden Zones** (always blocked):
+- SSH keys, GPG keys, AWS/GCloud/Azure credentials
+- Browser cookies & login data, password managers
+- Crypto wallets, `.env` files, `.netrc`
+- System files (`/etc/shadow`, `/etc/sudoers`)
+
+**⚡ Dangerous Commands** (blocked by tier):
+- Destructive: `rm -rf`, `mkfs`, `dd`
+- Escalation: `sudo`, `chmod +s`, `su -`
+- Network: reverse shells, `ngrok`, `curl | bash`
+- Persistence: `crontab`, modifying `.bashrc`
+- Exfiltration: `curl --data`, `scp` to unknown hosts
+
+**📋 Audit Trail**: Every action recorded with timestamps, verdicts, and reasons. Generate reports anytime.
+
+### Configuration
+
+```js
+const guardian = new HostGuardian({
+  mode: 'worker',
+  workspace: '~/.openclaw/workspace',
+  safeZones: ['~/projects', '~/Documents'],     // Additional allowed paths
+  forbiddenZones: ['~/tax-returns'],             // Custom protected paths
+  onViolation: (tool, args, verdict) => {        // Alert callback
+    notify(`⚠️ Blocked: ${verdict.reason}`);
+  },
+});
+```
+
+Or via `clawmoat.yml`:
+
+```yaml
+guardian:
+  mode: standard
+  workspace: ~/.openclaw/workspace
+  safe_zones:
+    - ~/projects
+  forbidden_zones:
+    - ~/tax-returns
+```
 
 ## Architecture
 
@@ -146,7 +284,7 @@ ClawMoat maps to the [OWASP Top 10 for Agentic AI (2026)](https://genai.owasp.or
 | OWASP Risk | Description | ClawMoat Protection | Status |
 |-----------|-------------|---------------------|--------|
 | **ASI01** | Prompt Injection & Manipulation | Multi-layer injection scanning on all inbound content | ✅ |
-| **ASI02** | Excessive Agency & Permissions | Policy engine enforces least-privilege per tool | ✅ |
+| **ASI02** | Excessive Agency & Permissions | Escalation detection + policy engine enforces least-privilege | ✅ |
 | **ASI03** | Insecure Tool Use | Command validation & argument sanitization | ✅ |
 | **ASI04** | Insufficient Output Validation | Output scanning for secrets, PII, dangerous code | ✅ |
 | **ASI05** | Memory & Context Poisoning | Context integrity checks on memory retrievals | 🔜 |
@@ -167,7 +305,8 @@ clawmoat/
 │   │   ├── prompt-injection.js
 │   │   ├── jailbreak.js
 │   │   ├── secrets.js
-│   │   └── pii.js
+│   │   ├── pii.js
+│   │   └── excessive-agency.js
 │   ├── policies/             # Policy enforcement
 │   │   ├── engine.js
 │   │   ├── exec.js

package/SECURITY.md

@@ -0,0 +1,63 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+|---------|--------------------|
+| 0.1.x   | ✅ Current release |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in ClawMoat, **please report it responsibly**.
+
+### How to Report
+
+1. **Email:** Send details to **security@clawmoat.com**
+2. **Subject line:** `[SECURITY] Brief description`
+3. **Include:**
+   - Description of the vulnerability
+   - Steps to reproduce
+   - Potential impact
+   - Suggested fix (if any)
+
+### What to Expect
+
+- **Acknowledgment** within 48 hours
+- **Assessment** within 7 days
+- **Fix timeline** communicated within 14 days
+- **Credit** in the release notes (unless you prefer anonymity)
+
+### What NOT to Do
+
+- Do not open a public GitHub issue for security vulnerabilities
+- Do not exploit the vulnerability beyond what's needed to demonstrate it
+- Do not access or modify other users' data
+
+## Scope
+
+The following are in scope:
+
+- **Scanner bypasses** — Attacks that evade ClawMoat's detection
+- **Policy engine bypasses** — Tool calls that circumvent policy rules
+- **Audit log tampering** — Ways to modify or forge audit entries
+- **Dependency issues** — Vulnerabilities in ClawMoat's dependencies (currently: none)
+
+The following are out of scope:
+
+- Denial of service via large inputs (expected behavior — use input size limits)
+- False positives/negatives in detection (please open a regular issue)
+- Vulnerabilities in upstream LLM providers
+
+## Security Best Practices
+
+When using ClawMoat:
+
+1. Keep ClawMoat updated to the latest version
+2. Enable all relevant scanners for your use case
+3. Use strict policy configurations in production
+4. Review audit logs regularly
+5. Set up alerts for critical-severity findings
+
+## PGP Key
+
+For encrypted communications, use our PGP key (available on request at security@clawmoat.com).

