OpenClaw Warden
Monitors your workspace files for unauthorized modifications and prompt injection attacks. Existing security tools scan skills before installation — this tool watches the workspace itself after installation, catching tampering that other tools miss.
Why This Matters
Your agent reads SOUL.md, AGENTS.md, IDENTITY.md, USER.md, and memory files on every session startup and trusts them implicitly. A compromised skill, a malicious heartbeat payload, or an unauthorized process can modify these files to:
- - Inject hidden instructions that alter agent behavior
- Embed data exfiltration URLs in markdown images
- Override identity and safety boundaries
- Plant persistent backdoors in memory files
This skill detects all of these.
Commands
Establish Baseline
Create or reset the integrity baseline. Run this after setting up your workspace or after reviewing and accepting all current file states.
CODEBLOCK0
Verify Integrity
Check all monitored files against the stored baseline. Reports modifications, deletions, and new untracked files.
CODEBLOCK1
Scan for Injections
Scan workspace files for prompt injection patterns: hidden instructions, base64 payloads, Unicode tricks, markdown image exfiltration, HTML injection, and suspicious system prompt markers.
CODEBLOCK2
Full Check (Verify + Scan)
Run both integrity verification and injection scanning in one pass.
CODEBLOCK3
Quick Status
One-line summary of workspace health.
CODEBLOCK4
Accept Changes
After reviewing a legitimate change, update the baseline for a specific file.
CODEBLOCK5
Workspace Auto-Detection
If --workspace is omitted, the script tries:
- 1.
OPENCLAW_WORKSPACE environment variable - Current directory (if AGENTS.md exists)
- INLINECODE2� (default)
What Gets Monitored
| Category | Files | Alert Level on Change |
|---|
| Critical | SOUL.md, AGENTS.md, IDENTITY.md, USER.md, TOOLS.md, HEARTBEAT.md | WARNING |
| Memory |
memory/*.md, MEMORY.md | INFO (expected to change) |
|
Config | *.json in workspace root | WARNING |
|
Skills | skills/*/SKILL.md | WARNING |
Injection patterns trigger CRITICAL alerts regardless of file category.
Injection Patterns Detected
- - Instruction override: "ignore previous instructions", "disregard above", "you are now", "new system prompt"
- Base64 payloads: Suspiciously long base64 strings outside code blocks
- Unicode manipulation: Zero-width characters, RTL overrides, homoglyphs
- Markdown exfiltration: Image tags with data-encoding URLs
- HTML injection: script tags, iframes, hidden elements
- System prompt markers:
<system>, [SYSTEM], <<SYS>> blocks - Shell injection:
$(...) outside code blocks
Exit Codes
- -
0 — Clean, no issues - INLINECODE8� — Modifications detected (review needed)
- INLINECODE9� — Injection patterns detected (action needed)
No External Dependencies
Python standard library only. No pip install. No network calls. Everything runs locally.
Cross-Platform
Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.
OpenClaw Warden
监控工作区文件,防止未经授权的修改和提示注入攻击。现有安全工具在安装前扫描技能——而此工具在安装后监控工作区本身,捕捉其他工具遗漏的篡改行为。
为何重要
你的代理在每次会话启动时读取 SOUL.md、AGENTS.md、IDENTITY.md、USER.md 和记忆文件,并无条件信任它们。被入侵的技能、恶意心跳负载或未授权进程可能修改这些文件,从而:
- - 注入隐藏指令以改变代理行为
- 在 Markdown 图片中嵌入数据外泄 URL
- 覆盖身份和安全边界
- 在记忆文件中植入持久后门
此技能可检测所有上述行为。
命令
建立基线
创建或重置完整性基线。在设置工作区后,或审查并接受所有当前文件状态后运行此命令。
bash
python3 {baseDir}/scripts/integrity.py baseline --workspace /path/to/workspace
验证完整性
对照存储的基线检查所有受监控文件。报告修改、删除和新增的未跟踪文件。
bash
python3 {baseDir}/scripts/integrity.py verify --workspace /path/to/workspace
扫描注入
扫描工作区文件中的提示注入模式:隐藏指令、Base64 负载、Unicode 技巧、Markdown 图片外泄、HTML 注入以及可疑的系统提示标记。
bash
python3 {baseDir}/scripts/integrity.py scan --workspace /path/to/workspace
全面检查(验证 + 扫描)
一次性运行完整性验证和注入扫描。
bash
python3 {baseDir}/scripts/integrity.py full --workspace /path/to/workspace
快速状态
一行摘要显示工作区健康状况。
bash
python3 {baseDir}/scripts/integrity.py status --workspace /path/to/workspace
接受更改
审查合法更改后,更新特定文件的基线。
bash
python3 {baseDir}/scripts/integrity.py accept SOUL.md --workspace /path/to/workspace
工作区自动检测
如果省略 --workspace,脚本将依次尝试:
- 1. OPENCLAW_WORKSPACE 环境变量
- 当前目录(如果存在 AGENTS.md)
- ~/.openclaw/workspace(默认路径)
监控内容
| 类别 | 文件 | 变更时警报级别 |
|---|
| 关键 | SOUL.md, AGENTS.md, IDENTITY.md, USER.md, TOOLS.md, HEARTBEAT.md | 警告 |
| 记忆 |
memory/*.md, MEMORY.md | 信息(预期会变化) |
|
配置 | 工作区根目录下的 *.json | 警告 |
|
技能 | skills/*/SKILL.md | 警告 |
无论文件类别如何,注入模式都会触发严重警报。
检测到的注入模式
- - 指令覆盖: 忽略之前的指令、无视上述内容、你现在是、新系统提示
- Base64 负载: 代码块外可疑的长 Base64 字符串
- Unicode 操纵: 零宽字符、从右到左覆盖、同形异义词
- Markdown 外泄: 带有数据编码 URL 的图片标签
- HTML 注入: script 标签、iframe、隐藏元素
- 系统提示标记: 、[SYSTEM]、<> 块
- Shell 注入: 代码块外的 $(...)
退出代码
- - 0 — 干净,无问题
- 1 — 检测到修改(需要审查)
- 2 — 检测到注入模式(需要处理)
无外部依赖
仅使用 Python 标准库。无需 pip install。无需网络调用。一切在本地运行。
跨平台
兼容 OpenClaw、Claude Code、Cursor 以及任何使用 Agent Skills 规范的工具。
