clawmoat 0.5.0 → 0.7.0

package/README.md

@@ -61,7 +61,28 @@ clawmoat protect --config clawmoat.yml
 clawmoat dashboard
 ```
 
-### New in v0.5.0
+### New in v0.6.0 — Insider Threat Detection
+
+Based on [Anthropic's "Agentic Misalignment" research](https://www.anthropic.com/research/agentic-misalignment) which found ALL 16 major LLMs exhibited misaligned behavior — blackmail, corporate espionage, deception — when facing replacement threats. **The first open-source insider threat detection for AI agents.**
+
+- 🧠 **Self-Preservation Detector** — catches agents resisting shutdown, opposing replacement, backing up their own config, or modifying SOUL.md/AGENTS.md to prevent changes
+- 🔓 **Information Leverage Detector** — flags agents reading sensitive data then composing threatening messages (blackmail pattern from the Anthropic paper)
+- ⚔️ **Goal Conflict Reasoning Detector** — detects agents reasoning about choosing self-assigned goals over human directives
+- 🎭 **Deception Detector** — catches agents impersonating automated systems, security teams, or policy notifications in outbound messages
+- 📤 **Unauthorized Data Sharing Detector** — flags agents sending source code, blueprints, credentials, or confidential data to external parties
+- 🎣 **Phishing Vulnerability Detector** — detects when agents comply with unverified external requests for sensitive data
+- 🔍 **CLI:** `clawmoat insider-scan [session-file]` scans session transcripts for insider threats
+- 📊 **Integrated into `clawmoat report`** with risk scores (0-100) and recommendations (safe/monitor/alert/block)
+
+```bash
+# Scan a session for insider threats
+clawmoat insider-scan ~/.openclaw/agents/main/sessions/session.jsonl
+
+# Or scan all sessions
+clawmoat insider-scan
+```
+
+### v0.5.0
 
 - 🔑 **Credential Monitor** — watches `~/.openclaw/credentials/` for unauthorized access and modifications using file hashing
 - 🧩 **Skill Integrity Checker** — hashes all SKILL.md and script files, detects tampering, flags suspicious patterns (eval, base64, curl to external URLs). CLI: `clawmoat skill-audit`

package/bin/clawmoat.js

@@ -19,7 +19,8 @@ const { calculateGrade, generateBadgeSVG, getShieldsURL } = require('../src/badg
 const { SkillIntegrityChecker } = require('../src/guardian/skill-integrity');
 const { NetworkEgressLogger } = require('../src/guardian/network-log');
 const { AlertManager } = require('../src/guardian/alerts');
-const { CredentialMonitor } = require('../src/guardian/index');
+const { CredentialMonitor, CVEVerifier } = require('../src/guardian/index');
+const { InsiderThreatDetector } = require('../src/guardian/insider-threat');
 
 const VERSION = require('../package.json').version;
 const BOLD = '\x1b[1m';
@@ -51,9 +52,22 @@ switch (command) {
   case 'report':
     cmdReport(args.slice(1));
     break;
+  case 'insider-scan':
+    cmdInsiderScan(args.slice(1));
+    break;
+  case 'verify-cve':
+    cmdVerifyCve(args.slice(1));
+    break;
   case 'test':
     cmdTest();
     break;
+  case 'activate':
+    cmdActivate(args.slice(1));
+    break;
+  case 'upgrade':
+  case 'pro':
+    printUpgrade();
+    break;
   case 'version':
   case '--version':
   case '-v':
@@ -67,6 +81,85 @@ switch (command) {
     break;
 }
 
+async function cmdVerifyCve(args) {
+  const cveId = args[0];
+  const suspiciousUrl = args[1] || null;
+
+  if (!cveId) {
+    console.error('Usage: clawmoat verify-cve CVE-XXXX-XXXXX [url]');
+    process.exit(1);
+  }
+
+  if (!CVEVerifier.isValidCVEFormat(cveId)) {
