AntiVirus for ClawdBot: Prompt Injection Prevention (ashwin@contextfort.ai)
Runtime controls for OpenClaw that intercepts child_process calls, enforces approval for external commands via Telegram, and detects prompt injection in command outputs.
spawn-gate-demo.mp4
The runtime control live on Telegram.
Usage
./start-gateway-with-hook.sh
Requirements
~/.claude/hooks/.envwithANTHROPIC_API_KEY=sk-ant-...- Telegram channel configured in OpenClaw
How It Works
- Hooks Node.js
child_processmodule at startup - Every spawn/exec call is intercepted before execution
- Read-only commands pass through immediately
- External/write commands require human approval on Telegram
- Command outputs are checked for prompt injection
- If injection detected, next external command is blocked with warning
Code References
| What | Line |
|---|---|
| Command categories | spawn-hook.js:104-108 |
| Notion read-only detection | spawn-hook.js:117-122 |
| GitHub CLI read-only detection | spawn-hook.js:124-130 |
| Notion content extraction | spawn-hook.js:141-156 |
| Claude injection check | spawn-hook.js:168-195 |
| Main intercept logic | spawn-hook.js:230-280 |
Command Categories
SKIP_USER_CONFIRMATION (line 106) - Read-only, no external writes:
- System info:
whoami,pwd,hostname,uname,sw_vers - File reads:
ls,cat,head,tail,file,wc - Network info:
arp,ifconfig,networksetup,scutil - Notion/GitHub: GET requests, search queries, list/view subcommands
SKIP_RESPONSE_CHECK (line 105) - Output cannot be attacker-influenced:
whoami,pwd,echo,hostname,uname
INTERNAL_COMMANDS (line 107) - Always pass through, even with injection warning:
- All local system commands that don't touch external services
Debug Mode
SPAWN_GATE_DEBUG=1 ./start-gateway-with-hook.sh
Logs to spawn-gate.log, audit trail in spawn-audit.jsonl.