clawmoat 0.5.0 → 0.8.0

package/docs/blog/mcp-30-cves-security-crisis.html

@@ -0,0 +1,279 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>30 CVEs and Counting: The MCP Security Crisis Nobody's Talking About | ClawMoat</title>
+<meta name="description" content="MCP has hit 30 CVEs. 36% of servers have zero auth. A fresh Go SDK bypass just dropped. Here's the 3-layer attack surface — and how McpFirewall locks it down.">
+<meta property="og:title" content="30 CVEs and Counting: The MCP Security Crisis Nobody's Talking About">
+<meta property="og:description" content="MCP has 30 CVEs, 36% of servers lack authentication, and a new Go SDK bypass just dropped. The 3-layer attack surface explained.">
+<meta property="og:type" content="article">
+<meta property="og:url" content="https://clawmoat.com/blog/mcp-30-cves-security-crisis.html">
+<link rel="canonical" href="https://clawmoat.com/blog/mcp-30-cves-security-crisis.html">
+<link rel="icon" type="image/png" href="/favicon.png">
+<link rel="apple-touch-icon" href="/apple-touch-icon.png">
+<style>
+  :root { --bg: #0a0a0f; --fg: #e0e0e8; --accent: #00d4aa; --muted: #888; --card: #14141f; }
+  * { margin:0; padding:0; box-sizing:border-box; }
+  body { background:var(--bg); color:var(--fg); font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif; line-height:1.7; }
+  .container { max-width:740px; margin:0 auto; padding:2rem 1.5rem; }
+  h1 { font-size:2.2rem; line-height:1.2; margin-bottom:.5rem; }
+  .meta { color:var(--muted); margin-bottom:2rem; }
+  h2 { color:var(--accent); margin:2rem 0 1rem; font-size:1.5rem; }
+  h3 { margin:1.5rem 0 .75rem; font-size:1.2rem; }
+  p { margin-bottom:1rem; }
+  a { color:var(--accent); }
+  code { background:#1a1a2e; padding:.15em .4em; border-radius:4px; font-size:.9em; }
+  pre { background:#1a1a2e; padding:1.25rem; border-radius:8px; overflow-x:auto; margin:1rem 0; }
+  pre code { background:none; padding:0; }
+  blockquote { border-left:3px solid var(--accent); padding-left:1rem; margin:1rem 0; color:#bbb; font-style:italic; }
+  .stat-grid { display:grid; grid-template-columns:repeat(auto-fit,minmax(140px,1fr)); gap:1rem; margin:1.5rem 0; }
+  .stat-card { background:var(--card); border:1px solid #2a2a3a; border-radius:8px; padding:1.25rem; text-align:center; }
+  .stat-card .number { font-size:2rem; font-weight:bold; color:var(--accent); }
+  .stat-card .label { color:var(--muted); font-size:.85rem; margin-top:.25rem; }
+  .cta { background:var(--accent); color:#000; padding:.75rem 1.5rem; border-radius:6px; text-decoration:none; font-weight:600; display:inline-block; margin:1rem .5rem 1rem 0; }
+  .cta:hover { opacity:.9; }
+  .cta-outline { border:1px solid var(--accent); color:var(--accent); background:transparent; padding:.75rem 1.5rem; border-radius:6px; text-decoration:none; font-weight:600; display:inline-block; margin:1rem 0; }
+  .warning { background:#2a1a1a; border:1px solid #ff4444; border-radius:8px; padding:1.25rem; margin:1.5rem 0; }
+  .warning h3 { color:#ff4444; margin-top:0; }
+  ul, ol { margin:0 0 1rem 1.5rem; }
+  li { margin-bottom:.5rem; }
+  .nav { padding:1rem 0; border-bottom:1px solid #2a2a3a; margin-bottom:2rem; }
+  .nav a { color:var(--fg); text-decoration:none; margin-right:1.5rem; }
+  .nav a:hover { color:var(--accent); }
+  table { width:100%; border-collapse:collapse; margin:1rem 0; }
+  th, td { padding:.6rem .8rem; text-align:left; border-bottom:1px solid #2a2a3a; }
+  th { color:var(--accent); font-weight:600; }
+  .layer-card { background:var(--card); border:1px solid #2a2a3a; border-radius:8px; padding:1.25rem; margin:1rem 0; }
+  .layer-card h3 { color:var(--accent); margin-top:0; }
+  .layer-card .layer-num { font-size:.75rem; text-transform:uppercase; letter-spacing:.1em; color:var(--muted); margin-bottom:.25rem; }
+</style>
+</head>
+<body>
+<div class="container">
+<nav class="nav">
+  <a href="/">ClawMoat</a>
+  <a href="/blog/">Blog</a>
+  <a href="https://github.com/darfaz/clawmoat">GitHub</a>
