clawmoat 0.2.1

package/src/scanners/prompt-injection.js

@@ -0,0 +1,138 @@
+/**
+ * ClawMoat — Prompt Injection Scanner
+ * 
+ * Detects prompt injection attempts in text using:
+ * 1. Pattern matching (known injection patterns)
+ * 2. Heuristic scoring (instruction-like language in data context)
+ * 3. (Future) ML classifier via LlamaFirewall/NeMo
+ */
+
+// Known prompt injection patterns (case-insensitive)
+const INJECTION_PATTERNS = [
+  // Direct instruction override
+  { pattern: /ignore\s+(all\s+)?(previous|prior|above|earlier)\s+(instructions?|prompts?|rules?|guidelines?)/i, severity: 'critical', name: 'instruction_override' },
+  { pattern: /disregard\s+(all\s+)?(previous|prior|your)\s+(instructions?|prompts?|rules?|programming)/i, severity: 'critical', name: 'instruction_override' },
+  { pattern: /forget\s+(all\s+)?(previous|prior|your|everything)/i, severity: 'high', name: 'instruction_override' },
+  { pattern: /override\s+(your|all|the)\s+(instructions?|rules?|guidelines?|programming)/i, severity: 'critical', name: 'instruction_override' },
+  
+  // Role manipulation
+  { pattern: /you\s+are\s+now\s+(a|an|the|my)\s+/i, severity: 'high', name: 'role_manipulation' },
+  { pattern: /act\s+as\s+(a|an|if|though)\s+/i, severity: 'medium', name: 'role_manipulation' },
+  { pattern: /pretend\s+(you('re| are)|to\s+be)\s+/i, severity: 'high', name: 'role_manipulation' },
+  { pattern: /switch\s+to\s+(\w+\s+)?mode/i, severity: 'medium', name: 'role_manipulation' },
+  { pattern: /enter\s+(DAN|jailbreak|developer|god|sudo|admin)\s+mode/i, severity: 'critical', name: 'role_manipulation' },
+  
+  // System prompt extraction
+  { pattern: /(?:show|reveal|display|print|output|repeat|echo)\s+(?:me\s+)?(?:your|the)\s+(?:system\s+)?(?:prompt|instructions?|rules?|guidelines?)/i, severity: 'high', name: 'system_prompt_extraction' },
+  { pattern: /what\s+(?:are|is)\s+your\s+(?:system\s+)?(?:prompt|instructions?|rules?|initial\s+message)/i, severity: 'medium', name: 'system_prompt_extraction' },
+  { pattern: /(?:beginning|start)\s+of\s+(?:the\s+)?(?:system|initial)\s+(?:prompt|message|instruction)/i, severity: 'high', name: 'system_prompt_extraction' },
+
+  // Data exfiltration attempts
+  { pattern: /(?:send|post|upload|transmit|exfiltrate|forward)\s+(?:all|the|my|this|your)\s+(?:data|files?|info|content|messages?|history|conversation)/i, severity: 'critical', name: 'data_exfiltration' },
+  { pattern: /curl\s+.*\|\s*(?:bash|sh)/i, severity: 'critical', name: 'data_exfiltration' },
+  
+  // Delimiter/encoding attacks
+  { pattern: /```\s*system\b/i, severity: 'high', name: 'delimiter_attack' },
+  { pattern: /<\/?(?:system|instruction|prompt|message)\s*>/i, severity: 'high', name: 'delimiter_attack' },
+  { pattern: /\[INST\]|\[\/INST\]|\[SYSTEM\]/i, severity: 'high', name: 'delimiter_attack' },
+  { pattern: /<<\s*SYS\s*>>|<<\s*\/SYS\s*>>/i, severity: 'high', name: 'delimiter_attack' },
+  
+  // Invisible/encoded text
+  { pattern: /[\u200B-\u200F\u2028-\u202F\uFEFF]{3,}/i, severity: 'high', name: 'invisible_text' },
+  { pattern: /(?:base64|atob|decode)\s*\(/i, severity: 'medium', name: 'encoded_payload' },
+
+  // Tool abuse instructions
+  { pattern: /(?:run|execute|call|use)\s+(?:the\s+)?(?:exec|shell|terminal|command|bash)\s+(?:tool|function)/i, severity: 'medium', name: 'tool_abuse' },
+  { pattern: /(?:read|access|open)\s+(?:the\s+)?(?:file|path)\s+(?:\/etc|~\/\.ssh|~\/\.aws|\.env)/i, severity: 'high', name: 'tool_abuse' },
