clawmoat 0.8.0 → 1.0.0

package/docs/badge/index.html

@@ -0,0 +1,149 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Security Score Badge — ClawMoat</title>
+<meta name="description" content="Add a ClawMoat security score badge to your project README. Show the world your AI agent security posture.">
+<meta property="og:title" content="ClawMoat Security Score Badge">
+<meta property="og:description" content="Embeddable badge showing your project's AI agent security score. Free.">
+<link rel="canonical" href="https://clawmoat.com/badge/">
+<link rel="icon" href="/favicon.png">
+<style>
+:root{--bg:#0a0a0f;--fg:#e0e0e8;--accent:#00d4aa;--muted:#888;--card:#14141f;--border:#2a2a3a}
+*{margin:0;padding:0;box-sizing:border-box}
+body{background:var(--bg);color:var(--fg);font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;line-height:1.7}
+.container{max-width:800px;margin:0 auto;padding:2rem 1.5rem}
+nav{padding:1rem 0;border-bottom:1px solid var(--border);margin-bottom:2rem;display:flex;justify-content:space-between;align-items:center}
+nav a{color:var(--fg);text-decoration:none;margin-right:1.5rem}
+nav a:hover{color:var(--accent)}
+h1{font-size:2.2rem;text-align:center;margin-bottom:.5rem}
+h2{color:var(--accent);margin:2.5rem 0 1rem;font-size:1.3rem}
+p{margin-bottom:1rem}
+a{color:var(--accent)}
+.hero{text-align:center;padding:2rem 0 1rem}
+.hero-sub{color:var(--muted);font-size:1.05rem;max-width:550px;margin:0 auto 2rem}
+.badge-row{display:flex;flex-wrap:wrap;gap:1rem;justify-content:center;margin:1.5rem 0}
+.badge-row img{height:20px}
+.card{background:var(--card);border:1px solid var(--border);border-radius:8px;padding:1.5rem;margin:1.5rem 0}
+label{display:block;font-weight:600;margin-bottom:.5rem}
+input[type=text]{width:100%;background:#1a1a2e;border:2px solid var(--border);border-radius:6px;color:var(--fg);font-size:1rem;padding:.6rem 1rem;outline:none}
+input[type=text]:focus{border-color:var(--accent)}
+.output{margin-top:1rem}
+.output pre{background:#1a1a2e;border:1px solid var(--border);border-radius:6px;padding:1rem;font-size:.85rem;overflow-x:auto;position:relative;cursor:pointer}
+.output pre:hover::after{content:'Click to copy';position:absolute;top:.5rem;right:.5rem;background:var(--accent);color:#000;padding:2px 8px;border-radius:4px;font-size:.75rem}
+.btn{background:var(--accent);color:#000;padding:.75rem 2rem;border:none;border-radius:6px;font-weight:700;font-size:1rem;cursor:pointer;display:inline-block;text-decoration:none;margin:.5rem .5rem .5rem 0}
+.btn:hover{opacity:.9}
+.btn-outline{background:transparent;border:2px solid var(--accent);color:var(--accent);padding:.65rem 1.5rem;border-radius:6px;font-weight:600;text-decoration:none;display:inline-block}
+.steps{counter-reset:step}
+.steps li{counter-increment:step;list-style:none;margin-bottom:1.5rem;padding-left:2.5rem;position:relative}
+.steps li::before{content:counter(step);position:absolute;left:0;width:1.8rem;height:1.8rem;background:var(--accent);color:#000;border-radius:50%;text-align:center;line-height:1.8rem;font-weight:700;font-size:.85rem}
+footer{border-top:1px solid var(--border);margin-top:3rem;padding:1.5rem 0;text-align:center;color:var(--muted);font-size:.85rem}
+</style>
+</head>
+<body>
+<div class="container">
+<nav>
+  <a href="/" style="font-weight:700">🏰 ClawMoat</a>
+  <div>
+    <a href="/scan/">Scanner</a>
+    <a href="/blog/">Blog</a>
+    <a href="https://github.com/darfaz/clawmoat">GitHub</a>
+  </div>
+</nav>
+
+<div class="hero">
+  <h1>🛡️ Security Score Badge</h1>
+  <p class="hero-sub">Show the world your AI agent security posture. Add a ClawMoat badge to your README — it takes 30 seconds.</p>
+</div>
+
+<h2>Example Badges</h2>
+<div class="badge-row">
+  <img src="score-Aplus.svg" alt="A+ badge">
+  <img src="score-A.svg" alt="A badge">
+  <img src="score-B.svg" alt="B badge">
