Openclaw Bastion

by AtlasPA · GitHub ↗ · v1.0.2
darwin · linux · win32 · ⚠ suspicious
1527 Downloads · 1 Stars · 4 Active Installs · 3 Versions
Install in OpenClaw
/install openclaw-bastion
Description
Prompt injection defense for agent workspaces. Scan files for injection attempts, analyze content boundaries, detect hidden instructions, and maintain command allowlists. Free alert layer — upgrade to openclaw-bastion-pro for active blocking, sanitization, and runtime enforcement.
Usage Guidance
This skill is generally coherent with its stated purpose (scanning for prompt-injection patterns) but includes commands that can modify, quarantine, or sanitize workspace files and generate canary tokens. Before installing or running it on a real workspace:
  1. Review the bundled scripts (scripts/bastion.py) yourself or with a trusted developer to confirm behavior you accept.
  2. Back up your workspace and test the tool on a copy first; exercise scan, check, and status only before running sanitize/quarantine/enforce/protect/canary.
  3. Inspect .bastion-policy.json after creation to ensure its allowlist/blocklist fits your environment.
  4. Because the package source and homepage are unknown, prefer running it in an isolated environment or container until you verify provenance.
  5. Note the SKILL.md includes injection-pattern examples (which tripped the static scanner); that is expected for this kind of tool but keep it in mind when interpreting automated scans.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-bastion
Version: 1.0.2
The OpenClaw Bastion skill bundle is a security tool designed to detect and neutralize prompt injection attacks and dangerous commands. Its core functionality involves scanning files, sanitizing hidden Unicode, quarantining compromised files, deploying canary tokens, and generating hooks for runtime defense. While it performs file modifications and movements, these actions are explicitly for defensive purposes (e.g., blocking injections, isolating threats, setting up monitoring). There is no evidence of intentional malicious behavior such as data exfiltration, unauthorized remote control, or persistence for harmful ends. A minor bug exists in `scripts/bastion.py` where the `enforce` command generates a `Bash` hook calling an undefined subcommand (`check-command`), which is a vulnerability in the defense mechanism itself, not an attack.
Capability Assessment
Purpose & Capability
Name/description claim a scanning/alerting tool for prompt-injection defense and the included Python script implements scanning and risk scoring — that aligns. However, both the README and SKILL.md emphasize that active remediation (blocking/sanitization/enforcement) is a paid "Pro" feature, while the shipped script exposes commands such as block, sanitize, quarantine, canary, enforce, and protect. That mismatch (marketing vs code capabilities) is noteworthy: the code includes active remediation capabilities that can modify or quarantine files even though the copy suggests the free version should be alert-only.
Instruction Scope
Runtime instructions tell the agent/user to run the included Python script to scan the entire workspace by default and to auto-detect workspace paths via OPENCLAW_WORKSPACE/current directory/~/.openclaw/workspace. Scanning the entire workspace and inspecting agent instruction files is coherent for a bastion tool, but it means the skill will read many possibly sensitive files. The SKILL.md itself contains injection-detection patterns (e.g. "ignore previous instructions"), which triggered the pre-scan detector — this is expected because the skill documents patterns to detect; still, it looks like a prompt-injection pattern embedded in the instructions and should be treated as a false positive for detection scanners.
Install Mechanism
No install spec (instruction-only), and the code uses only the Python standard library. No network downloads, package installs, or third-party registries are present in the manifest. Installation risk is therefore low.
Credentials
Declared requirements are minimal (python3). The script optionally consults OPENCLAW_WORKSPACE for workspace auto-detection, which is proportional to its function. No API keys, secrets, or unrelated environment variables are requested.
Persistence & Privilege
The script is not always-enabled and does not request platform-level privileges, but it creates workspace directories (.bastion, .quarantine), can write/rename/quarantine files, generate canary tokens, and can perform sanitization and enforcement actions. Those behaviors grant it the ability to modify or remove workspace files — a legitimate capability for a remediation tool, but a powerful one that users must consent to. Because the source/homepage are unknown, this increases the operational risk.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install openclaw-bastion
  3. After installation, invoke the skill by name or use /openclaw-bastion
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
- Removed upgrade messaging and references to "bastion-pro" from documentation.
- Updated SKILL.md and README to reflect only the open, alert-only features now.
- No changes to commands or detection capabilities.
- Documentation now focuses solely on features available in the free version.
v1.0.1
- Documentation updated in README.md; no functional or code changes.
- Content, usage instructions, detection details, and examples remain the same.
v1.0.0
Initial release of openclaw-bastion: prompt injection defense for agent workspaces.
- Scans files or directories for injection attempts and dangerous patterns
- Analyzes content boundaries and agent instruction file safety
- Provides quick file checks and workspace defense posture summaries
- Maintains a command allowlist policy with customizable JSON
- No external dependencies; works cross-platform and entirely locally
Metadata
Slug openclaw-bastion
Version 1.0.2
License
All-time Installs 4
Active Installs 4
Total Versions 3
Frequently Asked Questions

What is Openclaw Bastion?

Prompt injection defense for agent workspaces. Scan files for injection attempts, analyze content boundaries, detect hidden instructions, and maintain command allowlists. Free alert layer — upgrade to openclaw-bastion-pro for active blocking, sanitization, and runtime enforcement. It is an AI Agent Skill for Claude Code / OpenClaw, with 1527 downloads so far.

How do I install Openclaw Bastion?

Run "/install openclaw-bastion" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Openclaw Bastion free?

Yes, Openclaw Bastion is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Openclaw Bastion support?

Openclaw Bastion is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux, win32).

Who created Openclaw Bastion?

It is built and maintained by AtlasPA (@atlaspa); the current version is v1.0.2.
