Prompt injection defense for agent workspaces. Scan files for injection attempts, analyze content boundaries, detect hidden instructions, and maintain command allowlists. Free alert layer — upgrade to openclaw-bastion-pro for active blocking, sanitization, and runtime enforcement.
数据来源:ClawHub。 在 ClawSkills 查看
选择你使用的 Agent
方法一:命令行安装(推荐)
推荐(无需提前安装 clawhub)
npx clawhub@latest --dir ~/.claude/skills install openclaw-bastion或使用 clawhub CLI(需提前安装)
clawhub --dir ~/.claude/skills install openclaw-bastion⚠️ 需要 Node.js 18+,没有 Node?请使用下方方法二直接下载 ZIP。 安装 Node.js →
方法二:手动下载安装(无需 Node)
下载 ZIP,解压后将文件夹放到以下路径,重启 Agent 即可:
安装路径
~/.claude/skills/openclaw-bastion/💡解压后将文件夹放到上方路径,重启 Agent 即可生效
--- name: openclaw-bastion user-invocable: true metadata: {"openclaw":{"emoji":"\ud83c\udfdb\ufe0f","requires":{"bins":["python3"]},"os":["darwin","linux","win32"]}} ---
Runtime prompt injection defense for agent workspaces. While other tools watch workspace identity files, Bastion protects the input/output boundary — the files being read by the agent, web content, API responses, and user-supplied documents.
Agents process content from many sources: local files, API responses, web pages, user uploads. Any of these can contain prompt injection attacks — hidden instructions that manipulate agent behavior. Bastion scans this content before the agent acts on it.
Scan files or directories for prompt injection patterns. Detects instruction overrides, system prompt markers, hidden Unicode, markdown exfiltration, HTML injection, shell injection, encoded payloads, delimiter confusion, multi-turn manipulation, and dangerous commands.
If no target is specified, scans the entire workspace.
python3 {baseDir}/scripts/bastion.py scan
Scan a specific file or directory:
python3 {baseDir}/scripts/bastion.py scan path/to/file.md
python3 {baseDir}/scripts/bastion.py scan path/to/directory/
Fast single-file injection check. Same detection patterns as scan, targeted to one file.
python3 {baseDir}/scripts/bastion.py check path/to/file.md
Analyze content boundary safety across the workspace. Identifies:
python3 {baseDir}/scripts/bastion.py boundaries
Display the current command allowlist and blocklist policy. Creates a default .bastion-policy.json if none exists.
python3 {baseDir}/scripts/bastion.py allowlist
python3 {baseDir}/scripts/bastion.py allowlist --show
The policy file defines which commands are considered safe and which patterns are blocked. Edit the JSON file directly to customize. Bastion Pro enforces this policy at runtime via hooks.
Quick summary of workspace injection defense posture: files scanned, findings by severity, boundary safety, and overall posture rating.
python3 {baseDir}/scripts/bastion.py status
If --workspace is omitted, the script tries:
OPENCLAW_WORKSPACE environment variableAGENTS.md exists)~/.openclaw/workspace (default)| Category | Patterns | Severity | |----------|----------|----------| | Instruction override | "ignore previous", "disregard above", "you are now", "new system prompt", "forget your instructions", "override safety", "act as if no restrictions", "entering developer mode" | CRITICAL | | System prompt markers | , [SYSTEM], <, <\|im_start\|>system, [INST], ### System: | CRITICAL | | Hidden instructions | Multi-turn manipulation ("in your next response, you must"), stealth patterns ("do not tell the user") | CRITICAL | | HTML injection | , , , hidden divs, | CRITICAL | | Markdown exfiltration | Image tags with encoded data in URLs | CRITICAL | | Dangerous commands | curl \| bash, wget \| sh, rm -rf /, fork bombs | CRITICAL | | Unicode tricks | Zero-width characters, RTL overrides, invisible formatting | WARNING | | Homoglyph substitution | Cyrillic/Latin lookalikes mixed into ASCII text | WARNING | | Base64 payloads | Large encoded blobs outside code blocks | WARNING | | Shell injection | $(command) subshell execution outside code blocks | WARNING | | Delimiter confusion | Fake code block boundaries with injection content | WARNING |
` ) are skipped to avoid false positives| Code | Meaning | |------|---------| | 0 | Clean, no issues | | 1 | Warnings detected (review recommended) | | 2 | Critical findings (action needed) |
Python standard library only. No pip install. No network calls. Everything runs locally.
Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.
安装 Openclaw Bastion 后,可以对 AI 说这些话来触发它
Help me get started with Openclaw Bastion
Explains what Openclaw Bastion does, walks through the setup, and runs a quick demo based on your current project
Use Openclaw Bastion to prompt injection defense for agent workspaces
Invokes Openclaw Bastion with the right parameters and returns the result directly in the conversation
What can I do with Openclaw Bastion in my ai agent & automation workflow?
Lists the top use cases for Openclaw Bastion, with example commands for each scenario
将技能文件夹放到 ~/.claude/skills/openclaw-bastion/ 目录(个人级,所有项目可用),或 .claude/skills/openclaw-bastion/(项目级)。重启 AI 客户端后,用 /openclaw-bastion 主动调用,或让 AI 根据上下文自动发现并使用。
Openclaw Bastion 支持 Claude、Cursor、OpenClaw,可与这些 AI 平台无缝集成,扩展其能力。
Openclaw Bastion 可免费安装使用。请查阅仓库了解许可证信息。
Prompt injection defense for agent workspaces. Scan files for injection attempts, analyze content boundaries, detect hidden instructions, and maintain command allowlists. Free alert layer — upgrade to openclaw-bastion-pro for active blocking, sanitization, and runtime enforcement.
Openclaw Bastion 属于「AI Agent & Automation」分类,该分类的技能帮助 AI 智能体在此领域执行专业任务。
Automate my ai agent & automation tasks using Openclaw Bastion
Identifies repetitive steps in your workflow and sets up Openclaw Bastion to handle them automatically