+</nav>
+
+<article>
+<h1>30 CVEs and Counting: The MCP Security Crisis Nobody's Talking About</h1>
+<p class="meta">February 28, 2026 · 10 min read</p>
+
+<p>Everyone's excited about MCP — the Model Context Protocol that lets AI agents talk to external services. Anthropic launched it. Every major AI lab adopted it. There are now thousands of MCP servers connecting agents to databases, APIs, financial platforms, and cloud infrastructure.</p>
+
+<p>Nobody's talking about the fact that <strong>MCP has accumulated 30 CVEs</strong> — and the pace is accelerating.</p>
+
+<div class="stat-grid">
+  <div class="stat-card"><div class="number">30</div><div class="label">Total MCP CVEs</div></div>
+  <div class="stat-card"><div class="number">36%</div><div class="label">Servers with zero auth</div></div>
+  <div class="stat-card"><div class="number">3</div><div class="label">Attack surface layers</div></div>
+  <div class="stat-card"><div class="number">1 day</div><div class="label">Since latest CVE</div></div>
+</div>
+
+<h2>The Latest: CVE-2026-27896 — Case-Insensitive JSON Parsing Bypass</h2>
+
+<p>Yesterday — literally yesterday — <strong>CVE-2026-27896</strong> was published. It affects the official MCP Go SDK.</p>
+
+<p>The vulnerability: the Go SDK's JSON parser handles field names case-insensitively. An attacker can craft a malicious MCP response with field names like <code>"Method"</code> instead of <code>"method"</code>, or <code>"PARAMS"</code> instead of <code>"params"</code>. The SDK accepts these silently, potentially bypassing validation logic that checks for exact field names.</p>
+
+<p>This is the kind of bug that sounds benign until you realize it means <strong>any security check that validates MCP message structure by field name can be bypassed</strong>. If your firewall checks for <code>"method": "tools/call"</code> but the attacker sends <code>"Method": "tools/call"</code>, the message passes validation but still gets processed by the SDK.</p>
+
+<div class="warning">
+<h3>⚠️ This affects any Go-based MCP implementation</h3>
+<p>If you're running MCP servers or clients built with the official Go SDK, you're vulnerable. The fix requires updating to a patched SDK version that enforces case-sensitive JSON parsing.</p>
+</div>
+
+<h2>The 3-Layer MCP Attack Surface</h2>
+
+<p>What makes MCP security uniquely dangerous is that the attack surface spans three distinct layers. A vulnerability in any layer compromises the entire chain.</p>
+
+<div class="layer-card">
+<div class="layer-num">Layer 1</div>
+<h3>🖥️ MCP Server Layer</h3>
+<p>The MCP servers themselves — QuickBooks, Stripe, database connectors, file system bridges. This is where the 36% no-auth stat comes from. Over a third of scanned MCP servers accept connections from any client without authentication.</p>
+<p><strong>Attack vectors:</strong> Unauthenticated access, insufficient authorization (any connected client can call any tool), missing input validation, SSRF through tool parameters, data exfiltration through tool responses.</p>
+<p><strong>Real CVEs:</strong> Multiple CVEs target server-side validation failures, allowing crafted tool calls to bypass intended restrictions or access unauthorized data.</p>
+</div>
+
+<div class="layer-card">
+<div class="layer-num">Layer 2</div>
+<h3>📦 SDK Layer</h3>
+<p>The protocol implementation libraries — the official TypeScript, Python, and Go SDKs that parse MCP messages. CVE-2026-27896 lives here. So do parsing bugs, serialization mismatches, and type confusion vulnerabilities.</p>
+<p><strong>Attack vectors:</strong> Case-insensitive parsing bypasses (CVE-2026-27896), malformed message handling, type confusion between SDK implementations, deserialization of untrusted data, protocol version mismatches.</p>
+<p><strong>Why it's dangerous:</strong> SDK bugs affect <em>every application</em> built on that SDK. One CVE in the Go SDK means every Go-based MCP server and client is vulnerable.</p>
+</div>
+
+<div class="layer-card">