package/bin/clawmoat.js

@@ -16,6 +16,10 @@ const path = require('path');
 const ClawMoat = require('../src/index');
 const { scanSkillContent } = require('../src/scanners/supply-chain');
 const { calculateGrade, generateBadgeSVG, getShieldsURL } = require('../src/badge');
+const { SkillIntegrityChecker } = require('../src/guardian/skill-integrity');
+const { NetworkEgressLogger } = require('../src/guardian/network-log');
+const { AlertManager } = require('../src/guardian/alerts');
+const { CredentialMonitor } = require('../src/guardian/index');
 
 const VERSION = require('../package.json').version;
 const BOLD = '\x1b[1m';
@@ -41,6 +45,12 @@ switch (command) {
   case 'watch':
     cmdWatch(args.slice(1));
     break;
+  case 'skill-audit':
+    cmdSkillAudit(args.slice(1));
+    break;
+  case 'report':
+    cmdReport(args.slice(1));
+    break;
   case 'test':
     cmdTest();
     break;
@@ -339,16 +349,46 @@ function cmdTest() {
 }
 
 function cmdWatch(args) {
-  const agentDir = args[0] || path.join(process.env.HOME, '.openclaw/agents/main');
+  const isDaemon = args.includes('--daemon');
+  const webhookArg = args.find(a => a.startsWith('--alert-webhook='));
+  const webhookUrl = webhookArg ? webhookArg.split('=').slice(1).join('=') : null;
+  const filteredArgs = args.filter(a => a !== '--daemon' && !a.startsWith('--alert-webhook='));
+  const agentDir = filteredArgs[0] || path.join(process.env.HOME, '.openclaw/agents/main');
   const { watchSessions } = require('../src/middleware/openclaw');
 
+  // Daemon mode: fork to background
+  if (isDaemon) {
+    const { spawn } = require('child_process');
+    const daemonArgs = process.argv.slice(2).filter(a => a !== '--daemon');
+    const child = spawn(process.execPath, [__filename, ...daemonArgs], {
+      detached: true,
+      stdio: 'ignore',
+    });
+    child.unref();
+    const pidFile = path.join(process.env.HOME, '.clawmoat.pid');
+    fs.writeFileSync(pidFile, String(child.pid));
+    console.log(`${BOLD}🏰 ClawMoat daemon started${RESET} (PID: ${child.pid})`);
+    console.log(`${DIM}PID file: ${pidFile}${RESET}`);
+    process.exit(0);
+  }
+
+  // Set up alert manager
+  const alertChannels = ['console'];
+  if (webhookUrl) alertChannels.push('webhook');
+  const alertMgr = new AlertManager({ channels: alertChannels, webhookUrl });
+
   console.log(`${BOLD}🏰 ClawMoat Live Monitor${RESET}`);
   console.log(`${DIM}Watching: ${agentDir}${RESET}`);
+  if (webhookUrl) console.log(`${DIM}Webhook: ${webhookUrl}${RESET}`);
   console.log(`${DIM}Press Ctrl+C to stop${RESET}\n`);
 
   const monitor = watchSessions({ agentDir });
   if (!monitor) process.exit(1);
 
