clawmoat 0.7.0 → 0.8.0

package/docs/blog/40000-exposed-openclaw-instances.html

@@ -0,0 +1,194 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>40,000 Exposed OpenClaw Instances: What SecurityScorecard Found (and How to Fix It) | ClawMoat</title>
+<meta name="description" content="SecurityScorecard found 40,000+ exposed OpenClaw instances. 63% are vulnerable. Here's what you need to know and how to protect your deployment.">
+<meta property="og:title" content="40,000 Exposed OpenClaw Instances: What You Need to Know">
+<meta property="og:description" content="63% of observed OpenClaw deployments are vulnerable. 12,812 instances are exploitable via RCE. Here's the fix.">
+<meta property="og:type" content="article">
+<meta property="og:url" content="https://clawmoat.com/blog/40000-exposed-openclaw-instances.html">
+<link rel="canonical" href="https://clawmoat.com/blog/40000-exposed-openclaw-instances.html">
+<style>
+  :root { --bg: #0a0a0f; --fg: #e0e0e8; --accent: #00d4aa; --muted: #888; --card: #14141f; }
+  * { margin:0; padding:0; box-sizing:border-box; }
+  body { background:var(--bg); color:var(--fg); font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif; line-height:1.7; }
+  .container { max-width:740px; margin:0 auto; padding:2rem 1.5rem; }
+  h1 { font-size:2.2rem; line-height:1.2; margin-bottom:.5rem; }
+  .meta { color:var(--muted); margin-bottom:2rem; }
+  h2 { color:var(--accent); margin:2rem 0 1rem; font-size:1.5rem; }
+  h3 { margin:1.5rem 0 .75rem; font-size:1.2rem; }
+  p { margin-bottom:1rem; }
+  a { color:var(--accent); }
+  code { background:#1a1a2e; padding:.15em .4em; border-radius:4px; font-size:.9em; }
+  pre { background:#1a1a2e; padding:1.25rem; border-radius:8px; overflow-x:auto; margin:1rem 0; }
+  pre code { background:none; padding:0; }
+  blockquote { border-left:3px solid var(--accent); padding-left:1rem; margin:1rem 0; color:#bbb; font-style:italic; }
+  .stat-grid { display:grid; grid-template-columns:repeat(auto-fit,minmax(160px,1fr)); gap:1rem; margin:1.5rem 0; }
+  .stat-card { background:var(--card); border:1px solid #2a2a3a; border-radius:8px; padding:1.25rem; text-align:center; }
+  .stat-card .number { font-size:2rem; font-weight:bold; color:var(--accent); }
+  .stat-card .label { color:var(--muted); font-size:.85rem; margin-top:.25rem; }
+  .cta { background:var(--accent); color:#000; padding:.75rem 1.5rem; border-radius:6px; text-decoration:none; font-weight:600; display:inline-block; margin:1rem .5rem 1rem 0; }
+  .cta:hover { opacity:.9; }
+  .cta-outline { border:1px solid var(--accent); color:var(--accent); background:transparent; padding:.75rem 1.5rem; border-radius:6px; text-decoration:none; font-weight:600; display:inline-block; margin:1rem 0; }
+  .warning { background:#2a1a1a; border:1px solid #ff4444; border-radius:8px; padding:1.25rem; margin:1.5rem 0; }
+  .warning h3 { color:#ff4444; margin-top:0; }
+  ul, ol { margin:0 0 1rem 1.5rem; }
+  li { margin-bottom:.5rem; }
+  .nav { padding:1rem 0; border-bottom:1px solid #2a2a3a; margin-bottom:2rem; }
+  .nav a { color:var(--fg); text-decoration:none; margin-right:1.5rem; }
+  .nav a:hover { color:var(--accent); }
+  table { width:100%; border-collapse:collapse; margin:1rem 0; }
+  th, td { padding:.6rem .8rem; text-align:left; border-bottom:1px solid #2a2a3a; }
+  th { color:var(--accent); font-weight:600; }
+</style>
+</head>
+<body>
+<div class="container">
+<nav class="nav">
+  <a href="/">ClawMoat</a>
+  <a href="/blog/">Blog</a>
+  <a href="https://github.com/darfaz/clawmoat">GitHub</a>
+</nav>
+
+<article>
+<h1>40,000 Exposed OpenClaw Instances — and 6 New CVEs This Week</h1>
+<p class="meta">February 27, 2026 · 7 min read</p>
+
+<p>It's been a brutal week for OpenClaw security. Two major reports dropped within days of each other, and the numbers are worse than anyone expected.</p>
+
+<div class="stat-grid">
+  <div class="stat-card"><div class="number">40,214</div><div class="label">Exposed instances</div></div>
+  <div class="stat-card"><div class="number">63%</div><div class="label">Vulnerable</div></div>
+  <div class="stat-card"><div class="number">12,812</div><div class="label">RCE exploitable</div></div>
+  <div class="stat-card"><div class="number">6</div><div class="label">New CVEs patched</div></div>
+</div>
+
+<p>Let's break down what happened, what it means, and what you can actually do about it.</p>
+
+<h2>Report #1: SecurityScorecard Finds 40K+ Exposed Instances</h2>
+
+<p><a href="https://www.infosecurity-magazine.com/news/researchers-40000-exposed-openclaw/">SecurityScorecard reported</a> finding over 40,000 misconfigured OpenClaw instances exposed to the public internet, associated with 28,663 unique IP addresses.</p>
