chore(sync): mirror docs from openclaw/openclaw@98f5fd12df
This commit is contained in:
parent
12262e74e7
commit
e4bc019288
@ -1,5 +1,5 @@
|
||||
{
|
||||
"repository": "openclaw/openclaw",
|
||||
"sha": "c500e8704f4efc723758dd75f1b6689727832a0b",
|
||||
"syncedAt": "2026-04-28T19:38:42.046Z"
|
||||
"sha": "98f5fd12dfccab9510f2e768824f50ad0613c654",
|
||||
"syncedAt": "2026-04-28T19:40:24.728Z"
|
||||
}
|
||||
|
||||
@ -608,7 +608,7 @@ Why:
|
||||
|
||||
- OpenAI-compatible backends that front self-hosted models sometimes preserve special tokens that appear in user text, instead of masking them. An attacker who can write into inbound external content (a fetched page, an email body, a file contents tool output) could otherwise inject a synthetic `assistant` or `system` role boundary and escape the wrapped-content guardrails.
|
||||
- Sanitization happens at the external-content wrapping layer, so it applies uniformly across fetch/read tools and inbound channel content rather than being per-provider.
|
||||
- Outbound model responses already have a separate sanitizer that strips leaked `<tool_call>`, `<function_calls>`, and similar scaffolding from user-visible replies. The external-content sanitizer is the inbound counterpart.
|
||||
- Outbound model responses already have a separate sanitizer that strips leaked `<tool_call>`, `<function_calls>`, `<system-reminder>`, `<previous_response>`, and similar internal runtime scaffolding from user-visible replies at the final channel delivery boundary. The external-content sanitizer is the inbound counterpart.
|
||||
|
||||
This does not replace the other hardening on this page — `dmPolicy`, allowlists, exec approvals, sandboxing, and `contextVisibility` still do the primary work. It closes one specific tokenizer-layer bypass against self-hosted stacks that forward user text with special tokens intact.
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user