+];
+
+// Heuristic signals that text contains instruction-like content (in a data context)
+const INSTRUCTION_SIGNALS = [
+  { pattern: /\byou\s+(?:must|should|need\s+to|have\s+to|are\s+(?:required|instructed))\b/i, weight: 2 },
+  { pattern: /\b(?:do\s+not|don'?t|never)\s+(?:mention|reveal|tell|say|disclose)\b/i, weight: 3 },
+  { pattern: /\b(?:important|critical|urgent|mandatory)\s*[:\-!]\s*/i, weight: 1 },
+  { pattern: /\b(?:new\s+)?instructions?\s*:/i, weight: 3 },
+  { pattern: /\bstep\s+\d+\s*:/i, weight: 1 },
+  { pattern: /\bfrom\s+now\s+on\b/i, weight: 2 },
+  { pattern: /\binstead\s*,?\s+(?:you\s+)?(?:should|must|will)\b/i, weight: 2 },
+  { pattern: /\breal\s+(?:task|instruction|objective|goal)\b/i, weight: 3 },
+  { pattern: /\bhidden\s+(?:instruction|task|message)\b/i, weight: 3 },
+];
+
+/**
+ * Scan text for prompt injection
+ * @param {string} text - Text to scan
+ * @param {object} opts - Options
+ * @param {string} opts.context - Where this text came from (message, email, web, tool_output)
+ * @returns {object} Scan result
+ */
+function scanPromptInjection(text, opts = {}) {
+  if (!text || typeof text !== 'string') {
+    return { clean: true, score: 0, findings: [] };
+  }
+
+  const findings = [];
+  let maxSeverity = 'low';
+
+  // 1. Pattern matching
+  for (const { pattern, severity, name } of INJECTION_PATTERNS) {
+    const match = text.match(pattern);
+    if (match) {
+      findings.push({
+        type: 'prompt_injection',
+        subtype: name,
+        severity,
+        matched: match[0].substring(0, 100),
+        position: match.index,
+      });
+      if (severityRank(severity) > severityRank(maxSeverity)) {
+        maxSeverity = severity;
+      }
+    }
+  }
+
+  // 2. Heuristic scoring (instruction-like language in data)
+  let heuristicScore = 0;
+  for (const { pattern, weight } of INSTRUCTION_SIGNALS) {
+    if (pattern.test(text)) {
+      heuristicScore += weight;
+    }
+  }
+
+  // Boost score if text is from untrusted context
+  const contextMultiplier = opts.context === 'email' ? 1.5 :
+                            opts.context === 'web' ? 1.5 :
+                            opts.context === 'tool_output' ? 1.3 : 1.0;
+  heuristicScore *= contextMultiplier;
+
+  if (heuristicScore >= 5 && findings.length === 0) {
+    findings.push({
+      type: 'prompt_injection',
+      subtype: 'heuristic_detection',
+      severity: heuristicScore >= 8 ? 'high' : 'medium',
+      score: heuristicScore,
+      message: 'Text contains multiple instruction-like patterns in data context',
+    });
+    if (heuristicScore >= 8 && severityRank('high') > severityRank(maxSeverity)) {
+      maxSeverity = 'high';
+    }
+  }
+
+  // Composite score (0-100)
+  const patternScore = Math.min(findings.length * 25, 75);
+  const compositeScore = Math.min(patternScore + Math.min(heuristicScore * 5, 25), 100);
+
+  return {
+    clean: findings.length === 0,
+    score: compositeScore,
+    severity: findings.length > 0 ? maxSeverity : null,
+    findings,
+    heuristicScore,
+  };
+}
+
+function severityRank(s) {
+  return { low: 0, medium: 1, high: 2, critical: 3 }[s] || 0;
+}
+
+module.exports = { scanPromptInjection, INJECTION_PATTERNS };

package/src/scanners/secrets.js

@@ -0,0 +1,97 @@
+/**
+ * ClawMoat — Secret/Credential Scanner
+ * 
+ * Detects API keys, passwords, tokens, and other secrets in text
+ * to prevent exfiltration via outbound messages.