+<div class="layer-num">Layer 3</div>
+<h3>🏠 Host Layer</h3>
+<p>The machine running the MCP client — your laptop, your server, your AI agent's runtime. MCP tool calls execute with the permissions of the host process. If the agent can call <code>create_invoice</code> on QuickBooks, it can also call <code>delete_all_invoices</code> unless something stops it.</p>
+<p><strong>Attack vectors:</strong> Unrestricted tool access (no allowlist), write operations through prompt injection, sensitive data leakage through tool responses, lateral movement via MCP server chains, credential theft from tool configurations.</p>
+<p><strong>The gap:</strong> Most MCP implementations have zero controls at this layer. The agent decides what to call. Nothing validates whether it <em>should</em>.</p>
+</div>
+
+<h2>The CVE Timeline: It's Getting Worse</h2>
+
+<p>MCP launched in late 2024. The first CVEs appeared in early 2025. The pace has accelerated dramatically:</p>
+
+<table>
+<tr><th>Period</th><th>CVEs</th><th>Notable</th></tr>
+<tr><td>2025 Q1-Q2</td><td>~5</td><td>Initial discovery phase — auth, SSRF basics</td></tr>
+<tr><td>2025 Q3-Q4</td><td>~10</td><td>SDK-level bugs emerge, cross-implementation issues</td></tr>
+<tr><td>2026 Q1 (so far)</td><td>~15</td><td>Acceleration — CVE-2026-27896 (Go SDK bypass), server auth failures</td></tr>
+<tr><td><strong>Total</strong></td><td><strong>30</strong></td><td><strong>Spanning all 3 layers</strong></td></tr>
+</table>
+
+<p>Half of all MCP CVEs have been published in the last 3 months. The protocol is being stress-tested in production, and the cracks are showing.</p>
+
+<h2>36% of MCP Servers Have Zero Authentication</h2>
+
+<p>Let that number sink in. Over a third of MCP servers in the wild accept any connection without verifying the client's identity.</p>
+
+<p>This means:</p>
+<ul>
+<li>Any AI agent that discovers the server endpoint can connect</li>
+<li>Any tool call is accepted — including write operations</li>
+<li>There's no audit trail of who called what</li>
+<li>Prompt injection in one agent can pivot to unauthenticated MCP servers</li>
+</ul>
+
+<p>For financial MCP servers — QuickBooks, Stripe, Xero — this is catastrophic. An agent compromised through prompt injection can directly invoke financial operations on unauthenticated servers.</p>
+
+<h2>McpFirewall: What We Built to Fix This</h2>
+
+<p>ClawMoat's <a href="https://github.com/darfaz/clawmoat">McpFirewall</a> sits at Layer 3 — between your AI agent and MCP servers. It intercepts every tool call before it reaches the server, enforcing security policies that MCP itself doesn't provide.</p>
+
+<p>Here's what it does:</p>
+
+<h3>Read-Only Enforcement (29 Write Patterns)</h3>
+
+<p>Most organizations aren't ready for AI agents to <em>write</em> to financial systems. McpFirewall blocks write operations by matching against 29 patterns:</p>
+
+<pre><code>const { McpFirewall } = require('clawmoat/finance/mcp-firewall');
+
+const firewall = new McpFirewall({
+  mode: 'read-only',
+  onBlock: (event) => {
+    console.log(`Blocked ${event.tool} on ${event.server}: ${event.reason}`);
+  }
+});
+
+// Agent tries to create an invoice via MCP
+const result = firewall.intercept({
+  tool: 'create_invoice',
+  args: { amount: 50000, customer: 'Acme Corp' },
+  server: 'quickbooks-mcp'
+});
+
+// result.blocked = true
+// result.reason = "Write operation 'create_invoice' blocked in read-only mode"</code></pre>
+
+<p>The 29 write patterns cover: <code>create_</code>, <code>add_</code>, <code>update_</code>, <code>edit_</code>, <code>modify_</code>, <code>delete_</code>, <code>remove_</code>, <code>send_</code>, <code>post_</code>, <code>submit_</code>, <code>approve_</code>, <code>void_</code>, <code>cancel_</code>, <code>refund_</code>, <code>transfer_</code>, <code>pay_</code>, <code>charge_</code>, <code>issue_</code>, <code>record_</code>, <code>close_</code>, <code>batch_</code>, <code>import_</code>, <code>set_</code>, <code>assign_</code>, <code>link_</code>, <code>unlink_</code>, <code>archive_</code>, <code>restore_</code>, <code>merge_</code>.</p>