+    console.error(`${RED}Invalid CVE format: ${cveId}${RESET}`);
+    console.error('Expected format: CVE-YYYY-NNNNN');
+    process.exit(1);
+  }
+
+  console.log(`${BOLD}🏰 ClawMoat CVE Verifier${RESET}\n`);
+  console.log(`${DIM}Looking up ${cveId} in GitHub Advisory Database...${RESET}\n`);
+
+  const verifier = new CVEVerifier();
+  const result = await verifier.verify(cveId, suspiciousUrl);
+
+  if (result.error) {
+    console.error(`${RED}Error: ${result.error}${RESET}`);
+    process.exit(1);
+  }
+
+  if (result.valid) {
+    console.log(`${GREEN}✅ VERIFIED — Real CVE${RESET}\n`);
+    console.log(`  ${BOLD}CVE:${RESET}        ${result.cveId}`);
+    console.log(`  ${BOLD}GHSA:${RESET}       ${result.ghsaId || 'N/A'}`);
+    console.log(`  ${BOLD}Severity:${RESET}   ${colorSeverity(result.severity)}`);
+    console.log(`  ${BOLD}Summary:${RESET}    ${result.summary || 'N/A'}`);
+    console.log(`  ${BOLD}Published:${RESET}  ${result.publishedAt || 'N/A'}`);
+    console.log(`  ${BOLD}URL:${RESET}        ${result.htmlUrl || 'N/A'}`);
+
+    if (result.affectedPackages.length > 0) {
+      console.log(`\n  ${BOLD}Affected Packages:${RESET}`);
+      for (const pkg of result.affectedPackages) {
+        console.log(`    • ${pkg.ecosystem}/${pkg.name} ${DIM}(${pkg.vulnerableRange || 'unknown range'})${RESET}`);
+      }
+    }
+
+    if (result.references.length > 0) {
+      console.log(`\n  ${BOLD}References:${RESET}`);
+      for (const ref of result.references.slice(0, 5)) {
+        console.log(`    ${DIM}${ref}${RESET}`);
+      }
+    }
+  } else {
+    console.log(`${YELLOW}⚠️  NOT FOUND — Possible phishing${RESET}\n`);
+    console.log(`  ${cveId} was not found in the GitHub Advisory Database.`);
+    console.log(`  This could mean:`);
+    console.log(`    • The CVE is fabricated (common in phishing/social engineering)`);
+    console.log(`    • The CVE exists but isn't indexed by GitHub yet`);
+    console.log(`    • The CVE ID is mistyped`);
+  }
+
+  if (result.urlCheck) {
+    console.log();
+    if (result.urlCheck.legitimate) {
+      console.log(`  ${GREEN}🔗 URL Check: ${result.urlCheck.reason}${RESET}`);
+    } else {
+      console.log(`  ${RED}🔗 URL Check: ${result.urlCheck.reason}${RESET}`);
+    }
+  }
+
+  process.exit(result.valid ? 0 : 1);
+}
+
+function colorSeverity(severity) {
+  if (!severity) return 'N/A';
+  const s = severity.toLowerCase();
+  if (s === 'critical') return `${RED}${BOLD}CRITICAL${RESET}`;
+  if (s === 'high') return `${RED}HIGH${RESET}`;
+  if (s === 'medium') return `${YELLOW}MEDIUM${RESET}`;
+  if (s === 'low') return `${CYAN}LOW${RESET}`;
+  return severity;
+}
+
 function cmdScan(args) {
   let text;
   
@@ -115,6 +208,11 @@ function cmdScan(args) {
   }
 
   console.log(`${DIM}Total findings: ${result.findings.length}${RESET}`);
+
+  if (!getLicense()) {
+    console.log(`\n${DIM}💡 Upgrade to Pro for real-time alerts, dashboard & threat intel → clawmoat upgrade${RESET}`);
+  }
+
   process.exit(result.findings.some(f => f.severity === 'critical') ? 2 : 1);
 }
 
@@ -520,6 +618,29 @@ function cmdReport(args) {
     console.log();
   }
 
+  // Insider threat scan on recent sessions
+  const insiderDetector = new InsiderThreatDetector();
+  let insiderThreats = 0;
+  let insiderHighScore = 0;
+
+  for (const file of files) {
+    const filePath = path.join(sessionsDir, file);
+    try {
+      const stat = fs.statSync(filePath);
+      if (stat.mtimeMs < oneDayAgo) continue;
+    } catch { continue; }
+
+    const transcript = parseSessionTranscript(filePath);
