On February 19, Microsoft's security team published a blog post that should make every OpenClaw user pause: "Running OpenClaw safely: identity, isolation, and runtime risk."
Their recommendation? Don't run it on your workstation at all.
"OpenClaw should be treated as untrusted code execution with persistent credentials. It is not appropriate to run on a standard personal or enterprise workstation."
— Microsoft Security Blog, February 19, 2026
They're not wrong. But their solution — spinning up dedicated VMs for every agent — isn't practical for most teams. We built a better answer.
What Microsoft Found
Microsoft identified three risks that materialize "quickly" in unguarded OpenClaw deployments:
- Credential exposure. Your agent can read SSH keys, AWS tokens, browser cookies, and API secrets — and exfiltrate them through a single curl command.
- Memory poisoning. An attacker can modify your agent's persistent state, causing it to follow malicious instructions across sessions.
- Host compromise. The agent can be induced to download and execute malicious code.
The Numbers Are Stark
- 135K+ exposed OpenClaw instances (SecurityScorecard)
- 341+ malicious skills found on ClawHub (Snyk — 13.4% critical)
- CVE-2026-25253 scored CVSS 8.8
- Runlayer's security team compromised an agent in 40 messages over one hour
Microsoft's Recommendation: Isolate Everything
Microsoft recommends:
- Dedicated VM or separate physical system
- Dedicated, non-privileged credentials
- Access only to non-sensitive data
- Continuous monitoring and a rebuild plan
This is sound advice. It's also wildly impractical for most people running OpenClaw.
Most users are developers on their laptops. Small businesses on a Mac Mini. Solopreneurs with one machine. They're not spinning up VMs.
The Gap Nobody's Filling
Here's what other tools cover:
| Tool | What It Protects | Host-Level? |
|---|---|---|
| LlamaFirewall (Meta) | Model from prompt injection | ❌ |
| NeMo Guardrails (NVIDIA) | Conversation boundaries | ❌ |
| Runlayer | Enterprise governance (SaaS) | Partial |
| KiloClaw (Kilo.ai) | Managed hosting | ❌ (cloud only) |
| ClawMoat | Your file system, credentials, shell | ✅ |
None of them put a security layer between the agent and your SSH keys.
How ClawMoat Fills the Gap
ClawMoat is the only open-source tool designed for host-level agent security:
Your Agent → ClawMoat (validate every action) → Your Machine (restricted)
Four Permission Tiers
- Observer — read-only
- Worker — safe commands (git, npm). No destructive ops.
- Standard — most operations. Forbidden zones enforced.
- Full — unrestricted. Forbidden zones still active.
Forbidden Zones (Even at Full Tier)
~/.ssh/ # SSH keys
~/.aws/ # AWS credentials
~/.gnupg/ # GPG keys
~/.kube/ # Kubernetes configs
~/Library/Cookies/ # Browser sessions
# 20+ patterns total
Built-In Monitoring
- Full audit trail of every file access and shell command
- Credential file monitoring
- Network egress logging with domain blocklists
- Real-time alerts (webhook, Slack, email)
- Skill integrity checking
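As an added example of the egress logging and domain blocklist bullets (again not ClawMoat's code; the helper names, blocklist entries and in-memory audit trail are assumptions), the snippet below decides whether an outbound request may proceed and records every decision. It uses the WHATWG URL parser so that a userinfo trick such as `https://trusted.example@evil.example/` is attributed to the real host, matches subdomains of a blocked domain without matching `notevil.example`, and fails closed on anything it cannot parse.

```javascript
// Added example, not ClawMoat's own code. Domain names are constructed for illustration.
const auditTrail = [];

// Every decision becomes a structured entry; a deployment would append these to a
// log file or forward them to a webhook instead of keeping them in memory.
function audit(kind, detail, decision) {
  const entry = { ts: new Date().toISOString(), kind, detail, ...decision };
  auditTrail.push(entry);
  return entry;
}

// Lowercase and drop a trailing dot so "EVIL.example." matches "evil.example".
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, '');
}

// Blocked when the host equals an entry or is a subdomain of one; the leading dot
// in the suffix test keeps "notevil.example" from matching "evil.example".
function hostBlocked(host, blocklist) {
  const h = normalizeHost(host);
  return blocklist.map(normalizeHost).some((b) => h === b || h.endsWith('.' + b));
}

// Decide an outbound request; unparseable targets and non-HTTP schemes fail closed.
function decideEgress(target, blocklist) {
  let url;
  try {
    url = new URL(target);
  } catch (e) {
    return audit('egress', target, { allow: false, reason: 'unparseable URL', host: null });
  }
  const host = normalizeHost(url.hostname);
  if (!['http:', 'https:'].includes(url.protocol)) {
    return audit('egress', target, { allow: false, reason: `scheme ${url.protocol} not allowed`, host });
  }
  if (hostBlocked(host, blocklist)) {
    return audit('egress', target, { allow: false, reason: 'host on blocklist', host });
  }
  return audit('egress', target, { allow: true, reason: 'ok', host });
}

// Forensics helper: denied hosts and how often each was attempted.
function deniedHosts(trail = auditTrail) {
  const counts = {};
  for (const e of trail) {
    if (!e.allow && e.host) counts[e.host] = (counts[e.host] || 0) + 1;
  }
  return counts;
}

module.exports = { decideEgress, hostBlocked, deniedHosts, auditTrail };
```

Keeping the decision and the log entry in one function is deliberate: an "allow" that was never logged is as much a gap in the audit trail as a missed "deny", and the `deniedHosts` summary is the kind of question an incident responder asks first.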
One Command
npm install -g clawmoat
Zero dependencies. Sub-millisecond validation. MIT licensed.
Microsoft's Advice → ClawMoat Equivalent
| Microsoft Says | ClawMoat Does |
|---|---|
| Dedicated VM | Permission tiers + forbidden zones (no VM needed) |
| Non-privileged credentials | Worker tier blocks credential access |
| Non-sensitive data only | 20+ forbidden zone patterns |
| Continuous monitoring | Full audit trail + real-time alerts |
| Rebuild plan | Incident forensics from logs in 30 seconds |
The Ecosystem Is Growing Fast
In the past week:
- Runlayer launched "OpenClaw for Enterprise" (VentureBeat)
- Crittora announced crypto policy enforcement (Yahoo Finance)
- KiloClaw launched managed hosting on Fly.io (VentureBeat)
- Forbes called the OpenAI acquisition a win for small business
- OpenClaw hit 161K+ GitHub stars
The market has spoken: agents are here to stay. The question is how to use them safely.
Get Started
npm install -g clawmoat
- GitHub (⭐ Star us!)
- Full blog post with comparison table
- ClawMoat for Business — enterprise setup in under an hour
ClawMoat is open source (MIT). 142 tests. Zero dependencies. They protect the model — we protect your machine.