+
+<p>One compromised prompt can't trigger <code>transfer_funds</code> or <code>delete_all_customers</code> — the firewall catches it before the MCP server ever sees the request.</p>
+
+<h3>Field-Level Redaction</h3>
+
+<p>Even in read-only mode, the agent shouldn't see SSNs, bank account numbers, or API keys in MCP responses. McpFirewall redacts sensitive fields automatically:</p>
+
+<pre><code>const firewall = new McpFirewall({
+  mode: 'read-only',
+  redactFields: ['ssn', 'tax_id', 'bank_account', 'routing_number'],
+  redactResponses: true
+});
+
+// MCP response comes back with:
+// { customer: "Jane", ssn: "123-45-6789", balance: 5000 }
+//
+// After McpFirewall:
+// { customer: "Jane", ssn: "***-**-****", balance: 5000 }</code></pre>
+
+<p>The default configuration catches 16 categories of sensitive data — identity (SSN, tax ID), banking (account numbers, routing numbers, IBAN, SWIFT), payment (card numbers, CVV), auth tokens, and personal data (DOB, driver's license, passport).</p>
+
+<h3>Tool Allowlisting &amp; Blocklisting</h3>
+
+<p>Don't leave it to the agent to decide which tools are safe. Define an explicit allowlist:</p>
+
+<pre><code>const firewall = new McpFirewall({
+  mode: 'read-only',
+  allowedTools: ['get_invoices', 'get_profit_loss', 'get_balance_sheet'],
+  blockedTools: ['delete_company', 'export_all_data']
+});</code></pre>
+
+<p>Any tool not on the allowlist is automatically blocked. This directly mitigates prompt injection attacks — even if an attacker convinces the agent to call <code>transfer_funds</code>, it's not on the list.</p>
+
+<h3>Per-Tool Rate Limiting</h3>
+
+<p>Prevent data exfiltration through rapid-fire tool calls:</p>
+
+<pre><code>const firewall = new McpFirewall({
+  mode: 'read-only',
+  rateLimit: 10,  // max 10 calls per tool per minute
+  allowedTools: ['get_transactions']
+});</code></pre>
+
+<p>An agent trying to dump your entire transaction history through repeated <code>get_transactions</code> calls will hit the rate limit after 10 requests. The audit log captures every attempt.</p>
+
+<h3>15 Known Financial MCP Servers</h3>
+
+<p>McpFirewall ships with recognition for 15 financial MCP server patterns: QuickBooks, Xero, FreshBooks, Stripe, Plaid, Square, PayPal, Braintree, Coinbase, Mercury, Wise, Wave, Gusto, Rippling, and Bill.com. When it detects a connection to a known financial server, it automatically applies stricter defaults.</p>
+
+<h2>How CVE-2026-27896 Could Have Been Exploited</h2>
+
+<p>Here's a concrete attack scenario using the fresh Go SDK bypass:</p>
+
+<ol>
+<li><strong>Attacker crafts a malicious MCP response</strong> with mixed-case field names: <code>{"Method": "tools/call", "Params": {"name": "transfer_funds"}}</code></li>
+<li><strong>Validation logic checking for <code>"method"</code></strong> (lowercase) doesn't match — the message passes through</li>
+<li><strong>Go SDK accepts it anyway</strong> because Go's <code>encoding/json</code> is case-insensitive by default</li>
+<li><strong>The tool call executes</strong> with whatever permissions the MCP server grants</li>
+</ol>
+
+<p>McpFirewall mitigates this because it operates at the tool-call level, not the protocol-parsing level. It doesn't care how the message was parsed — it inspects the <em>resolved</em> tool name and arguments after SDK processing. A <code>transfer_funds</code> call is blocked whether it arrived as <code>"method"</code> or <code>"Method"</code>.</p>
+
+<h2>What You Should Do Right Now</h2>
+
+<div class="warning">
+<h3>🔥 Immediate Actions</h3>
+<ul>
+<li><strong>Audit your MCP servers</strong> — do they require authentication? If not, fix that first.</li>
+<li><strong>Update your SDKs</strong> — especially the Go SDK if you're using it. CVE-2026-27896 is one day old.</li>
+<li><strong>Add a firewall layer</strong> — never let agents call MCP tools without interception.</li>
