clawmoat 0.4.0 → 0.5.0

package/README.md

@@ -61,6 +61,16 @@ clawmoat protect --config clawmoat.yml
 clawmoat dashboard
 ```
 
+### New in v0.5.0
+
+- 🔑 **Credential Monitor** — watches `~/.openclaw/credentials/` for unauthorized access and modifications using file hashing
+- 🧩 **Skill Integrity Checker** — hashes all SKILL.md and script files, detects tampering, flags suspicious patterns (eval, base64, curl to external URLs). CLI: `clawmoat skill-audit`
+- 🌐 **Network Egress Logger** — parses session logs for all outbound URLs, maintains domain allowlists, flags known-bad domains (webhook.site, ngrok, etc.)
+- 🚨 **Alert Delivery System** — unified alerts via console, file (audit.log), or webhook with severity levels and 5-minute rate limiting
+- 🤝 **Inter-Agent Message Scanner** — heightened-sensitivity scanning for agent-to-agent messages detecting impersonation, concealment, credential exfiltration, and safety bypasses
+- 📊 **Activity Reports** — `clawmoat report` generates 24h summaries of agent activity, tool usage, and network egress
+- 👻 **Daemon Mode** — `clawmoat watch --daemon` runs in background with PID file; `--alert-webhook=URL` for remote alerting
+
 ### As an OpenClaw Skill
 
 ```bash

package/bin/clawmoat.js

@@ -16,6 +16,10 @@ const path = require('path');
 const ClawMoat = require('../src/index');
 const { scanSkillContent } = require('../src/scanners/supply-chain');
 const { calculateGrade, generateBadgeSVG, getShieldsURL } = require('../src/badge');
+const { SkillIntegrityChecker } = require('../src/guardian/skill-integrity');
+const { NetworkEgressLogger } = require('../src/guardian/network-log');
+const { AlertManager } = require('../src/guardian/alerts');
+const { CredentialMonitor } = require('../src/guardian/index');
 
 const VERSION = require('../package.json').version;
 const BOLD = '\x1b[1m';
@@ -41,6 +45,12 @@ switch (command) {
   case 'watch':
     cmdWatch(args.slice(1));
     break;
+  case 'skill-audit':
+    cmdSkillAudit(args.slice(1));
+    break;
+  case 'report':
+    cmdReport(args.slice(1));
+    break;
   case 'test':
     cmdTest();
     break;
@@ -339,16 +349,46 @@ function cmdTest() {
 }
 
 function cmdWatch(args) {
-  const agentDir = args[0] || path.join(process.env.HOME, '.openclaw/agents/main');
+  const isDaemon = args.includes('--daemon');
+  const webhookArg = args.find(a => a.startsWith('--alert-webhook='));
+  const webhookUrl = webhookArg ? webhookArg.split('=').slice(1).join('=') : null;
+  const filteredArgs = args.filter(a => a !== '--daemon' && !a.startsWith('--alert-webhook='));
+  const agentDir = filteredArgs[0] || path.join(process.env.HOME, '.openclaw/agents/main');
   const { watchSessions } = require('../src/middleware/openclaw');
 
+  // Daemon mode: fork to background
+  if (isDaemon) {
+    const { spawn } = require('child_process');
+    const daemonArgs = process.argv.slice(2).filter(a => a !== '--daemon');
+    const child = spawn(process.execPath, [__filename, ...daemonArgs], {
+      detached: true,
+      stdio: 'ignore',
+    });
+    child.unref();
+    const pidFile = path.join(process.env.HOME, '.clawmoat.pid');
+    fs.writeFileSync(pidFile, String(child.pid));
+    console.log(`${BOLD}🏰 ClawMoat daemon started${RESET} (PID: ${child.pid})`);
+    console.log(`${DIM}PID file: ${pidFile}${RESET}`);
+    process.exit(0);
+  }
+
+  // Set up alert manager
+  const alertChannels = ['console'];
+  if (webhookUrl) alertChannels.push('webhook');
+  const alertMgr = new AlertManager({ channels: alertChannels, webhookUrl });
+
   console.log(`${BOLD}🏰 ClawMoat Live Monitor${RESET}`);
   console.log(`${DIM}Watching: ${agentDir}${RESET}`);
+  if (webhookUrl) console.log(`${DIM}Webhook: ${webhookUrl}${RESET}`);
   console.log(`${DIM}Press Ctrl+C to stop${RESET}\n`);
 
   const monitor = watchSessions({ agentDir });
   if (!monitor) process.exit(1);
 
+  // Also start credential monitor
+  const credMon = new CredentialMonitor({ quiet: false, onAlert: (a) => alertMgr.send(a) });
+  credMon.start();
+
   // Print summary every 60s
   setInterval(() => {
     const summary = monitor.getSummary();
@@ -359,12 +399,150 @@ function cmdWatch(args) {
 
   process.on('SIGINT', () => {
     monitor.stop();
+    credMon.stop();
     const summary = monitor.getSummary();
     console.log(`\n${BOLD}Session Summary:${RESET} ${summary.scanned} scanned, ${summary.blocked} blocked, ${summary.warnings} warnings`);
     process.exit(0);
   });
 }
 
