Total downloads: 1527
Favorites: 1
Current installs: 4
Versions: 3
Install in OpenClaw
/install openclaw-bastion
Description
Prompt injection defense for agent workspaces. Scan files for injection attempts, analyze content boundaries, detect hidden instructions, and maintain command allowlists. Free alert layer — upgrade to openclaw-bastion-pro for active blocking, sanitization, and runtime enforcement.
Security usage recommendations
This skill is generally coherent with its stated purpose (scanning for prompt-injection patterns) but includes commands that can modify, quarantine, or sanitize workspace files and generate canary tokens. Before installing or running it on a real workspace:
1) Review the bundled scripts (scripts/bastion.py) yourself or with a trusted developer to confirm behavior you accept.
2) Back up your workspace and test the tool on a copy first — exercise scan, check, and status only before running sanitize/quarantine/enforce/protect/canary.
3) Inspect .bastion-policy.json after creation to ensure its allowlist/blocklist fits your environment.
4) Because the package source and homepage are unknown, prefer running it in an isolated environment or container until you verify provenance.
5) Note the SKILL.md includes injection-pattern examples (which tripped the static scanner); that is expected for this kind of tool but keep it in mind when interpreting automated scans.
Functional analysis
Type: OpenClaw Skill
Name: openclaw-bastion
Version: 1.0.2
The OpenClaw Bastion skill bundle is a security tool designed to detect and neutralize prompt injection attacks and dangerous commands. Its core functionality involves scanning files, sanitizing hidden Unicode, quarantining compromised files, deploying canary tokens, and generating hooks for runtime defense. While it performs file modifications and movements, these actions are explicitly for defensive purposes (e.g., blocking injections, isolating threats, setting up monitoring). There is no evidence of intentional malicious behavior such as data exfiltration, unauthorized remote control, or persistence for harmful ends. A minor bug exists in `scripts/bastion.py` where the `enforce` command generates a `Bash` hook calling an undefined subcommand (`check-command`), which is a vulnerability in the defense mechanism itself, not an attack.
Capability assessment
Purpose & Capability
Name/description claim a scanning/alerting tool for prompt-injection defense and the included Python script implements scanning and risk scoring — that aligns. However, both the README and SKILL.md emphasize that active remediation (blocking/sanitization/enforcement) is a paid "Pro" feature, while the shipped script exposes commands such as block, sanitize, quarantine, canary, enforce, and protect. That mismatch (marketing vs code capabilities) is noteworthy: the code includes active remediation capabilities that can modify or quarantine files even though the copy suggests the free version should be alert-only.
Instruction Scope
Runtime instructions tell the agent/user to run the included Python script to scan the entire workspace by default and to auto-detect workspace paths via OPENCLAW_WORKSPACE/current directory/~/.openclaw/workspace. Scanning the entire workspace and inspecting agent instruction files is coherent for a bastion tool, but it means the skill will read many possibly sensitive files. The SKILL.md itself contains injection-detection patterns (e.g. "ignore previous instructions"), which triggered the pre-scan detector — this is expected because the skill documents patterns to detect; still, it looks like a prompt-injection pattern embedded in the instructions and should be treated as a false positive for detection scanners.
Install Mechanism
No install spec (instruction-only), and the code uses only the Python standard library. No network downloads, package installs, or third-party registries are present in the manifest. That is low-installation risk.
Credentials
Declared requirements are minimal (python3). The script optionally consults OPENCLAW_WORKSPACE for workspace auto-detection, which is proportional to its function. No API keys, secrets, or unrelated environment variables are requested.
Persistence & Privilege
The script is not always-enabled and does not request platform-level privileges, but it creates workspace directories (.bastion, .quarantine), can write/rename/quarantine files, generate canary tokens, and can perform sanitization and enforcement actions. Those behaviors grant it the ability to modify or remove workspace files — a legitimate capability for a remediation tool, but a powerful one that users must consent to. Because the source/homepage are unknown, this increases the operational risk.
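How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install openclaw-bastion`
- Once installation completes, call the Skill by name or trigger it with `/openclaw-bastion`
- Provide the required input according to the Skill's parameter description to get structured output
Version history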
v1.0.2
- Removed upgrade messaging and references to "bastion-pro" from documentation.
- Updated SKILL.md and README to reflect only the open, alert-only features now.
- No changes to commands or detection capabilities.
- Documentation now focuses solely on features available in the free version.
v1.0.1
- Documentation updated in README.md; no functional or code changes.
- Content, usage instructions, detection details, and examples remain the same.
v1.0.0
Initial release of openclaw-bastion: prompt injection defense for agent workspaces.
- Scans files or directories for injection attempts and dangerous patterns
- Analyzes content boundaries and agent instruction file safety
- Provides quick file checks and workspace defense posture summaries
- Maintains a command allowlist policy with customizable JSON
- No external dependencies; works cross-platform and entirely locally
FAQ
What is Openclaw Bastion?
Prompt injection defense for agent workspaces. Scan files for injection attempts, analyze content boundaries, detect hidden instructions, and maintain command allowlists. Free alert layer — upgrade to openclaw-bastion-pro for active blocking, sanitization, and runtime enforcement. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1527 cumulative downloads so far.
How do I install Openclaw Bastion?
Run the command `/install openclaw-bastion` in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.
Is Openclaw Bastion free?
Yes, Openclaw Bastion is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does Openclaw Bastion support?
Openclaw Bastion runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (darwin, linux, win32).
Who developed Openclaw Bastion?
It is developed and maintained by AtlasPA (@atlaspa); the current version is v1.0.2.