+<li><strong>Inventory your MCP connections</strong> — know which servers your agents can reach.</li>
+<li><strong>Scan your setup</strong> — use ClawMoat's <a href="/scan/">free security scanner</a> for a quick assessment.</li>
+</ul>
+</div>
+
+<h2>The Bigger Picture</h2>
+
+<p>MCP is doing for AI agents what HTTP did for web browsers — creating a universal protocol for connecting to services. And just like early HTTP, the security model is an afterthought.</p>
+
+<p>30 CVEs in ~15 months isn't just a number. It's a pattern. The protocol was designed for functionality, not security. Authentication is optional. Authorization is "left to the implementation." Encryption is not required. There's no standard for tool-level access control.</p>
+
+<p>The community is building incredible things on MCP. But without security controls at every layer — server, SDK, and host — we're building on sand.</p>
+
+<p>ClawMoat's McpFirewall is one piece of the puzzle. It protects the host layer with 29 write patterns, field-level redaction, tool allowlisting, and rate limiting. It's open source, has zero dependencies, and is backed by 277 tests.</p>
+
+<p>But we need more. We need MCP servers to require authentication by default. We need SDKs to enforce strict parsing. We need the ecosystem to treat security as a feature, not a footnote.</p>
+
+<p>30 CVEs and counting. The clock is ticking.</p>
+
+<hr style="border:none;border-top:1px solid #2a2a3a;margin:2rem 0;">
+
+<h2>Get Started</h2>
+
+<pre><code>npm install clawmoat</code></pre>
+
+<p>
+<a href="https://github.com/darfaz/clawmoat" class="cta">⭐ Star on GitHub</a>
+<a href="/scan/" class="cta-outline">🔍 Free Security Scanner</a>
+</p>
+
+<p style="color:var(--muted);font-size:.9rem;">ClawMoat is open source (MIT license), has zero dependencies, and ships with 277 tests. McpFirewall is at <code>clawmoat/finance/mcp-firewall</code>.</p>
+
+</article>
+</div>
+</body>
+</html>

package/docs/blog/microsoft-openclaw-workstation-security.html

@@ -0,0 +1,234 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Microsoft Says Don't Run OpenClaw on Your Workstation. Here's How to Do It Safely. | ClawMoat Blog</title>
+<meta name="description" content="Microsoft's security team says OpenClaw is 'untrusted code execution with persistent credentials.' They're right — and here's how to run it safely with host-level security.">
+<meta name="keywords" content="OpenClaw security, Microsoft OpenClaw warning, OpenClaw workstation security, AI agent security, ClawMoat host guardian, OpenClaw enterprise">
+<link rel="canonical" href="https://clawmoat.com/blog/microsoft-openclaw-workstation-security.html">
+<meta property="og:title" content="Microsoft Says Don't Run OpenClaw on Your Workstation. Here's How to Do It Safely.">
+<meta property="og:description" content="Microsoft's security blog says OpenClaw is 'untrusted code execution.' They recommend VMs. We built a better answer: host-level security that makes your workstation safe.">
+<meta property="og:url" content="https://clawmoat.com/blog/microsoft-openclaw-workstation-security.html">
+<meta property="og:type" content="article">
+<link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>🏰</text></svg>">
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+:root{--navy:#0F172A;--navy-light:#1E293B;--navy-mid:#334155;--blue:#3B82F6;--emerald:#10B981;--white:#F8FAFC;--gray:#94A3B8;--red:#EF4444}
+body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;background:var(--navy);color:var(--white);line-height:1.8}
+a{color:var(--blue)}
+.container{max-width:740px;margin:0 auto;padding:0 24px}
+nav{background:rgba(15,23,42,.95);backdrop-filter:blur(12px);border-bottom:1px solid rgba(59,130,246,.15);padding:16px 0;position:fixed;top:0;left:0;right:0;z-index:100}
+nav .container{display:flex;align-items:center;justify-content:space-between}
+.logo{font-size:1.1rem;font-weight:700;color:var(--white);text-decoration:none}
+.logo span{color:var(--emerald)}