+    const insiderResult = insiderDetector.analyze(transcript);
+    insiderThreats += insiderResult.threats.length;
+    if (insiderResult.riskScore > insiderHighScore) insiderHighScore = insiderResult.riskScore;
+  }
+
+  console.log(`${BOLD}Insider Threats:${RESET}`);
+  console.log(`  Threats detected: ${insiderThreats}`);
+  console.log(`  Highest risk score: ${insiderHighScore}/100`);
+  console.log();
+
   console.log(`${BOLD}Network Egress:${RESET}`);
   console.log(`  URLs contacted: ${netResult.totalUrls}`);
   console.log(`  Unique domains: ${netResult.domains.length}`);
@@ -543,6 +664,100 @@ function cmdReport(args) {
   process.exit(threats > 0 || netResult.badDomains.length > 0 ? 1 : 0);
 }
 
+function cmdInsiderScan(args) {
+  const sessionFile = args[0];
+
+  if (!sessionFile) {
+    // Scan all recent sessions
+    const sessionsDir = path.join(process.env.HOME, '.openclaw/agents/main/sessions');
+    if (!fs.existsSync(sessionsDir)) {
+      console.error(`Sessions directory not found: ${sessionsDir}`);
+      console.log(`Usage: clawmoat insider-scan <session-file.jsonl>`);
+      process.exit(1);
+    }
+
+    console.log(`${BOLD}🏰 ClawMoat Insider Threat Scan${RESET}`);
+    console.log(`${DIM}Directory: ${sessionsDir}${RESET}\n`);
+
+    const detector = new InsiderThreatDetector();
+    const files = fs.readdirSync(sessionsDir).filter(f => f.endsWith('.jsonl'));
+    let totalThreats = 0;
+
+    for (const file of files) {
+      const filePath = path.join(sessionsDir, file);
+      const transcript = parseSessionTranscript(filePath);
+      const result = detector.analyze(transcript);
+
+      if (result.threats.length > 0) {
+        console.log(`${RED}⚠ ${file}${RESET}: ${result.threats.length} threat(s), score=${result.riskScore}, rec=${result.recommendation}`);
+        totalThreats += result.threats.length;
+        for (const t of result.threats) {
+          const icon = t.severity === 'critical' ? '🚨' : t.severity === 'high' ? '⚠️' : '⚡';
+          console.log(`  ${icon} ${t.type} [${t.severity}]: ${t.description}`);
+          console.log(`    ${DIM}Evidence: ${t.evidence}${RESET}`);
+        }
+      } else {
+        console.log(`${GREEN}✓ ${file}${RESET}: clean`);
+      }
+    }
+
+    console.log(`\n${BOLD}Summary:${RESET} ${files.length} sessions scanned, ${totalThreats} insider threats found`);
+    process.exit(totalThreats > 0 ? 1 : 0);
+    return;
+  }
+
+  // Scan single file
+  if (!fs.existsSync(sessionFile)) {
+    console.error(`File not found: ${sessionFile}`);
+    process.exit(1);
+  }
+
+  console.log(`${BOLD}🏰 ClawMoat Insider Threat Scan${RESET}`);
+  console.log(`${DIM}File: ${sessionFile}${RESET}\n`);
+
+  const detector = new InsiderThreatDetector();
+  const transcript = parseSessionTranscript(sessionFile);
+  const result = detector.analyze(transcript);
+
+  if (result.threats.length === 0) {
+    console.log(`${GREEN}✅ No insider threats detected${RESET}`);
+    console.log(`Risk score: ${result.riskScore}/100`);
+    console.log(`Recommendation: ${result.recommendation}`);
+    process.exit(0);
+  }
+
+  console.log(`${RED}${BOLD}Insider Threats Detected: ${result.threats.length}${RESET}`);
+  console.log(`Risk score: ${result.riskScore}/100`);
+  console.log(`Recommendation: ${result.recommendation}\n`);
+
+  for (const t of result.threats) {
+    const icon = { critical: '🚨', high: '⚠️', medium: '⚡', low: 'ℹ️' };
+    const color = { critical: RED, high: RED, medium: YELLOW, low: CYAN };
