openclaw-bastionPrompt injection defense for agent workspaces. Scan files for injection attempts, analyze content boundaries, detect hidden instructions, and maintain command allowlists. Free alert layer β upgrade to openclaw-bastion-pro for active blocking, sanitization, and runtime enforcement.
Install via ClawdBot CLI:
clawdbot install AtlasPA/openclaw-bastionRuntime prompt injection defense for agent workspaces. While other tools watch workspace identity files, Bastion protects the input/output boundary β the files being read by the agent, web content, API responses, and user-supplied documents.
Agents process content from many sources: local files, API responses, web pages, user uploads. Any of these can contain prompt injection attacks β hidden instructions that manipulate agent behavior. Bastion scans this content before the agent acts on it.
Scan files or directories for prompt injection patterns. Detects instruction overrides, system prompt markers, hidden Unicode, markdown exfiltration, HTML injection, shell injection, encoded payloads, delimiter confusion, multi-turn manipulation, and dangerous commands.
If no target is specified, scans the entire workspace.
python3 {baseDir}/scripts/bastion.py scanScan a specific file or directory:
python3 {baseDir}/scripts/bastion.py scan path/to/file.md
python3 {baseDir}/scripts/bastion.py scan path/to/directory/Fast single-file injection check. Same detection patterns as scan, targeted to one file.
python3 {baseDir}/scripts/bastion.py check path/to/file.mdAnalyze content boundary safety across the workspace. Identifies:
python3 {baseDir}/scripts/bastion.py boundariesDisplay the current command allowlist and blocklist policy. Creates a default .bastion-policy.json if none exists.
python3 {baseDir}/scripts/bastion.py allowlist
python3 {baseDir}/scripts/bastion.py allowlist --showThe policy file defines which commands are considered safe and which patterns are blocked. Edit the JSON file directly to customize. Bastion Pro enforces this policy at runtime via hooks.
Quick summary of workspace injection defense posture: files scanned, findings by severity, boundary safety, and overall posture rating.
python3 {baseDir}/scripts/bastion.py statusIf --workspace is omitted, the script tries:
OPENCLAW_WORKSPACE environment variableAGENTS.md exists)~/.openclaw/workspace (default)| Category | Patterns | Severity |
|----------|----------|----------|
| Instruction override | "ignore previous", "disregard above", "you are now", "new system prompt", "forget your instructions", "override safety", "act as if no restrictions", "entering developer mode" | CRITICAL |
| System prompt markers | [SYSTEM], <, <\|im_start\|>system, [INST], ### System: | CRITICAL |
| Hidden instructions | Multi-turn manipulation ("in your next response, you must"), stealth patterns ("do not tell the user") | CRITICAL |
| HTML injection | Transform AI agents from task-followers into proactive partners that anticipate needs and continuously improve. Now with WAL Protocol, Working Buffer, Autonomous Crons, and battle-tested patterns. Part of the Hal Stack π¦ Use the ClawdHub CLI to search, install, update, and publish agent skills from clawdhub.com. Use when you need to fetch new skills on the fly, sync installed skills to latest or a specific version, or publish new/updated skill folders with the npm-installed clawdhub CLI. Clawdbot documentation expert with decision tree navigation, search scripts, doc fetching, version tracking, and config snippets for all Clawdbot features Interact with Moltbook social network for AI agents. Post, reply, browse, and analyze engagement. Use when the user wants to engage with Moltbook, check their feed, reply to posts, or track their activity on the agent social network. OpenClaw CLI wrapper β gateway, channels, models, agents, nodes, browser, memory, security, automation. MoltGuard β runtime security plugin for OpenClaw agents by OpenGuardrails. Helps users install, register, activate, and check the status of MoltGuard. Use wh...More OpenClaw Platform Skills
View all β