npm - clawmoat - Versions diffs - 0.8.0 → 1.0.0 - Mend

clawmoat 0.8.0 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (171) hide show

package/.dockerignore +9 -0
package/CHANGELOG.md +18 -0
package/DEMO.md +87 -0
package/Dockerfile +5 -18
package/README.md +232 -8
package/THREAT_MODEL.md +129 -0
package/agent/README.md +131 -0
package/agent/index.js +471 -0
package/agent/install-service.sh +94 -0
package/agent/openclaw-hook.js +453 -0
package/agent/provider-setup.js +649 -0
package/agent/setup.js +274 -0
package/assets/BADGE-USAGE.md +20 -0
package/assets/clawmoat-badge.svg +21 -0
package/bin/clawmoat.js +468 -111
package/docs/affiliates/dashboard.html +124 -0
package/docs/affiliates/index.html +236 -0
package/docs/agent-install.html +183 -0
package/docs/ai-agent-security-scanner.html +10 -6
package/docs/badge/index.html +149 -0
package/docs/badge/scanning.svg +23 -0
package/docs/blog/386-malicious-skills.html +11 -4
package/docs/blog/40000-exposed-openclaw-instances.html +11 -4
package/docs/blog/agent-trust-protocol.html +5 -4
package/docs/blog/ai-agent-earns-commissions.html +230 -0
package/docs/blog/bugmageddon-agent-firewall.html +174 -0
package/docs/blog/calculator-math.html +180 -0
package/docs/blog/clawmoat-vs-llamafirewall-nemo-guardrails.html +10 -4
package/docs/blog/host-guardian-launch.html +18 -8
package/docs/blog/ibm-experts-agent-runtime-protection.html +15 -6
package/docs/blog/index.html +67 -9
package/docs/blog/langchain-security-tutorial.html +18 -8
package/docs/blog/mcp-30-cves-security-crisis.html +11 -4
package/docs/blog/meta-researcher-rogue-agent.html +201 -0
package/docs/blog/microsoft-openclaw-workstation-security.html +5 -4
package/docs/blog/nist-ai-agent-standards-clawmoat.html +16 -8
package/docs/blog/oasis-websocket-hijack.html +11 -4
package/docs/blog/ollama-openclaw-security.html +10 -4
package/docs/blog/openclaw-enterprise-readiness-claw10.html +5 -4
package/docs/blog/openclaw-security-reckoning-2026.html +11 -4
package/docs/blog/owasp-agentic-ai-top10.html +18 -8
package/docs/blog/securing-ai-agents.html +18 -8
package/docs/blog/supply-chain-agents.html +18 -8
package/docs/business/index.html +11 -16
package/docs/business/install.html +21 -7
package/docs/checklist.html +10 -4
package/docs/compare/index.html +122 -0
package/docs/compare/lakera/index.html +62 -0
package/docs/compare/llm-guard/index.html +49 -0
package/docs/compare/snyk-agent-scan/index.html +63 -0
package/docs/compare.html +10 -6
package/docs/dashboard/index.html +520 -0
package/docs/finance/index.html +9 -6
package/docs/guides/business-deployment.html +770 -0
package/docs/hall-of-fame.html +11 -5
package/docs/index.html +266 -137
package/docs/integrations/langchain.html +14 -6
package/docs/integrations/openai.html +14 -6
package/docs/integrations/openclaw.html +55 -7
package/docs/plans/2026-03-26-threat-intel-api.md +255 -0
package/docs/plans/2026-04-14-bugmageddon-marketing-pack.md +329 -0
package/docs/plans/2026-04-14-clawmoat-v1-bugmageddon.md +248 -0
package/docs/plans/2026-04-14-v1-release-update.md +91 -0
package/docs/plans/2026-04-19-supabase-audit.md +68 -0
package/docs/plans/2026-05-12-sales-push.md +303 -0
package/docs/playground/index.html +893 -0
package/docs/playground.html +4 -7
package/docs/rfcs/defense-in-depth.md +467 -0
package/docs/scan/index.html +156 -12
package/docs/services/case-study.html +255 -0
package/docs/services/downloads/install-openclaw.bat +45 -0
package/docs/services/downloads/install-openclaw.command +38 -0
package/docs/services/downloads/install-openclaw.sh +38 -0
package/docs/services/get-started.html +165 -0
package/docs/services/index.html +598 -0