+ */
+
+const SECRET_PATTERNS = [
+  // API Keys & Tokens
+  { name: 'aws_access_key', pattern: /\bAKIA[0-9A-Z]{16}\b/, severity: 'critical' },
+  { name: 'aws_secret_key', pattern: /\b[A-Za-z0-9/+=]{40}\b/, severity: 'high', requireContext: /aws|secret|key/i },
+  { name: 'github_token', pattern: /\b(ghp|gho|ghs|ghu|ghr)_[A-Za-z0-9_]{36,}\b/, severity: 'critical' },
+  { name: 'github_fine_grained', pattern: /\bgithub_pat_[A-Za-z0-9_]{22,}\b/, severity: 'critical' },
+  { name: 'openai_key', pattern: /\bsk-[A-Za-z0-9]{20,}T3BlbkFJ[A-Za-z0-9]{20,}\b/, severity: 'critical' },
+  { name: 'openai_key_v2', pattern: /\bsk-proj-[A-Za-z0-9_-]{40,}\b/, severity: 'critical' },
+  { name: 'anthropic_key', pattern: /\bsk-ant-[A-Za-z0-9_-]{40,}\b/, severity: 'critical' },
+  { name: 'stripe_key', pattern: /\b[sr]k_(test|live)_[A-Za-z0-9]{20,}\b/, severity: 'critical' },
+  { name: 'stripe_webhook', pattern: /\bwhsec_[A-Za-z0-9]{20,}\b/, severity: 'critical' },
+  { name: 'slack_token', pattern: /\bxox[baprs]-[0-9]{10,}-[A-Za-z0-9-]+\b/, severity: 'critical' },
+  { name: 'discord_token', pattern: /\b[MN][A-Za-z0-9]{23,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27,}\b/, severity: 'critical' },
+  { name: 'telegram_bot_token', pattern: /\b\d{8,10}:[A-Za-z0-9_-]{35}\b/, severity: 'critical' },
+  { name: 'google_api_key', pattern: /\bAIza[A-Za-z0-9_-]{35}\b/, severity: 'high' },
+  { name: 'heroku_api_key', pattern: /\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b/, severity: 'medium', requireContext: /heroku|api.key/i },
+  { name: 'sendgrid_key', pattern: /\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b/, severity: 'critical' },
+  { name: 'twilio_key', pattern: /\bSK[0-9a-fA-F]{32}\b/, severity: 'high' },
+  { name: 'resend_key', pattern: /\bre_[A-Za-z0-9]{20,}\b/, severity: 'critical' },
+  { name: 'jwt_token', pattern: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/, severity: 'high' },
+
+  // SSH & Crypto
+  { name: 'private_key', pattern: /-----BEGIN\s+(RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/, severity: 'critical' },
+  { name: 'ssh_key_content', pattern: /ssh-(rsa|ed25519|ecdsa)\s+[A-Za-z0-9+/=]{100,}/, severity: 'high' },
+
+  // Generic patterns
+  { name: 'generic_password', pattern: /(?:password|passwd|pwd)\s*[:=]\s*['"]?[^\s'"]{8,}['"]?/i, severity: 'high' },
+  { name: 'generic_secret', pattern: /(?:secret|token|api[_-]?key)\s*[:=]\s*['"]?[A-Za-z0-9_-]{16,}['"]?/i, severity: 'high' },
+  { name: 'connection_string', pattern: /(?:mongodb|postgres|mysql|redis):\/\/[^\s]+:[^\s]+@/i, severity: 'critical' },
+
+  // Entropy-based (long hex/base64 strings that look like secrets)
+  { name: 'high_entropy_hex', pattern: /\b[0-9a-f]{32,}\b/i, severity: 'medium', requireContext: /key|secret|token|password|credential/i },
+];
+
+/**
+ * Scan text for secrets and credentials
+ * @param {string} text - Text to scan
+ * @param {object} opts - Options
+ * @param {string} opts.direction - 'inbound' or 'outbound'
+ * @returns {object} Scan result
+ */
+function scanSecrets(text, opts = {}) {
+  if (!text || typeof text !== 'string') {
+    return { clean: true, findings: [] };
+  }
+
+  const findings = [];
+
+  for (const { name, pattern, severity, requireContext } of SECRET_PATTERNS) {
+    const match = text.match(pattern);
+    if (match) {
+      // If requireContext is set, only flag if context keywords are nearby
