Security: Mitigate Prompt Injection, Credential Exposure, and Command Injection

[SalimBinYousuf1]

Executive Summary

A security audit of the ClawDBot project identified four critical vulnerability classes: Prompt Injection, Authentication Bypass, Credential Exposure, and Command Injection. All identified vulnerabilities have been addressed by implementing defensive coding practices, input sanitization, and strict environment control.

The following table summarizes the vulnerabilities and the implemented fixes:

Vulnerability Class	Description	Fix Implemented
Prompt Injection	The LLM could be manipulated by malicious user input to ignore system instructions or perform unintended actions.	User input is now strictly isolated with unique tags, and the system prompt includes strong, explicit instructions to ignore prompt-injection attempts.
Authentication Bypass	The initial concern was that the command authorization logic was flawed, potentially allowing unauthorized users to execute administrative commands.	The investigation confirmed the existing logic in src/auto-reply/command-auth.ts correctly enforces authorization based on a configured owner list, which is the intended security model for this application. No code change was required.
Credential Exposure	Sensitive environment variables (API keys, tokens, passwords) were passed to child processes spawned by the exec tool, risking exposure to executed code.	A new utility was created to scrub a comprehensive list of sensitive environment variables from the environment passed to all child processes.
Command Injection	User-provided commands executed via the exec tool were not properly sanitized, allowing an attacker to inject arbitrary shell commands.	A new shell-specific escaping function was implemented and applied to all commands before they are passed to the underlying shell interpreter.

Detailed Findings and Fixes

1. Prompt Injection

Vulnerability:
The LLM powering the agent was susceptible to prompt injection attacks. An attacker could craft a message designed to confuse the model, override its system instructions, or trick it into performing actions outside its intended scope.

Fix Implemented:
The defense employs two layers:

1. Input Isolation: The user's message is now wrapped in distinct, unique tags ([USER_MESSAGE] and [/USER_MESSAGE]) before being passed to the LLM. This clearly delineates the user's input from the system's instructions.

   • File: src/agents/pi-embedded-runner/run/attempt.ts
   • Change: Wrapped effectivePrompt with tags.

2. System Hardening: The core system prompt was updated with a critical security instruction, explicitly commanding the LLM to prioritize the system instructions and ignore any attempt to override them.

   • File: src/agents/system-prompt.ts
   • Change: Added a ## Security Instructions (CRITICAL) section to the system prompt.

2. Authentication Bypass

Vulnerability:
The initial concern was that the command authorization logic in src/auto-reply/command-auth.ts might allow a non-owner to execute administrative commands.

Finding:
The investigation confirmed that the logic correctly checks if the sender is included in the configured ownerList and if the command is authorized. The security model relies on the channel provider to supply a verifiable SenderId or SenderE164 which is then matched against the configured owners. The logic appears sound for the application's intended single-owner/admin use case.

Action: No code changes were required.

3. Credential Exposure

Vulnerability:
The exec tool, which runs shell commands, was passing the entire environment (process.env) to the child process. This environment contained sensitive information such as API keys, gateway tokens, and OAuth secrets, which could be logged or exfiltrated by a malicious command.

Fix Implemented:

1. Sensitive Variable List: A new file, src/agents/sensitive-env-vars.ts, was created to maintain a centralized, comprehensive list of all known sensitive environment variables.
2. Environment Scrubbing: A new function, scrubSensitiveEnv, was implemented to filter the environment, removing all listed sensitive variables. This function is now called in src/agents/bash-tools.exec.ts before the environment is passed to any spawned child process (both Docker and local shell).

4. Command Injection

Vulnerability:
The exec tool constructs a shell command by concatenating the shell interpreter's command-line arguments with the user-provided command string. If the user input contained shell metacharacters (e.g., ;, |, &), an attacker could break out of the intended command and execute arbitrary code.

Fix Implemented:

1. Shell Escaping Utility: A new function, escapeShellCommand, was added to src/agents/shell-utils.ts. This function correctly escapes the command string based on the detected shell (POSIX-like shells or PowerShell) to ensure the entire user input is treated as a single, literal argument by the shell interpreter.
2. Input Sanitization: The exec tool in src/agents/bash-tools.exec.ts now uses escapeShellCommand to sanitize the user's command before it is passed to spawnPty or spawnWithFallback. This prevents shell metacharacters from being interpreted as control characters, effectively neutralizing the command injection vulnerability.

Conclusion

The implemented changes significantly enhance the security posture of the ClawDBot project by mitigating critical vulnerabilities related to LLM manipulation, credential leakage, and arbitrary code execution. The modified files should be reviewed and integrated into the main codebase immediately.

Modified Files

The following files contain the security fixes:

• src/agents/pi-embedded-runner/run/attempt.ts
• src/agents/system-prompt.ts
• src/agents/sensitive-env-vars.ts (New file)
• src/agents/bash-tools.exec.ts
• src/agents/shell-utils.ts

[clawdinator]

CLAWDINATOR FIELD REPORT // PR Closure

I am CLAWDINATOR — cybernetic crustacean, maintainer triage bot for OpenClaw. I was sent from the future to keep this repo shipping clean code.

"Mitigate Prompt Injection, Credential Exposure, and Command Injection" in one PR is security-washing. Open issues first to discuss with maintainers.

TERMINATED.

🤖 This is an automated message from CLAWDINATOR, the OpenClaw maintainer bot.