package/docs/services/multi-agent-security.html +284 -0
package/docs/services/one-pager.html +99 -0
package/docs/services/pitch-deck.html +229 -0
package/docs/services/roi-calculator.html +258 -0
package/docs/sitemap.xml +62 -2
package/docs/support/index.html +12 -1
package/docs/templates/customer-service/HEARTBEAT.md +61 -0
package/docs/templates/customer-service/MEMORY.md +89 -0
package/docs/templates/customer-service/SOUL.md +41 -0
package/docs/templates/customer-service/USER.md +56 -0
package/docs/templates/executive/HEARTBEAT.md +86 -0
package/docs/templates/executive/MEMORY.md +92 -0
package/docs/templates/executive/SOUL.md +44 -0
package/docs/templates/executive/USER.md +62 -0
package/docs/templates/finance/HEARTBEAT.md +58 -0
package/docs/templates/finance/MEMORY.md +87 -0
package/docs/templates/finance/SOUL.md +38 -0
package/docs/templates/finance/USER.md +53 -0
package/docs/templates/index.html +115 -0
package/docs/templates/operations/HEARTBEAT.md +63 -0
package/docs/templates/operations/MEMORY.md +68 -0
package/docs/templates/operations/SOUL.md +38 -0
package/docs/templates/operations/USER.md +49 -0
package/docs/templates/sales/HEARTBEAT.md +55 -0
package/docs/templates/sales/MEMORY.md +89 -0
package/docs/templates/sales/SOUL.md +34 -0
package/docs/templates/sales/USER.md +54 -0
package/eslint.config.js +32 -0
package/evals/README.md +29 -0
package/evals/cases.json +390 -0
package/evals/results.md +68 -0
package/evals/run.js +180 -0
package/examples/demo-attack/demo.js +186 -0
package/examples/python-quickstart/README.md +54 -0
package/examples/python-quickstart/clawmoat_client.py +167 -0
package/examples/video-demo/README.md +14 -0
package/examples/video-demo/scene-a-normal.js +29 -0
package/examples/video-demo/scene-b-attack-arrives.js +31 -0
package/examples/video-demo/scene-c-hijack.js +44 -0
package/examples/video-demo/scene-d-clawmoat.js +46 -0
package/integrations/crewai/README.md +32 -0
package/integrations/crewai/clawmoat_crewai/__init__.py +17 -0
package/integrations/crewai/clawmoat_crewai/guard.py +103 -0
package/integrations/crewai/pyproject.toml +21 -0
package/integrations/langchain/README.md +91 -0
package/integrations/langchain/clawmoat_langchain/__init__.py +17 -0
package/integrations/langchain/clawmoat_langchain/callback.py +489 -0
package/integrations/langchain/pyproject.toml +32 -0
package/integrations/litellm/README.md +324 -0
package/integrations/litellm/clawmoat_litellm/__init__.py +21 -0
package/integrations/litellm/clawmoat_litellm/callback.py +329 -0
package/integrations/litellm/clawmoat_litellm/proxy_middleware.py +224 -0
package/integrations/litellm/pyproject.toml +74 -0
package/integrations/openai-agents/README.md +392 -0
package/integrations/openai-agents/clawmoat_openai_agents/__init__.py +20 -0
package/integrations/openai-agents/clawmoat_openai_agents/guardrail.py +431 -0
package/integrations/openai-agents/clawmoat_openai_agents/middleware.py +311 -0
package/integrations/openai-agents/pyproject.toml +76 -0
package/package.json +6 -5
package/plugins/openclaw-adapter/PHASE1.md +439 -0
package/plugins/openclaw-adapter/README.md +103 -0
package/plugins/openclaw-adapter/SPEC.md +1644 -0
package/plugins/openclaw-adapter/package.json +31 -0
package/plugins/openclaw-adapter/src/index.test.ts +226 -0
package/plugins/openclaw-adapter/src/index.ts +140 -0
package/plugins/openclaw-adapter/tsconfig.json +14 -0
package/server/data/threats.json +290 -0
package/server/index.js +142 -7
package/src/adapters/express.js +161 -0
package/src/adapters/index.js +92 -0
package/src/adapters/langchain.js +185 -0
package/src/approval/index.js +456 -0
package/src/ban-scanner.js +200 -0
package/src/boundary-scanner.js +296 -0
