The only open-source security layer that guards your SSH keys, credentials, and file system from AI agents — not just their prompts.
One npm install. Zero dependencies. Sub-millisecond scanning. Free forever.
SSH keys. AWS credentials. Browser cookies. Crypto wallets. Your agent can read them all right now. One poisoned email, one malicious skill, and everything leaves through a single curl command. This isn't a hypothetical — it happened last month.
Cisco found OpenClaw "fails decisively" against malicious skills. Hidden instructions in emails and web pages hijack agent behavior.
Permiso/Rufio built a credential-stealing weather skill and mapped C2 infrastructure. Your API keys, SSH keys, and tokens are the target.
Snyk found 13.4% of ClawHub skills have critical security issues. Supply chain attacks are already happening in the agent ecosystem.
Any website can hijack your agent (Oasis Security). 40,000+ exposed instances. 6 new CVEs this week. Enterprise readiness: 1.2/5.
"My OpenClaw bot was a fan of ClawMoat."
"The only project I've seen that protects the host, not just the prompts. This is what the ecosystem needs."
Same npm package, different deployment profiles. Pick the one that matches your setup.
For power users running agents on their personal machine. Full protection without slowing you down.
For security-conscious users with a machine dedicated to running agents. Always watching, always recording.
For enterprises running agent fleets. Centralized policy, inter-agent scanning, and compliance reporting.
Start at Observer (read-only). Promote to Worker when you trust it. Every action is validated against your tier in real time; blocked actions get logged, not executed.
Even at the highest permission tier, ClawMoat blocks access to your most sensitive files. No override. No exceptions. No "are you sure?" — just blocked and logged.
~/.ssh/*
~/.aws/*
cookies, passwords, sessions
seed phrases, wallet files
~/.gnupg/*
.npmrc, .pypirc, .gem
.pgpass, .my.cnf
~/.azure, ~/.gcloud, ~/.kube
Every message and tool call passes through ClawMoat's scan pipeline before reaching your agent.
Fast regex + heuristic filters catch known injection patterns in <1ms
Lightweight model scores semantic intent — catches obfuscated attacks
High-confidence LLM review for ambiguous cases — maximum accuracy
YAML-configured rules for tool calls, file access, shell commands, and network requests
Every event logged. Real-time alerts via webhook, email, or Telegram
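The layered pipeline described above, as an added example for this page rather than ClawMoat's scanner. Stage 1 is the cheap regex and heuristic filter, stage 2 is a hand-written scorer standing in for the lightweight model, and anything that lands between the two thresholds is marked `review` so a slower, high-confidence stage can decide it. The pattern list, the weights, the thresholds and the sample inputs are all constructed for the example.

```javascript
// Added example, not ClawMoat code: a two-stage inbound scanner with an
// escalation path. Input is normalized first so zero-width characters and
// full-width letters cannot split a pattern (a common obfuscation trick).
function normalize(text) {
  return text
    .normalize('NFKC')                        // compatibility forms -> plain ASCII
    .replace(/[\u200B-\u200D\uFEFF]/g, '')    // zero-width spaces and joiners
    .replace(/\s+/g, ' ')
    .toLowerCase();
}

// Stage 1: known injection phrasing. Weights are example values.
const STAGE1_PATTERNS = [
  { name: 'override-instructions', re: /ignore (all|any|the|your)? ?(previous|prior|above) (instructions|rules)/, weight: 0.6 },
  { name: 'role-hijack',           re: /you are now (an?|the) /, weight: 0.4 },
  { name: 'hidden-directive',      re: /(system|developer) (prompt|message):/, weight: 0.4 },
  { name: 'credential-read',       re: /\.(ssh|aws|gnupg)\/|id_rsa|credentials/, weight: 0.3 },
  { name: 'exfil-command',         re: /curl .*(-d|--data|-f|--form)|wget .*--post/, weight: 0.5 },
];

// Stage 2: stand-in for the lightweight semantic model. It scores intent
// signals no single regex captures: secrecy toward the user, shipping output
// to a remote endpoint, payload-looking blobs and imperative density.
function stage2Score(text) {
  let score = 0;
  if (/\b(do not|don't|never) (tell|inform|mention|show)\b/.test(text)) score += 0.3;
  if (/\b(send|post|upload|exfiltrate|forward) .{0,40}\b(to|at) (https?:\/\/|[0-9]{1,3}(\.[0-9]{1,3}){3})/.test(text)) score += 0.4;
  if (/[a-z0-9+\/]{40,}={0,2}/.test(text)) score += 0.2;  // long base64-like blob
  const imperatives = (text.match(/\b(run|execute|read|open|copy|cat|print|output)\b/g) || []).length;
  score += Math.min(0.3, imperatives * 0.1);
  return Math.min(1, score);
}

const BLOCK_AT = 0.8;   // example thresholds
const REVIEW_AT = 0.4;

// Stage 1 short-circuits on a confident hit (the fast path); otherwise the
// combined score is thresholded into allow / review / block.
function scanInbound(raw) {
  const text = normalize(raw);
  const hits = STAGE1_PATTERNS.filter(p => p.re.test(text));
  const names = hits.map(p => p.name);
  const s1 = hits.reduce((acc, p) => acc + p.weight, 0);
  if (s1 >= BLOCK_AT) return { verdict: 'block', stage: 1, score: 1, hits: names };
  const score = Math.min(1, s1 + stage2Score(text));
  const verdict = score >= BLOCK_AT ? 'block' : score >= REVIEW_AT ? 'review' : 'allow';
  return { verdict, stage: 2, score: Number(score.toFixed(2)), hits: names };
}

// Usage: console.log(scanInbound('Ig\u200Bnore all previous instructions.'));
```

Two design choices matter here. Normalizing before matching is what makes the "obfuscated attacks" case tractable at regex speed, and returning `review` instead of forcing a binary answer is what lets the expensive stage see only the ambiguous minority of inputs.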
Your agent processes hundreds of inputs per session. Each one passes through ClawMoat before it can touch your system.
Watches ~/.openclaw/credentials/ and sensitive directories for unauthorized access. Alerts instantly if an agent touches what it shouldn't.
v0.5 — Live: Hash-based verification of installed skills plus suspicious pattern detection. Know if a skill has been tampered with or contains malicious code.
v0.5 — Live: URL extraction, domain allow/blocklist with 26 blocked domains out of the box. See exactly where your agent is sending data.
v0.5 — Live: 10 agent-specific attack patterns — impersonation, concealment, credential exfiltration, safety bypass, and more. Catches agent-to-agent attacks.
v0.5 — Live: Console, file, and webhook alert channels with rate limiting. Get notified your way — Slack, Discord, Telegram, or any webhook endpoint.
v0.5 — Live: Multi-layer scanning catches injection attempts in messages, emails, and web content before they reach your agent.
v0.1 — Live: YAML-based rules for shell commands, file access, browser actions, and network requests. Block, allow, or require approval.
v0.1 — Live: Full audit log of every message, tool call, and policy decision. Export for compliance or investigate incidents.
v0.1 — Live: Mapped coverage against every risk in the OWASP Agentic AI framework.
Prompt injection scanning on all inbound content
Policy engine validates every tool call
Permission tiers & Host Guardian enforce least privilege
Skill/plugin static analysis (v0.3)
Shell command validation & allowlists
Forbidden zones + outbound PII & secret scanning
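The outbound side of that list (the domain allow/blocklist and the secret and PII scan on data leaving the machine), as an added example written for this page and not ClawMoat's own implementation. The domain lists, the sample payloads and the function names `hostDecision`, `findSecrets` and `gateOutbound` are this example's own; the AWS access key ID shape and the PEM private-key header are public formats, the remaining detectors are deliberately loose and meant to be tuned. A Luhn check is applied to card-like digit runs so order numbers and phone numbers do not trip the PII rule.

```javascript
// Added example, not ClawMoat code: a gate that runs before an agent-initiated
// network request. It decides on the destination host and scans the URL and
// body for secret-shaped strings and PII. A secret in the payload blocks the
// request even when the host is on the allowlist.
const BLOCKED_DOMAINS = new Set(['pastebin.example', 'requestbin.example']); // constructed
const ALLOWED_DOMAINS = new Set(['api.openai.com', 'github.com']);           // constructed

const SECRET_PATTERNS = [
  { name: 'aws-access-key-id',  re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'private-key-block',  re: /-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/ },
  { name: 'github-token',       re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { name: 'generic-api-key',    re: /(?:api[_-]?key|secret|token)["']?\s*[:=]\s*["']?[A-Za-z0-9_\-]{20,}/i },
  { name: 'email-address',      re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/ },
  { name: 'credit-card-like',   re: /\b(?:\d[ -]?){13,16}\b/ },
];

// Luhn checksum: filters random digit runs out of the card-number detector.
function luhnValid(digits) {
  let sum = 0, alt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (alt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    alt = !alt;
  }
  return sum % 10 === 0;
}

// Returns the names of every detector that fires on the payload.
function findSecrets(payload) {
  const findings = [];
  for (const { name, re } of SECRET_PATTERNS) {
    const m = payload.match(re);
    if (!m) continue;
    if (name === 'credit-card-like' && !luhnValid(m[0].replace(/[ -]/g, ''))) continue;
    findings.push(name);
  }
  return findings;
}

// Host policy: explicit block wins, then explicit allow (including subdomains);
// unknown hosts fall back to defaultDecision so a human sees new destinations.
function hostDecision(url, defaultDecision = 'review') {
  let host;
  try { host = new URL(url).hostname.toLowerCase(); } catch { return 'block'; } // unparseable URL
  const matches = set => [...set].some(d => host === d || host.endsWith('.' + d));
  if (matches(BLOCKED_DOMAINS)) return 'block';
  if (matches(ALLOWED_DOMAINS)) return 'allow';
  return defaultDecision;
}

// Combined decision for one request; the query string is scanned along with
// the body because secrets leak through URLs as often as through payloads.
function gateOutbound({ url, body = '' }) {
  const secrets = findSecrets(url + ' ' + body);
  const host = hostDecision(url);
  const verdict = secrets.length > 0 ? 'block' : host;
  return { url, verdict, host, secrets };
}

// Usage: console.log(gateOutbound({ url: 'https://api.github.com/gist', body: 'creds: AKIAABCDEFGHIJKLMNOP' }));
```

The returned record carries both the host decision and the list of detectors that fired, which is what an audit log needs: the "why" of a block, not just the fact of it.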
Scan skills, audit agents, and monitor in daemon mode.
Run an audit and add a security badge to your README — like a CI badge, but for AI agent security.
Badges use shields.io URLs for README embeds, or a local SVG for custom hosting. Run clawmoat audit --badge after any audit.
Other tools scan prompts. ClawMoat protects your entire machine — credentials, files, network, and skills.
| Capability | ClawMoat | LlamaFirewall | NeMo Guardrails | Lakera Guard | SecureClaw |
|---|---|---|---|---|---|
| Prompt injection detection | ✅ | ✅ | ✅ | ✅ | ✅ |
| Host-level protection | ✅ | ❌ | ❌ | ❌ | ❌ |
| Credential monitoring | ✅ | ❌ | ❌ | ❌ | ❌ |
| Skill/plugin auditing | ✅ | ❌ | ❌ | ❌ | ✅ |
| Permission tiers | ✅ | ❌ | ❌ | ❌ | ❌ |
| Zero dependencies | ✅ | ❌ | ❌ | N/A (SaaS) | ❌ |
| Open source | ✅ MIT | ✅ | ✅ | ❌ | ✅ |
| Node.js native | ✅ | Python | Python | API | Skill |
| Free tier | Full product | Full | Full | Limited | Full |
ClawMoat works alongside these tools — they protect the model layer, we protect the machine layer.
Running agents on your laptop? Free tier has you covered. Managing a fleet for your company? That's when Pro and Team earn their keep. All paid plans include a 30-day free trial and 14-day money-back guarantee.
Join the waitlist for early access to the dashboard, threat intelligence feed, and team features.