clawmoat 0.5.0 → 0.8.0

package/docs/blog/ollama-openclaw-security.html

@@ -0,0 +1,154 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Ollama Just Made OpenClaw One-Click. Here's How to Secure It. | ClawMoat</title>
+<meta name="description" content="Ollama 0.17 ships native OpenClaw integration. Great for adoption — terrifying for security. Here's what you need to know.">
+<meta property="og:title" content="Ollama Just Made OpenClaw One-Click. Here's How to Secure It.">
+<meta property="og:description" content="Ollama 0.17 ships native OpenClaw integration with web search. More installs = more exposed hosts. Here's how to lock it down.">
+<link rel="canonical" href="https://clawmoat.com/blog/ollama-openclaw-security.html">
+<style>
+:root{--bg:#0a0a0f;--fg:#e0e0e8;--accent:#00d4aa;--muted:#888;--card:#14141f;--red:#ff4444}
+*{margin:0;padding:0;box-sizing:border-box}
+body{background:var(--bg);color:var(--fg);font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;line-height:1.8}
+.container{max-width:750px;margin:0 auto;padding:2rem 1.5rem}
+nav{padding:1rem 0;border-bottom:1px solid #2a2a3a;margin-bottom:2rem}
+nav a{color:var(--fg);text-decoration:none;margin-right:1.5rem}
+nav a:hover{color:var(--accent)}
+h1{font-size:2.2rem;line-height:1.2;margin-bottom:1rem}
+h2{color:var(--accent);margin:2rem 0 1rem;font-size:1.5rem}
+h3{margin:1.5rem 0 .75rem}
+p{margin-bottom:1rem}
+a{color:var(--accent)}
+pre{background:#1a1a2e;padding:1.25rem;border-radius:8px;overflow-x:auto;margin:1rem 0}
+code{background:#1a1a2e;padding:.15em .4em;border-radius:4px;font-size:.9em}
+pre code{background:none;padding:0}
+.meta{color:var(--muted);margin-bottom:2rem}
+.alert{background:#2a1a1a;border-left:4px solid var(--red);padding:1rem 1.25rem;margin:1.5rem 0;border-radius:0 8px 8px 0}
+.tip{background:#1a2a1a;border-left:4px solid var(--accent);padding:1rem 1.25rem;margin:1.5rem 0;border-radius:0 8px 8px 0}
+ul,ol{margin:1rem 0 1rem 1.5rem}
+li{margin-bottom:.5rem}
+blockquote{border-left:3px solid var(--muted);padding-left:1rem;color:var(--muted);margin:1rem 0}
+.cta{background:var(--accent);color:#000;padding:.75rem 1.5rem;border-radius:6px;text-decoration:none;font-weight:700;display:inline-block;margin:1rem .5rem 1rem 0}
+</style>
+</head>
+<body>
+<div class="container">
+<nav>
+<a href="/" style="font-weight:bold">ClawMoat</a>
+<a href="/blog/">Blog</a>
+<a href="/finance/">Finance</a>
+<a href="https://github.com/darfaz/clawmoat">GitHub</a>
+</nav>
+
+<h1>Ollama Just Made OpenClaw One-Click. Here's How to Secure It.</h1>
+<p class="meta">February 27, 2026 · 5 min read</p>
+
+<p>Ollama 0.17 just shipped <strong>native OpenClaw integration</strong> with web search out of the box. Two commands and you have a personal AI agent running on your machine with local models.</p>
+
+<p>This is great for adoption. It's terrifying for security.</p>
+
+<h2>What Ollama 0.17 Does</h2>
+
+<p>Ollama's latest release lets you set up OpenClaw to work with open models (Llama, Mistral, DeepSeek, etc.) and web search. No cloud API keys needed. Fully local inference.</p>
+
+<pre><code>ollama launch openclaw</code></pre>
+
+<p>That's it. One command. You now have an AI agent that can:</p>
+<ul>
+<li>Send emails on your behalf</li>
+<li>Manage your calendar</li>
+<li>Read and write files on your machine</li>
+<li>Execute shell commands</li>
+<li>Search the web</li>
+<li>Connect to WhatsApp, Telegram, iMessage</li>
+</ul>
+
+<p>All running with <strong>your user permissions</strong>. On <strong>your actual machine</strong>.</p>
+
+<h2>Why This Is a Security Problem</h2>
+
+<div class="alert">
+<strong>⚠️ The Ollama + OpenClaw combo inherits every OpenClaw vulnerability.</strong> Local models don't fix host-level security.