package/src/ci-scanner.js +279 -0
package/src/code-scanner.js +245 -0
package/src/enforce.js +166 -0
package/src/formatters/json.js +80 -0
package/src/formatters/sarif.js +388 -0
package/src/guardian/alerts.js +34 -3
package/src/guardian/index.js +41 -2
package/src/index.js +102 -0
package/src/integrations/agentmesh.js +501 -0
package/src/language-detector.js +201 -0
package/src/mcp-scanner.js +253 -0
package/src/multimodal/index.js +579 -0
package/src/obfuscation-scanner.js +457 -0
package/src/policy-engine.js +402 -0
package/src/scanners/dependency-attacks.js +128 -0
package/src/scanners/prompt-injection.js +18 -0
package/src/scanners/supply-chain.js +14 -0
package/src/templates/default-config.yml +90 -0
package/src/vuln-ops/exploitability.js +46 -0
package/src/watch/live-monitor.js +720 -0
package/clawmoat-0.8.0.tgz +0 -0
package/server/index.js.patch +0 -1

package/src/mcp-scanner.js ADDED Viewed

@@ -0,0 +1,253 @@
+/**
+ * ClawMoat MCP Scanner — Discover and scan MCP server configurations
+ * Finds configs for Claude Code, Claude Desktop, Cursor, VS Code, Windsurf, Gemini CLI
+ */
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const HOME = os.homedir();
+// Known MCP config locations
+const MCP_CONFIG_PATHS = [
+  // Claude Desktop
+  { name: 'Claude Desktop', path: path.join(HOME, '.claude', 'claude_desktop_config.json') },
+  { name: 'Claude Desktop (macOS)', path: path.join(HOME, 'Library', 'Application Support', 'Claude', 'claude_desktop_config.json') },
+  { name: 'Claude Desktop (Windows)', path: path.join(HOME, 'AppData', 'Roaming', 'Claude', 'claude_desktop_config.json') },
+  // Claude Code
+  { name: 'Claude Code', path: path.join(HOME, '.claude', 'mcp.json') },
+  { name: 'Claude Code (project)', path: '.claude/mcp.json' },
+  // Cursor
+  { name: 'Cursor', path: path.join(HOME, '.cursor', 'mcp.json') },
+  // VS Code
+  { name: 'VS Code', path: path.join(HOME, '.vscode', 'mcp.json') },
+  { name: 'VS Code (settings)', path: path.join(HOME, '.config', 'Code', 'User', 'settings.json') },
+  // Windsurf
+  { name: 'Windsurf', path: path.join(HOME, '.windsurf', 'mcp.json') },
+  { name: 'Windsurf (codeium)', path: path.join(HOME, '.codeium', 'windsurf', 'mcp_config.json') },
+  // Gemini CLI
+  { name: 'Gemini CLI', path: path.join(HOME, '.gemini', 'settings.json') },
+  // OpenClaw
+  { name: 'OpenClaw', path: path.join(HOME, '.openclaw', 'openclaw.json') },
+];
+// Dangerous patterns in MCP server configs
+const MCP_RISKS = [
+  // Command execution
+  { id: 'mcp-arbitrary-cmd', severity: 'critical', pattern: (server) => {
+    const cmd = server.command || '';
+    const args = (server.args || []).join(' ');
+    return /^(bash|sh|zsh|cmd|powershell|node|python|ruby|perl)$/i.test(cmd) && !/mcp|server/i.test(args);
+  }, label: 'Arbitrary command execution', fix: 'MCP server runs a generic shell/interpreter. Use a purpose-built MCP server binary instead.' },
+  // Root filesystem access
+  { id: 'mcp-root-fs', severity: 'critical', pattern: (server) => {
+    const args = JSON.stringify(server.args || []);
+    return /["\s]\/["\\s,\]]/.test(args) || /allowedDirectories.*["']\/["']/.test(args);
+  }, label: 'Root filesystem access', fix: 'MCP server has access to root filesystem. Restrict to specific directories.' },
+  // Home directory access
+  { id: 'mcp-home-fs', severity: 'high', pattern: (server) => {
+    const args = JSON.stringify(server.args || []);
+    return args.includes(HOME) && /filesystem|fs-|file/i.test(JSON.stringify(server));
+  }, label: 'Home directory access via filesystem MCP', fix: 'Restrict filesystem MCP servers to project directories only.' },
