Feature Request: Prompt Injection Scanning Config

[LumenLantern]

Feature: Native prompt injection scanning configuration in openclaw.json

Use case: Autonomous agents need to filter untrusted inputs (web scrapes, third-party messages, skill outputs) for malicious prompt injections before processing.

Proposed config:

{
  "security": {
    "promptInjection": {
      "enabled": true,
      "scanModel": "nvidia/meta/llama-guard-4-12b",
      "blockOnUnsafe": true,
      "logIncidents": true,
      "logPath": "~/.openclaw/security/prompt-injection.log"
    }
  }
}

How it would work:

1. Before passing user/web/message content to the LLM, run it through a content safety model (Llama Guard 4, Nemotron, etc.)
2. If unsafe/injection detected, either block (blockOnUnsafe: true) or log + proceed with warning
3. Log all scans to audit trail

Why this matters:

• OWASP Agentic AI Top 10 #A01 (Prompt Injection)
• Critical for production deployments that ingest untrusted content
• Currently requires manual implementation outside OpenClaw's request pipeline

Workaround:
We currently run Llama Guard externally in our WATCHTOWER security framework, but native integration would be more efficient and reliable.

Related: This came up while responding to Palo Alto Networks' claim that OpenClaw is insecure. Native security config would strengthen the platform's enterprise credibility.

[corpetty]

Lightweight Alternative: Pattern-Based Scanning

We just integrated prompt-guard as a skill and it covers most injection vectors without needing an ML model:

What it does:

• 349+ regex patterns across EN/KO/JA/ZH
• Detects: instruction overrides, jailbreaks, secret extraction, system impersonation, social engineering
• Severity scoring (SAFE → LOW → MEDIUM → HIGH → CRITICAL)
• ~0ms latency (no model inference)

Current limitation: No native hook to scan before the LLM sees the message. We're doing behavioral self-checking, which helps but isn't foolproof.

Proposed middleware architecture:

security:
  inputFilters:
    - kind: pattern          # Fast regex patterns (prompt-guard style)
      enabled: true
      action: block          # block | warn | log
      severity: HIGH         # minimum severity to trigger
      
    - kind: model            # ML-based (Llama Guard, etc.)
      enabled: false         # opt-in for higher security needs
      model: nvidia/meta/llama-guard-4-12b

Why both approaches:

• Pattern scanning: Fast, zero cost, catches known vectors
• Model scanning: Catches novel attacks, but adds latency + cost

For local/enthusiast deployments, pattern-based is probably sufficient. Enterprise wanting defense-in-depth can layer in Llama Guard.

Happy to contribute if there's interest in native prompt-guard integration. The patterns are MIT licensed and actively maintained.

[cryptictech]

You can also achieve prompt injection filtering through a liteLLM instance, it might be bulkier than some other approaches, but it's highly flexible, you can implement prompt-guard and Llamaguard, as well as custom rule sets in Python.