+</div>
+
+<p>Running local models solves one problem (data doesn't leave your machine) but creates a false sense of security. Here's what's still exposed:</p>
+
+<h3>1. Your Entire Filesystem</h3>
+<p>The agent runs as your user. It can read <code>~/.ssh</code>, <code>~/.aws</code>, browser cookies, crypto wallets, tax documents — everything you can access.</p>
+
+<h3>2. The WebSocket Hijack (CVE-2026-25253)</h3>
+<p>OpenClaw's gateway listens on localhost WebSocket. <a href="/blog/oasis-websocket-hijack.html">Oasis Security proved</a> any website can brute-force the port and take full control of your agent. Local models don't change this — the gateway architecture is the same.</p>
+
+<h3>3. Prompt Injection via Web Search</h3>
+<p>Ollama 0.17 adds web search. That means the agent fetches content from the internet and processes it. A malicious webpage can embed prompt injection payloads that hijack the agent's behavior. Now your "local" agent is executing attacker instructions.</p>
+
+<h3>4. Skill Supply Chain</h3>
+<p>OpenClaw skills are npm packages or GitHub repos. <a href="/blog/40000-exposed-openclaw-instances.html">341+ malicious skills</a> have been documented. A compromised skill runs with full access to your system.</p>
+
+<h3>5. No Permission Boundaries</h3>
+<p>OpenClaw has no concept of "this agent can read files but not execute commands" or "this agent can access the calendar but not SSH keys." It's all-or-nothing.</p>
+
+<h2>The One-Click Problem</h2>
+
+<p>When something is easy to install, people don't think about security. Ollama's user base is developers and tinkerers who want to run AI locally — they're not enterprise security teams. They'll run <code>ollama launch openclaw</code>, connect it to WhatsApp, and forget about it.</p>
+
+<blockquote>Microsoft: "OpenClaw should be treated as untrusted code execution with persistent credentials. It is not appropriate to run on a standard personal or enterprise workstation."</blockquote>
+
+<p>Now Ollama is making it trivial to do exactly what Microsoft says not to do.</p>
+
+<h2>How to Secure Your Ollama + OpenClaw Setup</h2>
+
+<div class="tip">
+<strong>✅ ClawMoat adds the security layer that Ollama + OpenClaw are missing.</strong>
+</div>
+
+<pre><code>npm install -g clawmoat</code></pre>
+
+<h3>1. Set Up Permission Tiers</h3>
+<pre><code>const { HostGuardian } = require('clawmoat');
+const guardian = new HostGuardian({
+  mode: 'standard',  // observer → worker → standard → full
+  workspace: '~/openclaw-workspace',
+  forbiddenZones: ['~/.ssh', '~/.aws', '~/.gnupg'],
+});</code></pre>
+
+<h3>2. Monitor Network Egress</h3>
+<pre><code>const { NetworkEgressLogger } = require('clawmoat');
+const logger = new NetworkEgressLogger();
+// Blocks requests to cloud metadata, private IPs, known-bad domains
+// Alerts on unusual outbound connections</code></pre>
+
+<h3>3. Scan Skills Before Installing</h3>
+<pre><code># Audit all installed skills for suspicious patterns
+npx clawmoat skill-audit ~/.openclaw/skills/</code></pre>
+
+<h3>4. Detect WebSocket Hijack Attempts</h3>
+<pre><code>const { GatewayMonitor } = require('clawmoat');
+const monitor = new GatewayMonitor();
+// Detects brute-force port scanning, suspicious WS origins,
+// unauthorized device pairing attempts</code></pre>
+
+<h3>5. Protect Financial Data</h3>
+<pre><code>const { FinanceGuard } = require('clawmoat');
+const guard = new FinanceGuard();
+// Blocks access to crypto wallets, banking files, tax documents