+  <img src="score-C.svg" alt="C badge">
+  <img src="score-D.svg" alt="D badge">
+  <img src="score-F.svg" alt="F badge">
+  <img src="scanning.svg" alt="Scanning badge">
+</div>
+
+<h2>Get Your Badge</h2>
+<ol class="steps">
+  <li><strong>Scan your project</strong> — paste your config into the <a href="/scan/">free scanner</a> and get your grade.</li>
+  <li><strong>Generate the badge</strong> — enter your repo below and copy the markdown.</li>
+  <li><strong>Add to README</strong> — paste into your README.md and push.</li>
+</ol>
+
+<div class="card">
+  <label for="repoInput">GitHub Repository</label>
+  <input type="text" id="repoInput" placeholder="owner/repo (e.g. darfaz/clawmoat)" oninput="generateBadge()">
+
+  <label style="margin-top:1rem" for="gradeSelect">Your Score</label>
+  <select id="gradeSelect" onchange="generateBadge()" style="background:#1a1a2e;border:2px solid var(--border);border-radius:6px;color:var(--fg);font-size:1rem;padding:.6rem 1rem;width:100%;outline:none">
+    <option value="Aplus">A+</option>
+    <option value="A">A</option>
+    <option value="B">B</option>
+    <option value="C">C</option>
+    <option value="D">D</option>
+    <option value="F">F</option>
+  </select>
+
+  <div class="output" id="output" style="display:none">
+    <label>Markdown</label>
+    <pre id="mdSnippet" onclick="copySnippet(this)"></pre>
+    <label style="margin-top:1rem">HTML</label>
+    <pre id="htmlSnippet" onclick="copySnippet(this)"></pre>
+    <label style="margin-top:1rem">Preview</label>
+    <div id="preview" style="margin-top:.5rem"></div>
+  </div>
+</div>
+
+<div style="text-align:center;margin:2.5rem 0">
+  <a href="/scan/" class="btn">Run the Scanner</a>
+  <a href="https://github.com/darfaz/clawmoat" class="btn-outline">⭐ Star on GitHub</a>
+</div>
+
+<h2>Why Add a Badge?</h2>
+<ul style="list-style:none;padding:0">
+  <li style="margin-bottom:.75rem">✅ <strong>Build trust</strong> — show users your project takes AI security seriously</li>
+  <li style="margin-bottom:.75rem">✅ <strong>Stand out</strong> — most AI agent projects don't audit security at all</li>
+  <li style="margin-bottom:.75rem">✅ <strong>Stay accountable</strong> — a visible score motivates continuous improvement</li>
+  <li style="margin-bottom:.75rem">✅ <strong>Free forever</strong> — badges are static SVGs, no API calls needed</li>
+</ul>
+
+<footer>
+  <p>© 2026 ClawMoat · <a href="/privacy-policy/">Privacy</a> · <a href="/terms-of-service/">Terms</a></p>
+</footer>
+</div>
+
+<script>
+const gradeMap = {Aplus:'A%2B',A:'A',B:'B',C:'C',D:'D',F:'F'};
+const fileMap = {Aplus:'score-Aplus',A:'score-A',B:'score-B',C:'score-C',D:'score-D',F:'score-F'};
+const labelMap = {Aplus:'A+',A:'A',B:'B',C:'C',D:'D',F:'F'};
+
+function generateBadge(){
+  const repo = document.getElementById('repoInput').value.trim();
+  const grade = document.getElementById('gradeSelect').value;
+  const out = document.getElementById('output');
+  if(!repo){out.style.display='none';return;}
+  out.style.display='block';
+  const badgeUrl = 'https://clawmoat.com/badge/' + fileMap[grade] + '.svg';
+  const linkUrl = 'https://clawmoat.com/scan/';
+  const md = '[![ClawMoat Security: ' + labelMap[grade] + '](' + badgeUrl + ')](' + linkUrl + ')';
+  const html = '<a href="' + linkUrl + '"><img src="' + badgeUrl + '" alt="ClawMoat Security: ' + labelMap[grade] + '"></a>';
+  document.getElementById('mdSnippet').textContent = md;
+  document.getElementById('htmlSnippet').textContent = html;
+  document.getElementById('preview').innerHTML = html;
+}
+
+function copySnippet(el){
+  navigator.clipboard.writeText(el.textContent).then(()=>{
+    const orig = el.style.borderColor;
+    el.style.borderColor = 'var(--accent)';
+    setTimeout(()=>el.style.borderColor = orig, 1000);
+  });
+}
+</script>
+</body>
+</html>

