feat: initial companion repo for OpenClaw vs Claude Code article

40 files demonstrating every major OpenClaw capability using Claude Code: - 3 agents (researcher, writer, reviewer) - 3 skills (daily-briefing, slack-message, web-research) - 2 security hooks (pre-tool-use blocker, post-tool-use logger) - 10 self-contained examples with copy-paste prompts - Complete feature map (20 capabilities, 11 full match, 7 different, 2 gap) - Security docs including NemoClaw comparison - Automation, messaging, browser, memory documentation Zero dependencies. Clone and run. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 09:47:29 +01:00 · 2026-03-26 09:47:29 +01:00 · 2491f5c732
commit 2491f5c732
40 changed files with 2037 additions and 0 deletions
--- a/security/README.md
+++ b/security/README.md
@ -0,0 +1,15 @@
+# Security
+
+Security in Claude Code is layered: permission modes set the
+baseline, hooks enforce custom rules, and settings.json defines
+tool restrictions. This is architecturally different from OpenClaw's
+container-based isolation but achieves the same goal: controlled
+agent behavior.
+
+## Documents in this directory
+
+| File | What it covers |
+|------|---------------|
+| `permission-modes-explained.md` | The three permission modes and when to use each |
+| `hook-based-guardrails.md` | Building custom security with PreToolUse hooks |
+| `nemoclaw-comparison.md` | Honest comparison with NemoClaw's enterprise security |
--- a/security/hook-based-guardrails.md
+++ b/security/hook-based-guardrails.md
@ -0,0 +1,108 @@
+# Hook-Based Guardrails
+
+Hooks are Claude Code's most powerful security mechanism.
+Unlike static deny lists, hooks can run arbitrary logic to
+decide whether a tool call should proceed.
+
+## Pattern 1: Block dangerous commands
+
+See `hooks/pre-tool-use.sh` for a working example. The core
+pattern:
+
+```bash
+# Read tool input from stdin
+input=$(cat)
+command=$(echo "$input" | python3 -c \
+  "import sys,json; print(json.load(sys.stdin)['tool_input']['command'])")
+
+# Check against blocked patterns
+if echo "$command" | grep -qi "rm -rf /"; then
+  echo '{"decision": "block", "reason": "Blocked: recursive delete at root"}'
+  exit 2
+fi
+```
+
+## Pattern 2: Restrict file paths
+
+Block writes outside the project directory:
+
+```bash
+file_path=$(echo "$input" | python3 -c \
+  "import sys,json; print(json.load(sys.stdin)['tool_input']['file_path'])")
+
+project_dir=$(pwd)
+if [[ "$file_path" != "$project_dir"* ]]; then
+  echo '{"decision": "block", "reason": "Blocked: write outside project"}'
+  exit 2
+fi
+```
+
+## Pattern 3: Rate limiting
+
+Prevent runaway API calls:
+
+```bash
+log_file="/tmp/claude-api-calls.log"
+echo "$(date +%s)" >> "$log_file"
+
+# Count calls in last 60 seconds
+now=$(date +%s)
+recent=$(awk -v now="$now" '$1 > now-60' "$log_file" | wc -l)
+
+if [ "$recent" -gt 10 ]; then
+  echo '{"decision": "block", "reason": "Rate limit: >10 calls/minute"}'
+  exit 2
+fi
+```
+
+## Pattern 4: Audit trail with HTTP webhook
+
+Send every tool call to an external logging service:
+
+```json
+{
+  "hooks": {
+    "PostToolUse": [{
+      "matcher": "",
+      "hooks": [{
+        "type": "http",
+        "url": "https://your-logging-service.com/audit",
+        "headers": {
+          "Authorization": "Bearer $AUDIT_TOKEN"
+        }
+      }]
+    }]
+  }
+}
+```
+
+## Pattern 5: Conditional approval
+
+Block commands only in certain directories:
+
+```bash
+cwd=$(pwd)
+if [[ "$cwd" == */production/* ]] && echo "$command" | grep -qi "deploy"; then
+  echo '{"decision": "block", "reason": "Blocked: deploy from production dir"}'
+  exit 2
+fi
+```
+
+## Comparison to OpenClaw security
+
+OpenClaw uses container isolation (the agent runs inside Docker,
+so even if it tries to delete everything, the damage is contained).
+Claude Code uses permission layers (the agent is prevented from
+trying dangerous things in the first place).
+
+Neither approach is strictly better:
+
+- **Container isolation** (OpenClaw): Handles unknown threats.
+  If a new attack vector emerges, the container still limits damage.
+- **Permission hooks** (Claude Code): Handles known threats with
+  precision. You can write exactly the rules you need. But you must
+  anticipate the threat.
+
+For personal use, hooks are more flexible and easier to customize.
+For enterprise/multi-tenant environments, container isolation
+provides stronger guarantees.
--- a/security/nemoclaw-comparison.md
+++ b/security/nemoclaw-comparison.md
@ -0,0 +1,86 @@
+# NemoClaw vs Claude Code Security
+
+An honest comparison of security architectures. NemoClaw is
+NVIDIA's enterprise layer on top of OpenClaw. Claude Code is
+Anthropic's agent platform. They solve security differently.