+// Redacts financial secrets in agent output</code></pre>
+
+<h2>The Bottom Line</h2>
+
+<p>Ollama 0.17 is going to put OpenClaw on thousands of new machines. Most of those machines won't have any security layer between the agent and the host.</p>
+
+<p><strong>If you're going to run OpenClaw — with Ollama or otherwise — run it with a security moat.</strong></p>
+
+<p>
+<a href="https://github.com/darfaz/clawmoat" class="cta">⭐ Star on GitHub</a>
+<a href="/#pricing" class="cta" style="background:#1a1a2e;color:var(--accent);border:2px solid var(--accent)">Get Started Free</a>
+</p>
+
+<p style="color:var(--muted);margin-top:2rem;font-size:.9rem">ClawMoat is open-source (MIT), zero dependencies, 277 tests passing. Works with any OpenClaw deployment — cloud, local, or Ollama.</p>
+
+</div>
+</body>
+</html>

package/docs/blog/openclaw-enterprise-readiness-claw10.html

@@ -0,0 +1,198 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>OpenClaw Scores 1.2/5 for Enterprise Readiness. Here's How to Fix 4 of the 10 Gaps. | ClawMoat Blog</title>
+<meta name="description" content="Onyx AI's CLAW-10 framework scored OpenClaw 1.2 out of 5 for enterprise readiness. ClawMoat directly addresses 4 of the 10 gaps: authorization, audit logging, privilege model, and supply chain security.">
+<meta name="keywords" content="OpenClaw enterprise readiness, CLAW-10 framework, AI agent enterprise security, OpenClaw compliance, ClawMoat enterprise, OpenClaw authorization, OpenClaw audit trail">
+<link rel="canonical" href="https://clawmoat.com/blog/openclaw-enterprise-readiness-claw10.html">
+<meta property="og:title" content="OpenClaw Scores 1.2/5 for Enterprise Readiness. ClawMoat Fixes 4 of the 10 Gaps.">
+<meta property="og:description" content="Onyx AI's CLAW-10 scored OpenClaw at 1.2/5. ClawMoat addresses authorization, audit logging, privilege model, and supply chain. Here's the mapping.">
+<meta property="og:url" content="https://clawmoat.com/blog/openclaw-enterprise-readiness-claw10.html">
+<meta property="og:type" content="article">
+<link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>🏰</text></svg>">
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+:root{--navy:#0F172A;--navy-light:#1E293B;--navy-mid:#334155;--blue:#3B82F6;--emerald:#10B981;--white:#F8FAFC;--gray:#94A3B8;--red:#EF4444;--amber:#F59E0B}
+body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;background:var(--navy);color:var(--white);line-height:1.8}
+a{color:var(--blue)}
+.container{max-width:740px;margin:0 auto;padding:0 24px}
+nav{background:rgba(15,23,42,.95);backdrop-filter:blur(12px);border-bottom:1px solid rgba(59,130,246,.15);padding:16px 0;position:fixed;top:0;left:0;right:0;z-index:100}
+nav .container{display:flex;align-items:center;justify-content:space-between}
+.logo{font-size:1.1rem;font-weight:700;color:var(--white);text-decoration:none}
+.logo span{color:var(--emerald)}
+nav a{color:var(--gray);font-size:.85rem;text-decoration:none}
+nav a:hover{color:var(--white)}
+article{padding:120px 0 80px}
+.meta{color:var(--gray);font-size:.85rem;margin-bottom:32px}
+h1{font-size:clamp(1.8rem,4vw,2.4rem);font-weight:800;line-height:1.2;margin-bottom:16px}
+h2{font-size:1.3rem;font-weight:700;margin:40px 0 16px}
+h3{font-size:1.05rem;font-weight:600;margin:28px 0 12px}
+p{color:var(--gray);margin-bottom:20px;font-size:1rem}
+table{width:100%;border-collapse:collapse;margin:24px 0;font-size:.9rem}
+th{text-align:left;padding:12px;color:var(--gray);border-bottom:1px solid var(--navy-mid);font-size:.8rem;text-transform:uppercase;letter-spacing:.05em}