+function cmdSkillAudit(args) {
+  const skillsDir = args[0] || path.join(process.env.HOME, '.openclaw', 'workspace', 'skills');
+
+  console.log(`${BOLD}🏰 ClawMoat Skill Integrity Audit${RESET}`);
+  console.log(`${DIM}Directory: ${skillsDir}${RESET}\n`);
+
+  if (!fs.existsSync(skillsDir)) {
+    console.log(`${YELLOW}Skills directory not found: ${skillsDir}${RESET}`);
+    console.log(`${DIM}Specify path: clawmoat skill-audit /path/to/skills${RESET}`);
+    process.exit(0);
+  }
+
+  const checker = new SkillIntegrityChecker({ skillsDir });
+  const initResult = checker.init();
+
+  console.log(`Files hashed: ${initResult.files}`);
+  console.log(`New files: ${initResult.new}`);
+  console.log(`Changed files: ${initResult.changed}`);
+  console.log();
+
+  if (initResult.suspicious.length > 0) {
+    console.log(`${RED}${BOLD}Suspicious patterns found:${RESET}`);
+    for (const f of initResult.suspicious) {
+      console.log(`  ${RED}⚠${RESET} ${f.file}: ${f.label} ${DIM}(${f.severity})${RESET}`);
+      if (f.matched) console.log(`    ${DIM}Matched: ${f.matched}${RESET}`);
+    }
+  } else {
+    console.log(`${GREEN}✅ No suspicious patterns found${RESET}`);
+  }
+
+  // Run audit against stored hashes
+  const audit = checker.audit();
+  if (!audit.ok) {
+    console.log();
+    if (audit.changed.length) console.log(`${RED}Changed files:${RESET} ${audit.changed.join(', ')}`);
+    if (audit.missing.length) console.log(`${YELLOW}Missing files:${RESET} ${audit.missing.join(', ')}`);
+  }
+
+  process.exit(initResult.suspicious.length > 0 || initResult.changed > 0 ? 1 : 0);
+}
+
+function cmdReport(args) {
+  const sessionsDir = args[0] || path.join(process.env.HOME, '.openclaw/agents/main/sessions');
+
+  console.log(`${BOLD}🏰 ClawMoat Activity Report (Last 24h)${RESET}`);
+  console.log(`${DIM}Sessions: ${sessionsDir}${RESET}\n`);
+
+  if (!fs.existsSync(sessionsDir)) {
+    console.log(`${YELLOW}Sessions directory not found${RESET}`);
+    process.exit(0);
+  }
+
+  const oneDayAgo = Date.now() - 86400000;
+  const files = fs.readdirSync(sessionsDir).filter(f => f.endsWith('.jsonl'));
+  let recentFiles = 0;
+  let totalEntries = 0;
+  let toolCalls = 0;
+  let threats = 0;
+  const toolUsage = {};
+
+  for (const file of files) {
+    const filePath = path.join(sessionsDir, file);
+    try {
+      const stat = fs.statSync(filePath);
+      if (stat.mtimeMs < oneDayAgo) continue;
+    } catch { continue; }
+
+    recentFiles++;
+    const lines = fs.readFileSync(filePath, 'utf8').split('\n').filter(Boolean);
+
+    for (const line of lines) {
+      try {
+        const entry = JSON.parse(line);
+        totalEntries++;
+
+        if (entry.role === 'assistant' && Array.isArray(entry.content)) {
+          for (const part of entry.content) {
+            if (part.type === 'toolCall') {
+              toolCalls++;
+              toolUsage[part.name] = (toolUsage[part.name] || 0) + 1;
+            }
+          }
+        }
+
+        // Quick threat scan
+        const text = extractContent(entry);
+        if (text) {
+          const result = moat.scan(text, { context: 'report' });
+          if (!result.safe) threats++;
+        }
+      } catch {}
+    }
+  }
+
+  // Network egress
+  const netLogger = new NetworkEgressLogger();
+  const netResult = netLogger.scanSessions(sessionsDir, { maxAge: 86400000 });
+
+  console.log(`${BOLD}Activity:${RESET}`);
+  console.log(`  Sessions active: ${recentFiles}`);
+  console.log(`  Total entries: ${totalEntries}`);
+  console.log(`  Tool calls: ${toolCalls}`);
+  console.log(`  Threats detected: ${threats}`);
+  console.log();
+
+  if (Object.keys(toolUsage).length > 0) {
+    console.log(`${BOLD}Tool Usage:${RESET}`);
+    const sorted = Object.entries(toolUsage).sort((a, b) => b[1] - a[1]);
+    for (const [tool, count] of sorted.slice(0, 15)) {
+      console.log(`  ${tool}: ${count}`);
+    }
+    console.log();
+  }
+
+  console.log(`${BOLD}Network Egress:${RESET}`);
+  console.log(`  URLs contacted: ${netResult.totalUrls}`);
+  console.log(`  Unique domains: ${netResult.domains.length}`);
+  console.log(`  Flagged (not in allowlist): ${netResult.flagged.length}`);
+  console.log(`  Known-bad domains: ${netResult.badDomains.length}`);
+
+  if (netResult.flagged.length > 0) {
+    console.log(`\n  ${YELLOW}Flagged domains:${RESET}`);
+    for (const d of netResult.flagged.slice(0, 20)) {
+      console.log(`    • ${d}`);
+    }
+  }
+
+  if (netResult.badDomains.length > 0) {
+    console.log(`\n  ${RED}Bad domains:${RESET}`);
+    for (const b of netResult.badDomains) {
+      console.log(`    🚨 ${b.domain} (in ${b.file})`);
+    }
+  }
+
+  process.exit(threats > 0 || netResult.badDomains.length > 0 ? 1 : 0);
+}
+
 function extractContent(entry) {
   if (typeof entry.content === 'string') return entry.content;
   if (Array.isArray(entry.content)) {
@@ -387,6 +565,10 @@ ${BOLD}USAGE${RESET}
   clawmoat audit [session-dir]    Audit OpenClaw session logs
   clawmoat audit --badge          Audit + generate security score badge SVG
   clawmoat watch [agent-dir]      Live monitor OpenClaw sessions
+  clawmoat watch --daemon         Daemonize watch mode (background, PID file)
+  clawmoat watch --alert-webhook=URL   Send alerts to webhook
+  clawmoat skill-audit [skills-dir]    Verify skill file integrity & scan for suspicious patterns
+  clawmoat report [sessions-dir]  24-hour activity summary report
   clawmoat test                   Run detection test suite
   clawmoat version                Show version
 
