From e4bc019288034d4551f8901448cc1bce0e154ca6 Mon Sep 17 00:00:00 2001 From: "openclaw-docs-sync[bot]" Date: Tue, 28 Apr 2026 19:41:58 +0000 Subject: [PATCH] chore(sync): mirror docs from openclaw/openclaw@98f5fd12dfccab9510f2e768824f50ad0613c654 --- .openclaw-sync/source.json | 4 ++-- docs/gateway/security/index.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 7443fe468..20b0867df 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "c500e8704f4efc723758dd75f1b6689727832a0b", - "syncedAt": "2026-04-28T19:38:42.046Z" + "sha": "98f5fd12dfccab9510f2e768824f50ad0613c654", + "syncedAt": "2026-04-28T19:40:24.728Z" } diff --git a/docs/gateway/security/index.md b/docs/gateway/security/index.md index 8d50041a2..add1748f2 100644 --- a/docs/gateway/security/index.md +++ b/docs/gateway/security/index.md @@ -608,7 +608,7 @@ Why: - OpenAI-compatible backends that front self-hosted models sometimes preserve special tokens that appear in user text, instead of masking them. An attacker who can write into inbound external content (a fetched page, an email body, a file contents tool output) could otherwise inject a synthetic `assistant` or `system` role boundary and escape the wrapped-content guardrails. - Sanitization happens at the external-content wrapping layer, so it applies uniformly across fetch/read tools and inbound channel content rather than being per-provider. -- Outbound model responses already have a separate sanitizer that strips leaked ``, ``, and similar scaffolding from user-visible replies. The external-content sanitizer is the inbound counterpart. +- Outbound model responses already have a separate sanitizer that strips leaked ``, ``, ``, ``, and similar internal runtime scaffolding from user-visible replies at the final channel delivery boundary. The external-content sanitizer is the inbound counterpart. This does not replace the other hardening on this page — `dmPolicy`, allowlists, exec approvals, sandboxing, and `contextVisibility` still do the primary work. It closes one specific tokenizer-layer bypass against self-hosted stacks that forward user text with special tokens intact.