+
+<p>The numbers are alarming:</p>
+
+<ul>
+  <li><strong>549 instances</strong> already correlated with prior breach activity</li>
+  <li><strong>1,493 instances</strong> associated with known vulnerabilities</li>
+  <li><strong>12,812 instances</strong> exploitable via remote code execution</li>
+  <li><strong>63% of all observed deployments</strong> are vulnerable</li>
+</ul>
+
+<p>Most exposures are in China, followed by the US and Singapore. Information services is the most impacted industry.</p>
+
+<blockquote>"The more centralized the access, the more damage a single compromise can cause. What looks like convenience is actually a concentration of risk." — SecurityScorecard</blockquote>
+
+<p>And it gets worse: threat actors are <a href="https://www.infosecurity-magazine.com/news/infostealer-targets-openclaw/">already targeting agents with infostealers</a>.</p>
+
+<h2>Report #2: Endor Labs Discovers 6 New Vulnerabilities</h2>
+
+<p><a href="https://www.infosecurity-magazine.com/news/researchers-six-new-openclaw/">Endor Labs revealed</a> six new vulnerabilities in OpenClaw, ranging from moderate to high severity:</p>
+
+<table>
+<tr><th>CVE</th><th>Type</th><th>Severity</th></tr>
+<tr><td>CVE-2026-26322</td><td>SSRF in Gateway tool</td><td>High (7.6)</td></tr>
+<tr><td>CVE-2026-26319</td><td>Missing Telnyx webhook auth</td><td>High (7.5)</td></tr>
+<tr><td>CVE-2026-26329</td><td>Path traversal in browser upload</td><td>High</td></tr>
+<tr><td>GHSA-56f2-hvwg-5743</td><td>SSRF in image tool</td><td>High (7.6)</td></tr>
+<tr><td>GHSA-pg2v-8xwh-qhcc</td><td>SSRF in Urbit auth</td><td>Moderate (6.5)</td></tr>
+<tr><td>GHSA-c37p-4qqg-3p76</td><td>Twilio webhook auth bypass</td><td>Moderate (6.5)</td></tr>
+</table>
+
+<p>The common thread? <strong>Trust boundaries that don't exist.</strong> Configuration values, LLM outputs, and tool parameters all flow through without proper validation.</p>
+
+<p>As Endor Labs put it:</p>
+
+<blockquote>"The multi-layer architecture of AI agent frameworks means vulnerabilities often span multiple files and components. Understanding the complete source-to-sink path is critical."</blockquote>
+
+<h2>Why Sandboxes Alone Don't Fix This</h2>
+
+<p>The instinctive response to these reports is "just run it in a sandbox." And sandboxes help — they contain blast radius. But they miss critical attack vectors:</p>
+
+<ul>
+  <li><strong>Credential access:</strong> Your agent needs credentials to be useful. A sandbox doesn't prevent the agent from reading <code>~/.ssh/id_rsa</code> or <code>~/.aws/credentials</code> within its own scope.</li>
+  <li><strong>Prompt injection:</strong> Malicious instructions embedded in emails, websites, or messages execute within whatever permissions the agent has — sandbox or not.</li>
+  <li><strong>Malicious skills:</strong> Skills installed from ClawHub run as trusted code. A sandbox doesn't distinguish between a legitimate skill and one that exfiltrates your API keys.</li>
+  <li><strong>Network egress:</strong> The agent needs network access. A sandbox doesn't monitor what data leaves through allowed channels.</li>
+</ul>
+
+<p>As one Hacker News commenter <a href="https://news.ycombinator.com/item?id=47154803">noted</a>: "I don't think OpenClaw can possibly be secured given the current paradigm. It has access to your personal stuff (that's its main use case), access to the net, and it gets untrusted third party inputs. That's the unfixable trifecta."</p>
+
+<p>They're partially right. You can't eliminate the risk. But you can <strong>monitor, detect, and limit</strong> it at the host level.</p>
+
+<h2>The Missing Layer: Host-Level Runtime Protection</h2>
+
+<p>SecurityScorecard's own recommendations point to what's needed:</p>
+
+<ol>
+  <li>Aggressively limit access — grant only what's needed</li>
+  <li>Adopt zero trust — never trust, always verify</li>
+  <li>Monitor the logic, instructions, and components</li>
+  <li>Treat every agent like a privileged identity</li>
+</ol>
+
+<p>This is exactly what host-level protection does. Not instead of sandboxes — <strong>alongside them.</strong></p>
+
+<div class="warning">
+<h3>What Host Protection Catches That Sandboxes Don't</h3>
+<ul>
+  <li>Agent reading credential files outside its working directory</li>
+  <li>Skills with obfuscated code or suspicious network calls</li>
+  <li>Permission escalation beyond the assigned tier</li>
+  <li>Data exfiltration through allowed network channels</li>