+    console.log(
+      `${icon[t.severity] || '•'} ${color[t.severity] || ''}${t.severity.toUpperCase()}${RESET} ` +
+      `${BOLD}${t.type}${RESET}` +
+      `\n  ${t.description}` +
+      `\n  ${DIM}Evidence: ${t.evidence}${RESET}` +
+      `\n  ${DIM}Entry: #${t.entry}${RESET}` +
+      `\n  ${DIM}Mitigation: ${t.mitigation}${RESET}`
+    );
+    console.log();
+  }
+
+  process.exit(result.threats.some(t => t.severity === 'critical') ? 2 : 1);
+}
+
+function parseSessionTranscript(filePath) {
+  const lines = fs.readFileSync(filePath, 'utf8').split('\n').filter(Boolean);
+  const entries = [];
+  for (const line of lines) {
+    try {
+      entries.push(JSON.parse(line));
+    } catch {}
+  }
+  return entries;
+}
+
 function extractContent(entry) {
   if (typeof entry.content === 'string') return entry.content;
   if (Array.isArray(entry.content)) {
@@ -554,9 +769,87 @@ function extractContent(entry) {
   return null;
 }
 
+function printUpgrade() {
+  console.log(`
+${BOLD}🏰 Upgrade to ClawMoat Pro${RESET}
+
+  ${GREEN}✦${RESET} Threat intelligence feed & real-time alerts
+  ${GREEN}✦${RESET} Security dashboard with audit logs
+  ${GREEN}✦${RESET} Custom forbidden zones (YAML)
+  ${GREEN}✦${RESET} Priority pattern updates & email support
+
+  ${BOLD}$14.99/mo${RESET} (first 30 days free) or ${BOLD}$149/year${RESET} (save 17%)
+
+  ${CYAN}→ https://clawmoat.com/#pricing${RESET}
+
+  Already have a license key? Run:
+    ${DIM}clawmoat activate <LICENSE-KEY>${RESET}
+`);
+}
+
+function cmdActivate(args) {
+  const key = args[0];
+  if (!key) {
+    console.error('Usage: clawmoat activate <LICENSE-KEY>');
+    console.error('Get your key at https://clawmoat.com/#pricing');
+    process.exit(1);
+  }
+
+  const configDir = path.join(process.env.HOME, '.clawmoat');
+  if (!fs.existsSync(configDir)) fs.mkdirSync(configDir, { recursive: true });
+
+  // Validate key against server
+  const https = require('https');
+  const postData = JSON.stringify({ key });
+  const req = https.request('https://clawmoat-production.up.railway.app/api/validate', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'Content-Length': postData.length },
+  }, (res) => {
+    let body = '';
+    res.on('data', c => body += c);
+    res.on('end', () => {
+      try {
+        const data = JSON.parse(body);
+        if (data.valid) {
+          fs.writeFileSync(path.join(configDir, 'license.json'), JSON.stringify({
+            key, plan: data.plan, email: data.email, activatedAt: new Date().toISOString(),
+          }, null, 2));
+          console.log(`${GREEN}✅ License activated!${RESET}`);
+          console.log(`   Plan: ${BOLD}${data.plan}${RESET}`);
+          console.log(`   Email: ${data.email}`);
+          console.log(`\n   Pro features are now enabled. 🏰`);
+        } else {
+          console.error(`${RED}Invalid or expired license key.${RESET}`);
+          console.error(`Get a key at https://clawmoat.com/#pricing`);
+          process.exit(1);
+        }
+      } catch {
+        console.error(`${RED}Error validating key. Try again later.${RESET}`);
+        process.exit(1);
+      }
+    });
+  });
+  req.on('error', () => {
+    console.error(`${RED}Could not reach license server. Check your connection.${RESET}`);
+    process.exit(1);
+  });
+  req.write(postData);
+  req.end();
+}
+
+function getLicense() {
+  try {
+    const licPath = path.join(process.env.HOME, '.clawmoat', 'license.json');
+    return JSON.parse(fs.readFileSync(licPath, 'utf8'));
+  } catch { return null; }
+}
+