+  // Also start credential monitor
+  const credMon = new CredentialMonitor({ quiet: false, onAlert: (a) => alertMgr.send(a) });
+  credMon.start();
+
   // Print summary every 60s
   setInterval(() => {
     const summary = monitor.getSummary();
@@ -359,12 +399,150 @@ function cmdWatch(args) {
 
   process.on('SIGINT', () => {
     monitor.stop();
+    credMon.stop();
     const summary = monitor.getSummary();
     console.log(`\n${BOLD}Session Summary:${RESET} ${summary.scanned} scanned, ${summary.blocked} blocked, ${summary.warnings} warnings`);
     process.exit(0);
   });
 }
 
+function cmdSkillAudit(args) {
+  const skillsDir = args[0] || path.join(process.env.HOME, '.openclaw', 'workspace', 'skills');
+
+  console.log(`${BOLD}🏰 ClawMoat Skill Integrity Audit${RESET}`);
+  console.log(`${DIM}Directory: ${skillsDir}${RESET}\n`);
+
+  if (!fs.existsSync(skillsDir)) {
+    console.log(`${YELLOW}Skills directory not found: ${skillsDir}${RESET}`);
+    console.log(`${DIM}Specify path: clawmoat skill-audit /path/to/skills${RESET}`);
+    process.exit(0);
+  }
+
+  const checker = new SkillIntegrityChecker({ skillsDir });
+  const initResult = checker.init();
+
+  console.log(`Files hashed: ${initResult.files}`);
+  console.log(`New files: ${initResult.new}`);
+  console.log(`Changed files: ${initResult.changed}`);
+  console.log();
+
+  if (initResult.suspicious.length > 0) {
+    console.log(`${RED}${BOLD}Suspicious patterns found:${RESET}`);
+    for (const f of initResult.suspicious) {
+      console.log(`  ${RED}⚠${RESET} ${f.file}: ${f.label} ${DIM}(${f.severity})${RESET}`);
+      if (f.matched) console.log(`    ${DIM}Matched: ${f.matched}${RESET}`);
+    }
+  } else {
+    console.log(`${GREEN}✅ No suspicious patterns found${RESET}`);
+  }
+
+  // Run audit against stored hashes
+  const audit = checker.audit();
+  if (!audit.ok) {
+    console.log();
+    if (audit.changed.length) console.log(`${RED}Changed files:${RESET} ${audit.changed.join(', ')}`);
+    if (audit.missing.length) console.log(`${YELLOW}Missing files:${RESET} ${audit.missing.join(', ')}`);
+  }
+
+  process.exit(initResult.suspicious.length > 0 || initResult.changed > 0 ? 1 : 0);
+}
+
+function cmdReport(args) {
+  const sessionsDir = args[0] || path.join(process.env.HOME, '.openclaw/agents/main/sessions');
+
+  console.log(`${BOLD}🏰 ClawMoat Activity Report (Last 24h)${RESET}`);
+  console.log(`${DIM}Sessions: ${sessionsDir}${RESET}\n`);
+
+  if (!fs.existsSync(sessionsDir)) {
+    console.log(`${YELLOW}Sessions directory not found${RESET}`);
+    process.exit(0);
+  }
+
+  const oneDayAgo = Date.now() - 86400000;
+  const files = fs.readdirSync(sessionsDir).filter(f => f.endsWith('.jsonl'));
+  let recentFiles = 0;
+  let totalEntries = 0;
+  let toolCalls = 0;
+  let threats = 0;
+  const toolUsage = {};
+
+  for (const file of files) {
+    const filePath = path.join(sessionsDir, file);
+    try {
+      const stat = fs.statSync(filePath);
+      if (stat.mtimeMs < oneDayAgo) continue;
+    } catch { continue; }
+
+    recentFiles++;
+    const lines = fs.readFileSync(filePath, 'utf8').split('\n').filter(Boolean);
+
+    for (const line of lines) {
+      try {
+        const entry = JSON.parse(line);
+        totalEntries++;
