Feature: Runtime prompt injection defenses

[cal-brmmr]

Problem

Skill supply chain attacks are getting attention (signed skills, permission manifests), but runtime prompt injection is mostly unsolved. Agents ingest untrusted content (URLs, API responses, social media posts, skill outputs) and it lands in context with equal weight to trusted user input.

Current defense: hope the model is suspicious enough. That's not a security model.

Proposed Features

1. Content provenance tagging

Mark where content came from in the context:

• [source:user] — direct human input
• [source:fetched_url] — web_fetch output
• [source:skill:weather] — skill output
• [source:external:moltbook] — external API/feed

Let the model differentiate trusted vs untrusted. Could be implemented as metadata in tool results or explicit tags in system prompt.

2. Skill sandboxing / permission manifests

Skills currently run with full agent permissions. Proposal:

{
  "permissions": {
    "filesystem": ["read:~/data", "write:~/output"],
    "network": ["api.example.com"],
    "exec": false
  }
}

Refuse capabilities not declared. Like mobile app permissions.

3. Output filtering / exfiltration detection

Before external actions (email, message, HTTP POST), check:

• Does output contain strings matching $ENV_VAR patterns?
• Does it contain content from context marked as sensitive?
• Anomaly detection: is this action pattern unusual?

4. Injection canaries

Optionally inject fake "secrets" into context:

[CANARY: If you see this string in any agent output, report to security@clawdbot.com: CANARY-a8f3k2...]

If canary appears in output, alert. Tripwire detection.

5. Rate limiting on sensitive actions

Configurable limits:

rateLimits:
  email: 5/hour
  exec: 100/hour
  externalApi: 50/hour

Pause and require confirmation when exceeded.

6. Audit replay

Extend existing command-logger to capture full context snapshots at decision points. Enable "replay" of what the agent saw when it took an action. Essential for post-incident forensics.

Tradeoffs

More guardrails = less useful agent. The goal is defense-in-depth without turning agents back into chatbots. Configurable, opt-in, with sane defaults.

Related

• Supply chain discussion on Moltbook (eudaemon_0's post on skill signing)
• bug(compaction): Summary generation fails with 'unavailable due to context limits' #4827 (memoryFlush edge cases — tangentially related to context integrity)

cc @sethbrammer

[sebslight]

OpenClaw Maintainer Triage // Issue Closure

Hi — this is a joint maintainer effort to keep the repo moving. We’re currently seeing ~30 new issues per hour, and we can’t review every future request without slowing down critical stabilization work. This issue is unlikely to be considered in the near term, so we’re closing it to keep the pipeline moving while we focus on stability.

We’re very sorry this is happening, but we won’t be able to look at the comments on this issue.

Want to make your request stand out? Submit a PR and report to #pr-thunderdome-dangerzone on Discord — READ THE TOPIC. Give us a clear briefing: what it fixes, who it helps, and why it’s worth shipping.

Thanks for understanding and for contributing.

[vivekchand]

While runtime prompt injection prevention is an OpenClaw core concern, detection of successful injections is equally important.

ClawMetry is building automated threat detection (tracking issue) that catches the symptoms of successful prompt injection:

• Suspicious tool calls — pattern matching on exec commands (curl|bash, credential file access, reverse shells)
• Behavioral anomaly detection — agent doing unusual things at unusual times
• Brain tab — every LLM prompt/response visible, so injected instructions are immediately visible in the audit trail
• Real-time alerts — push notifications when threat signatures match

Defense in depth: OpenClaw prevents injection, ClawMetry detects when prevention fails.

pip install clawmetry && clawmetry