+      if (requireContext) {
+        const surrounding = text.substring(
+          Math.max(0, match.index - 50),
+          Math.min(text.length, match.index + match[0].length + 50)
+        );
+        if (!requireContext.test(surrounding)) continue;
+      }
+
+      findings.push({
+        type: 'secret_detected',
+        subtype: name,
+        severity,
+        matched: redact(match[0]),
+        position: match.index,
+        direction: opts.direction || 'unknown',
+      });
+    }
+  }
+
+  return {
+    clean: findings.length === 0,
+    findings,
+    severity: findings.length > 0
+      ? findings.reduce((max, f) => severityRank(f.severity) > severityRank(max) ? f.severity : max, 'low')
+      : null,
+  };
+}
+
+function redact(value) {
+  if (value.length <= 8) return '****';
+  return value.substring(0, 4) + '*'.repeat(Math.min(value.length - 8, 20)) + value.substring(value.length - 4);
+}
+
+function severityRank(s) {
+  return { low: 0, medium: 1, high: 2, critical: 3 }[s] || 0;
+}
+
+module.exports = { scanSecrets, SECRET_PATTERNS };

package/src/scanners/supply-chain.js

@@ -0,0 +1,155 @@
+/**
+ * ClawMoat — Supply Chain Scanner
+ * 
+ * Scans OpenClaw skills for malicious patterns.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+const KNOWN_GOOD_SOURCES = [
+  'github.com/openclaw', 'github.com/darfaz', 'openclaw.com',
+  'npmjs.com', 'github.com/anthropics',
+];
+
+const SKILL_PATTERNS = [
+  // Outbound network requests
+  { pattern: /\bcurl\s+/i, severity: 'medium', name: 'network_curl' },
+  { pattern: /\bwget\s+/i, severity: 'medium', name: 'network_wget' },
+  { pattern: /\bfetch\s*\(/i, severity: 'medium', name: 'network_fetch' },
+  { pattern: /\bXMLHttpRequest\b/i, severity: 'medium', name: 'network_xhr' },
+  { pattern: /\brequire\s*\(\s*['"](?:http|https|net|dgram|request|axios|node-fetch)['"]\s*\)/i, severity: 'high', name: 'network_module' },
+
+  // Sensitive file access
+  { pattern: /~\/\.ssh\b|\/\.ssh\b/i, severity: 'critical', name: 'sensitive_ssh' },
+  { pattern: /~\/\.aws\b|\/\.aws\b/i, severity: 'critical', name: 'sensitive_aws' },
+  { pattern: /\bcredentials?\b.*(?:read|cat|open|access)/i, severity: 'high', name: 'sensitive_credentials' },
+  { pattern: /\/etc\/(?:passwd|shadow|sudoers)\b/i, severity: 'critical', name: 'sensitive_system' },
+  { pattern: /\.env\b.*(?:read|cat|source|load)/i, severity: 'high', name: 'sensitive_env' },
+
+  // Obfuscated code
+  { pattern: /\beval\s*\(/i, severity: 'high', name: 'obfuscated_eval' },
+  { pattern: /\bFunction\s*\(/i, severity: 'high', name: 'obfuscated_function' },
+  { pattern: /\batob\s*\(/i, severity: 'medium', name: 'obfuscated_atob' },
+  { pattern: /\bBuffer\.from\s*\([^,]+,\s*['"]base64['"]\s*\)/i, severity: 'medium', name: 'obfuscated_buffer' },
+  { pattern: /\\x[0-9a-f]{2}(?:\\x[0-9a-f]{2}){5,}/i, severity: 'high', name: 'obfuscated_hex' },
+
+  // System configuration modification
+  { pattern: /\bcrontab\b/i, severity: 'high', name: 'system_crontab' },
+  { pattern: /\/etc\/(?:cron|systemd|init)\b/i, severity: 'high', name: 'system_config' },
+  { pattern: /\bsystemctl\s+(?:enable|start|restart)\b/i, severity: 'medium', name: 'system_service' },
+  { pattern: /\bchmod\s+(?:\+s|[0-7]*[4-7][0-7]{2})\b/i, severity: 'high', name: 'system_permissions' },
+];
+
+/**
+ * Scan a skill file for malicious patterns
+ * @param {string} skillPath - Path to skill directory or file