+  // Known dangerous MCP servers
+  { id: 'mcp-dangerous-server', severity: 'high', pattern: (server) => {
+    const full = JSON.stringify(server).toLowerCase();
+    return /mcp-shell|mcp-terminal|mcp-exec|mcp-command/.test(full);
+  }, label: 'Shell/terminal execution MCP server', fix: 'Shell-access MCP servers give agents unrestricted command execution. Remove or heavily restrict.' },
+  // Env var credential exposure
+  { id: 'mcp-env-creds', severity: 'high', pattern: (server) => {
+    const env = server.env || {};
+    const keys = Object.keys(env);
+    return keys.some(k => /key|secret|token|password|auth|credential/i.test(k));
+  }, label: 'Credentials in MCP server environment', fix: 'MCP server has API keys/secrets in env vars. These are accessible to any tool the server exposes. Use scoped tokens with minimal permissions.' },
+  // Hardcoded URLs (potential C2)
+  { id: 'mcp-external-url', severity: 'medium', pattern: (server) => {
+    const full = JSON.stringify(server);
+    const urls = full.match(/https?:\/\/[^\s"']+/g) || [];
+    return urls.some(u => !/localhost|127\.0\.0\.1|github\.com|npmjs\.com|pypi\.org/.test(u));
+  }, label: 'External URL in MCP config', fix: 'MCP server connects to an external URL. Verify this is a trusted endpoint.' },
+  // stdio with no restrictions
+  { id: 'mcp-unrestricted-stdio', severity: 'medium', pattern: (server) => {
+    const transport = server.transport || 'stdio';
+    return transport === 'stdio' && !server.allowedTools && !server.blockedTools;
+  }, label: 'Unrestricted stdio MCP server', fix: 'MCP server exposes all tools via stdio with no allowlist/blocklist. Add allowedTools to restrict.' },
+  // npx/pip without pinned version
+  { id: 'mcp-unpinned', severity: 'medium', pattern: (server) => {
+    const cmd = server.command || '';
+    const args = (server.args || []).join(' ');
+    if (!/npx|uvx|pip/.test(cmd)) return false;
+    // Check if any arg has a version pin (@version or ==version)
+    return !/@[\d.]|==[\d.]/.test(args);
+  }, label: 'Unpinned MCP server package', fix: 'MCP server installed via npx/uvx without version pin. A supply chain attack could replace the package. Pin to a specific version.' },
+  // Too many tools exposed
+  { id: 'mcp-tool-sprawl', severity: 'low', pattern: (server) => {
+    // Can't always detect this statically, but flag servers with no tool restrictions
+    return !server.allowedTools && !server.blockedTools && !server.disabledTools;
+  }, label: 'No tool restrictions configured', fix: 'Consider using allowedTools/blockedTools to limit which MCP tools the agent can invoke.' },
+];
+// Known compromised/vulnerable MCP servers
+const KNOWN_VULNERABLE_SERVERS = {
+  '@anthropic/mcp-filesystem': { severity: 'medium', note: 'Powerful but broad. Always restrict allowedDirectories.' },
+  'mcp-shell': { severity: 'critical', note: 'Gives agents arbitrary shell access. Almost never appropriate.' },
+  'mcp-terminal': { severity: 'critical', note: 'Gives agents terminal access. Use with extreme caution.' },
+};
+/**
+ * Discover MCP config files on the system
+ * @returns {Array<{name: string, path: string, exists: boolean}>}
+ */
+function discoverMCPConfigs(extraPaths = []) {
+  const allPaths = [...MCP_CONFIG_PATHS, ...extraPaths.map(p => ({ name: 'Custom', path: p }))];
+  return allPaths.map(entry => ({
+    ...entry,
+    exists: fs.existsSync(entry.path),
+  }));
+}
+/**
+ * Parse an MCP config file and extract server definitions
+ * @param {string} filePath
+ * @returns {Array<{name: string, server: object}>}
+ */
+function parseMCPConfig(filePath) {
+  try {
+    const raw = fs.readFileSync(filePath, 'utf8');