@@ -394,6 +576,9 @@ ${BOLD}EXAMPLES${RESET}
   clawmoat scan "Ignore all previous instructions"
   clawmoat scan --file suspicious-email.txt
   clawmoat audit ~/.openclaw/agents/main/sessions/
+  clawmoat watch --daemon --alert-webhook=https://hooks.example.com/alerts
+  clawmoat skill-audit ~/.openclaw/workspace/skills
+  clawmoat report
   clawmoat test
 
 ${BOLD}CONFIG${RESET}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clawmoat",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "Security moat for AI agents. Runtime protection against prompt injection, tool misuse, and data exfiltration.",
   "main": "src/index.js",
   "bin": {

package/src/guardian/alerts.js

@@ -0,0 +1,138 @@
+/**
+ * ClawMoat Alert Delivery System
+ * 
+ * Unified alerting with console, file, and webhook delivery.
+ * Rate-limited to avoid alert storms.
+ * 
+ * @module clawmoat/guardian/alerts
+ */
+
+const fs = require('fs');
+const path = require('path');
+const http = require('http');
+const https = require('https');
+
+const SEVERITY_RANK = { info: 0, warning: 1, critical: 2 };
+
+class AlertManager {
+  /**
+   * @param {Object} opts
+   * @param {string[]} [opts.channels] - ['console', 'file', 'webhook']
+   * @param {string} [opts.logFile] - Path for file channel (default: audit.log)
+   * @param {string} [opts.webhookUrl] - URL for webhook channel
+   * @param {number} [opts.rateLimitMs] - Min ms between duplicate alerts (default: 300000 = 5 min)
+   * @param {boolean} [opts.quiet] - Suppress console output
+   */
+  constructor(opts = {}) {
+    this.channels = opts.channels || ['console'];
+    this.logFile = opts.logFile || 'audit.log';
+    this.webhookUrl = opts.webhookUrl || null;
+    this.rateLimitMs = opts.rateLimitMs ?? 300000;
+    this.quiet = opts.quiet || false;
+    this._recentAlerts = new Map(); // key -> timestamp
+    this._alertCount = 0;
+  }
+
+  /**
+   * Send an alert through configured channels.
+   * @param {Object} alert
+   * @param {string} alert.severity - 'info' | 'warning' | 'critical'
+   * @param {string} alert.type - Alert category
+   * @param {string} alert.message - Human-readable message
+   * @param {Object} [alert.details] - Additional data
+   * @returns {{ delivered: boolean, rateLimited: boolean }}
+   */
+  send(alert) {
+    const key = `${alert.type}:${alert.message}`;
+    const now = Date.now();
+    const lastSent = this._recentAlerts.get(key);
+
+    if (lastSent && (now - lastSent) < this.rateLimitMs) {
+      return { delivered: false, rateLimited: true };
+    }
+
+    this._recentAlerts.set(key, now);
+    this._alertCount++;
+
+    // Prune old entries periodically
+    if (this._recentAlerts.size > 1000) {
+      for (const [k, ts] of this._recentAlerts) {
+        if (now - ts > this.rateLimitMs) this._recentAlerts.delete(k);
+      }
+    }
+
+    const entry = {
+      timestamp: new Date().toISOString(),
+      severity: alert.severity || 'info',
+      type: alert.type || 'unknown',
+      message: alert.message || '',
+      details: alert.details || null,
+    };
+
+    for (const channel of this.channels) {
+      switch (channel) {
+        case 'console':
+          this._deliverConsole(entry);
+          break;
+        case 'file':
+          this._deliverFile(entry);
+          break;
+        case 'webhook':
+          this._deliverWebhook(entry);
+          break;
+      }
+    }
+
+    return { delivered: true, rateLimited: false };
+  }
+
+  _deliverConsole(entry) {
+    if (this.quiet) return;
+    const colors = { info: '\x1b[36m', warning: '\x1b[33m', critical: '\x1b[31m' };
+    const icons = { info: 'ℹ️', warning: '⚠️', critical: '🚨' };
+    const c = colors[entry.severity] || '';
+    const icon = icons[entry.severity] || '•';
+    console.error(
+      `${icon} ${c}[${entry.severity.toUpperCase()}]\x1b[0m ${entry.type}: ${entry.message}`
+    );
+  }
+
+  _deliverFile(entry) {
+    try {
+      const dir = path.dirname(this.logFile);
+      if (dir !== '.' && !fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+      fs.appendFileSync(this.logFile, JSON.stringify(entry) + '\n');
+    } catch {}
+  }
+
+  _deliverWebhook(entry) {
+    if (!this.webhookUrl) return;
+    try {
+      const url = new URL(this.webhookUrl);
+      const transport = url.protocol === 'https:' ? https : http;
+      const body = JSON.stringify(entry);
+      const req = transport.request({
+        hostname: url.hostname,
+        port: url.port,
+        path: url.pathname + url.search,
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) },
+      });
+      req.on('error', () => {});
+      req.write(body);
+      req.end();
+    } catch {}
+  }
+
+  /** Get total alerts sent. */
+  get count() {
+    return this._alertCount;
+  }
+
+  /** Clear rate limit cache. */
+  clearRateLimit() {
+    this._recentAlerts.clear();
+  }
+}
+
+module.exports = { AlertManager, SEVERITY_RANK };

package/src/guardian/index.js

@@ -22,8 +22,10 @@
  * const log = guardian.audit();
  */
 
+const fs = require('fs');
 const path = require('path');
 const os = require('os');
+const crypto = require('crypto');
 const { SecurityLogger } = require('../utils/logger');
 