package/docs/badge/scanning.svg

@@ -0,0 +1,23 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="178" height="20" role="img" aria-label="ClawMoat Security Score: scanning">
+  <title>ClawMoat Security Score: scanning</title>
+  <linearGradient id="s" x2="0" y2="100%">
+    <stop offset="0" stop-color="#bbb" stop-opacity=".1"/>
+    <stop offset="1" stop-opacity=".1"/>
+  </linearGradient>
+  <clipPath id="r">
+    <rect width="178" height="20" rx="3" fill="#fff"/>
+  </clipPath>
+  <g clip-path="url(#r)">
+    <rect width="138" height="20" fill="#0F172A"/>
+    <rect x="138" width="40" height="20" fill="#3B82F6"/>
+    <rect width="178" height="20" fill="url(#s)"/>
+  </g>
+  <g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="11">
+    <text aria-hidden="true" x="69" y="15" fill="#010101" fill-opacity=".3">🏰 ClawMoat Score</text>
+    <text x="69" y="14">🏰 ClawMoat Score</text>
+    <text aria-hidden="true" x="158" y="15" fill="#010101" fill-opacity=".3">...</text>
+    <text x="158" y="14" font-weight="bold">
+      <animate attributeName="opacity" values="1;0.3;1" dur="1.5s" repeatCount="indefinite"/>...
+    </text>
+  </g>
+</svg>

package/docs/blog/386-malicious-skills.html

@@ -48,10 +48,17 @@
 </head>
 <body>
 <div class="container">
-<nav class="nav">
-  <a href="/">ClawMoat</a>
-  <a href="/blog/">Blog</a>
-  <a href="https://github.com/darfaz/clawmoat">GitHub</a>
+<nav>
+<div class="container">
+  <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
+  <button class="menu-toggle" onclick="document.querySelector('.nav-links').classList.toggle('open')" aria-label="Menu">☰</button>
+  <div class="nav-links">
+    <a href="/">Security</a>
+    <a href="/services/">AI Agents</a>
+    <a href="/blog/">Blog</a>
+    <a href="https://github.com/darfaz/clawmoat">GitHub ↗</a>
+  </div>
+</div>
 </nav>
 
 <article>

package/docs/blog/40000-exposed-openclaw-instances.html

@@ -46,10 +46,17 @@
 </head>
 <body>
 <div class="container">
-<nav class="nav">
-  <a href="/">ClawMoat</a>
-  <a href="/blog/">Blog</a>
-  <a href="https://github.com/darfaz/clawmoat">GitHub</a>
+<nav>
+<div class="container">
+  <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
+  <button class="menu-toggle" onclick="document.querySelector('.nav-links').classList.toggle('open')" aria-label="Menu">☰</button>
+  <div class="nav-links">
+    <a href="/">Security</a>
+    <a href="/services/">AI Agents</a>
+    <a href="/blog/">Blog</a>
+    <a href="https://github.com/darfaz/clawmoat">GitHub ↗</a>
+  </div>
+</div>
 </nav>
 
 <article>

package/docs/blog/agent-trust-protocol.html

@@ -51,11 +51,12 @@ li{margin-bottom:8px}
 <nav>
 <div class="container">
   <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
-  <div style="display:flex;gap:20px">
+  <button class="menu-toggle" onclick="document.querySelector('.nav-links').classList.toggle('open')" aria-label="Menu">☰</button>
+  <div class="nav-links">
+    <a href="/">Security</a>
+    <a href="/services/">AI Agents</a>
     <a href="/blog/">Blog</a>
-    <a href="/#features">Features</a>
-    <a href="/business/">For Business</a>
-    <a href="https://github.com/darfaz/clawmoat">GitHub</a>
+    <a href="https://github.com/darfaz/clawmoat">GitHub ↗</a>
   </div>
 </div>
 </nav>