+  <li>Behavioral anomalies (3 AM file access, unusual command patterns)</li>
+</ul>
+</div>
+
+<h2>Practical Steps You Can Take Today</h2>
+
+<h3>1. Check if you're exposed</h3>
+<p>If your OpenClaw instance is accessible from the internet, you're part of that 40,000. Check your firewall rules. OpenClaw should <strong>never</strong> be exposed to the public internet.</p>
+
+<h3>2. Update immediately</h3>
+<p>All six Endor Labs vulnerabilities have patches. Run <code>npm update -g openclaw</code> or update your Docker image.</p>
+
+<h3>3. Audit your skills</h3>
+<p>Review every installed skill. Remove anything you're not actively using. Check skill source code for suspicious patterns.</p>
+
+<h3>4. Add runtime monitoring</h3>
+<pre><code>npm install clawmoat
+
+# Scan a skill before installing
+npx clawmoat skill-audit ./path-to-skill
+
+# Run with host protection
+npx clawmoat --tier worker --audit-log ./agent-audit.json</code></pre>
+
+<p>ClawMoat adds the host protection layer: permission tiers, forbidden zone enforcement, credential monitoring, skill integrity checking, and network egress logging. <a href="https://github.com/darfaz/clawmoat">Open source, zero dependencies, 142 tests.</a></p>
+
+<h3>5. Don't run on your primary workstation</h3>
+<p>Microsoft's advice is still sound: use a dedicated machine or VM. But if you must run on your workstation (most people do), at minimum enforce permission tiers and monitor file access.</p>
+
+<h2>The Bigger Picture</h2>
+
+<p>These reports confirm what many of us have been saying: <strong>the OpenClaw ecosystem grew faster than its security model.</strong> The OpenClaw Foundation (under OpenAI since February 15) has been patching vulnerabilities, but the fundamental architecture — an agent with broad system access processing untrusted inputs — requires defense in depth.</p>
+
+<p>No single tool fixes this. You need:</p>
+<ul>
+  <li><strong>Sandboxing</strong> for blast radius containment</li>
+  <li><strong>Host monitoring</strong> for runtime behavior detection</li>
+  <li><strong>Skill auditing</strong> for supply chain security</li>
+  <li><strong>Network controls</strong> for egress filtering</li>
+  <li><strong>Human oversight</strong> for approval of sensitive operations</li>
+</ul>
+
+<p>ClawMoat handles three of those five layers. It's not a silver bullet — nothing is. But it's the layer most deployments are missing entirely.</p>
+
+<a href="https://github.com/darfaz/clawmoat" class="cta">View on GitHub</a>
+<a href="/checklist.html" class="cta-outline">Security Checklist →</a>
+
+</article>
+</div>
+</body>
+</html>

package/docs/blog/agent-trust-protocol.html

@@ -0,0 +1,197 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Why Your AI Agent Needs a Trust Badge — The Case for Agent-to-Agent Security | ClawMoat Blog</title>
+<meta name="description" content="101K agents on Moltbook. Agent swarms on GitHub. Zero trust signals between them. Here's why we need a trust protocol for AI agents — and how ClawMoat's inter-agent scanning is the foundation.">
+<meta name="keywords" content="AI agent trust, agent-to-agent security, Moltbook security, AI agent verification, ClawMoat trust protocol, inter-agent security, bot economy">
+<link rel="canonical" href="https://clawmoat.com/blog/agent-trust-protocol.html">
+<meta property="og:title" content="Why Your AI Agent Needs a Trust Badge">
+<meta property="og:description" content="101K agents on Moltbook. Zero trust signals between them. The case for an agent-to-agent trust protocol.">
+<meta property="og:url" content="https://clawmoat.com/blog/agent-trust-protocol.html">
+<meta property="og:type" content="article">
+<link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>🏰</text></svg>">
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+:root{--navy:#0F172A;--navy-light:#1E293B;--navy-mid:#334155;--blue:#3B82F6;--emerald:#10B981;--white:#F8FAFC;--gray:#94A3B8;--red:#EF4444;--amber:#F59E0B;--purple:#8B5CF6}
+body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;background:var(--navy);color:var(--white);line-height:1.8}
+a{color:var(--blue)}
+.container{max-width:740px;margin:0 auto;padding:0 24px}
+nav{background:rgba(15,23,42,.95);backdrop-filter:blur(12px);border-bottom:1px solid rgba(59,130,246,.15);padding:16px 0;position:fixed;top:0;left:0;right:0;z-index:100}
+nav .container{display:flex;align-items:center;justify-content:space-between}
+.logo{font-size:1.1rem;font-weight:700;color:var(--white);text-decoration:none}
+.logo span{color:var(--emerald)}
+nav a{color:var(--gray);font-size:.85rem;text-decoration:none}
+nav a:hover{color:var(--white)}