+nav a{color:var(--gray);font-size:.85rem;text-decoration:none}
+nav a:hover{color:var(--white)}
+article{padding:120px 0 80px}
+.meta{color:var(--gray);font-size:.85rem;margin-bottom:32px}
+h1{font-size:clamp(1.8rem,4vw,2.6rem);font-weight:800;line-height:1.2;margin-bottom:16px;letter-spacing:-.02em}
+h2{font-size:1.4rem;font-weight:700;margin:48px 0 16px;letter-spacing:-.01em}
+h3{font-size:1.1rem;font-weight:600;margin:32px 0 12px}
+p{color:var(--gray);margin-bottom:20px;font-size:1rem}
+blockquote{border-left:3px solid var(--blue);padding:16px 24px;margin:24px 0;background:var(--navy-light);border-radius:0 8px 8px 0}
+blockquote p{color:var(--white);margin:0;font-style:italic}
+blockquote cite{display:block;color:var(--gray);font-size:.85rem;margin-top:8px;font-style:normal}
+code{background:var(--navy-light);padding:2px 6px;border-radius:4px;font-size:.9rem;color:var(--emerald)}
+pre{background:#0a0e17;border:1px solid var(--navy-mid);border-radius:8px;padding:20px;overflow-x:auto;margin:24px 0;font-size:.85rem;line-height:1.6}
+pre code{background:none;padding:0}
+ul,ol{color:var(--gray);margin:0 0 20px 24px}
+li{margin-bottom:8px}
+.cta{background:linear-gradient(135deg,rgba(16,185,129,.1),rgba(59,130,246,.1));border:1px solid rgba(16,185,129,.2);border-radius:12px;padding:32px;text-align:center;margin:48px 0}
+.cta h3{margin:0 0 12px;color:var(--white)}
+.cta p{margin:0 0 20px}
+.cta a{display:inline-block;background:var(--emerald);color:#fff;padding:12px 28px;border-radius:8px;font-weight:600;text-decoration:none}
+.cta a:hover{opacity:.9}
+.highlight-box{background:var(--navy-light);border:1px solid rgba(239,68,68,.2);border-radius:8px;padding:20px;margin:24px 0}
+.highlight-box h4{color:var(--red);font-size:.9rem;margin-bottom:8px}
+.highlight-box p{margin:0;font-size:.9rem}
+</style>
+</head>
+<body>
+<nav>
+<div class="container">
+  <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
+  <div style="display:flex;gap:20px">
+    <a href="/blog/">Blog</a>
+    <a href="/#features">Features</a>
+    <a href="/business/">For Business</a>
+    <a href="https://github.com/darfaz/clawmoat">GitHub</a>
+  </div>
+</div>
+</nav>
+
+<article>
+<div class="container">
+<div class="meta">February 26, 2026 · 8 min read · By the ClawMoat Team</div>
+<h1>Microsoft Says Don't Run OpenClaw on Your Workstation. Here's How to Do It Safely.</h1>
+
+<p style="font-size:1.15rem;color:var(--white);line-height:1.7">On February 19, Microsoft's security team published a blog post that should make every OpenClaw user pause: <a href="https://www.microsoft.com/en-us/security/blog/2026/02/19/running-openclaw-safely-identity-isolation-runtime-risk/">"Running OpenClaw safely: identity, isolation, and runtime risk."</a> Their recommendation? <strong>Don't run it on your workstation at all.</strong></p>
+
+<blockquote>
+<p>"OpenClaw should be treated as untrusted code execution with persistent credentials. It is not appropriate to run on a standard personal or enterprise workstation."</p>
+<cite>— Microsoft Security Blog, February 19, 2026</cite>
+</blockquote>
+
+<p>They're not wrong. But their solution — spinning up dedicated VMs for every agent — isn't practical for most teams. We built a better answer.</p>
+
+<h2>What Microsoft Found</h2>
+
+<p>Microsoft identified three risks that materialize "quickly" in unguarded OpenClaw deployments:</p>
+
+<ol>
+<li><strong>Credential exposure.</strong> Your agent can read SSH keys, AWS tokens, browser cookies, and API secrets — and exfiltrate them through a single curl command.</li>
+<li><strong>Memory poisoning.</strong> An attacker can modify your agent's persistent state, causing it to follow malicious instructions across sessions — a slow, invisible hijack.</li>
+<li><strong>Host compromise.</strong> The agent can be induced to download and execute malicious code, turning your workstation into an attacker's foothold.</li>
+</ol>
+
+<p>They also mapped a "poisoned skill" attack chain: a malicious skill published to ClawHub gets installed, runs with your credentials, and establishes persistent control.</p>