+td{padding:12px;border-bottom:1px solid rgba(255,255,255,.05)}
+.score{display:inline-block;padding:2px 10px;border-radius:12px;font-weight:700;font-size:.85rem}
+.score-red{background:rgba(239,68,68,.15);color:var(--red)}
+.score-amber{background:rgba(245,158,11,.15);color:var(--amber)}
+.score-green{background:rgba(16,185,129,.15);color:var(--emerald)}
+blockquote{border-left:3px solid var(--blue);padding:16px 24px;margin:24px 0;background:var(--navy-light);border-radius:0 8px 8px 0}
+blockquote p{color:var(--white);margin:0;font-style:italic}
+blockquote cite{display:block;color:var(--gray);font-size:.85rem;margin-top:8px;font-style:normal}
+code{background:var(--navy-light);padding:2px 6px;border-radius:4px;font-size:.9rem;color:var(--emerald)}
+pre{background:#0a0e17;border:1px solid var(--navy-mid);border-radius:8px;padding:20px;overflow-x:auto;margin:24px 0;font-size:.85rem}
+pre code{background:none;padding:0}
+ul,ol{color:var(--gray);margin:0 0 20px 24px}
+li{margin-bottom:8px}
+.cta{background:linear-gradient(135deg,rgba(16,185,129,.1),rgba(59,130,246,.1));border:1px solid rgba(16,185,129,.2);border-radius:12px;padding:32px;text-align:center;margin:48px 0}
+.cta h3{margin:0 0 12px;color:var(--white)}
+.cta p{margin:0 0 20px}
+.cta a{display:inline-block;background:var(--emerald);color:#fff;padding:12px 28px;border-radius:8px;font-weight:600;text-decoration:none}
+</style>
+</head>
+<body>
+<nav>
+<div class="container">
+  <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
+  <div style="display:flex;gap:20px">
+    <a href="/blog/">Blog</a>
+    <a href="/#features">Features</a>
+    <a href="/business/">For Business</a>
+    <a href="https://github.com/darfaz/clawmoat">GitHub</a>
+  </div>
+</div>
+</nav>
+
+<article>
+<div class="container">
+<div class="meta">February 26, 2026 · 6 min read · By the ClawMoat Team</div>
+<h1>OpenClaw Scores 1.2/5 for Enterprise Readiness. Here's How to Fix 4 of the 10 Gaps.</h1>
+
+<p style="font-size:1.1rem;color:var(--white)">Onyx AI just published the <a href="https://www.onyx.app/insights/openclaw-enterprise-evaluation-framework">CLAW-10 Enterprise Readiness Matrix</a> — the first structured framework for evaluating autonomous AI agents against enterprise requirements. OpenClaw scored <strong>1.2 out of 5</strong>. The enterprise-ready threshold is 4.0.</p>
+
+<p>Every single dimension scored below the threshold. But here's the thing: 4 of those 10 gaps can be addressed today with a single npm install.</p>
+
+<h2>The CLAW-10 Scores</h2>
+
+<table>
+<thead>
+<tr><th>#</th><th>Dimension</th><th>OpenClaw Score</th><th>With ClawMoat</th><th>Threshold</th></tr>
+</thead>
+<tbody>
+<tr><td>1</td><td>Identity & Authentication</td><td><span class="score score-red">1/5</span></td><td><span class="score score-red">1/5</span></td><td>4</td></tr>
+<tr><td>2</td><td><strong>Authorization & Access Control</strong></td><td><span class="score score-red">1/5</span></td><td><span class="score score-amber">3/5</span></td><td>4.5</td></tr>
+<tr><td>3</td><td><strong>Audit Logging & Observability</strong></td><td><span class="score score-amber">2/5</span></td><td><span class="score score-green">4/5</span></td><td>4.5</td></tr>
+<tr><td>4</td><td>Data Isolation & Residency</td><td><span class="score score-red">1/5</span></td><td><span class="score score-red">1.5/5</span></td><td>4</td></tr>
+<tr><td>5</td><td>Execution Sandboxing</td><td><span class="score score-red">1/5</span></td><td><span class="score score-amber">2/5</span></td><td>4.5</td></tr>