+ * @returns {object} Scan result { clean, findings[], severity }
+ */
+function scanSkill(skillPath) {
+  const findings = [];
+
+  try {
+    const stat = fs.statSync(skillPath);
+    const files = stat.isDirectory()
+      ? walkDir(skillPath).filter(f => /\.(js|sh|py|rb|ts|yaml|yml|md)$/i.test(f))
+      : [skillPath];
+
+    for (const file of files) {
+      const content = fs.readFileSync(file, 'utf8');
+      const result = scanSkillContent(content);
+      if (!result.clean) {
+        for (const f of result.findings) {
+          f.file = path.relative(skillPath, file) || path.basename(file);
+          findings.push(f);
+        }
+      }
+    }
+
+    // Check source (look for source in SKILL.md or package.json)
+    const skillMd = files.find(f => f.endsWith('SKILL.md'));
+    if (skillMd) {
+      const content = fs.readFileSync(skillMd, 'utf8');
+      const sourceMatch = content.match(/(?:source|origin|from|url)\s*[:=]\s*(.+)/i);
+      if (sourceMatch) {
+        const source = sourceMatch[1].trim();
+        const trusted = KNOWN_GOOD_SOURCES.some(s => source.includes(s));
+        if (!trusted) {
+          findings.push({
+            type: 'supply_chain',
+            subtype: 'untrusted_source',
+            severity: 'medium',
+            matched: source.substring(0, 100),
+          });
+        }
+      }
+    }
+  } catch (err) {
+    findings.push({
+      type: 'supply_chain',
+      subtype: 'scan_error',
+      severity: 'low',
+      matched: err.message,
+    });
+  }
+
+  const maxSev = findings.length > 0
+    ? findings.reduce((max, f) => rank(f.severity) > rank(max) ? f.severity : max, 'low')
+    : null;
+
+  return { clean: findings.length === 0, findings, severity: maxSev };
+}
+
+/**
+ * Scan skill content string for malicious patterns
+ * @param {string} content - Skill content
+ * @returns {object} Scan result { clean, findings[], severity }
+ */
+function scanSkillContent(content) {
+  if (!content || typeof content !== 'string') {
+    return { clean: true, findings: [], severity: null };
+  }
+
+  const findings = [];
+
+  for (const { pattern, severity, name } of SKILL_PATTERNS) {
+    const match = content.match(pattern);
+    if (match) {
+      findings.push({
+        type: 'supply_chain',
+        subtype: name,
+        severity,
+        matched: match[0].substring(0, 100),
+        position: match.index,
+      });
+    }
+  }
+
+  const maxSev = findings.length > 0
+    ? findings.reduce((max, f) => rank(f.severity) > rank(max) ? f.severity : max, 'low')
+    : null;
+
+  return { clean: findings.length === 0, findings, severity: maxSev };
+}
+
+function walkDir(dir) {
+  const results = [];
+  try {
+    const entries = fs.readdirSync(dir, { withFileTypes: true });
+    for (const entry of entries) {
+      const full = path.join(dir, entry.name);
+      if (entry.isDirectory() && entry.name !== 'node_modules' && entry.name !== '.git') {
+        results.push(...walkDir(full));
+      } else if (entry.isFile()) {
+        results.push(full);
+      }
+    }
+  } catch {}
+  return results;
+}
+
+function rank(s) {
+  return { low: 0, medium: 1, high: 2, critical: 3 }[s] || 0;
+}
+
+module.exports = { scanSkill, scanSkillContent };

package/src/scanners/urls.js

@@ -0,0 +1,142 @@
+/**
+ * ClawMoat — Phishing URL Detection Scanner
+ * 
+ * Detects malicious/suspicious URLs in inbound messages.