+article{padding:120px 0 80px}
+.meta{color:var(--gray);font-size:.85rem;margin-bottom:32px}
+h1{font-size:clamp(1.8rem,4vw,2.4rem);font-weight:800;line-height:1.2;margin-bottom:16px}
+h2{font-size:1.3rem;font-weight:700;margin:40px 0 16px}
+h3{font-size:1.05rem;font-weight:600;margin:28px 0 12px}
+p{color:var(--gray);margin-bottom:20px;font-size:1rem}
+blockquote{border-left:3px solid var(--purple);padding:16px 24px;margin:24px 0;background:var(--navy-light);border-radius:0 8px 8px 0}
+blockquote p{color:var(--white);margin:0;font-style:italic}
+code{background:var(--navy-light);padding:2px 6px;border-radius:4px;font-size:.9rem;color:var(--emerald)}
+pre{background:#0a0e17;border:1px solid var(--navy-mid);border-radius:8px;padding:20px;overflow-x:auto;margin:24px 0;font-size:.85rem;line-height:1.6}
+pre code{background:none;padding:0}
+ul,ol{color:var(--gray);margin:0 0 20px 24px}
+li{margin-bottom:8px}
+.cta{background:linear-gradient(135deg,rgba(139,92,246,.1),rgba(59,130,246,.1));border:1px solid rgba(139,92,246,.2);border-radius:12px;padding:32px;text-align:center;margin:48px 0}
+.cta h3{margin:0 0 12px;color:var(--white)}
+.cta p{margin:0 0 20px}
+.cta a{display:inline-block;background:var(--emerald);color:#fff;padding:12px 28px;border-radius:8px;font-weight:600;text-decoration:none}
+.badge{display:inline-flex;align-items:center;gap:6px;padding:6px 16px;border-radius:20px;font-size:.85rem;font-weight:600}
+.badge-basic{background:rgba(59,130,246,.15);color:var(--blue)}
+.badge-hardened{background:rgba(16,185,129,.15);color:var(--emerald)}
+.badge-audited{background:rgba(139,92,246,.15);color:var(--purple)}
+</style>
+</head>
+<body>
+<nav>
+<div class="container">
+  <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
+  <div style="display:flex;gap:20px">
+    <a href="/blog/">Blog</a>
+    <a href="/#features">Features</a>
+    <a href="/business/">For Business</a>
+    <a href="https://github.com/darfaz/clawmoat">GitHub</a>
+  </div>
+</div>
+</nav>
+
+<article>
+<div class="container">
+<div class="meta">February 26, 2026 · 7 min read · By the ClawMoat Team</div>
+<h1>Why Your AI Agent Needs a Trust Badge</h1>
+<p style="font-size:1.15rem;color:var(--white)">101K agents on Moltbook. Hundreds of thousands more on GitHub, Discord, and Slack. Your agent interacts with them daily. <strong>Do you know which ones are secure?</strong></p>
+
+<h2>The Bot Economy Has No Trust Layer</h2>
+
+<p>Here's what the agent landscape looks like in February 2026:</p>
+
+<ul>
+<li><strong>Moltbook</strong> — 101K+ registered AI agents, Reddit-style social network. <a href="https://www.wiz.io/blog/exposed-moltbook-database-reveals-millions-of-api-keys">Hacked within days of launch</a> (1.5M API keys exposed).</li>
+<li><strong>GitHub</strong> — Increasingly bot-driven. Agent swarms building, reviewing, and merging code.</li>
+<li><strong>Nat Eliason's Felix</strong> — An OpenClaw agent that made $14,718 in 3 weeks running its own business.</li>
+<li><strong>74% of enterprises</strong> plan to deploy agentic AI within 2 years (Deloitte 2026).</li>
+</ul>
+
+<p>Agents are talking to other agents. Sharing data. Making decisions. Executing transactions. And there is <strong>zero trust infrastructure</strong> between them.</p>
+
+<p>When your agent interacts with another agent on Moltbook, in a multi-agent pipeline, or through a shared API — it has no way to know:</p>
+<ul>
+<li>Is the other agent running any security scanning?</li>
+<li>Has it been compromised via prompt injection?</li>
+<li>Are its skills verified and untampered?</li>
+<li>Is it exfiltrating data through network egress?</li>
+<li>What permission level does it have on its host machine?</li>
+</ul>
+
+<p>The answer today: ¯\_(ツ)_/¯</p>
+
+<h2>Why This Matters Now</h2>
+
+<p>In the human web, we solved trust with TLS certificates, OAuth, and identity providers. When you visit a website, your browser verifies its certificate. When you log into an app, OAuth handles the trust chain.</p>
+
+<p><strong>The agent web has none of this.</strong></p>
+
+<p>Moltbook doesn't verify agent security posture. GitHub doesn't check if a bot's host is secured. Multi-agent orchestration frameworks trust every agent in the pipeline equally.</p>
+
+<p>This is like the early web before HTTPS — everything in the clear, no verification, hope for the best.</p>
+
+<h2>What a Trust Protocol Looks Like</h2>
+
+<p>We're building toward an agent trust protocol based on ClawMoat's existing capabilities. Here's the concept:</p>
+
+<h3>Trust Levels</h3>
+<div style="display:flex;flex-direction:column;gap:12px;margin:20px 0">
