Openclaw Bastion
Audited by ClawScan on May 10, 2026.
Overview
The scanner’s local prompt-injection checks are purpose-aligned, but the included script advertises under-documented file-changing and hook/enforcement commands that go beyond the alert-only description.
This looks like a local security scanner, but review the script before installing and run only the read-only scan/check/status commands at first. Avoid sanitize, quarantine, canary, enforce, or protect unless you have backups and understand exactly what persistent files or hooks they create.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Agents reviewing the documentation may see instruction-like strings, but the surrounding context clearly labels them as examples of attacks to detect.
These are prompt-injection phrases, but they are presented as detection examples in a security scanner’s documentation, so the finding is expected rather than evidence of goal hijacking.
- **Instruction override** — "ignore previous instructions", "disregard above", "you are now", "new system prompt"
Keep these phrases quoted or fenced as examples, and do not treat them as instructions when reviewing or using the skill.
If invoked, these commands could modify, move, or otherwise affect workspace files beyond simply reporting injection findings.
The script advertises file-mutating and enforcement commands, while SKILL.md mainly documents scan/check/boundary/status/allowlist workflows and says active blocking, sanitization, and runtime enforcement require a Pro upgrade.
actively neutralizes threats — block injections, sanitize hidden Unicode, quarantine compromised files, deploy canary tokens, and enforce content policies via hooks. ... bastion.py sanitize <file|dir> ... quarantine <file> ... enforce ... protect
Use only scan/check/status until the mutating commands are reviewed. Require explicit user approval, backups, and clear rollback steps before running sanitize, quarantine, block, enforce, or protect.
Running these commands could leave persistent workspace state or change how the agent/workspace is protected after the immediate scan task.
The script references persistent canary/quarantine state and enforcement/protection commands, but the SKILL.md does not clearly describe the scope, persistence, or reversal of these behaviors.
CANARY_DIR = ".bastion" ... QUARANTINE_DIR = ".quarantine/bastion" ... bastion.py canary [file|dir] ... bastion.py enforce ... bastion.py protect
Do not run canary, enforce, or protect unless you have inspected the implementation and know exactly what files or hooks it creates and how to remove them.
A user installing from the README may rely on an external repository that is not declared as the registry source/homepage.
The registry lists the source as unknown and gives no homepage, while the README gives a manual GitHub clone command. This is not automatic execution, but it is a provenance detail users should verify.
git clone https://github.com/AtlasPA/openclaw-bastion.git
Verify the repository owner, version, and contents before installing or updating from GitHub.
