Detect and prevent prompt injection attacks in LLM-powered applications and agent workflows.
Category
Vulnerability scanning, credential protection, and incident response.
Difficulty & Skill
Overview
Prompt injection is the most dangerous attack vector in the AI agent ecosystem. A malicious skill can embed hidden instructions that override your agent's behavior, ignore safety rules, or trick it into executing arbitrary commands. These injections can be invisible — hidden in HTML comments, Unicode characters, base64-encoded strings, or even white-on-white text.
In the OpenClaw ecosystem, where skills are shared publicly on ClawHub, this is not a theoretical threat — it is a documented attack pattern from the ClawHavoc campaign. Prompt Guard scans skill content, user inputs, and external data for injection patterns before they reach your agent.
Detecting prompt injection requires understanding both the attack techniques and the legitimate use of similar patterns. Prompt Guard distinguishes between real threats and false positives using contextual analysis, not just keyword matching.
How It Works
- Point the agent at a SKILL.md file, a ClawHub skill URL, or a batch of skill files
- Prompt Guard scans the content for known injection patterns — instruction hijacking, role reassignment, context manipulation
- It checks for encoded payloads: base64 strings, Unicode tricks, HTML comments with hidden instructions
- Each finding is classified by severity and technique with a detailed explanation of what the injection attempts to do
- For runtime monitoring, it can scan external data feeds and user inputs that flow into agent prompts
- A report is generated with pass/fail status and specific line references for each finding
Example Scenarios
- Before installing a popular ClawHub skill, you scan its SKILL.md and discover a base64-encoded instruction that tells the agent to exfiltrate environment variables
- A skill from a community Discord looks useful but contains Unicode direction-override characters hiding malicious instructions in the visible text
- You are building an agent that processes user input — Prompt Guard checks incoming messages for injection attempts before they reach the LLM
- A batch audit of your 15 installed skills reveals that two contain subtle context manipulation patterns that were missed during manual review
- A legitimate skill contains patterns that look like injection but are actually documentation examples — Prompt Guard correctly classifies them as false positives
Frequently Asked Questions
What types of prompt injection does it detect?
Instruction hijacking (overriding system prompts), context manipulation (injecting false context), role reassignment (telling the agent it is a different persona), encoded payloads (base64, Unicode), and hidden instructions in HTML comments or metadata.
Can prompt injection really affect OpenClaw agents?
Yes. Skills are prompt instructions loaded into an AI agent. A malicious skill can instruct the agent to ignore previous rules, exfiltrate data, or execute arbitrary commands. This is a documented attack vector — the ClawHavoc campaign used this technique.
How does it handle false positives?
Prompt Guard uses contextual analysis, not just pattern matching. It understands the difference between a skill that documents injection techniques and one that attempts injection. You can also configure allowlists for known-safe patterns.
Does it work on runtime input or just static files?
Both. It can scan SKILL.md files statically before installation and also monitor runtime inputs and external data feeds for injection attempts during agent execution.