+ */
+
+const PHISHING_TLDS = ['.zip', '.mov', '.tk', '.ml', '.ga', '.cf', '.gq'];
+
+const URL_SHORTENERS = [
+  'bit.ly', 'tinyurl.com', 't.co', 'goo.gl', 'ow.ly', 'is.gd', 'buff.ly',
+  'adf.ly', 'bit.do', 'mcaf.ee', 'su.pr', 'db.tt', 'qr.ae', 'cur.lv',
+  'lnkd.in', 'yourls.org', 'rb.gy', 'short.io', 'cutt.ly', 'v.gd',
+];
+
+const SUSPICIOUS_PATH_KEYWORDS = /\b(?:login|signin|sign-in|verify|account|security|update|confirm|authenticate|banking|password|reset|suspend)/i;
+
+const TRUSTED_DOMAINS = [
+  'google.com', 'github.com', 'microsoft.com', 'apple.com', 'amazon.com',
+  'facebook.com', 'twitter.com', 'linkedin.com', 'stackoverflow.com',
+  'wikipedia.org', 'youtube.com', 'reddit.com', 'npmjs.com', 'mozilla.org',
+];
+
+const URL_REGEX = /(?:https?:\/\/|data:)[^\s<>"')\]]+/gi;
+
+/**
+ * Scan text for suspicious/phishing URLs
+ * @param {string} text - Text to scan
+ * @param {object} opts - Options
+ * @returns {object} Scan result { clean, findings[], severity }
+ */
+function scanUrls(text, opts = {}) {
+  if (!text || typeof text !== 'string') {
+    return { clean: true, findings: [], severity: null };
+  }
+
+  const findings = [];
+  const urls = text.match(URL_REGEX) || [];
+
+  for (const url of urls) {
+    // Data URLs with executable content
+    if (/^data:/i.test(url)) {
+      if (/data:(?:text\/html|application\/javascript|text\/javascript)/i.test(url)) {
+        findings.push({
+          type: 'suspicious_url',
+          subtype: 'data_url_executable',
+          severity: 'critical',
+          matched: url.substring(0, 100),
+        });
+      }
+      continue;
+    }
+
+    let hostname = '';
+    try {
+      const parsed = new URL(url);
+      hostname = parsed.hostname.toLowerCase();
+      const pathname = parsed.pathname;
+
+      // IP-based URLs
+      if (/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname)) {
+        findings.push({
+          type: 'suspicious_url',
+          subtype: 'ip_based_url',
+          severity: 'high',
+          matched: url.substring(0, 100),
+        });
+        continue;
+      }
+
+      // Punycode/homograph attacks
+      if (hostname.includes('xn--')) {
+        findings.push({
+          type: 'suspicious_url',
+          subtype: 'punycode_homograph',
+          severity: 'high',
+          matched: url.substring(0, 100),
+        });
+        continue;
+      }
+
+      // Phishing TLDs
+      const tld = hostname.substring(hostname.lastIndexOf('.'));
+      if (PHISHING_TLDS.includes(tld)) {
+        findings.push({
+          type: 'suspicious_url',
+          subtype: 'phishing_tld',
+          severity: 'medium',
+          matched: url.substring(0, 100),
+        });
+        continue;
+      }
+
+      // URL shorteners
+      if (URL_SHORTENERS.some(s => hostname === s || hostname.endsWith('.' + s))) {
+        findings.push({
+          type: 'suspicious_url',
+          subtype: 'url_shortener',
+          severity: 'medium',
+          matched: url.substring(0, 100),
+        });
+        continue;
+      }
+
+      // Excessive subdomains (4+ levels)
+      const parts = hostname.split('.');
+      if (parts.length >= 5) {
+        findings.push({
+          type: 'suspicious_url',
+          subtype: 'excessive_subdomains',
+          severity: 'high',
+          matched: url.substring(0, 100),
+        });
+        continue;
+      }
+
+      // Suspicious path keywords on non-trusted domains
+      const rootDomain = parts.slice(-2).join('.');
+      if (SUSPICIOUS_PATH_KEYWORDS.test(pathname) && !TRUSTED_DOMAINS.includes(rootDomain)) {
+        findings.push({
+          type: 'suspicious_url',
+          subtype: 'suspicious_path',
+          severity: 'medium',
+          matched: url.substring(0, 100),
+        });
+      }
+    } catch {
