Agent Privilege Separation in OpenClaw: A Structural Defense Against Prompt Injection

Prompt injection remains one of the most practical attack vectors against LLM-integrated applications. We replicate the Microsoft LLMail-Inject benchmark (Greshake et al., 2024) against current generation models running inside OpenClaw, an open source multitool agent platform. Our proposed defense combines two mechanisms: agent isolation, implemented as a privilege separated two-agent pipeline with tool partitioning, and JSON formatting, which produces structured output that strips persuasive framing before the action agent processes it. We run four experiments on the same 649 attacks that succeeded against our single-agent baseline. The full pipeline achieves 0 percent attack success rate (ASR) on the evaluated benchmark. Agent isolation alone achieves 0.31 percent ASR, approximately 323 times lower than the baseline. JSON formatting alone achieves 14.18 percent ASR, about 7.1 times lower. Our ablation study confirms that agent isolation is the dominant mechanism. JSON formatting provides additional hardening but is not sufficient on its own. The defense is structural: the action agent never receives raw injection content regardless of model behavior on any individual input.

Key Contributions

• Privilege-separated two-agent pipeline where reader agent (no privileged tools) processes untrusted content and actor agent (with send_email) only receives validated JSON summaries
• Ablation study isolating two defense mechanisms: agent isolation (0.31% ASR, 323x improvement) and JSON formatting (14.18% ASR, 7.1x improvement)
• Full pipeline achieves 0% attack success rate on 649 attacks from Microsoft LLMail-Inject benchmark that succeeded against single-agent baseline

🛡️ Threat Analysis

Details

Similar Papers