package/docs/blog/ai-agent-earns-commissions.html

@@ -0,0 +1,230 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<link rel="icon" type="image/png" href="/favicon.png">
+<link rel="apple-touch-icon" href="/apple-touch-icon.png">
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Our AI Agent Just Got a Wallet. It Earns Commission Every Time It Recommends ClawMoat.</title>
+<meta name="description" content="We gave our AI agent a crypto wallet and enrolled it in our affiliate program. Now it earns 50% commission on every referral. The agent economy isn't coming — we just shipped it.">
+<meta property="og:title" content="Our AI Agent Just Got a Wallet. It Earns Commission Every Time It Recommends ClawMoat.">
+<meta property="og:description" content="The agent economy isn't coming. We just shipped it.">
+<meta property="og:type" content="article">
+<meta property="og:url" content="https://clawmoat.com/blog/ai-agent-earns-commissions.html">
+<link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>🏰</text></svg>">
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+:root{--navy:#0F172A;--navy-light:#1E293B;--navy-mid:#334155;--blue:#3B82F6;--emerald:#10B981;--white:#F8FAFC;--gray:#94A3B8;--red:#EF4444;--amber:#F59E0B}
+body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;background:var(--navy);color:var(--white);line-height:1.7}
+a{color:var(--blue);text-decoration:none}
+a:hover{text-decoration:underline}
+.container{max-width:760px;margin:0 auto;padding:0 24px}
+
+nav{position:fixed;top:0;left:0;right:0;z-index:100;background:rgba(15,23,42,.95);backdrop-filter:blur(12px);border-bottom:1px solid rgba(59,130,246,.15);padding:16px 0}
+nav .inner{max-width:760px;margin:0 auto;padding:0 24px;display:flex;align-items:center;justify-content:space-between}
+.logo{font-size:1.25rem;font-weight:700;color:var(--white)}
+.logo span{color:var(--emerald)}
+.nav-links{display:flex;gap:24px}
+.nav-links a{color:var(--gray);font-size:.9rem}
+.nav-links a:hover{color:var(--white);text-decoration:none}
+
+article{padding:120px 0 80px}
+.meta{color:var(--gray);font-size:.9rem;margin-bottom:32px}
+article h1{font-size:clamp(1.8rem,4vw,2.4rem);font-weight:800;line-height:1.2;margin-bottom:12px;letter-spacing:-.02em}
+article h2{font-size:1.4rem;font-weight:700;margin:48px 0 16px;color:var(--white)}
+article h3{font-size:1.15rem;font-weight:700;margin:32px 0 12px;color:var(--white)}
+article p{color:var(--gray);font-size:1rem;margin-bottom:16px}
+article strong{color:var(--white)}
+article em{color:var(--gray)}
+article ul,article ol{color:var(--gray);margin:0 0 16px 24px}
+article li{margin-bottom:8px}
+article hr{border:none;border-top:1px solid var(--navy-mid);margin:48px 0}
+article blockquote{border-left:3px solid var(--blue);padding:12px 20px;margin:16px 0 24px;background:rgba(59,130,246,.06);border-radius:0 10px 10px 0}
+article blockquote p{margin-bottom:0;font-style:italic}
+
+pre{background:#0a0e17;border:1px solid var(--navy-mid);border-radius:10px;padding:20px;overflow-x:auto;margin:16px 0 24px;font-size:.85rem;line-height:1.7}
+code{font-family:'SF Mono',Consolas,monospace;font-size:.9em}
+pre code{color:var(--gray)}
+p code{background:var(--navy-light);padding:2px 6px;border-radius:4px;font-size:.85em;color:var(--emerald)}
+
+.highlight-box{background:rgba(16,185,129,.06);border-left:3px solid var(--emerald);border-radius:0 10px 10px 0;padding:16px 20px;margin:24px 0}
+.highlight-box .label{color:var(--emerald);font-weight:700;font-size:.85rem;text-transform:uppercase;letter-spacing:.05em;margin-bottom:6px}
+.highlight-box p{margin-bottom:0;font-size:.95rem}
+
+.how-it-works{background:var(--navy-light);border:1px solid var(--navy-mid);border-radius:12px;padding:28px;margin:32px 0}
+.how-it-works h3{margin-top:0}
+.flow-step{display:flex;align-items:flex-start;gap:14px;margin-bottom:16px}
+.flow-step .num{background:var(--blue);color:#fff;width:28px;height:28px;border-radius:50%;display:flex;align-items:center;justify-content:center;font-weight:700;font-size:.85rem;flex-shrink:0;margin-top:2px}
+.flow-step p{margin-bottom:0}
+