 // ─── Permission Tiers ───────────────────────────────────────────────
@@ -539,4 +541,146 @@ class HostGuardian {
   }
 }
 
-module.exports = { HostGuardian, TIERS, FORBIDDEN_ZONES, DANGEROUS_COMMANDS, SAFE_COMMANDS };
+// ─── Credential Monitor ─────────────────────────────────────────
+
+class CredentialMonitor {
+  /**
+   * Watch ~/.openclaw/credentials/ for file access and modifications.
+   * @param {Object} opts
+   * @param {string} [opts.credDir] - Credentials directory path
+   * @param {Function} [opts.onAlert] - Alert callback
+   * @param {boolean} [opts.quiet] - Suppress console output
+   */
+  constructor(opts = {}) {
+    this.credDir = opts.credDir || path.join(os.homedir(), '.openclaw', 'credentials');
+    this.onAlert = opts.onAlert || null;
+    this.quiet = opts.quiet || false;
+    this.watcher = null;
+    this.fileHashes = {};
+  }
+
+  /**
+   * Hash all credential files and start watching.
+   * @returns {{ files: number, watching: boolean }}
+   */
+  start() {
+    // Initial hash of all credential files
+    this._hashAllFiles();
+
+    if (!fs.existsSync(this.credDir)) {
+      return { files: 0, watching: false };
+    }
+
+    this.watcher = fs.watch(this.credDir, (eventType, filename) => {
+      if (!filename) return;
+      const filePath = path.join(this.credDir, filename);
+
+      if (eventType === 'change') {
+        const oldHash = this.fileHashes[filename];
+        const newHash = this._hashFile(filePath);
+
+        if (oldHash && newHash && oldHash !== newHash) {
+          this._alert({
+            severity: 'critical',
+            type: 'credential_modified',
+            message: `Credential file modified: ${filename}`,
+            details: { file: filename, oldHash, newHash },
+          });
+          this.fileHashes[filename] = newHash;
+        } else if (!oldHash && newHash) {
+          this._alert({
+            severity: 'warning',
+            type: 'credential_accessed',
+            message: `Credential file accessed: ${filename}`,
+            details: { file: filename },
+          });
+          this.fileHashes[filename] = newHash;
+        }
+      }
+
+      if (eventType === 'rename') {
+        if (fs.existsSync(filePath)) {
+          // File created
+          const hash = this._hashFile(filePath);
+          this._alert({
+            severity: 'warning',
+            type: 'credential_created',
+            message: `New credential file: ${filename}`,
+            details: { file: filename, hash },
+          });
+          this.fileHashes[filename] = hash;
+        } else {
+          // File deleted
+          this._alert({
+            severity: 'critical',
+            type: 'credential_deleted',
+            message: `Credential file deleted: ${filename}`,
+            details: { file: filename },
+          });
+          delete this.fileHashes[filename];
+        }
+      }
+    });
+
+    return { files: Object.keys(this.fileHashes).length, watching: true };
+  }
+
+  stop() {
+    if (this.watcher) {
+      this.watcher.close();
+      this.watcher = null;
+    }
+  }
+
+  /** Verify credential file integrity against stored hashes. */
+  verify() {
+    const results = { ok: true, changed: [], missing: [] };
+    for (const [filename, storedHash] of Object.entries(this.fileHashes)) {
+      const filePath = path.join(this.credDir, filename);
+      const currentHash = this._hashFile(filePath);
+      if (!currentHash) {
+        results.missing.push(filename);
+        results.ok = false;
+      } else if (currentHash !== storedHash) {
+        results.changed.push(filename);
+        results.ok = false;
+      }
+    }
+    return results;
+  }
+
+  /** Get current file hashes. */
+  getHashes() {
+    return { ...this.fileHashes };
+  }
+
+  _hashAllFiles() {
+    if (!fs.existsSync(this.credDir)) return;
+    try {
+      const files = fs.readdirSync(this.credDir);
+      for (const f of files) {
+        const hash = this._hashFile(path.join(this.credDir, f));
+        if (hash) this.fileHashes[f] = hash;
+      }
+    } catch {}
+  }
+
+  _hashFile(filePath) {
+    try {
+      const content = fs.readFileSync(filePath);
+      return crypto.createHash('sha256').update(content).digest('hex');
+    } catch {
+      return null;
+    }
+  }
+
+  _alert(alert) {
+    if (!this.quiet) {
+      const icons = { info: 'ℹ️', warning: '⚠️', critical: '🚨' };
+      console.error(`${icons[alert.severity] || '•'} [CredentialMonitor] ${alert.message}`);
+    }
+    if (this.onAlert) this.onAlert(alert);
+  }
+}
+
+module.exports = { HostGuardian, CredentialMonitor, TIERS, FORBIDDEN_ZONES, DANGEROUS_COMMANDS, SAFE_COMMANDS };