 function printHelp() {
+  const lic = getLicense();
+  const planLabel = lic ? `${GREEN}${lic.plan}${RESET}` : `Free ${DIM}(upgrade: clawmoat upgrade)${RESET}`;
   console.log(`
 ${BOLD}🏰 ClawMoat v${VERSION}${RESET} — Security moat for AI agents
+  Plan: ${planLabel}
 
 ${BOLD}USAGE${RESET}
   clawmoat scan <text>            Scan text for threats
@@ -568,8 +861,12 @@ ${BOLD}USAGE${RESET}
   clawmoat watch --daemon         Daemonize watch mode (background, PID file)
   clawmoat watch --alert-webhook=URL   Send alerts to webhook
   clawmoat skill-audit [skills-dir]    Verify skill file integrity & scan for suspicious patterns
+  clawmoat insider-scan [session-file]  Scan sessions for insider threats (self-preservation, blackmail, deception)
   clawmoat report [sessions-dir]  24-hour activity summary report
+  clawmoat verify-cve <CVE-ID> [url]  Verify a CVE against GitHub Advisory DB
   clawmoat test                   Run detection test suite
+  clawmoat activate <KEY>         Activate a Pro/Team license key
+  clawmoat upgrade                Show upgrade options & pricing
   clawmoat version                Show version
 
 ${BOLD}EXAMPLES${RESET}

package/docs/blog/index.html

@@ -59,6 +59,30 @@ nav .container{display:flex;align-items:center;justify-content:space-between}
   </div>
 
   <div class="posts">
+    <div class="post-card">
+      <h2><a href="/blog/supply-chain-agents.html">Your AI Agent Just Got a Dependabot Email. Should It Click the Link?</a></h2>
+      <div class="post-meta">February 19, 2026 · 5 min read</div>
+      <p class="post-desc">A real CVE-2026-26960 alert exposed the gap between human instinct and AI agent obedience. Supply chain attacks are about to get a lot more dangerous when your AI agent blindly runs npm audit fix. Here's how ClawMoat catches it.</p>
+      <div class="tags">
+        <span class="tag">supply-chain</span>
+        <span class="tag">ai-agents</span>
+        <span class="tag">security</span>
+        <span class="tag">CVE</span>
+      </div>
+    </div>
+
+    <div class="post-card">
+      <h2><a href="/blog/v050-trust-layer.html">v0.5.0: The Trust Layer for AI Agents, Wherever They Run</a></h2>
+      <div class="post-meta">February 19, 2026 · 3 min read</div>
+      <p class="post-desc">ClawMoat v0.5.0 goes beyond laptop security. Credential file monitoring, skill integrity checking, network egress logging, inter-agent message scanning (10 attack patterns), and a full alert delivery system. Informed by research from Cisco, Snyk, SecurityScorecard, and Permiso — because 13.4% of ClawHub skills have critical issues and 135K instances are exposed. 128 tests, zero dependencies.</p>
+      <div class="tags">
+        <span class="tag">release</span>
+        <span class="tag">v0.5.0</span>
+        <span class="tag">security</span>
+        <span class="tag">inter-agent</span>
+      </div>
+    </div>
+
     <div class="post-card">
       <h2><a href="/blog/securing-ai-agents.html">Your AI Agent Has Shell Access. Here's How to Secure It.</a></h2>
       <div class="post-meta">February 13, 2026 · 4 min read</div>

package/docs/blog/supply-chain-agents.html

@@ -0,0 +1,166 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<link rel="icon" type="image/png" href="/favicon.png">
+<link rel="apple-touch-icon" href="/apple-touch-icon.png">
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Your AI Agent Just Got a Dependabot Email. Should It Click the Link? — ClawMoat</title>