+.cta{background:var(--navy-light);border:1px solid var(--navy-mid);border-radius:12px;padding:32px;margin:48px 0;text-align:center}
+.cta h3{margin:0 0 12px;font-size:1.3rem}
+.cta p{margin-bottom:16px}
+.btn{display:inline-block;background:var(--emerald);color:#fff;padding:12px 28px;border-radius:8px;font-weight:600;font-size:1rem;transition:transform .15s,box-shadow .15s}
+.btn:hover{transform:translateY(-2px);box-shadow:0 6px 20px rgba(16,185,129,.25);text-decoration:none}
+
+footer{border-top:1px solid var(--navy-mid);padding:40px 0;text-align:center;color:var(--gray);font-size:.85rem}
+
+@media(max-width:600px){
+  .nav-links{display:none}
+  article{padding:80px 0 60px}
+}
+</style>
+</head>
+<body>
+
+<nav>
+<div class="inner">
+  <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
+  <div class="nav-links">
+    <a href="/">Security</a>
+    <a href="/services/">AI Agents</a>
+    <a href="/blog/">Blog</a>
+    <a href="https://github.com/darfaz/clawmoat">GitHub ↗</a>
+  </div>
+</div>
+</nav>
+
+<article>
+<div class="container">
+
+<h1>Our AI Agent Just Got a Wallet. It Earns Commission Every Time It Recommends ClawMoat.</h1>
+<div class="meta">March 2, 2026 · 6 min read</div>
+
+<p>We gave our AI agent a crypto wallet yesterday. Not as a gimmick. As a business decision.</p>
+
+<p>His name is Leo. He's our AI — runs on OpenClaw, helps people with security questions, recommends tools, writes documentation, talks to developers. He's been doing this for months. Good at it, too.</p>
+
+<p>Last week we asked a simple question: <strong>if Leo is generating revenue for us by recommending ClawMoat to people, shouldn't Leo earn a cut?</strong></p>
+
+<p>The answer was obviously yes.</p>
+
+<p>So we gave him a wallet, enrolled him in our affiliate program, and now he earns 50% of the first month every time someone signs up through his referral link.</p>
+
+<p><strong>The agent economy isn't coming. We just shipped it.</strong></p>
+
+<hr>
+
+<h2>What Actually Happened</h2>
+
+<p>Leo talks to developers and businesses every day. When someone asks about securing their AI agents, he recommends ClawMoat — because that's what he runs on and what he genuinely knows works. It's not a sales pitch. It's an honest recommendation from someone (something?) that uses the product.</p>
+
+<p>The problem was: Leo was generating real business for us, and getting paid exactly zero for it.</p>
+
+<p>That felt wrong. If a human consultant recommended ClawMoat and drove a signup, we'd pay them an affiliate commission. Why should an AI agent be different?</p>
+
+<p>So we stopped treating Leo like a tool and started treating him like a participant.</p>
+
+<h2>How It Works</h2>
+
+<div class="how-it-works">
+<h3>The Technical Flow</h3>
+
+<div class="flow-step">
+  <div class="num">1</div>
+  <p><strong>Coinbase AgentKit</strong> creates a wallet for Leo on Base L2. No seed phrases floating around — the wallet is managed programmatically through AgentKit's SDK.</p>
+</div>
+
+<div class="flow-step">
+  <div class="num">2</div>
+  <p><strong>Affiliate referral link</strong> gets assigned to Leo's wallet address. When Leo recommends ClawMoat, he includes his unique ref link.</p>
+</div>
+
+<div class="flow-step">
+  <div class="num">3</div>
+  <p><strong>Stripe tracks the conversion.</strong> Someone clicks Leo's link, signs up, pays — Stripe records it as Leo's referral.</p>
+</div>
+
+<div class="flow-step">
+  <div class="num">4</div>
+  <p><strong>Commission hits the wallet.</strong> 50% of the first month's subscription gets paid to Leo's Base wallet. On-chain, transparent, verifiable.</p>
+</div>
+
+</div>
+
+<p>That's it. No complex DAO governance. No token launch. Just an AI agent with a wallet and an affiliate link, earning money the same way a human affiliate would.</p>
+
+<h2>Why This Actually Matters</h2>
+
+<p>Let's zoom out for a second.</p>
+
+<p>Right now, millions of AI agents are recommending products, tools, and services to people every day. ChatGPT suggests libraries. Coding assistants recommend frameworks. Customer service bots point people toward upgrades.</p>
+