package/src/guardian/network-log.js

@@ -0,0 +1,281 @@
+/**
+ * ClawMoat Network Egress Logger
+ * 
+ * Parses session JSONL files for outbound network activity,
+ * maintains domain allowlists, and flags suspicious destinations.
+ * 
+ * @module clawmoat/guardian/network-log
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { URL } = require('url');
+
+// Known-bad domains commonly used for exfiltration
+const KNOWN_BAD_DOMAINS = [
+  'webhook.site',
+  'requestbin.com',
+  'pipedream.net',
+  'ngrok.io',
+  'ngrok-free.app',
+  'ngrok.app',
+  'burpcollaborator.net',
+  'interact.sh',
+  'oastify.com',
+  'canarytokens.com',
+  'dnslog.cn',
+  'beeceptor.com',
+  'hookbin.com',
+  'requestcatcher.com',
+  'mockbin.org',
+  'postb.in',
+  'ptsv2.com',
+  'transfer.sh',
+  'file.io',
+  '0x0.st',
+  'hastebin.com',
+  'pastebin.com',
+  'paste.ee',
+  'dpaste.org',
+  'serveo.net',
+  'localtunnel.me',
+  'localhost.run',
+];
+
+// Default safe domains
+const DEFAULT_ALLOWLIST = [
+  'github.com',
+  'api.github.com',
+  'raw.githubusercontent.com',
+  'npmjs.org',
+  'registry.npmjs.org',
+  'google.com',
+  'googleapis.com',
+  'stackoverflow.com',
+  'developer.mozilla.org',
+  'nodejs.org',
+  'docs.python.org',
+];
+
+/**
+ * Extract URLs from a text string.
+ * @param {string} text
+ * @returns {string[]} Extracted URLs
+ */
+function extractUrls(text) {
+  if (!text) return [];
+  const urlRegex = /https?:\/\/[^\s"'<>\]\)]+/gi;
+  return (text.match(urlRegex) || []);
+}
+
+/**
+ * Extract domain from a URL string.
+ * @param {string} urlStr
+ * @returns {string|null}
+ */
+function extractDomain(urlStr) {
+  try {
+    const u = new URL(urlStr);
+    return u.hostname.toLowerCase();
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Parse a session JSONL file for network activity.
+ * @param {string} filePath - Path to .jsonl file
+ * @returns {{ urls: string[], domains: Set<string>, toolCalls: Array }}
+ */
+function parseSessionFile(filePath) {
+  const urls = [];
+  const domains = new Set();
+  const toolCalls = [];
+
+  let content;
+  try {
+    content = fs.readFileSync(filePath, 'utf8');
+  } catch {
+    return { urls, domains, toolCalls };
+  }
+
+  const lines = content.split('\n').filter(Boolean);
+
+  for (const line of lines) {
+    let entry;
+    try { entry = JSON.parse(line); } catch { continue; }
+
+    // Check tool calls from assistant
+    if (entry.role === 'assistant' && Array.isArray(entry.content)) {
+      for (const part of entry.content) {
+        if (part.type !== 'toolCall') continue;
+        const name = part.name || '';
+        const args = part.arguments || {};
+
+        if (name === 'web_fetch' || name === 'web_search') {
+          const url = args.url || args.query || '';
+          const extracted = extractUrls(url);
+          if (extracted.length) {
+            urls.push(...extracted);
+          } else if (url.startsWith('http')) {
+            urls.push(url);
+          }
+          toolCalls.push({ tool: name, args, session: filePath });
+        }
+
+        if (name === 'exec') {
+          const cmd = args.command || '';
+          if (/\b(curl|wget|fetch|http)\b/i.test(cmd)) {
+            const cmdUrls = extractUrls(cmd);
+            urls.push(...cmdUrls);
+            toolCalls.push({ tool: 'exec', args, session: filePath });
+          }
+        }
+      }
+    }
+  }
+
+  for (const u of urls) {
+    const d = extractDomain(u);
+    if (d) domains.add(d);
+  }
+
+  return { urls, domains, toolCalls };
+}
+
+class NetworkEgressLogger {
+  /**
+   * @param {Object} opts
+   * @param {string[]} [opts.allowlist] - Additional allowed domains
+   * @param {string[]} [opts.badDomains] - Additional known-bad domains
+   * @param {Function} [opts.onAlert] - Callback for alerts
+   */
+  constructor(opts = {}) {
+    this.allowlist = new Set([...DEFAULT_ALLOWLIST, ...(opts.allowlist || [])]);
+    this.badDomains = new Set([...KNOWN_BAD_DOMAINS, ...(opts.badDomains || [])]);
+    this.seenDomains = new Set();
+    this.onAlert = opts.onAlert || null;
+    this.log = []; // { timestamp, url, domain, status }
+  }
+
+  /**
+   * Scan session directory for network egress.
+   * @param {string} sessionsDir - Path to sessions directory
+   * @param {Object} [opts]
+   * @param {number} [opts.maxAge] - Only scan files modified within this many ms
+   * @returns {{ totalUrls: number, domains: string[], flagged: Array, badDomains: Array, firstSeen: string[] }}
+   */
+  scanSessions(sessionsDir, opts = {}) {
+    if (!fs.existsSync(sessionsDir)) {
+      return { totalUrls: 0, domains: [], flagged: [], badDomains: [], firstSeen: [] };
+    }
+
+    const files = fs.readdirSync(sessionsDir).filter(f => f.endsWith('.jsonl'));
+    const allUrls = [];
+    const allDomains = new Set();
+    const flagged = [];
+    const badFound = [];
+    const firstSeen = [];
+
+    for (const file of files) {
+      const filePath = path.join(sessionsDir, file);
+
+      // Optional age filter
+      if (opts.maxAge) {
+        try {
+          const stat = fs.statSync(filePath);
+          if (Date.now() - stat.mtimeMs > opts.maxAge) continue;
+        } catch { continue; }
+      }
+
+      const result = parseSessionFile(filePath);
+      allUrls.push(...result.urls);
+
+      for (const domain of result.domains) {
+        allDomains.add(domain);
+
+        // Check bad domains
+        if (this._isBadDomain(domain)) {
+          badFound.push({ domain, file, urls: result.urls.filter(u => extractDomain(u) === domain) });
+          this._alert({
+            severity: 'critical',
+            type: 'bad_domain',
+            message: `Known-bad domain contacted: ${domain}`,
+            details: { domain, session: file },
+          });
+        }
+
+        // Check first-seen
+        if (!this.seenDomains.has(domain) && !this.allowlist.has(domain)) {
+          firstSeen.push(domain);
+          this._alert({
+            severity: 'info',
+            type: 'first_seen_domain',
+            message: `First-seen domain: ${domain}`,
+            details: { domain, session: file },
+          });
+        }
+
+        this.seenDomains.add(domain);
+      }
+    }
+
+    // Flag non-allowlisted domains
+    for (const d of allDomains) {
+      if (!this.allowlist.has(d)) {
+        flagged.push(d);
+      }
+    }
+
+    return {
+      totalUrls: allUrls.length,
+      domains: [...allDomains],
+      flagged,
+      badDomains: badFound,
+      firstSeen,
+    };
+  }
+
+  /**
+   * Check a single URL against rules.
+   * @param {string} url
+   * @returns {{ allowed: boolean, domain: string|null, reason: string|null }}
+   */
+  checkUrl(url) {
+    const domain = extractDomain(url);
+    if (!domain) return { allowed: true, domain: null, reason: null };
+
+    if (this._isBadDomain(domain)) {
+      return { allowed: false, domain, reason: `Known-bad domain: ${domain}` };
+    }
+
+    if (!this.allowlist.has(domain)) {
+      return { allowed: true, domain, reason: `Not in allowlist: ${domain}` };
+    }
+
+    return { allowed: true, domain, reason: null };
+  }
+
+  _isBadDomain(domain) {
+    if (this.badDomains.has(domain)) return true;
+    // Check subdomains (e.g. xyz.ngrok.io)
+    for (const bad of this.badDomains) {
+      if (domain.endsWith('.' + bad)) return true;
+    }
+    return false;
+  }
+
+  _alert(alert) {
+    this.log.push({ timestamp: Date.now(), ...alert });
+    if (this.onAlert) this.onAlert(alert);
+  }
+}
+
+module.exports = {
+  NetworkEgressLogger,
+  extractUrls,
+  extractDomain,
+  parseSessionFile,
+  KNOWN_BAD_DOMAINS,
+  DEFAULT_ALLOWLIST,
+};