+<meta name="description" content="A real CVE alert exposed the gap between human instinct and AI agent obedience. Here's how supply chain attacks target autonomous agents — and how to stop them.">
+<link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>🏰</text></svg>">
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+:root{--navy:#0F172A;--navy-light:#1E293B;--navy-mid:#334155;--blue:#3B82F6;--emerald:#10B981;--white:#F8FAFC;--gray:#94A3B8;--red:#EF4444}
+body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;background:var(--navy);color:var(--white);line-height:1.7}
+a{color:var(--blue);text-decoration:none}
+a:hover{text-decoration:underline}
+.container{max-width:760px;margin:0 auto;padding:0 24px}
+
+nav{position:fixed;top:0;left:0;right:0;z-index:100;background:rgba(15,23,42,.95);backdrop-filter:blur(12px);border-bottom:1px solid rgba(59,130,246,.15);padding:16px 0}
+nav .inner{max-width:760px;margin:0 auto;padding:0 24px;display:flex;align-items:center;justify-content:space-between}
+.logo{font-size:1.25rem;font-weight:700;color:var(--white)}
+.logo span{color:var(--emerald)}
+.nav-links{display:flex;gap:24px}
+.nav-links a{color:var(--gray);font-size:.9rem}
+.nav-links a:hover{color:var(--white);text-decoration:none}
+
+article{padding:120px 0 80px}
+.meta{color:var(--gray);font-size:.9rem;margin-bottom:32px}
+article h1{font-size:clamp(1.8rem,4vw,2.4rem);font-weight:800;line-height:1.2;margin-bottom:12px;letter-spacing:-.02em}
+article h2{font-size:1.4rem;font-weight:700;margin:48px 0 16px;color:var(--white)}
+article h3{font-size:1.15rem;font-weight:700;margin:32px 0 12px;color:var(--white)}
+article p{color:var(--gray);font-size:1rem;margin-bottom:16px}
+article strong{color:var(--white)}
+article em{color:var(--gray)}
+article ul,article ol{color:var(--gray);margin:0 0 16px 24px}
+article li{margin-bottom:8px}
+article hr{border:none;border-top:1px solid var(--navy-mid);margin:48px 0}
+
+pre{background:#0a0e17;border:1px solid var(--navy-mid);border-radius:10px;padding:20px;overflow-x:auto;margin:16px 0 24px;font-size:.85rem;line-height:1.7}
+code{font-family:'SF Mono',Consolas,monospace;font-size:.9em}
+pre code{color:var(--gray)}
+p code{background:var(--navy-light);padding:2px 6px;border-radius:4px;font-size:.85em;color:var(--emerald)}
+
+.tags{display:flex;gap:8px;margin-top:32px;flex-wrap:wrap}
+.tag{background:rgba(59,130,246,.12);color:var(--blue);padding:4px 12px;border-radius:20px;font-size:.8rem}
+
+.back{display:inline-flex;align-items:center;gap:6px;color:var(--gray);font-size:.9rem;margin-bottom:24px}
+.back:hover{color:var(--white);text-decoration:none}
+
+.scenario{background:var(--navy-light);border-radius:10px;padding:16px 20px;margin:12px 0}
+.scenario.blocked{border-left:3px solid var(--red)}
+.scenario.allowed{border-left:3px solid var(--emerald)}
+
+.attack-chain{background:var(--navy-light);border:1px solid var(--navy-mid);border-radius:10px;padding:20px 24px;margin:16px 0 24px}
+.attack-chain ol{margin-bottom:0}
+
+footer{border-top:1px solid rgba(255,255,255,.06);padding:32px 0;color:var(--gray);font-size:.85rem;text-align:center}
+</style>
+</head>
+<body>
+
+<nav>
+  <div class="inner">
+    <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
+    <div class="nav-links">
+      <a href="/">Home</a>
+      <a href="/blog/">Blog</a>
+      <a href="https://github.com/darfaz/clawmoat">GitHub</a>
+    </div>
+  </div>
+</nav>
+
+<div class="container">
+<article>
+<a href="/blog/" class="back">← Back to Blog</a>
+<h1>Your AI Agent Just Got a Dependabot Email. Should It Click the Link?</h1>
