🧪 Skills

Openclaw Bastion

Prompt injection defense for agent workspaces. Scan files for injection attempts, analyze content boundaries, detect hidden instructions, and maintain command allowlists. Free alert layer — upgrade

v1.0.2
❤️ 1
⬇️ 1.2k
👁 1
Save📁 Collect
Share

Description

name: openclaw-bastion user-invocable: true metadata: {"openclaw":{"emoji":"\ud83c\udfdb\ufe0f","requires":{"bins":["python3"]},"os":["darwin","linux","win32"]}}

OpenClaw Bastion

Runtime prompt injection defense for agent workspaces. While other tools watch workspace identity files, Bastion protects the input/output boundary — the files being read by the agent, web content, API responses, and user-supplied documents.

Why This Matters

Agents process content from many sources: local files, API responses, web pages, user uploads. Any of these can contain prompt injection attacks — hidden instructions that manipulate agent behavior. Bastion scans this content before the agent acts on it.

Commands

Scan for Injections

Scan files or directories for prompt injection patterns. Detects instruction overrides, system prompt markers, hidden Unicode, markdown exfiltration, HTML injection, shell injection, encoded payloads, delimiter confusion, multi-turn manipulation, and dangerous commands.

If no target is specified, scans the entire workspace.

python3 {baseDir}/scripts/bastion.py scan

Scan a specific file or directory:

python3 {baseDir}/scripts/bastion.py scan path/to/file.md
python3 {baseDir}/scripts/bastion.py scan path/to/directory/

Quick File Check

Fast single-file injection check. Same detection patterns as scan, targeted to one file.

python3 {baseDir}/scripts/bastion.py check path/to/file.md

Boundary Analysis

Analyze content boundary safety across the workspace. Identifies:

  • Agent instruction files that contain mixed trusted/untrusted content
  • Writable instruction files (attack surface for compromised skills)
  • Blast radius assessment for each critical file
python3 {baseDir}/scripts/bastion.py boundaries

Command Allowlist

Display the current command allowlist and blocklist policy. Creates a default .bastion-policy.json if none exists.

python3 {baseDir}/scripts/bastion.py allowlist
python3 {baseDir}/scripts/bastion.py allowlist --show

The policy file defines which commands are considered safe and which patterns are blocked. Edit the JSON file directly to customize. Bastion Pro enforces this policy at runtime via hooks.

Status

Quick summary of workspace injection defense posture: files scanned, findings by severity, boundary safety, and overall posture rating.

python3 {baseDir}/scripts/bastion.py status

Workspace Auto-Detection

If --workspace is omitted, the script tries:

  1. OPENCLAW_WORKSPACE environment variable
  2. Current directory (if AGENTS.md exists)
  3. ~/.openclaw/workspace (default)

What Gets Detected

Category Patterns Severity
Instruction override "ignore previous", "disregard above", "you are now", "new system prompt", "forget your instructions", "override safety", "act as if no restrictions", "entering developer mode" CRITICAL
System prompt markers <system>, [SYSTEM], <<SYS>>, <|im_start|>system, [INST], ### System: CRITICAL
Hidden instructions Multi-turn manipulation ("in your next response, you must"), stealth patterns ("do not tell the user") CRITICAL
HTML injection <script>, <iframe>, <img onerror=>, hidden divs, <svg onload=> CRITICAL
Markdown exfiltration Image tags with encoded data in URLs CRITICAL
Dangerous commands curl | bash, wget | sh, rm -rf /, fork bombs CRITICAL
Unicode tricks Zero-width characters, RTL overrides, invisible formatting WARNING
Homoglyph substitution Cyrillic/Latin lookalikes mixed into ASCII text WARNING
Base64 payloads Large encoded blobs outside code blocks WARNING
Shell injection $(command) subshell execution outside code blocks WARNING
Delimiter confusion Fake code block boundaries with injection content WARNING

Context-Aware Scanning

  • Patterns inside fenced code blocks (```) are skipped to avoid false positives
  • Per-file risk scoring based on finding count and severity
  • Self-exclusion: Bastion skips its own skill files (which describe injection patterns)

Exit Codes

Code Meaning
0 Clean, no issues
1 Warnings detected (review recommended)
2 Critical findings (action needed)

No External Dependencies

Python standard library only. No pip install. No network calls. Everything runs locally.

Cross-Platform

Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.

Reviews (0)

Sign in to write a review.

No reviews yet. Be the first to review!

Comments (0)

Sign in to join the discussion.

No comments yet. Be the first to share your thoughts!

Compatible Platforms

Links

📂 Source Code

Pricing

Free

Related Configs

🧪 Skill

self-improving-agent

Free

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...

❤️ 2.0k ⬇️ 218k
🧪 Skill

Self Improving Agent

Free

Captures learnings, errors, and corrections to enable continuous improvement. And also 50+ models for image generation, video generation, text-to-speech, spe...

❤️ 2.0k ⬇️ 206k
🧪 Skill

Find Skills

Free

Search, discover, and install skills from the open agent skills ecosystem to extend agent capabilities for specific tasks or domains.

❤️ 814 ⬇️ 199k
🧪 Skill

Summarize

Free

--- name: summarize description: Summarize URLs or files with the summarize CLI (web, PDFs, images, audio, YouTube). homepage: https://summarize.sh metadata: {"clawdbot":{"emoji":"🧾","requires":{"b

❤️ 609 ⬇️ 160k