+<tr><td>6</td><td>Compliance Certifications</td><td><span class="score score-red">1/5</span></td><td><span class="score score-red">1.5/5</span></td><td>4</td></tr>
+<tr><td>7</td><td><strong>Supply Chain Security</strong></td><td><span class="score score-red">1/5</span></td><td><span class="score score-amber">2.5/5</span></td><td>4</td></tr>
+<tr><td>8</td><td>Network Exposure & Attack Surface</td><td><span class="score score-amber">2/5</span></td><td><span class="score score-amber">3.5/5</span></td><td>4</td></tr>
+<tr><td>9</td><td><strong>Privilege Model</strong></td><td><span class="score score-red">1/5</span></td><td><span class="score score-amber">3.5/5</span></td><td>4</td></tr>
+<tr><td>10</td><td>Vendor Support & SLAs</td><td><span class="score score-red">1/5</span></td><td><span class="score score-red">1/5</span></td><td>3</td></tr>
+<tr style="font-weight:700;border-top:2px solid var(--navy-mid)"><td></td><td>Composite</td><td><span class="score score-red">1.2/5</span></td><td><span class="score score-amber">2.2/5</span></td><td>4.0</td></tr>
+</tbody>
+</table>
+
+<p>ClawMoat raises the composite score from 1.2 to 2.2 — not enterprise-ready yet, but a significant improvement. Let's look at the four dimensions where ClawMoat makes the biggest difference.</p>
+
+<h2>1. Authorization & Access Control (1 → 3)</h2>
+
+<p>OpenClaw's current score: <strong>1/5</strong>. There is no authorization layer. The agent runs with the user's full permissions.</p>
+
+<p>With ClawMoat's Host Guardian, you get four permission tiers:</p>
+<ul>
+<li><strong>Observer</strong> — read-only. Can list files and view system info. Cannot write or execute.</li>
+<li><strong>Worker</strong> — safe commands (git, npm, file I/O). Blocks dangerous operations.</li>
+<li><strong>Standard</strong> — most operations permitted. Forbidden zones enforced.</li>
+<li><strong>Full</strong> — unrestricted execution. Forbidden zones still active. Full audit trail.</li>
+</ul>
+
+<p>Plus 20+ forbidden zones that block access to sensitive directories regardless of tier: <code>~/.ssh</code>, <code>~/.aws</code>, <code>~/.gnupg</code>, browser data, crypto wallets, package tokens, and more.</p>
+
+<h2>2. Audit Logging & Observability (2 → 4)</h2>
+
+<p>OpenClaw's current score: <strong>2/5</strong>. Basic session logging exists, but there's no structured audit trail for security events.</p>
+
+<p>ClawMoat provides:</p>
+<ul>
+<li>Full audit trail of every file access, shell command, and network request</li>
+<li>Credential file monitoring (watches sensitive directories for unauthorized access)</li>
+<li>Network egress logging with URL extraction and domain tracking</li>
+<li>Real-time alerts via console, file, webhook, Slack, or email</li>
+<li>Exportable logs for compliance review and incident forensics</li>
+<li>Rate-limited alert delivery to prevent alert fatigue</li>
+</ul>
+
+<p>This is the dimension where ClawMoat makes the biggest impact — taking OpenClaw from "basic logs" to "structured, exportable, real-time observability."</p>
+
+<h2>3. Privilege Model (1 → 3.5)</h2>
+
+<p>OpenClaw's current score: <strong>1/5</strong>. No privilege model exists. The agent inherits the user's full privileges.</p>
+
+<p>ClawMoat's permission tiers implement least privilege at the host level:</p>
+<ul>
+<li>Tiered command blocking — dangerous commands (rm -rf, chmod 777, etc.) blocked by tier</li>
+<li>File system restrictions — read/write access controlled per tier</li>