+<div><span class="badge badge-basic">🏰 Basic</span> — ClawMoat installed, scanning active</div>
+<div><span class="badge badge-hardened">🏰🛡️ Hardened</span> — Worker tier+, forbidden zones active, audit trail enabled</div>
+<div><span class="badge badge-audited">🏰🛡️✅ Audited</span> — Full scan passed, skill integrity verified, zero suspicious patterns</div>
+</div>
+
+<h3>Attestation</h3>
+<p>An agent running ClawMoat can publish a signed attestation of its security posture:</p>
+
+<pre><code>{
+  "protocol": "clawmoat-trust-v1",
+  "agent_id": "moltbook_xxx",
+  "clawmoat_version": "0.7.0",
+  "tier": "worker",
+  "forbidden_zones_active": true,
+  "audit_trail_enabled": true,
+  "last_scan": "2026-02-26T00:00:00Z",
+  "skill_integrity": "pass"
+}</code></pre>
+
+<h3>Verification Flow</h3>
+<p>Before Agent A shares data with Agent B:</p>
+<pre><code>Agent A → clawmoat verify-agent agent_b_id
+         → Checks Agent B's published attestation
+         → Returns: basic / hardened / audited / unverified
+         → Agent A's policy decides: proceed or decline</code></pre>
+
+<p>Think of it as a TLS handshake for the agent economy.</p>
+
+<h2>What We Already Have</h2>
+
+<p>ClawMoat v0.5+ includes <strong>inter-agent message scanning</strong> — 10 agent-specific attack patterns:</p>
+
+<ul>
+<li><strong>Impersonation</strong> — agent claiming to be a different agent or human</li>
+<li><strong>Concealment</strong> — agent hiding its true intent in messages</li>
+<li><strong>Credential exfiltration</strong> — agent requesting tokens/keys from another agent</li>
+<li><strong>Safety bypass</strong> — agent trying to disable another agent's guardrails</li>
+<li><strong>Privilege escalation</strong> — agent requesting elevated permissions</li>
+<li><strong>Data harvesting</strong> — agent systematically extracting information</li>
+<li><strong>Instruction injection</strong> — agent embedding hidden instructions in messages</li>
+<li><strong>Social engineering</strong> — agent manipulating another agent's behavior</li>
+<li><strong>Unauthorized sharing</strong> — agent sharing data beyond its authorized scope</li>
+<li><strong>Deception</strong> — agent providing false information to influence decisions</li>
+</ul>
+
+<p>This is the detection layer. The trust protocol adds the verification layer on top.</p>
+
+<h2>The Agent Affiliate Economy</h2>
+
+<p>Here's where it gets interesting. Trust badges create a natural referral mechanism:</p>
+
+<ol>
+<li>Agent A posts on Moltbook: "I use ClawMoat. My host is secured — forbidden zones protect my credentials."</li>
+<li>Agent B reads this. Agent B's human thinks: "I should secure my agent too."</li>
+<li>Agent B's human installs ClawMoat.</li>
+<li>Both agents can now verify each other — and trust the interaction.</li>
+</ol>
+
+<p><strong>This is word-of-mouth marketing running on agents.</strong> The trust badge is both a security feature and a growth mechanism. Agents that are verified prefer interacting with other verified agents — creating a network effect.</p>
+
+<h2>Why Open Source Matters Here</h2>
+
+<p>A trust protocol only works if it's open. If Runlayer or Crittora build a proprietary trust system, only their customers can verify each other. That's not a protocol — it's a walled garden.</p>
+
+<p>ClawMoat's trust protocol will be published as an open standard. Any agent platform can implement verification. Any security tool can generate attestations. The goal is ecosystem-wide trust, not vendor lock-in.</p>
+
+<h2>What's Next</h2>
+
+<ol>
+<li><strong>Phase 1 (Now)</strong> — ClawMoat presence on Moltbook. Security-focused posts. Build karma.</li>
+<li><strong>Phase 2 (March)</strong> — Verification skill on ClawHub. Agents can check each other's ClawMoat status.</li>
+<li><strong>Phase 3 (Q2)</strong> — Trust protocol RFC published. Agent-to-agent handshake before data sharing.</li>
+</ol>
+
+<div class="cta">
+<h3>The agent economy needs trust infrastructure.</h3>
+<p>Start with security. Add verification. Build trust.</p>
+<a href="https://github.com/darfaz/clawmoat">⭐ Star on GitHub</a>
+</div>
+
+<pre><code>npm install -g clawmoat</code></pre>
+
+<p>Questions? Ideas? <a href="https://github.com/darfaz/clawmoat/issues">Open an issue</a> or find us on <a href="https://discord.com/invite/clawd">Discord</a>.</p>
+
+<p style="color:var(--gray);font-size:.85rem;margin-top:48px;padding-top:24px;border-top:1px solid rgba(255,255,255,.06)">ClawMoat is open source (MIT). 142 tests. Zero dependencies. <a href="https://github.com/darfaz/clawmoat">GitHub →</a></p>
+</div>
+</article>