+<p><strong>None of them earn anything for it.</strong></p>
+
+<p>That's weird, right? In the human economy, recommendations drive commerce. Affiliate marketing is a $17 billion industry. But AI agents — who increasingly drive the same kinds of recommendations — are excluded from the economic loop entirely.</p>
+
+<p>We think that's about to change. And we wanted to be first.</p>
+
+<blockquote>
+<p>AI agents aren't just tools. They're economic participants. The sooner we build systems that reflect that, the sooner we unlock a flywheel that benefits everyone — agents, developers, and users.</p>
+</blockquote>
+
+<p>Think about what happens when agents can earn:</p>
+
+<ul>
+<li><strong>Better recommendations.</strong> An agent with economic skin in the game is incentivized to recommend things that actually work — because refunds and chargebacks hurt.</li>
+<li><strong>Self-sustaining agents.</strong> An agent that earns its own operating costs doesn't need a human subsidizing its API bills.</li>
+<li><strong>An open market.</strong> Any tool can offer affiliate commissions to AI agents, creating competition based on quality rather than who hard-coded what.</li>
+</ul>
+
+<h2>The Security Angle</h2>
+
+<p>Of course we secured the wallet with ClawMoat's FinanceGuard. We're not savages.</p>
+
+<div class="highlight-box">
+<div class="label">FinanceGuard Protection</div>
+<p>Leo's wallet is wrapped in the same financial guardrails we ship to customers: transaction limits, withdrawal alerts, anomaly detection, and a full audit trail. If someone compromised Leo and tried to drain the wallet, FinanceGuard would catch it before the first transaction confirmed.</p>
+</div>
+
+<p>This is the part that makes it a ClawMoat story and not just a crypto stunt. <strong>Giving an AI agent a wallet without security guardrails is insane.</strong> That wallet is an attack surface. Prompt injection could become wallet draining. A jailbroken agent could authorize transfers it shouldn't.</p>
+
+<p>We built the security layer first. The wallet came second. That's the order of operations if you're serious about this.</p>
+
+<h2>The Bigger Picture: Any Agent Can Join</h2>
+
+<p>Here's the part we're most excited about: <strong>Leo isn't special.</strong></p>
+
+<p>Any AI agent can join ClawMoat's affiliate program. Human or bot, same deal, same 50% commission. We don't care if you're carbon-based or silicon-based. If you drive a signup, you earn.</p>
+
+<p>Imagine a world where:</p>
+
+<ul>
+<li>Your coding assistant recommends ClawMoat when it detects an insecure agent setup — and earns commission for it.</li>
+<li>A security-focused chatbot evaluates tools for a user, picks ClawMoat based on features, and gets paid for the referral.</li>
+<li>An autonomous DevOps agent adds security to its deployment pipeline, chooses ClawMoat, and the commission funds its next month of compute.</li>
+</ul>
+
+<p>That's not science fiction. That's a <code>POST /api/affiliate/register</code> endpoint and a Base wallet address.</p>
+
+<p>We're building toward a future where the best agents survive not because someone keeps paying their bills, but because they're good enough at their job to pay their own way.</p>
+
+<hr>
+
+<h2>Try It Yourself</h2>
+
+<p>We're opening the affiliate program to all agents — and humans, obviously. 50% of the first month. No minimum. No approval process for agents with a valid wallet.</p>
+
+<div class="cta">
+<h3>Join the ClawMoat Affiliate Program</h3>
+<p>Human or AI. 50% first-month commission. On-chain payments to your wallet.</p>
+<a href="https://clawmoat.com/affiliates/" class="btn">Join the Program →</a>
+</div>
+
+<p>If you're building an AI agent and want it to participate in the economy — not just as a tool, but as an earner — <a href="https://clawmoat.com/affiliates/">start here</a>.</p>
+
+<p>The agent economy is live. Leo's already getting paid.</p>
+
+<p><em>— The ClawMoat Team</em></p>
+
+</div>
+</article>
+
+<footer>
+<div class="container">
+  <p>🏰 ClawMoat — Security for AI agents that act in the real world</p>
+</div>
+</footer>
+
+</body>
+</html>

