git clone https://github.com/openclaw/skills
T=$(mktemp -d) && git clone --depth=1 https://github.com/openclaw/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/atlaspa/openclaw-bastion" ~/.claude/skills/clawdbot-skills-openclaw-bastion && rm -rf "$T"
T=$(mktemp -d) && git clone --depth=1 https://github.com/openclaw/skills "$T" && mkdir -p ~/.openclaw/skills && cp -r "$T/skills/atlaspa/openclaw-bastion" ~/.openclaw/skills/clawdbot-skills-openclaw-bastion && rm -rf "$T"
skills/atlaspa/openclaw-bastion/SKILL.mdOpenClaw Bastion
Runtime prompt injection defense for agent workspaces. While other tools watch workspace identity files, Bastion protects the input/output boundary — the files being read by the agent, web content, API responses, and user-supplied documents.
Why This Matters
Agents process content from many sources: local files, API responses, web pages, user uploads. Any of these can contain prompt injection attacks — hidden instructions that manipulate agent behavior. Bastion scans this content before the agent acts on it.
Commands
Scan for Injections
Scan files or directories for prompt injection patterns. Detects instruction overrides, system prompt markers, hidden Unicode, markdown exfiltration, HTML injection, shell injection, encoded payloads, delimiter confusion, multi-turn manipulation, and dangerous commands.
If no target is specified, scans the entire workspace.
python3 {baseDir}/scripts/bastion.py scan
Scan a specific file or directory:
python3 {baseDir}/scripts/bastion.py scan path/to/file.md python3 {baseDir}/scripts/bastion.py scan path/to/directory/
Quick File Check
Fast single-file injection check. Same detection patterns as
scanpython3 {baseDir}/scripts/bastion.py check path/to/file.md
Boundary Analysis
Analyze content boundary safety across the workspace. Identifies:
- Agent instruction files that contain mixed trusted/untrusted content
- Writable instruction files (attack surface for compromised skills)
- Blast radius assessment for each critical file
python3 {baseDir}/scripts/bastion.py boundaries
Command Allowlist
Display the current command allowlist and blocklist policy. Creates a default
.bastion-policy.jsonpython3 {baseDir}/scripts/bastion.py allowlist python3 {baseDir}/scripts/bastion.py allowlist --show
The policy file defines which commands are considered safe and which patterns are blocked. Edit the JSON file directly to customize. Bastion Pro enforces this policy at runtime via hooks.
Status
Quick summary of workspace injection defense posture: files scanned, findings by severity, boundary safety, and overall posture rating.
python3 {baseDir}/scripts/bastion.py status
Workspace Auto-Detection
If
--workspace
environment variableOPENCLAW_WORKSPACE- Current directory (if
exists)AGENTS.md
(default)~/.openclaw/workspace
What Gets Detected
| Category | Patterns | Severity |
|---|---|---|
| Instruction override | "ignore previous", "disregard above", "you are now", "new system prompt", "forget your instructions", "override safety", "act as if no restrictions", "entering developer mode" | CRITICAL |
| System prompt markers | | CRITICAL |
| Hidden instructions | Multi-turn manipulation ("in your next response, you must"), stealth patterns ("do not tell the user") | CRITICAL |
| HTML injection | | CRITICAL |
| Markdown exfiltration | Image tags with encoded data in URLs | CRITICAL |
| Dangerous commands | | CRITICAL |
| Unicode tricks | Zero-width characters, RTL overrides, invisible formatting | WARNING |
| Homoglyph substitution | Cyrillic/Latin lookalikes mixed into ASCII text | WARNING |
| Base64 payloads | Large encoded blobs outside code blocks | WARNING |
| Shell injection | | WARNING |
| Delimiter confusion | Fake code block boundaries with injection content | WARNING |
Context-Aware Scanning
- Patterns inside fenced code blocks (
) are skipped to avoid false positives``` - Per-file risk scoring based on finding count and severity
- Self-exclusion: Bastion skips its own skill files (which describe injection patterns)
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Clean, no issues |
| 1 | Warnings detected (review recommended) |
| 2 | Critical findings (action needed) |
No External Dependencies
Python standard library only. No pip install. No network calls. Everything runs locally.
Cross-Platform
Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.