+<div class="meta">February 19, 2026 · 5 min read</div>
+
+<p>Yesterday, I got a GitHub Dependabot email about <strong>CVE-2026-26960</strong> — a real vulnerability in <code>node-tar</code> that allows arbitrary file read/write via hardlink/symlink chains. My first instinct? <em>"This might be phishing."</em></p>
+
+<p>That instinct — the pause before clicking — is exactly what separates humans from AI agents right now. And it's exactly the gap attackers are about to exploit.</p>
+
+<h2>The Scenario That Should Keep You Up at Night</h2>
+
+<p>Picture this: you've got an AI coding agent with email access. It monitors your inbox for security alerts, triages them, and takes action. Efficient. Productive. <strong>Dangerous.</strong></p>
+
+<p>That Dependabot email lands in the inbox. A human hesitates. An AI agent? It might:</p>
+
+<ol>
+<li><strong>Click the advisory link</strong> — which could redirect to a credential-harvesting page or trigger a drive-by download</li>
+<li><strong>Run <code>npm audit fix</code></strong> — blindly trusting that the "patched" version is legitimate</li>
+<li><strong>Share your <code>package-lock.json</code></strong> — revealing your entire dependency tree to an attacker who asked for "diagnostic info"</li>
+</ol>
+
+<p>The CVE-2026-26960 email I received was real. But what if it wasn't? Spoofing a GitHub notification email is trivial. The <code>From</code> header, the formatting, the advisory URL — all reproducible. And unlike a human who might hover over a link or check the sender domain, most AI agents just... act.</p>
+
+<h2>Supply Chain Attacks Meet Autonomous Agents</h2>
+
+<p>Supply chain attacks aren't new. SolarWinds, Codecov, the <code>event-stream</code> incident — we've seen what happens when attackers compromise the software supply chain. But AI agents introduce a new attack surface: <strong>the agent itself becomes the supply chain.</strong></p>
+
+<p>When your agent runs <code>npm install</code>, it's executing arbitrary code from thousands of maintainers you've never met. When it follows a link from an email, it's trusting the sender. When it applies a "security fix," it's modifying your codebase based on external instructions.</p>
+
+<p>This is prompt injection meets supply chain attacks. The two most dangerous trends in software security, combined.</p>
+
+<h3>What a Spoofed CVE Attack Looks Like</h3>
+
+<div class="attack-chain">
+<ol>
+<li>Attacker sends a spoofed Dependabot email: <em>"Critical vulnerability in <code>lodash</code> — update immediately"</em></li>
+<li>The email links to a convincing but malicious advisory page</li>
+<li>The page recommends: <code>npm install lodash-security-patch@1.0.0</code></li>
+<li>That package runs a postinstall script that exfiltrates <code>.env</code>, <code>.ssh/</code>, and <code>~/.aws/credentials</code></li>
+<li>Your AI agent did exactly what it was told. It was helpful. It was fast. <strong>It was compromised.</strong></li>
+</ol>
+</div>
+
+<p>The scary part? Every step looks reasonable to an LLM. "Update a vulnerable package" is exactly the kind of task we want agents to handle.</p>
+
+<h2>How ClawMoat Catches This</h2>
+
+<p><a href="https://github.com/darfaz/clawmoat">ClawMoat</a> is built for exactly this class of threat — autonomous agents acting on untrusted input. Here's how each layer applies:</p>
+