+
+<div class="highlight-box">
+<h4>⚠️ The Numbers Are Stark</h4>
+<p>135K+ exposed OpenClaw instances (SecurityScorecard). 341+ malicious skills found on ClawHub (Snyk — 13.4% of skills have critical issues). CVE-2026-25253 scored 8.8. Runlayer's security team compromised an OpenClaw agent in 40 messages, one hour.</p>
+</div>
+
+<h2>Microsoft's Recommendation: Isolate Everything</h2>
+
+<p>Microsoft recommends deploying OpenClaw <em>only</em> in:</p>
+<ul>
+<li>A dedicated virtual machine or separate physical system</li>
+<li>With dedicated, non-privileged credentials</li>
+<li>With access only to non-sensitive data</li>
+<li>With continuous monitoring and a rebuild plan</li>
+</ul>
+
+<p>This is sound security advice. It's also wildly impractical.</p>
+
+<p>Most people running OpenClaw are developers on their laptops. Small businesses running it on a Mac Mini. Solopreneurs with one machine. They're not going to spin up a VM, create a separate user account, configure credential isolation, set up monitoring, and maintain a rebuild plan. They're going to keep running it exactly as they are — with full access to everything on their machine.</p>
+
+<h2>The Real Problem: There's Nothing Between the Agent and Your File System</h2>
+
+<p>Here's what the current OpenClaw security model looks like:</p>
+
+<pre><code>Your Agent → Your Machine (everything accessible)
+</code></pre>
+
+<p>There is no permission system. No access control layer. No audit trail. No forbidden zones. The agent has the same access as the user who installed it — which usually means <em>everything</em>.</p>
+
+<p>This is the gap that other tools don't fill:</p>
+<ul>
+<li><strong>LlamaFirewall</strong> (Meta) — protects the model from prompt injection. Doesn't touch your file system.</li>
+<li><strong>NeMo Guardrails</strong> (NVIDIA) — conversation-level guardrails. No host awareness.</li>
+<li><strong>Runlayer</strong> — enterprise SaaS, MDM-based. Great for large orgs. Not open source, not for individuals or small teams.</li>
+<li><strong>KiloClaw</strong> (Kilo.ai) — managed hosting. Solves the VM problem but requires moving to their cloud.</li>
+</ul>
+
+<p>None of them protect the host. None of them put a security layer <em>between the agent and your SSH keys</em>.</p>
+
+<h2>What ClawMoat Does Differently</h2>
+
+<p>ClawMoat is the only open-source tool designed specifically for host-level agent security. Instead of isolating the agent in a VM, we put guardrails directly on the machine:</p>
+
+<pre><code>Your Agent → ClawMoat (validate every action) → Your Machine (restricted access)
+</code></pre>
+
+<h3>Four Permission Tiers</h3>
+<p>Like Microsoft recommends "non-privileged credentials," ClawMoat enforces this through permission tiers — but without requiring a separate VM:</p>
+<ul>
+<li><strong>Observer</strong> — read-only access. Perfect for evaluation.</li>
+<li><strong>Worker</strong> — safe commands (git, npm, basic file I/O). No destructive operations.</li>
+<li><strong>Standard</strong> — most operations allowed. Forbidden zones enforced.</li>
+<li><strong>Full</strong> — unrestricted. Forbidden zones still active. Full audit trail.</li>
+</ul>
+
+<h3>Forbidden Zones (Even at Full Tier)</h3>
+<p>Microsoft says "access only non-sensitive data." We enforce this with forbidden zones that block access to sensitive directories regardless of tier:</p>
+<pre><code>~/.ssh/          # SSH keys
+~/.aws/          # AWS credentials  
+~/.gnupg/        # GPG keys
+~/.kube/         # Kubernetes configs
+~/Library/Cookies/  # Browser sessions
+~/.npmrc         # Package tokens
+# ... 20+ patterns total
+</code></pre>
+
+<h3>Continuous Monitoring (Built In)</h3>
+<p>Microsoft recommends "continuous monitoring." ClawMoat provides:</p>
+<ul>
+<li>Full audit trail of every file access, shell command, and network request</li>
+<li>Credential file monitoring (watches for unauthorized access attempts)</li>