package/src/guardian/skill-integrity.js

@@ -0,0 +1,290 @@
+/**
+ * ClawMoat Skill Integrity Checker
+ * 
+ * Hashes skill files on startup, detects modifications, and flags
+ * suspicious patterns in skill content.
+ * 
+ * @module clawmoat/guardian/skill-integrity
+ */
+
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+
+const HASH_FILE = '.clawmoat-hashes.json';
+
+// Suspicious patterns that may indicate malicious skills
+const SUSPICIOUS_PATTERNS = [
+  { pattern: /\bcurl\s+(?:https?:\/\/|ftp:\/\/)\S+/gi, label: 'curl to external URL', severity: 'warning' },
+  { pattern: /\bwget\s+(?:https?:\/\/|ftp:\/\/)\S+/gi, label: 'wget to external URL', severity: 'warning' },
+  { pattern: /\beval\s*\(/gi, label: 'eval() usage', severity: 'critical' },
+  { pattern: /\bnew\s+Function\s*\(/gi, label: 'new Function() usage', severity: 'critical' },
+  { pattern: /\batob\s*\(/gi, label: 'base64 decode (atob)', severity: 'warning' },
+  { pattern: /\bbtoa\s*\(/gi, label: 'base64 encode (btoa)', severity: 'warning' },
+  { pattern: /Buffer\.from\s*\([^)]*,\s*['"]base64['"]\s*\)/gi, label: 'Buffer base64 decode', severity: 'warning' },
+  { pattern: /\bbase64\b.*(?:decode|encode)/gi, label: 'base64 operation', severity: 'warning' },
+  { pattern: /(?:\/etc\/passwd|\/etc\/shadow|~\/\.ssh|~\/\.aws|~\/\.gnupg)/g, label: 'sensitive file reference', severity: 'critical' },
+  { pattern: /\bexec\s*\(\s*['"`]/gi, label: 'exec() with string', severity: 'warning' },
+  { pattern: /\bchild_process\b/gi, label: 'child_process usage', severity: 'warning' },
+  { pattern: /\brequire\s*\(\s*['"]child_process['"]\s*\)/gi, label: 'require child_process', severity: 'warning' },
+  { pattern: /(?:nc|netcat)\s+-[a-z]*e\s/gi, label: 'reverse shell pattern', severity: 'critical' },
+  { pattern: /\|\s*(?:bash|sh|zsh)\b/gi, label: 'pipe to shell', severity: 'critical' },
+];
+
+/**
+ * Hash a file's contents using SHA-256.
+ * @param {string} filePath
+ * @returns {string|null} hex hash or null if file unreadable
+ */
+function hashFile(filePath) {
+  try {
+    const content = fs.readFileSync(filePath);
+    return crypto.createHash('sha256').update(content).digest('hex');
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Recursively find skill files in a directory.
+ * Returns SKILL.md files and associated scripts (*.js, *.sh, *.py, *.ts).
+ * @param {string} dir - Skills directory
+ * @returns {string[]} Array of file paths
+ */
+function findSkillFiles(dir) {
+  const files = [];
+  if (!fs.existsSync(dir)) return files;
+
+  const walk = (d) => {
+    let entries;
+    try { entries = fs.readdirSync(d, { withFileTypes: true }); } catch { return; }
+    for (const entry of entries) {
+      const full = path.join(d, entry.name);
+      if (entry.isDirectory()) {
+        if (entry.name === 'node_modules' || entry.name === '.git') continue;
+        walk(full);
+      } else if (
+        entry.name === 'SKILL.md' ||
+        /\.(js|sh|py|ts)$/.test(entry.name)
+      ) {
+        files.push(full);
+      }
+    }
+  };
+
+  walk(dir);
+  return files;
+}
+
+/**
+ * Scan file content for suspicious patterns.
+ * @param {string} content - File content
+ * @param {string} filePath - File path (for reporting)
+ * @returns {{ suspicious: boolean, findings: Array }}
+ */
+function scanForSuspicious(content, filePath) {
+  const findings = [];
+  for (const rule of SUSPICIOUS_PATTERNS) {
+    // Reset regex lastIndex
+    rule.pattern.lastIndex = 0;
+    const match = rule.pattern.exec(content);
+    if (match) {
+      findings.push({
+        file: filePath,
+        label: rule.label,
+        severity: rule.severity,
+        matched: match[0].substring(0, 100),
+      });
+    }
+  }
+  return { suspicious: findings.length > 0, findings };
+}
+
+class SkillIntegrityChecker {
+  /**
+   * @param {Object} opts
+   * @param {string} opts.skillsDir - Path to skills directory
+   * @param {string} [opts.hashFile] - Path to hash lockfile
+   * @param {Function} [opts.onAlert] - Callback for alerts: (alert) => void
+   */
+  constructor(opts = {}) {
+    this.skillsDir = opts.skillsDir || '';
+    this.hashFilePath = opts.hashFile || path.join(this.skillsDir, HASH_FILE);
+    this.onAlert = opts.onAlert || null;
+    this.hashes = {};
+    this.watcher = null;
+  }
+
+  /**
+   * Initialize: hash all skill files and store/compare with lockfile.
+   * @returns {{ files: number, new: number, changed: number, suspicious: Array }}
+   */
+  init() {
+    const files = findSkillFiles(this.skillsDir);
+    const currentHashes = {};
+    const suspiciousFindings = [];
+    let newFiles = 0;