+
+        if (entry.role === 'assistant' && Array.isArray(entry.content)) {
+          for (const part of entry.content) {
+            if (part.type === 'toolCall') {
+              toolCalls++;
+              toolUsage[part.name] = (toolUsage[part.name] || 0) + 1;
+            }
+          }
+        }
+
+        // Quick threat scan
+        const text = extractContent(entry);
+        if (text) {
+          const result = moat.scan(text, { context: 'report' });
+          if (!result.safe) threats++;
+        }
+      } catch {}
+    }
+  }
+
+  // Network egress
+  const netLogger = new NetworkEgressLogger();
+  const netResult = netLogger.scanSessions(sessionsDir, { maxAge: 86400000 });
+
+  console.log(`${BOLD}Activity:${RESET}`);
+  console.log(`  Sessions active: ${recentFiles}`);
+  console.log(`  Total entries: ${totalEntries}`);
+  console.log(`  Tool calls: ${toolCalls}`);
+  console.log(`  Threats detected: ${threats}`);
+  console.log();
+
+  if (Object.keys(toolUsage).length > 0) {
+    console.log(`${BOLD}Tool Usage:${RESET}`);
+    const sorted = Object.entries(toolUsage).sort((a, b) => b[1] - a[1]);
+    for (const [tool, count] of sorted.slice(0, 15)) {
+      console.log(`  ${tool}: ${count}`);
+    }
+    console.log();
+  }
+
+  console.log(`${BOLD}Network Egress:${RESET}`);
+  console.log(`  URLs contacted: ${netResult.totalUrls}`);
+  console.log(`  Unique domains: ${netResult.domains.length}`);
+  console.log(`  Flagged (not in allowlist): ${netResult.flagged.length}`);
+  console.log(`  Known-bad domains: ${netResult.badDomains.length}`);
+
+  if (netResult.flagged.length > 0) {
+    console.log(`\n  ${YELLOW}Flagged domains:${RESET}`);
+    for (const d of netResult.flagged.slice(0, 20)) {
+      console.log(`    • ${d}`);
+    }
+  }
+
+  if (netResult.badDomains.length > 0) {
+    console.log(`\n  ${RED}Bad domains:${RESET}`);
+    for (const b of netResult.badDomains) {
+      console.log(`    🚨 ${b.domain} (in ${b.file})`);
+    }
+  }
+
+  process.exit(threats > 0 || netResult.badDomains.length > 0 ? 1 : 0);
+}
+
 function extractContent(entry) {
   if (typeof entry.content === 'string') return entry.content;
   if (Array.isArray(entry.content)) {
@@ -387,6 +565,10 @@ ${BOLD}USAGE${RESET}
   clawmoat audit [session-dir]    Audit OpenClaw session logs
   clawmoat audit --badge          Audit + generate security score badge SVG
   clawmoat watch [agent-dir]      Live monitor OpenClaw sessions
+  clawmoat watch --daemon         Daemonize watch mode (background, PID file)
+  clawmoat watch --alert-webhook=URL   Send alerts to webhook
+  clawmoat skill-audit [skills-dir]    Verify skill file integrity & scan for suspicious patterns
+  clawmoat report [sessions-dir]  24-hour activity summary report
   clawmoat test                   Run detection test suite
   clawmoat version                Show version
 
@@ -394,6 +576,9 @@ ${BOLD}EXAMPLES${RESET}
   clawmoat scan "Ignore all previous instructions"
   clawmoat scan --file suspicious-email.txt
   clawmoat audit ~/.openclaw/agents/main/sessions/
+  clawmoat watch --daemon --alert-webhook=https://hooks.example.com/alerts
+  clawmoat skill-audit ~/.openclaw/workspace/skills
+  clawmoat report
   clawmoat test
 
 ${BOLD}CONFIG${RESET}