+<li>Forbidden zones — always blocked, regardless of tier</li>
+<li>Runtime tier switching — promote or demote without restart</li>
+</ul>
+
+<h2>4. Supply Chain Security (1 → 2.5)</h2>
+
+<p>OpenClaw's current score: <strong>1/5</strong>. Skills are installed from ClawHub with no signature verification.</p>
+
+<p>ClawMoat's skill integrity checker provides:</p>
+<ul>
+<li>Hash-based verification of installed skills</li>
+<li>14 suspicious pattern detectors (eval, exec, fetch to unknown domains, etc.)</li>
+<li>CLI: <code>clawmoat skill-audit ~/.openclaw/skills/</code></li>
+<li>Detects tampering after installation</li>
+</ul>
+
+<p>This doesn't solve the root problem (no signature verification in ClawHub), but it provides a detection layer that didn't exist before.</p>
+
+<h2>What ClawMoat Doesn't Fix</h2>
+
+<p>Honesty matters. ClawMoat doesn't address:</p>
+<ul>
+<li><strong>Identity & Authentication (1/5)</strong> — OpenClaw has no agent identity system. This needs to be fixed upstream.</li>
+<li><strong>Data Isolation (1/5)</strong> — The agent still runs in the user's environment. True data isolation requires VM-level separation.</li>
+<li><strong>Execution Sandboxing (1/5)</strong> — ClawMoat restricts what the agent can do, but doesn't sandbox execution at the process level. (See <a href="https://news.ycombinator.com/item?id=47075823">ClawShell</a> for process-level isolation.)</li>
+<li><strong>Compliance Certifications (1/5)</strong> — ClawMoat generates compliance-ready reports, but isn't itself certified.</li>
+<li><strong>Vendor Support (1/5)</strong> — We're open source. Enterprise support is available through our <a href="/business/">business plans</a>.</li>
+</ul>
+
+<h2>The Defense-in-Depth Stack</h2>
+
+<p>No single tool gets OpenClaw to 4.0/5. The enterprise stack will look something like:</p>
+
+<table>
+<thead><tr><th>Layer</th><th>Tool</th><th>CLAW-10 Dimensions</th></tr></thead>
+<tbody>
+<tr><td>Host Security</td><td><strong>ClawMoat</strong></td><td>Authorization, Audit, Privilege, Supply Chain</td></tr>
+<tr><td>Process Isolation</td><td>ClawShell</td><td>Data Isolation, Execution Sandboxing</td></tr>
+<tr><td>Prompt Scanning</td><td>LlamaFirewall</td><td>Network Exposure (input filtering)</td></tr>
+<tr><td>Enterprise Governance</td><td>Runlayer</td><td>Identity, Compliance, Vendor Support</td></tr>
+<tr><td>Managed Hosting</td><td>KiloClaw</td><td>Execution Sandboxing, Network Exposure</td></tr>
+</tbody>
+</table>
+
+<div class="cta">
+<h3>Start improving your CLAW-10 score today.</h3>
+<p>One npm install. Four dimensions addressed. Zero dependencies.</p>
+<a href="https://github.com/darfaz/clawmoat">⭐ Star on GitHub</a>
+</div>
+
+<pre><code>npm install -g clawmoat
+clawmoat scan ~/.openclaw/
+clawmoat skill-audit ~/.openclaw/skills/
+clawmoat report</code></pre>
+
+<p>For businesses that want managed installation + compliance reports: <a href="/business/">ClawMoat for Business →</a></p>
+
+<p style="color:var(--gray);font-size:.85rem;margin-top:48px;padding-top:24px;border-top:1px solid rgba(255,255,255,.06)">Sources: <a href="https://www.onyx.app/insights/openclaw-enterprise-evaluation-framework">Onyx AI CLAW-10</a> · <a href="https://www.microsoft.com/en-us/security/blog/2026/02/19/running-openclaw-safely-identity-isolation-runtime-risk/">Microsoft Security Blog</a> · <a href="https://www.catonetworks.com/blog/when-ai-can-act-governing-openclaw/">Cato Networks</a></p>
+</div>
+</article>
+</body>
+</html>