Security products ask for trust. ClawMoat earns it by giving your own coding agent the files, commands, and review checklist to inspect what it does before you install or buy.
After that, ClawMoat acts as the seatbelt for Claude Code, Cursor, Codex, Windsurf, MCP tools, shell access, local files, browser sessions, and background jobs.
The old threat model was hallucination. The new threat model is tool use on a laptop full of credentials, private files, browser sessions, and background tasks.
Your agent works better when it can see the files you actually use. It also has a bigger blast radius.
Helpful agents run commands, edit files, install packages, and call APIs. Those same tools can leak secrets or destroy state.
Emails, webpages, docs, and tickets are untrusted input. Prompt injection stops being cute when it can trigger tool calls.
Cron jobs and background sessions keep working after your attention moves elsewhere. That is exactly when guardrails matter.
ClawMoat should not demand blind trust. The first workflow is a self-check: your agent reviews the ClawMoat repo, package, install commands, network behavior, and threat model, then tells you whether it looks safe and worth using.
It scans the things that influence your agent, the actions your agent wants to take, and the data your agent is about to expose.
Security is invisible until it fails. ClawMoat makes the invisible work visible: sessions protected, tool calls checked, risky actions blocked, secrets not exposed, and the next best fix.
Hidden instructions in webpages, READMEs, emails, Slack exports, PDFs, and support tickets.
API keys, SSH keys, GitHub tokens, cloud credentials, npm tokens, and secrets in logs or outbound messages.
Destructive shell commands, sketchy curl pipes, sensitive file reads, suspicious network exfiltration.
No identity, no approval gates, no kill switch, no MCP policy, no trail for what the agent did while you were gone.
The open-source scanner earns trust. Pro and Team are for the recurring proof layer: saved receipts, weekly safety summaries, audit evidence packs, policy history, CI gates, alerts, and support.
For quick local checks before you give an agent more power.
For one builder who wants recurring reassurance, not just a one-time scan.
For small teams that need evidence, not every developer hand-rolling local scans.
Use the scanner free forever if one-off local checks are enough. Pay when you need continuity, team policy, CI enforcement, audit artifacts, and someone accountable when it breaks.
Scan locally, watch the attack, audit the lifecycle, then buy protection or request a deeper review.
Use this as the quick mental model for Hermes, Claude Code, Codex, OpenCode, Cursor agents, local models, and MCP-heavy setups.
Short enough to post, specific enough to land.
ClawMoat is open source, zero dependency, and built for the people putting agents on real machines right now.