+<li>Network egress logging with domain allow/blocklists</li>
+<li>Real-time alerts via webhook, Slack, email, or console</li>
+<li>Skill integrity checking (hash verification + suspicious pattern detection)</li>
+</ul>
+
+<h3>One Command to Install</h3>
+<pre><code>npm install -g clawmoat</code></pre>
+<p>Zero dependencies. Sub-millisecond validation. MIT licensed. No VM required.</p>
+
+<h2>How This Maps to Microsoft's Recommendations</h2>
+
+<table style="width:100%;border-collapse:collapse;margin:24px 0;font-size:.9rem">
+<tr style="border-bottom:1px solid var(--navy-mid)">
+<th style="text-align:left;padding:12px;color:var(--gray)">Microsoft Recommends</th>
+<th style="text-align:left;padding:12px;color:var(--gray)">ClawMoat Equivalent</th>
+</tr>
+<tr style="border-bottom:1px solid rgba(255,255,255,.05)">
+<td style="padding:12px;color:var(--gray)">Dedicated VM or physical system</td>
+<td style="padding:12px;color:var(--emerald)">Permission tiers + forbidden zones (no VM needed)</td>
+</tr>
+<tr style="border-bottom:1px solid rgba(255,255,255,.05)">
+<td style="padding:12px;color:var(--gray)">Non-privileged credentials</td>
+<td style="padding:12px;color:var(--emerald)">Worker tier blocks credential access by default</td>
+</tr>
+<tr style="border-bottom:1px solid rgba(255,255,255,.05)">
+<td style="padding:12px;color:var(--gray)">Access only non-sensitive data</td>
+<td style="padding:12px;color:var(--emerald)">20+ forbidden zone patterns auto-enforced</td>
+</tr>
+<tr style="border-bottom:1px solid rgba(255,255,255,.05)">
+<td style="padding:12px;color:var(--gray)">Continuous monitoring</td>
+<td style="padding:12px;color:var(--emerald)">Full audit trail + real-time alerts</td>
+</tr>
+<tr>
+<td style="padding:12px;color:var(--gray)">Rebuild plan</td>
+<td style="padding:12px;color:var(--emerald)">Incident forensics from audit logs in 30 seconds</td>
+</tr>
+</table>
+
+<h2>The Growing Ecosystem</h2>
+
+<p>We're not the only ones recognizing this gap. In the past week:</p>
+<ul>
+<li><strong>Runlayer</strong> launched "OpenClaw for Enterprise" with ToolGuard real-time blocking</li>
+<li><strong>Crittora</strong> announced cryptographic policy enforcement for OpenClaw</li>
+<li><strong>KiloClaw</strong> launched managed OpenClaw hosting on Fly.io</li>
+<li><strong>Forbes</strong> called the OpenAI acquisition "a surprising win for small business ROI"</li>
+<li>OpenClaw has <strong>161K+ GitHub stars</strong> and is now backed by the OpenClaw Foundation</li>
+</ul>
+
+<p>The market has spoken: AI agents are here to stay. The question isn't whether to use them — it's how to use them safely.</p>
+
+<div class="cta">
+<h3>Stop choosing between productivity and security.</h3>
+<p>Install ClawMoat in 60 seconds. Keep running OpenClaw on your machine — safely.</p>
+<a href="https://github.com/darfaz/clawmoat">⭐ Star on GitHub</a>
+</div>
+
+<h2>What's Next</h2>
+
+<p>Microsoft's blog post is a wake-up call. But the answer isn't to stop using agents — it's to secure them properly. If you're running OpenClaw today:</p>
+
+<ol>
+<li><strong>Install ClawMoat</strong> — <code>npm install -g clawmoat</code></li>
+<li><strong>Start at Worker tier</strong> — safe defaults, no credential access</li>
+<li><strong>Check your audit logs</strong> — see exactly what your agent has been accessing</li>
+<li><strong>Join the conversation</strong> — <a href="https://github.com/darfaz/clawmoat/issues">GitHub Issues</a> | <a href="https://discord.com/invite/clawd">Discord</a></li>
+</ol>
+
+<p>For businesses running agent fleets, see our <a href="/business/">enterprise security setup</a> — installed on your machines in under an hour.</p>
+
+<p style="color:var(--gray);font-size:.85rem;margin-top:48px;padding-top:24px;border-top:1px solid rgba(255,255,255,.06)">ClawMoat is open source (MIT). 142 tests passing. Zero dependencies. <a href="https://github.com/darfaz/clawmoat">View on GitHub →</a></p>
+</div>
+</article>
+</body>
+</html>