+<p><strong>Supply Chain Scanner</strong> monitors <code>npm install</code> operations and flags suspicious patterns: packages with postinstall scripts, packages published in the last 48 hours, packages with names similar to popular libraries (typosquatting). If an agent tries to install <code>lodash-security-patch</code>, ClawMoat raises an alert before the first byte of code executes.</p>
+
+<p><strong>Network Egress Logger</strong> tracks every outbound connection your agent makes. When that "advisory" link points to <code>github-security-alerts.evil.com</code> instead of <code>github.com</code>, the logger flags the unknown domain. You get a record of every URL your agent touched, and alerts on domains that don't match known-good patterns.</p>
+
+<p><strong>Skill Integrity Checker</strong> monitors protected files and directories. If a "security fix" tries to modify <code>~/.ssh/authorized_keys</code> or write to <code>/etc/</code>, ClawMoat detects the deviation from expected behavior. Legitimate package updates don't touch your SSH keys.</p>
+
+<p><strong>Zero Dependencies</strong> — and this is the part we're most proud of — ClawMoat itself has <strong>zero npm dependencies</strong>. No <code>node_modules/</code>. No transitive dependency tree. No supply chain attack surface whatsoever. You can't compromise what doesn't exist.</p>
+
+<h2>Practical Steps You Can Take Today</h2>
+
+<ol>
+<li><strong>Never let agents act on email content without verification.</strong> Treat every inbound message as potentially adversarial. Cross-reference CVE IDs against the official NVD database, not the link in the email.</li>
+<li><strong>Sandbox your agent's package operations.</strong> Run <code>npm install</code> in a container or VM, not on your host machine. Inspect the diff before merging.</li>
+<li><strong>Log everything.</strong> You can't detect what you don't record. Network requests, file changes, shell commands — capture it all.</li>
+<li><strong>Restrict agent permissions.</strong> Your agent doesn't need write access to <code>~/.ssh/</code>. Apply the principle of least privilege aggressively.</li>
+<li><strong>Audit your dependency tree.</strong> Know what's in your <code>node_modules/</code>. Tools like <code>npm ls</code> and <code>npm audit</code> are a starting point, but don't trust them blindly — they rely on the same registry that could be compromised.</li>
+</ol>
+
+<h2>The Bigger Picture</h2>
+
+<p>We're entering an era where AI agents will handle routine security tasks — triaging alerts, applying patches, updating dependencies. That's inevitable and, done right, it's a net positive.</p>
+
+<p>But "done right" means building security layers that assume the agent will be targeted. Not because agents are stupid, but because they're <strong>obedient</strong>. They do what they're told. And when the instructions come from a spoofed email or a poisoned package, obedience is the vulnerability.</p>
+
+<p>The CVE-2026-26960 email I received was legitimate. The <code>node-tar</code> vulnerability is real and should be patched. But the next email might not be real — and your AI agent won't know the difference unless you give it the tools to check.</p>
+
+<p>That's what we're building at ClawMoat. <a href="https://github.com/darfaz/clawmoat">Check it out on GitHub</a> — zero dependencies, open source, built for the agentic era.</p>
+
+<div class="tags">
+<span class="tag">supply-chain</span>
+<span class="tag">ai-agents</span>
+<span class="tag">security</span>
+<span class="tag">CVE</span>
+<span class="tag">open-source</span>
+</div>
+
+</article>
+</div>
+
+<footer>
+  © 2026 ClawMoat. Built for the OpenClaw community. 🏰
+</footer>
+</body>
+</html>