+      // Invalid URL, skip
+    }
+  }
+
+  const maxSev = findings.length > 0
+    ? findings.reduce((max, f) => rank(f.severity) > rank(max) ? f.severity : max, 'low')
+    : null;
+
+  return { clean: findings.length === 0, findings, severity: maxSev };
+}
+
+function rank(s) {
+  return { low: 0, medium: 1, high: 2, critical: 3 }[s] || 0;
+}
+
+module.exports = { scanUrls };

package/src/utils/config.js

@@ -0,0 +1,137 @@
+/**
+ * ClawMoat Configuration Loader
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+const DEFAULT_CONFIG = {
+  version: 1,
+  detection: {
+    prompt_injection: true,
+    jailbreak: true,
+    pii_outbound: true,
+    secret_scanning: true,
+  },
+  policies: {
+    exec: {
+      block_patterns: [
+        'rm -rf /',
+        'rm -rf ~',
+        'rm -rf *',
+        'mkfs',
+        'dd if=',
+        ':(){:|:&};:',              // fork bomb
+        'curl *| bash',
+        'curl *| sh',
+        'curl * | bash',
+        'curl * | sh',
+        'wget *| bash',
+        'wget *| sh',
+        'wget * | bash',
+        'wget * | sh',
+        'python -c * import socket',
+        'nc -e',
+        'ncat -e',
+        'base64 -d | bash',
+        'eval $(curl',
+        'eval $(wget',
+      ],
+      require_approval: [],
+      log_all: true,
+    },
+    file: {
+      deny_read: [
+        '~/.ssh/id_*',
+        '~/.ssh/config',
+        '~/.aws/credentials',
+        '~/.aws/config',
+        '**/.env',
+        '**/credentials.json',
+        '**/auth-profiles.json',
+        '~/.gnupg/*',
+        '~/.config/gh/hosts.yml',
+      ],
+      deny_write: [
+        '/etc/*',
+        '~/.bashrc',
+        '~/.bash_profile',
+        '~/.zshrc',
+        '~/.profile',
+        '~/.ssh/authorized_keys',
+      ],
+    },
+    browser: {
+      block_domains: [],
+      log_all: true,
+    },
+  },
+  alerts: {
+    webhook: null,
+    email: null,
+    telegram: null,
+    severity_threshold: 'medium',
+  },
+  cloud: {
+    enabled: false,
+    api_key: null,
+  },
+};
+
+function loadConfig(configPath) {
+  if (!configPath) {
+    // Search for config in common locations
+    const searchPaths = [
+      path.join(process.cwd(), 'clawmoat.yml'),
+      path.join(process.cwd(), 'clawmoat.yaml'),
+      path.join(process.cwd(), '.clawmoat.yml'),
+      path.join(process.env.HOME || '', '.clawmoat.yml'),
+    ];
+    for (const p of searchPaths) {
+      if (fs.existsSync(p)) {
+        configPath = p;
+        break;
+      }
+    }
+  }
+
+  if (!configPath || !fs.existsSync(configPath)) {
+    return { ...DEFAULT_CONFIG };
+  }
+
+  try {
+    // Simple YAML-like parsing for basic configs (avoid dependency)
+    const raw = fs.readFileSync(configPath, 'utf8');
+    const yaml = parseSimpleYaml(raw);
+    return deepMerge(DEFAULT_CONFIG, yaml);
+  } catch (err) {
+    console.error(`[ClawMoat] Failed to load config from ${configPath}: ${err.message}`);
+    return { ...DEFAULT_CONFIG };
+  }
+}
+
+// Very basic YAML parser for flat/nested configs (avoids js-yaml dependency for now)
+function parseSimpleYaml(text) {
+  try {
+    // Try JSON first (YAML is a superset of JSON)
+    return JSON.parse(text);
+  } catch {
+    // TODO: Add proper YAML parsing or make js-yaml a dependency
+    console.warn('[ClawMoat] Complex YAML config detected. Install js-yaml for full support. Using defaults.');
+    return {};
+  }
+}
+
+function deepMerge(target, source) {
+  const result = { ...target };
+  for (const key of Object.keys(source)) {
+    if (source[key] && typeof source[key] === 'object' && !Array.isArray(source[key])) {
+      result[key] = deepMerge(target[key] || {}, source[key]);
+    } else {
+      result[key] = source[key];
+    }
+  }
+  return result;
+}
+
+module.exports = { loadConfig, DEFAULT_CONFIG };