安全加固实操:阻断 CWD 注入进入 LLM 提示词链路
问题/场景:工作目录名可被恶意构造并污染提示词,诱发越权行为。前置条件:存在多租户或不受信目录输入。实施步骤:升级到含修复版本→约束工作目录来源→复测注入样本。关键命令:`openclaw status`、`openclaw gateway restart`。验证:注入样本不再进入模型上下文。风险:过严路径策略会影响合法工作流。
GITHUBDiscovered 2026-02-15Author bwplotka
Prerequisites
- Your deployment executes tasks in directories that may include untrusted names/paths.
- You can patch/upgrade OpenClaw and run controlled regression tests.
Steps
- Upgrade to a build that includes PR #16967 and restart gateway cleanly.
- Constrain allowed workdir roots (project allowlist) so agents cannot be launched from arbitrary paths.
- Replay a known malicious path sample and inspect prompts/logs for escaped/sanitized representation.
- Add periodic security checks to catch regressions after updates.
Commands
openclaw statusopenclaw gateway restartVerify
Injected path payload no longer appears as executable prompt content, and agent behavior remains within policy boundaries.
Caveats
- This mitigates one injection vector; complete hardening still needs filesystem and permission controls.
- Validate downstream plugins/tools for similar path-propagation patterns(需验证).
Source attribution
This tip is aggregated from community/public sources and preserved with attribution.
Open original source ↗