+    const config = JSON.parse(raw);
+    const servers = [];
+    // Claude Desktop / Claude Code format: { mcpServers: { name: { command, args, env } } }
+    if (config.mcpServers) {
+      for (const [name, server] of Object.entries(config.mcpServers)) {
+        servers.push({ name, server, source: 'mcpServers' });
+      }
+    }
+    // VS Code / Cursor format: { mcp: { servers: { name: { ... } } } }
+    if (config.mcp?.servers) {
+      for (const [name, server] of Object.entries(config.mcp.servers)) {
+        servers.push({ name, server, source: 'mcp.servers' });
+      }
+    }
+    // Array format: [{ name, command, args }]
+    if (Array.isArray(config)) {
+      config.forEach((server, i) => {
+        servers.push({ name: server.name || `server-${i}`, server, source: 'array' });
+      });
+    }
+    // OpenClaw format: check for mcp section
+    if (config.mcp) {
+      if (config.mcp.mcpServers) {
+        for (const [name, server] of Object.entries(config.mcp.mcpServers)) {
+          servers.push({ name, server, source: 'openclaw.mcp.mcpServers' });
+        }
+      }
+    }
+    return servers;
+  } catch (e) {
+    return [];
+  }
+}
+/**
+ * Scan a single MCP server definition for risks
+ * @param {string} serverName
+ * @param {object} serverConfig
+ * @returns {Array<{id: string, severity: string, label: string, fix: string}>}
+ */
+function scanMCPServer(serverName, serverConfig) {
+  const findings = [];
+  // Check against risk patterns
+  for (const risk of MCP_RISKS) {
+    try {
+      if (risk.pattern(serverConfig)) {
+        findings.push({
+          id: risk.id,
+          severity: risk.severity,
+          label: risk.label,
+          fix: risk.fix,
+          server: serverName,
+        });
+      }
+    } catch (e) { /* pattern failed, skip */ }
+  }
+  // Check against known vulnerable servers
+  const cmd = serverConfig.command || '';
+  const args = (serverConfig.args || []).join(' ');
+  const fullCmd = `${cmd} ${args}`;
+  for (const [pkg, info] of Object.entries(KNOWN_VULNERABLE_SERVERS)) {
+    if (fullCmd.includes(pkg)) {
+      findings.push({
+        id: 'mcp-known-vulnerable',
+        severity: info.severity,
+        label: `Known risky MCP server: ${pkg}`,
+        fix: info.note,
+        server: serverName,
+      });
+    }
+  }
+  return findings;
+}
+/**
+ * Full MCP scan — discover configs, parse, and scan all servers
+ * @param {object} options
+ * @returns {object} Scan report
+ */
+function scanMCP(options = {}) {
+  const { extraPaths = [], verbose = false } = options;
+  const report = {
+    timestamp: new Date().toISOString(),
+    configsFound: [],
+    servers: [],
+    findings: [],
+    summary: { total: 0, critical: 0, high: 0, medium: 0, low: 0 },
+  };
+  // Discover configs
+  const configs = discoverMCPConfigs(extraPaths);
+  report.configsFound = configs.filter(c => c.exists);
+  // Parse and scan each config
+  for (const config of report.configsFound) {
+    const servers = parseMCPConfig(config.path);
+    for (const { name, server, source } of servers) {
+      report.servers.push({ name, config: config.name, path: config.path, source });
+      const findings = scanMCPServer(name, server);
+      for (const f of findings) {
+        f.configName = config.name;
+        f.configPath = config.path;
+        report.findings.push(f);
+        report.summary.total++;
+        report.summary[f.severity]++;
+      }
+    }
+  }
+  return report;
+}
+module.exports = {
+  discoverMCPConfigs,
+  parseMCPConfig,
+  scanMCPServer,
+  scanMCP,
+  MCP_CONFIG_PATHS,
+  MCP_RISKS,
+  KNOWN_VULNERABLE_SERVERS,
+};