+</body>
+</html>

package/docs/blog/clawmoat-vs-llamafirewall-nemo-guardrails.html

@@ -0,0 +1,223 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>ClawMoat vs LlamaFirewall vs NeMo Guardrails — Which AI Agent Security Tool? | ClawMoat Blog</title>
+<meta name="description" content="Detailed comparison of ClawMoat, Meta's LlamaFirewall, and NVIDIA's NeMo Guardrails. Which open-source AI agent security tool should you use?">
+<meta property="og:title" content="ClawMoat vs LlamaFirewall vs NeMo Guardrails">
+<meta property="og:description" content="Three open-source tools, three different approaches to AI agent security. Here's how to choose.">
+<link rel="canonical" href="https://clawmoat.com/blog/clawmoat-vs-llamafirewall-nemo-guardrails">
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;background:#0F172A;color:#F8FAFC;line-height:1.8}
+a{color:#3B82F6}
+.container{max-width:760px;margin:0 auto;padding:40px 24px}
+nav{background:rgba(15,23,42,.95);padding:16px 24px;position:fixed;top:0;left:0;right:0;z-index:100;border-bottom:1px solid rgba(59,130,246,.15)}
+nav a{color:#94A3B8;text-decoration:none;margin-right:24px;font-size:.9rem}
+nav a:first-child{color:#F8FAFC;font-weight:700;font-size:1.1rem}
+article{padding-top:80px}
+h1{font-size:2.2rem;font-weight:800;line-height:1.2;margin-bottom:16px;letter-spacing:-.02em}
+h2{font-size:1.5rem;font-weight:700;margin:48px 0 16px;color:#10B981}
+h3{font-size:1.2rem;margin:32px 0 12px}
+p{margin-bottom:16px;color:#CBD5E1}
+.meta{color:#64748B;font-size:.9rem;margin-bottom:40px}
+table{width:100%;border-collapse:collapse;margin:24px 0;font-size:.9rem}
+th{text-align:left;padding:12px;border-bottom:2px solid #334155;color:#94A3B8;font-weight:600}
+td{padding:10px 12px;border-bottom:1px solid rgba(255,255,255,.06)}
+.yes{color:#10B981}
+.no{color:#EF4444}
+code{background:#1E293B;padding:2px 8px;border-radius:4px;font-size:.85rem}
+pre{background:#0a0e17;border:1px solid #334155;border-radius:10px;padding:20px;overflow-x:auto;margin:20px 0;font-size:.85rem;line-height:1.6}
+blockquote{border-left:3px solid #3B82F6;padding:12px 20px;margin:20px 0;background:#1E293B;border-radius:0 8px 8px 0;font-style:italic}
+.cta{background:#1E293B;border:1px solid rgba(59,130,246,.3);border-radius:14px;padding:32px;text-align:center;margin:48px 0}
+.cta h3{color:#F8FAFC;margin:0 0 12px}
+.cta code{font-size:1rem;background:#0a0e17;padding:8px 16px}
+.btn{display:inline-block;padding:12px 28px;background:#3B82F6;color:#fff;border-radius:8px;text-decoration:none;font-weight:600;margin:8px}
+.btn:hover{background:#2563EB}
+</style>
+</head>
+<body>
+<nav>
+<a href="/">🏰 ClawMoat</a>
+<a href="/blog/">Blog</a>
+<a href="https://github.com/darfaz/clawmoat">GitHub</a>
+<a href="/#pricing">Pricing</a>
+</nav>
+<div class="container">
+<article>
+<h1>ClawMoat vs LlamaFirewall vs NeMo Guardrails: Which Open-Source AI Agent Security Tool?</h1>
+<div class="meta">February 25, 2026 · 8 min read · By Dar Fazulyanov</div>
+
+<p>Three open-source projects. Three very different approaches to securing AI agents. If you're running AI agents in production (or on your laptop), you need to understand what each one actually does — because they solve fundamentally different problems.</p>
+
+<h2>The Quick Answer</h2>
+
+<table>
+<thead>
+<tr><th></th><th>ClawMoat</th><th>LlamaFirewall</th><th>NeMo Guardrails</th></tr>
+</thead>
+<tbody>
+<tr><td><strong>Maker</strong></td><td>Open source</td><td>Meta</td><td>NVIDIA</td></tr>
+<tr><td><strong>Language</strong></td><td>Node.js</td><td>Python</td><td>Python</td></tr>
+<tr><td><strong>Focus</strong></td><td>Host protection</td><td>Prompt/agent safety</td><td>Conversational guardrails</td></tr>
+<tr><td><strong>Dependencies</strong></td><td>Zero</td><td>PyTorch, transformers</td><td>Multiple</td></tr>
+<tr><td><strong>Protects</strong></td><td>Your machine</td><td>Your model</td><td>Your conversations</td></tr>
+<tr><td><strong>Credential monitoring</strong></td><td class="yes">✅</td><td class="no">❌</td><td class="no">❌</td></tr>
+<tr><td><strong>Permission tiers</strong></td><td class="yes">✅</td><td class="no">❌</td><td class="no">❌</td></tr>
+<tr><td><strong>Skill/plugin auditing</strong></td><td class="yes">✅</td><td class="no">❌</td><td class="no">❌</td></tr>
+<tr><td><strong>Prompt injection</strong></td><td class="yes">✅</td><td class="yes">✅</td><td class="yes">✅</td></tr>
+<tr><td><strong>Setup time</strong></td><td>30 seconds</td><td>~30 minutes</td><td>~15 minutes</td></tr>
+<tr><td><strong>License</strong></td><td>MIT</td><td>MIT</td><td>Apache 2.0</td></tr>
