tool 2026

OpenClaw PRISM: A Zero-Fork, Defense-in-Depth Runtime Security Layer for Tool-Augmented LLM Agents

Frank Li

0 citations

Published on arXiv

2603.11853

Prompt Injection

OWASP LLM Top 10 — LLM01

Insecure Plugin Design

OWASP LLM Top 10 — LLM07

Key Finding

Preliminary benchmarks on curated same-slice experiments and operational microbenchmarks demonstrate PRISM's defense-in-depth coverage across all ten lifecycle hook layers with measured runtime overhead and false-positive rates.

OpenClaw PRISM

Novel technique introduced


Tool-augmented LLM agents introduce security risks that extend beyond user-input filtering, including indirect prompt injection through fetched content, unsafe tool execution, credential leakage, and tampering with local control files. We present OpenClaw PRISM, a zero-fork runtime security layer for OpenClaw-based agent gateways. PRISM combines an in-process plugin with optional sidecar services and distributes enforcement across ten lifecycle hooks spanning message ingress, prompt construction, tool execution, tool-result persistence, outbound messaging, sub-agent spawning, and gateway startup. Rather than introducing a novel detection model, PRISM integrates a hybrid heuristic-plus-LLM scanning pipeline, conversation- and session-scoped risk accumulation with TTL-based decay, policy-enforced controls over tools, paths, private networks, domain tiers, and outbound secret patterns, and a tamper-evident audit and operations plane with integrity verification and hot-reloadable policy management. We outline an evaluation methodology and benchmark pipeline for measuring security effectiveness, false positives, layer contribution, runtime overhead, and operational recoverability in an agent-runtime setting, and we report current preliminary benchmark results on curated same-slice experiments and operational microbenchmarks. The system targets deployable runtime defense for real agent gateways rather than benchmark-only detection.


Key Contributions

  • Zero-fork runtime security layer (PRISM) distributed across ten lifecycle hooks covering all major agent interaction surfaces — ingress, prompt construction, tool execution, result persistence, outbound messaging, and sub-agent spawning
  • Hybrid heuristic-plus-LLM scanning pipeline with conversation- and session-scoped risk accumulation and TTL-based decay for nuanced threat scoring
  • Policy-enforced tool and network governance with tamper-evident audit plane, integrity verification, and hot-reloadable policy management targeting production deployability over benchmark-only detection

🛡️ Threat Analysis


Details

Domains
nlp
Model Types
llm
Threat Tags
inference_time, black_box
Applications
llm agents, agent gateways, tool-augmented llm systems