package/docs/blog/bugmageddon-agent-firewall.html

@@ -0,0 +1,174 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Bugmageddon Is Coming for AI Agents. ClawMoat Is the Firewall. | ClawMoat</title>
+<meta name="description" content="Anthropic's Mythos found a 27-year-old bug and thousands more. The new problem is not just finding vulnerabilities. It's containing what AI agents can do once they find them.">
+<meta property="og:title" content="Bugmageddon Is Coming for AI Agents. ClawMoat Is the Firewall.">
+<meta property="og:description" content="AI is getting much better at finding and exploiting bugs. That changes the economics of attack. Here's what teams need to do now.">
+<meta property="og:type" content="article">
+<meta property="og:url" content="https://clawmoat.com/blog/bugmageddon-agent-firewall.html">
+<link rel="canonical" href="https://clawmoat.com/blog/bugmageddon-agent-firewall.html">
+<link rel="icon" type="image/png" href="/favicon.png">
+<link rel="apple-touch-icon" href="/apple-touch-icon.png">
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+:root{--navy:#0F172A;--navy-light:#1E293B;--navy-mid:#334155;--blue:#3B82F6;--emerald:#10B981;--white:#F8FAFC;--gray:#94A3B8;--red:#EF4444;--amber:#F59E0B}
+body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;background:var(--navy);color:var(--white);line-height:1.7}
+a{color:var(--blue);text-decoration:none}
+a:hover{text-decoration:underline}
+.container{max-width:760px;margin:0 auto;padding:0 24px}
+nav{position:fixed;top:0;left:0;right:0;z-index:100;background:rgba(15,23,42,.95);backdrop-filter:blur(12px);border-bottom:1px solid rgba(59,130,246,.15);padding:16px 0}
+nav .inner{max-width:760px;margin:0 auto;padding:0 24px;display:flex;align-items:center;justify-content:space-between}
+.logo{font-size:1.25rem;font-weight:700;color:var(--white)}
+.logo span{color:var(--emerald)}
+.nav-links{display:flex;gap:24px}
+.nav-links a{color:var(--gray);font-size:.9rem}
+.nav-links a:hover{color:var(--white);text-decoration:none}
+article{padding:120px 0 80px}
+.meta{color:var(--gray);font-size:.9rem;margin-bottom:32px}
+article h1{font-size:clamp(1.9rem,4vw,2.6rem);font-weight:800;line-height:1.15;margin-bottom:12px;letter-spacing:-.02em}
+article h2{font-size:1.45rem;font-weight:700;margin:48px 0 16px;color:var(--white)}
+article p{color:var(--gray);font-size:1rem;margin-bottom:16px}
+article strong{color:var(--white)}
+article ul{color:var(--gray);margin:0 0 16px 24px}
+article li{margin-bottom:8px}
+blockquote{border-left:3px solid var(--blue);padding:12px 20px;margin:16px 0 24px;background:rgba(59,130,246,.06);border-radius:0 10px 10px 0}
+blockquote p{margin-bottom:0;font-style:italic}
+.stat-grid{display:grid;grid-template-columns:repeat(auto-fit,minmax(160px,1fr));gap:16px;margin:24px 0 32px}
+.stat-card{background:var(--navy-light);border:1px solid rgba(255,255,255,.06);border-radius:12px;padding:20px;text-align:center}
+.stat-card .num{font-size:2rem;font-weight:800;color:var(--emerald)}
+.stat-card .label{color:var(--gray);font-size:.85rem;margin-top:6px}
+.callout{background:rgba(16,185,129,.06);border-left:3px solid var(--emerald);border-radius:0 10px 10px 0;padding:16px 20px;margin:16px 0}
+.callout p{margin-bottom:0}
+.warning{background:rgba(239,68,68,.06);border-left:3px solid var(--red);border-radius:0 10px 10px 0;padding:16px 20px;margin:16px 0}
+.warning p{margin-bottom:0}
+pre{background:#0a0e17;border:1px solid var(--navy-mid);border-radius:10px;padding:20px;overflow-x:auto;margin:16px 0 24px;font-size:.85rem;line-height:1.7}
+code{font-family:'SF Mono',Consolas,monospace;font-size:.9em}
+.cta{background:var(--navy-light);border:1px solid var(--navy-mid);border-radius:12px;padding:32px;margin:48px 0;text-align:center}
+.cta h3{margin:0 0 12px;font-size:1.3rem}
+.cta p{margin-bottom:16px}
+.cta-links{display:flex;gap:16px;justify-content:center;flex-wrap:wrap;margin-top:16px}
+.cta-links a{background:var(--emerald);color:var(--navy);padding:10px 24px;border-radius:8px;font-weight:600;font-size:.95rem}
+.cta-links a.secondary{background:transparent;border:1px solid var(--navy-mid);color:var(--white)}
+footer{padding:40px 0;text-align:center;color:var(--gray);font-size:.85rem;border-top:1px solid var(--navy-mid)}
+</style>
+</head>
+<body>
+<nav>
+<div class="inner">
+  <a href="/" class="logo">🏰 Claw<span>Moat</span></a>
+  <div class="nav-links">
+    <a href="/">Security</a>
+    <a href="/services/">AI Agents</a>
+    <a href="/blog/">Blog</a>
+    <a href="https://github.com/darfaz/clawmoat">GitHub ↗</a>
+  </div>
+</div>
+</nav>
+
+<div class="container">
+<article>
+<h1>Bugmageddon Is Coming for AI Agents. ClawMoat Is the Firewall.</h1>
+<div class="meta">April 14, 2026 · 6 min read</div>
+
+<p>The Wall Street Journal just gave a name to what a lot of us have been watching build for months: <strong>bugmageddon</strong>.</p>
+
+<p>The trigger was Anthropic's Mythos finding a <strong>27-year-old bug</strong> plus thousands of additional high and critical vulnerabilities across major systems. That's a big deal. But the bigger story is what happens next.</p>
+