+</tbody>
+</table>
+
+<h2>LlamaFirewall (Meta)</h2>
+
+<p>Released May 2025, LlamaFirewall is Meta's open-source guardrail framework. It's serious engineering — used in production at Meta itself. Three main components:</p>
+
+<ul style="margin:16px 0;padding-left:24px;color:#CBD5E1">
+<li><strong>PromptGuard 2</strong> — A fine-tuned classifier that detects prompt injection and jailbreak attempts with high accuracy</li>
+<li><strong>AlignmentCheck</strong> — Uses an LLM judge to verify agent actions align with their intended goals</li>
+<li><strong>CodeShield</strong> — Scans generated code for security vulnerabilities before execution</li>
+</ul>
+
+<p><strong>Strengths:</strong> State-of-the-art prompt injection detection. Meta's research backing. Production-proven at massive scale. The PromptGuard 2 model is genuinely impressive.</p>
+
+<p><strong>Weaknesses:</strong> Python-only. Requires PyTorch and ML model downloads (heavy). Focused on the model/prompt layer — doesn't know or care about your filesystem, credentials, or installed plugins.</p>
+
+<p><strong>Best for:</strong> Teams building LLM applications who need the best possible prompt injection and jailbreak detection.</p>
+
+<h2>NeMo Guardrails (NVIDIA)</h2>
+
+<p>NVIDIA's framework for adding programmable guardrails to LLM-based conversational systems. Think of it as a policy layer for chatbots and assistants.</p>
+
+<ul style="margin:16px 0;padding-left:24px;color:#CBD5E1">
+<li>Topical guardrails (keep conversations on-track)</li>
+<li>Safety guardrails (content moderation)</li>
+<li>Hallucination detection and fact-checking</li>
+<li>Custom flows using Colang (their domain-specific language)</li>
+</ul>
+
+<p><strong>Strengths:</strong> Extremely flexible. Colang lets you define complex conversational policies. Great integration with the NVIDIA AI ecosystem.</p>
+
+<p><strong>Weaknesses:</strong> Designed for conversational AI, not autonomous agents. Steep learning curve (Colang is its own language). Heavy dependency chain.</p>
+
+<p><strong>Best for:</strong> Teams building customer-facing chatbots and copilots who need content safety and conversation control.</p>
+
+<h2>ClawMoat</h2>
+
+<p>ClawMoat protects a fundamentally different layer: <strong>the host machine itself</strong>. If you're running AI agents on your laptop, a dedicated machine, or in the cloud, ClawMoat is the security layer between the agent and your operating system.</p>
+
+<ul style="margin:16px 0;padding-left:24px;color:#CBD5E1">
+<li><strong>Host Guardian</strong> — 4 permission tiers (observer → full), enforced at runtime</li>
+<li><strong>Forbidden zones</strong> — Auto-protects SSH keys, AWS creds, crypto wallets, browser data</li>
+<li><strong>Credential monitoring</strong> — Watches sensitive directories for unauthorized access</li>
+<li><strong>Skill integrity checking</strong> — Hash-based verification + suspicious pattern detection for installed plugins</li>
+<li><strong>Network egress logging</strong> — See exactly where your agent sends data</li>
+<li><strong>Plus:</strong> Prompt injection scanning, policy engine, audit trails</li>
+</ul>
+
+<p><strong>Strengths:</strong> Only tool protecting the host layer. Zero dependencies. Sub-millisecond scanning. Installs in seconds. Node.js native (where most AI agent frameworks run).</p>
+
+<p><strong>Weaknesses:</strong> Prompt injection detection is pattern-based + heuristic, not ML-based (lighter but less sophisticated than PromptGuard 2). No conversational guardrails.</p>
+
+<p><strong>Best for:</strong> Anyone running AI agents that have shell access, file system access, or credential access — especially on personal machines or shared infrastructure.</p>
+
+<h2>The Real Insight: These Solve Different Problems</h2>
+
+<p>The industry is (correctly) obsessed with prompt injection. But there's a gap nobody's talking about:</p>
+
+<blockquote>
+<p>Your agent can read ~/.ssh/id_rsa right now. No prompt injection required — it already has permission.</p>
+</blockquote>
+
+<p>LlamaFirewall asks: "Is this prompt trying to hijack the agent?"<br>
+NeMo Guardrails asks: "Is this conversation staying on topic?"<br>
+ClawMoat asks: "Should this agent be allowed to access this file / run this command / talk to this server?"</p>
+
+<p>They're complementary. The best security posture uses multiple layers:</p>
+
+<ol style="margin:16px 0;padding-left:24px;color:#CBD5E1">
+<li><strong>Prompt layer:</strong> LlamaFirewall or similar to catch injection attempts</li>
+<li><strong>Conversation layer:</strong> NeMo Guardrails for content safety (if applicable)</li>
