chore(sync): mirror docs from openclaw/openclaw@98f5fd12df

This commit is contained in:
openclaw-docs-sync[bot] 2026-04-28 19:41:58 +00:00
parent 12262e74e7
commit e4bc019288
2 changed files with 3 additions and 3 deletions

View File

@ -1,5 +1,5 @@
{
"repository": "openclaw/openclaw",
"sha": "c500e8704f4efc723758dd75f1b6689727832a0b",
"syncedAt": "2026-04-28T19:38:42.046Z"
"sha": "98f5fd12dfccab9510f2e768824f50ad0613c654",
"syncedAt": "2026-04-28T19:40:24.728Z"
}

View File

@ -608,7 +608,7 @@ Why:
- OpenAI-compatible backends that front self-hosted models sometimes preserve special tokens that appear in user text, instead of masking them. An attacker who can write into inbound external content (a fetched page, an email body, a file contents tool output) could otherwise inject a synthetic `assistant` or `system` role boundary and escape the wrapped-content guardrails.
- Sanitization happens at the external-content wrapping layer, so it applies uniformly across fetch/read tools and inbound channel content rather than being per-provider.
- Outbound model responses already have a separate sanitizer that strips leaked `<tool_call>`, `<function_calls>`, and similar scaffolding from user-visible replies. The external-content sanitizer is the inbound counterpart.
- Outbound model responses already have a separate sanitizer that strips leaked `<tool_call>`, `<function_calls>`, `<system-reminder>`, `<previous_response>`, and similar internal runtime scaffolding from user-visible replies at the final channel delivery boundary. The external-content sanitizer is the inbound counterpart.
This does not replace the other hardening on this page — `dmPolicy`, allowlists, exec approvals, sandboxing, and `contextVisibility` still do the primary work. It closes one specific tokenizer-layer bypass against self-hosted stacks that forward user text with special tokens intact.