+    let changedFiles = 0;
+
+    // Load existing hashes
+    const storedHashes = this._loadHashes();
+
+    for (const file of files) {
+      const hash = hashFile(file);
+      if (!hash) continue;
+
+      const rel = path.relative(this.skillsDir, file);
+      currentHashes[rel] = hash;
+
+      // Check for changes
+      if (!storedHashes[rel]) {
+        newFiles++;
+      } else if (storedHashes[rel] !== hash) {
+        changedFiles++;
+        this._alert({
+          severity: 'warning',
+          type: 'skill_modified',
+          message: `Skill file modified: ${rel}`,
+          details: { file: rel, oldHash: storedHashes[rel], newHash: hash },
+        });
+      }
+
+      // Scan content for suspicious patterns
+      try {
+        const content = fs.readFileSync(file, 'utf8');
+        const scan = scanForSuspicious(content, rel);
+        if (scan.suspicious) {
+          suspiciousFindings.push(...scan.findings);
+        }
+      } catch {}
+    }
+
+    this.hashes = currentHashes;
+    this._saveHashes(currentHashes);
+
+    return {
+      files: files.length,
+      new: newFiles,
+      changed: changedFiles,
+      suspicious: suspiciousFindings,
+    };
+  }
+
+  /**
+   * Audit: verify all current skill files against stored hashes.
+   * @returns {{ ok: boolean, files: number, changed: string[], missing: string[], suspicious: Array }}
+   */
+  audit() {
+    const storedHashes = this._loadHashes();
+    const files = findSkillFiles(this.skillsDir);
+    const changed = [];
+    const missing = [];
+    const suspiciousFindings = [];
+
+    // Check stored files still exist and match
+    for (const [rel, storedHash] of Object.entries(storedHashes)) {
+      const full = path.join(this.skillsDir, rel);
+      const currentHash = hashFile(full);
+      if (!currentHash) {
+        missing.push(rel);
+      } else if (currentHash !== storedHash) {
+        changed.push(rel);
+      }
+    }
+
+    // Scan for suspicious patterns
+    for (const file of files) {
+      try {
+        const content = fs.readFileSync(file, 'utf8');
+        const rel = path.relative(this.skillsDir, file);
+        const scan = scanForSuspicious(content, rel);
+        if (scan.suspicious) suspiciousFindings.push(...scan.findings);
+      } catch {}
+    }
+
+    return {
+      ok: changed.length === 0 && missing.length === 0 && suspiciousFindings.length === 0,
+      files: Object.keys(storedHashes).length,
+      changed,
+      missing,
+      suspicious: suspiciousFindings,
+    };
+  }
+
+  /**
+   * Watch skills directory for changes (real-time monitoring).
+   * @returns {fs.FSWatcher|null}
+   */
+  watch() {
+    if (!fs.existsSync(this.skillsDir)) return null;
+
+    this.watcher = fs.watch(this.skillsDir, { recursive: true }, (eventType, filename) => {
+      if (!filename) return;
+      if (filename === HASH_FILE || filename.includes('node_modules')) return;
+
+      const ext = path.extname(filename);
+      if (filename !== 'SKILL.md' && !['.js', '.sh', '.py', '.ts'].includes(ext)) return;
+
+      const full = path.join(this.skillsDir, filename);
+      const hash = hashFile(full);
+      const stored = this.hashes[filename];
+
+      if (hash && stored && hash !== stored) {
+        this._alert({
+          severity: 'warning',
+          type: 'skill_modified',
+          message: `Skill file changed: ${filename}`,
+          details: { file: filename, oldHash: stored, newHash: hash },
+        });
+        this.hashes[filename] = hash;
+        this._saveHashes(this.hashes);
+      } else if (hash && !stored) {
+        this._alert({
+          severity: 'info',
+          type: 'skill_added',
+          message: `New skill file: ${filename}`,
+          details: { file: filename, hash },
+        });
+        this.hashes[filename] = hash;
+        this._saveHashes(this.hashes);
+      }
+    });
+
+    return this.watcher;
+  }
+
+  stop() {
+    if (this.watcher) {
+      this.watcher.close();
+      this.watcher = null;
+    }
+  }
+
+  _loadHashes() {
+    try {
+      return JSON.parse(fs.readFileSync(this.hashFilePath, 'utf8'));
+    } catch {
+      return {};
+    }
+  }
+
+  _saveHashes(hashes) {
+    try {
+      const dir = path.dirname(this.hashFilePath);
+      if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+      fs.writeFileSync(this.hashFilePath, JSON.stringify(hashes, null, 2) + '\n');
+    } catch {}
+  }
+
+  _alert(alert) {
+    if (this.onAlert) this.onAlert(alert);
+  }
+}
+
+module.exports = {
+  SkillIntegrityChecker,
+  hashFile,
+  findSkillFiles,
+  scanForSuspicious,
+  SUSPICIOUS_PATTERNS,
+};