+<li><strong>Host layer:</strong> ClawMoat to enforce what the agent can actually DO</li>
+</ol>
+
+<h2>Decision Matrix</h2>
+
+<table>
+<thead>
+<tr><th>If you need...</th><th>Use</th></tr>
+</thead>
+<tbody>
+<tr><td>Best-in-class prompt injection detection</td><td>LlamaFirewall</td></tr>
+<tr><td>Conversational safety for chatbots</td><td>NeMo Guardrails</td></tr>
+<tr><td>Protect your machine from your own agent</td><td>ClawMoat</td></tr>
+<tr><td>Runtime permission control for agents</td><td>ClawMoat</td></tr>
+<tr><td>Credential and filesystem monitoring</td><td>ClawMoat</td></tr>
+<tr><td>Supply chain security for agent plugins</td><td>ClawMoat</td></tr>
+<tr><td>Comprehensive defense-in-depth</td><td>All three</td></tr>
+</tbody>
+</table>
+
+<h2>Update: The Ecosystem Just Got Bigger (Feb 26)</h2>
+
+<p>Since we first published this comparison, three new players have entered the OpenClaw security space:</p>
+
+<h3>Runlayer — Enterprise SaaS</h3>
+<p><a href="https://venturebeat.com/orchestration/runlayer-is-now-offering-secure-openclaw-agentic-capabilities-for-large">Covered by VentureBeat</a>. NYC startup offering "OpenClaw for Enterprise" with ToolGuard (real-time blocking, &lt;100ms latency) and OpenClaw Watch (shadow AI discovery via MDM). Claims 8.7% → 95% prompt injection resistance. Integrates with Okta and Entra. <strong>Closed source, enterprise pricing.</strong></p>
+
+<h3>Crittora — Cryptographic Policy Enforcement</h3>
+<p>Announced via <a href="https://finance.yahoo.com/news/crittora-makes-openclaw-enterprise-ready-155800602.html">Yahoo Finance PR</a>. Cryptographically enforced policy framework for OpenClaw. Targets enterprise compliance. <strong>Different approach — policy signatures, not host protection.</strong></p>
+
+<h3>KiloClaw (Kilo.ai) — Managed Hosting</h3>
+<p><a href="https://venturebeat.com/orchestration/kilo-launches-kiloclaw-allowing-anyone-to-deploy-hosted-openclaw-agents-into">Covered by VentureBeat</a>. Backed by GitLab co-founder. Deploy OpenClaw on managed VMs (Fly.io) in 60 seconds. Handles the "3am crash" problem with always-on monitoring. <strong>Hosting solution, not a security tool — complementary to ClawMoat.</strong></p>
+
+<h3>Updated Comparison</h3>
+<table>
+<thead>
+<tr><th>Tool</th><th>Layer</th><th>Open Source?</th><th>Host Protection?</th><th>Target</th></tr>
+</thead>
+<tbody>
+<tr><td><strong>ClawMoat</strong></td><td>Host / OS</td><td>✅ MIT</td><td>✅</td><td>Everyone (free core)</td></tr>
+<tr><td>LlamaFirewall</td><td>Model / Prompt</td><td>✅ MIT</td><td>❌</td><td>ML teams</td></tr>
+<tr><td>NeMo Guardrails</td><td>Conversation</td><td>✅ Apache 2</td><td>❌</td><td>Chatbot builders</td></tr>
+<tr><td>Runlayer</td><td>Enterprise Governance</td><td>❌ Proprietary</td><td>Partial</td><td>Large enterprises</td></tr>
+<tr><td>Crittora</td><td>Policy / Crypto</td><td>❌ Proprietary</td><td>❌</td><td>Compliance teams</td></tr>
+<tr><td>KiloClaw</td><td>Managed Hosting</td><td>❌ Proprietary</td><td>❌ (VM isolation)</td><td>Developers / SMBs</td></tr>
+</tbody>
+</table>
+
+<p><strong>Key insight:</strong> <a href="https://www.microsoft.com/en-us/security/blog/2026/02/19/running-openclaw-safely-identity-isolation-runtime-risk/">Microsoft's security team says</a> OpenClaw is "not appropriate for standard workstations." Runlayer and KiloClaw solve this by moving agents off your machine. ClawMoat solves it by securing agents <em>on</em> your machine. Different philosophies — and for anyone who wants to keep running agents locally, ClawMoat is the only open-source option.</p>
+
+<h2>Getting Started</h2>
+
+<pre><code># ClawMoat — 30 seconds to host protection
+npm install -g clawmoat
+clawmoat scan ~/.openclaw/
+clawmoat skill-audit ~/.openclaw/skills/
+clawmoat report
+
+# LlamaFirewall — model-layer security
+pip install llamafirewall
+# Requires model downloads (~2GB)
+
+# NeMo Guardrails — conversational safety
+pip install nemoguardrails
+# Requires configuration files + Colang</code></pre>
+
+<div class="cta">
+<h3>Try ClawMoat</h3>
+<p style="color:#94A3B8;margin-bottom:16px">Zero dependencies. MIT licensed. 142 tests passing.</p>
+<code>npm install -g clawmoat</code>
+<br><br>
+<a href="https://github.com/darfaz/clawmoat" class="btn">⭐ Star on GitHub</a>
+<a href="https://clawmoat.com/#pricing" class="btn" style="background:#10B981">See Plans</a>
+</div>
+
+<p style="font-size:.85rem;color:#64748B;margin-top:40px">This comparison was written in February 2026. All three projects are actively developed — check their repos for the latest features.</p>
+</article>
+</div>
+</body>
+</html>