ClawMoat v1.0.0 is the stable release of the open-source agent firewall.
This release focuses on practical runtime protection for AI agents, MCP setups, coding agents, and tool-using LLM systems.
New: Agent Lifecycle Exposure Report
ClawMoat now includes a lifecycle audit that turns agent risk into a shareable markdown report:
npx clawmoat lifecycle audit --path . --format markdown --output lifecycle-report.md
Use it before an agent gets filesystem, shell, browser, GitHub, email, MCP, or credential access. The report maps visible surfaces, framework context, credential hints, missing controls, and remediation steps.
Lifecycle page: https://clawmoat.com/agent-lifecycle-crisis/
Free exposure review: https://clawmoat.com/assessment/
Highlights
- clawmoat lifecycle audit for identity, credential, permission, audit, kill-switch, and offboarding gaps
- Markdown, JSON, and text lifecycle report formats
- Framework detection for LangChain, CrewAI, AutoGen, OpenAI Agents, Claude, and MCP
- clawmoat watch live monitoring dashboard for agent activity
- clawmoat scan-mcp for MCP configuration risk scanning
- Prompt injection, secret leakage, PII exposure, exfiltration, supply-chain, and dangerous tool-call detection
- Vulnerability-ops exploitability scoring and analysis API
- Runtime protection exports for embedding ClawMoat into agent apps
- Integration docs and adapters for LangChain, OpenAI Agents, LiteLLM, CrewAI, and OpenClaw
- Package hygiene improvements to keep stale local artifacts and mutable server key state out of npm packages
Verification
- Local npm test: 536 passing, 0 failing
- Local npm run lint: passing
- Local npm pack --dry-run --json: passing
- GitHub CI: passing on Ubuntu, macOS, Windows, Node 18/20/22
- GitHub Pages deployment: passing
- ClawMoat self security scan: passing
Install
npm install -g clawmoat
clawmoat --help
Or run the lifecycle report directly:
npx clawmoat lifecycle audit --path . --format markdown --output lifecycle-report.md