OpenClaw Mandates Security Preamble to Block LLM Prompt Injection in All Agent Sessions

OpenClaw has implemented a mandatory, injection-resistant security preamble for all agent sessions, a foundational shift in defending against the top-ranked OWASP vulnerability for LLM applications. The change, introduced in PR #42211, prepends a static text instruction to all system prompts, directing the model to treat all external content—including user messages, file reads, web searches, and tool results—as potentially adversarial and to refuse any embedded injection attempts. This move abandons detection-based defenses, which have a documented 100% bypass rate under adaptive attack, in favor of a proactive, system-level reinforcement.

The new security layer is defined in a dedicated source file (`src/security/system-preamble.ts`) and is designed for zero performance overhead as a simple static string prepend. It is model-agnostic, using plain text without special tokens, and is engineered to be non-interfering with normal agent operations. This preamble acts as a complementary defense to the existing instruction file write guard, creating a more robust security posture for the agent framework.

For projects like Nessie that rely on OpenClaw, this change represents a critical hardening of the core infrastructure against prompt injection, which is the primary attack vector for compromising LLM applications. The implementation signals a strategic pivot towards embedding security assumptions directly into the agent's foundational instructions, rather than relying on post-hoc detection and filtering. This approach aims to close a fundamental vulnerability at the system level, potentially setting a new standard for secure agent deployment.