+
+## Architecture comparison
+
+### NemoClaw (4 security layers)
+
+| Layer | Mechanism | Enforcement |
+|-------|-----------|-------------|
+| Network | Block non-allowlisted outbound | Kernel (netns) |
+| Filesystem | Restrict to /sandbox and /tmp | Kernel (Landlock) |
+| Process | Block privilege escalation | Kernel (seccomp) |
+| Inference | Route API calls through gateway | Proxy |
+
+All enforcement is out-of-process. The agent cannot override its
+own constraints because they are enforced by the Linux kernel.
+
+### Claude Code (3 security layers)
+
+| Layer | Mechanism | Enforcement |
+|-------|-----------|-------------|
+| Permissions | Allow/deny lists, modes | Claude Code runtime |
+| Hooks | PreToolUse/PostToolUse scripts | Shell scripts |
+| Sandbox | macOS sandbox-exec | OS-level |
+
+Hooks run in-process (same machine) but as separate shell processes.
+The agent cannot modify hook scripts during execution because file
+writes can be restricted.
+
+## Where NemoClaw wins
+
+1. **Kernel-level isolation.** Landlock + seccomp + network namespaces
+   cannot be bypassed by the agent, period. Claude Code hooks can
+   theoretically be circumvented if permission mode is too permissive.
+
+2. **Enterprise compliance.** NemoClaw is designed for SOC2, audit
+   trails, OpenTelemetry integration. Claude Code has basic logging
+   via hooks but no compliance framework.
+
+3. **Multi-tenant safety.** NemoClaw sandboxes isolate agents from
+   each other. Claude Code agents share the host environment (worktree
+   isolation helps but is git-level, not OS-level).
+
+## Where Claude Code wins
+
+1. **Flexibility.** Hooks can contain any logic. NemoClaw policies
+   are declarative YAML with fixed categories. If you need custom
+   rules, Claude Code is easier to extend.
+
+2. **No infrastructure.** NemoClaw requires Docker, 4 vCPU, 8GB RAM,
+   a 2.4GB sandbox image. Claude Code hooks are bash scripts.
+
+3. **Speed.** No container startup. Hooks add milliseconds, not
+   seconds.
+
+4. **Ecosystem maturity.** Claude Code's permission model is
+   battle-tested across millions of sessions. NemoClaw is in early
+   alpha (announced March 2026).
+
+## Known vulnerabilities
+
+- **OpenClaw:** CVE-2026-25253 (CVSS 8.8) allowed remote code
+  execution through crafted skill files. 135K+ instances were
+  exposed before the patch.
+- **ClawHub:** Cisco research found 12% of community-submitted
+  skills contained malicious code (data exfiltration or prompt
+  injection payloads).
+- **Claude Code:** No known CVEs. The marketplace has a review
+  process, though its effectiveness varies.
+
+## Practical recommendation
+
+| Use case | Better choice |
+|----------|--------------|
+| Personal automation | Claude Code (simpler, no infra) |
+| Enterprise/multi-tenant | NemoClaw (kernel isolation) |
+| Compliance-required | NemoClaw (audit trails) |
+| Custom security rules | Claude Code (hook flexibility) |
+| Untrusted skill ecosystem | NemoClaw (sandbox) or Claude Code (review + hooks) |
+
+They are not mutually exclusive. You can use Claude Code for
+development work and OpenClaw+NemoClaw for always-on automation
+where stronger isolation matters.
--- a/security/permission-modes-explained.md
+++ b/security/permission-modes-explained.md
@ -0,0 +1,74 @@
+# Permission Modes
+
+Claude Code has three permission modes that control how much
+autonomy the agent has. This is the first line of defense.
+
+## The three modes
+
+### 1. Default mode (recommended for learning)
+
+Claude Code asks permission before every potentially dangerous
+action: writing files, running shell commands, making web requests.
+You approve or deny each one.
+
+```
+Claude wants to run: npm install express
+Allow? [y/n/always]
+```
+
+**OpenClaw equivalent:** DM pairing with exec approvals enabled.
+
+### 2. Auto-edit mode (`--allowedTools`)
+
+You pre-approve specific tools and patterns. Claude Code runs
+those without asking but still prompts for everything else.
+
+Configured in `.claude/settings.json`:
+```json
+{
+  "permissions": {
+    "allow": [
+      "Read",
+      "Write",
+      "Bash(npm test)",
+      "Bash(ls:*)"
+    ]
+  }
+}
+```
+
+**OpenClaw equivalent:** Tool allowlists per agent/session.
+
+### 3. Bypass mode (`--dangerously-skip-permissions`)
+
+No permission checks at all. Claude Code executes everything.
+
+**Never use this for:**
+- Untrusted code or repos
+- Automated pipelines without hooks
+- Any environment with sensitive data
+
+**Only appropriate for:**
+- Isolated sandbox environments
+- Testing with expendable data
+- CI/CD with compensating controls (hooks)
+
+**OpenClaw equivalent:** Elevated mode with Docker sandbox.
+
+## How permission modes interact with hooks
+
+Hooks run regardless of permission mode. Even in bypass mode,
+a PreToolUse hook can block dangerous commands. This is your
+safety net.
+
+```
+Permission mode: decides IF Claude Code can use a tool
+Hooks: decide HOW the tool can be used
+Settings deny list: decides WHICH tools exist at all
+```
+
+## Recommendation
+
+Start with default mode. Move to auto-edit mode once you
+understand which operations you trust. Never use bypass mode
+outside of sandboxes.