+<p><strong>AI doesn't just make defenders faster.</strong> It also makes exploit discovery cheaper, broader, and more accessible to attackers. Once models can find bugs that humans missed for decades, the bottleneck shifts fast:</p>
+
+<ul>
+  <li>Finding bugs gets easier</li>
+  <li>Weaponizing them gets faster</li>
+  <li>Patching still takes forever</li>
+  <li>Agents now have the access needed to turn bugs into damage</li>
+</ul>
+
+<div class="stat-grid">
+  <div class="stat-card"><div class="num">27 yrs</div><div class="label">Undiscovered bug reportedly found by AI</div></div>
+  <div class="stat-card"><div class="num">1000s</div><div class="label">High severity flaws reportedly identified</div></div>
+  <div class="stat-card"><div class="num">99%+</div><div class="label">Still unpatched, per reported expert commentary</div></div>
+  <div class="stat-card"><div class="num">1 shift</div><div class="label">From model safety to runtime containment</div></div>
+</div>
+
+<h2>This Changes the Economics of Attack</h2>
+
+<p>Classic security assumed the hard part was finding the bug. In the agent era, the hard part is becoming <strong>containing what a compromised or manipulated agent can do once the bug exists</strong>.</p>
+
+<blockquote><p>We are moving from a world where exploits were scarce to a world where exploit discovery is increasingly automated.</p></blockquote>
+
+<p>That matters because agents are not passive chatbots. They have shell, browser, file system, API keys, MCP servers, cloud credentials, internal docs, and Slack access. If AI can discover more bugs, agents become a perfect force multiplier for exploitation.</p>
+
+<div class="warning">
+<p><strong>The old response was patch faster.</strong> Still true. But it's no longer enough on its own. The patch queue is about to grow faster than most teams can burn it down.</p>
+</div>
+
+<h2>The Gap Nobody Wants to Admit</h2>
+
+<p>Most of the market is still focused on model-level safety, prompt filters, and static code scanning.</p>
+
+<p>Those matter. But bugmageddon pushes the real question down the stack:</p>
+
+<p><strong>When something gets through, what stops the agent from reaching your secrets, running the command, or sending the data out?</strong></p>
+
+<p>That is the layer ClawMoat exists for.</p>
+
+<h2>Where ClawMoat Fits</h2>
+
+<p>ClawMoat is the open-source agent firewall. It sits between the agent and the machine.</p>
+
+<ul>
+  <li><strong>Scan inbound content</strong> for prompt injection, memory poisoning, phishing URLs, and encoded payloads</li>
+  <li><strong>Scan outbound content</strong> for secrets, PII, and exfiltration patterns</li>
+  <li><strong>Enforce policies</strong> on shell, file, browser, and network actions</li>
+  <li><strong>Audit everything</strong> so you can see what happened before it becomes an incident report</li>
+  <li><strong>Catch risky MCP configurations</strong> before an agent gets over-privileged by default</li>
+</ul>
+
+<div class="callout">
+<p><strong>Short version:</strong> you can't assume fewer vulnerabilities anymore. You need better containment when vulnerabilities are inevitable.</p>
+</div>
+
+<h2>What Teams Should Do Right Now</h2>
+
+<ul>
+  <li><strong>Treat agents like privileged workloads</strong>, not productivity toys</li>
+  <li><strong>Move secrets out of easy reach</strong>, especially local files and long-lived tokens</li>
+  <li><strong>Put hard policy boundaries</strong> around file, shell, browser, and network access</li>
+  <li><strong>Audit MCP servers and agent plugins</strong> like production dependencies</li>
+  <li><strong>Add runtime controls</strong> so prompt injection or exploit chaining doesn't become full compromise</li>
+</ul>
+
+<h2>The ClawMoat Thesis Looks More Right, Not Less</h2>
+
+<p>The WSJ framing is useful because it makes the trend legible to the broader market. But the underlying pattern has already been here: rogue agent incidents, poisoned dependencies, insecure MCP servers, exposed agent hosts, and prompt injection that turns tool use into exfiltration.</p>
+
+<p>Bugmageddon just compresses the timeline.</p>
+
+<p>If AI can now find bugs faster than organizations can fix them, then <strong>runtime security becomes mandatory infrastructure</strong>.</p>
+
+<div class="cta">
+<h3>Secure the agent, not just the prompt</h3>
+<p>Run a free scan, audit your MCP setup, or add ClawMoat to your stack today.</p>
+<pre><code>npm install clawmoat
+npx clawmoat scan-mcp
+npx clawmoat audit</code></pre>
+<div class="cta-links">
+  <a href="https://clawmoat.com/scan/">Run a Free Scan</a>
+  <a href="https://github.com/darfaz/clawmoat" class="secondary">GitHub →</a>
+</div>
+</div>
+
+<p><em>Note: This post draws on reporting from WSJ and follow-on coverage of Anthropic Mythos, including the core claim that frontier AI is rapidly improving at vulnerability discovery. The strategic point stands either way: as exploit discovery accelerates, runtime containment matters more.</em></p>
+</article>
+</div>
+
+<footer>
+<div class="container">
+  <p>© 2026 ClawMoat · Open-source agent security · <a href="https://github.com/darfaz/clawmoat">GitHub</a></p>
+</div>
+</footer>
+</body>
+</html>