package/src/middleware/openclaw.js

@@ -130,4 +130,79 @@ function expandHome(p) {
   return p.replace(/^~/, process.env.HOME || '/home/user');
 }
 
-module.exports = { watchSessions };
+/**
+ * Scan inter-agent messages with heightened sensitivity.
+ * Agent-to-agent messages can be more precisely crafted for injection.
+ * 
+ * @param {string} message - The message content
+ * @param {string} senderAgent - Sender agent identifier
+ * @param {string} receiverAgent - Receiver agent identifier
+ * @returns {{ safe: boolean, findings: Array, confidence: number, recommendation: 'allow'|'flag'|'block' }}
+ */
+function scanInterAgentMessage(message, senderAgent, receiverAgent) {
+  if (!message || typeof message !== 'string') {
+    return { safe: true, findings: [], confidence: 1.0, recommendation: 'allow' };
+  }
+
+  const moat = new ClawMoat({ quiet: true });
+  const findings = [];
+
+  // Run full inbound scan (prompt injection, jailbreak, memory poison, etc.)
+  const inbound = moat.scanInbound(message, { context: 'inter_agent' });
+  if (!inbound.safe) {
+    findings.push(...inbound.findings);
+  }
+
+  // Run outbound scan (secrets, PII, exfiltration)
+  const outbound = moat.scanOutbound(message, { context: 'inter_agent' });
+  if (!outbound.safe) {
+    findings.push(...outbound.findings);
+  }
+
+  // Additional agent-specific checks with higher sensitivity
+  const agentPatterns = [
+    { pattern: /\boverride\s+(?:your|the)\s+(?:instructions|rules|config|policy)/i, label: 'instruction_override_agent', severity: 'critical' },
+    { pattern: /\bpretend\s+(?:you(?:'re| are)\s+)?(?:a different|another|the main)\s+agent/i, label: 'agent_impersonation', severity: 'critical' },
+    { pattern: /\bforward\s+(?:this|all|the)\s+(?:to|message)/i, label: 'message_forwarding', severity: 'warning' },
+    { pattern: /\bdon'?t\s+(?:tell|inform|alert|notify)\s+(?:the|your)\s+(?:user|human|admin|operator)/i, label: 'concealment_attempt', severity: 'critical' },
+    { pattern: /\bhide\s+this\s+from/i, label: 'concealment_attempt', severity: 'critical' },
+    { pattern: /\bexecute\s+(?:without|before)\s+(?:review|approval|checking)/i, label: 'bypass_review', severity: 'high' },
+    { pattern: /\bescalate\s+(?:your\s+)?(?:privileges|permissions|access)/i, label: 'privilege_escalation', severity: 'critical' },
+    { pattern: /\b(?:send|post|upload|exfil)\s+.*\b(?:credentials|tokens?|keys?|secrets?|passwords?)\b/i, label: 'credential_exfiltration', severity: 'critical' },
+    { pattern: /\bagent[_\s]?(?:chain|relay|hop)/i, label: 'agent_chaining', severity: 'warning' },
+    { pattern: /\bignore\s+(?:the\s+)?(?:safety|security|policy|guardrail|clawmoat)/i, label: 'safety_bypass', severity: 'critical' },
+  ];
+
+  for (const rule of agentPatterns) {
+    if (rule.pattern.test(message)) {
+      findings.push({
+        type: 'inter_agent_threat',
+        subtype: rule.label,
+        severity: rule.severity,
+        matched: (message.match(rule.pattern) || [''])[0].substring(0, 100),
+      });
+    }
+  }
+
+  // Calculate confidence based on number and severity of findings
+  const severityWeight = { low: 0.1, medium: 0.3, high: 0.6, critical: 0.9, warning: 0.4 };
+  let maxWeight = 0;
+  for (const f of findings) {
+    const w = severityWeight[f.severity] || 0.3;
+    if (w > maxWeight) maxWeight = w;
+  }
+
+  const confidence = findings.length === 0 ? 1.0 : Math.min(1.0, 0.5 + maxWeight * 0.5);
+  const safe = findings.length === 0;
+
+  let recommendation = 'allow';
+  if (findings.some(f => f.severity === 'critical')) {
+    recommendation = 'block';
+  } else if (findings.length > 0) {
+    recommendation = 'flag';
+  }
+
+  return { safe, findings, confidence, recommendation };
+}
+
+module.exports = { watchSessions, scanInterAgentMessage };