Agent Privilege Separation in OpenClaw: A Structural Defense Against Prompt Injection
This addresses security vulnerabilities in LLM-based systems, offering a practical defense against prompt injection, though it is incremental as it builds on existing agent frameworks.
The paper tackles prompt injection attacks on LLM-integrated applications by proposing a structural defense in OpenClaw, achieving a 0% attack success rate on a benchmark with 649 attacks, compared to a baseline where attacks succeeded.
Prompt injection remains one of the most practical attack vectors against LLM-integrated applications. We replicate the Microsoft LLMail-Inject benchmark (Greshake et al., 2024) against current generation models running inside OpenClaw, an open source multitool agent platform. Our proposed defense combines two mechanisms: agent isolation, implemented as a privilege separated two-agent pipeline with tool partitioning, and JSON formatting, which produces structured output that strips persuasive framing before the action agent processes it. We run four experiments on the same 649 attacks that succeeded against our single-agent baseline. The full pipeline achieves 0 percent attack success rate (ASR) on the evaluated benchmark. Agent isolation alone achieves 0.31 percent ASR, approximately 323 times lower than the baseline. JSON formatting alone achieves 14.18 percent ASR, about 7.1 times lower. Our ablation study confirms that agent isolation is the dominant mechanism. JSON formatting provides additional hardening but is not sufficient on its own. The defense is structural: the action agent never receives raw injection content regardless of model behavior on any individual input.