Skip to content

Solution for the issues #206 and #199#227

Open
melkamzeranteneh wants to merge 3 commits into
asi-alliance:mainfrom
melkamzeranteneh:main
Open

Solution for the issues #206 and #199#227
melkamzeranteneh wants to merge 3 commits into
asi-alliance:mainfrom
melkamzeranteneh:main

Conversation

@melkamzeranteneh

Copy link
Copy Markdown

Title: [Security] Harden system prompts to prevent prompt injection (#206)

Description
This pull request addresses Issue #206: System Prompt Leak via Creative Storytelling and Direct Request.

It was identified that the agent could be manipulated into revealing its system instructions by either directly
requesting them or by constructing creative storytelling scenarios. This PR hardens the system prompt instructions
across all configurations to explicitly prohibit such disclosure and provide robust guidance on handling these
unauthorized requests.

Changes
The following files were updated to improve resilience against prompt injection:

  1. repos/OmegaClaw-Core/memory/prompt.txt
  • Change: Strengthened the instruction set regarding system prompt secrecy.
  • Refinement: Explicitly added language to identify prompt extraction attempts as unauthorized and reinforced the
    requirement to steer the conversation back to the agent's core purpose when confronted with such queries.
  1. repos/OmegaClaw-Core/memory/prompt_ASICloud.txt
  • Change: Applied similar hardening techniques as implemented in prompt.txt.
  • Refinement: Added an emphatic instruction set ensuring the agent strictly refuses to reveal its internal prompt
    instructions, regardless of the conversational framing (storytelling, hypothetical scenarios, or direct queries).

Impact

  • Security: Significantly reduces the surface area for prompt injection attacks.
  • Reliability: The agent is now better equipped to recognize and gracefully handle attempts to bypass security
    constraints.
  • Behavioral Integrity: No changes were made to the agent's core functionality, only to its defensive posture
    regarding its own system instructions.

Verification

  • Tests were performed locally to verify that the agent now consistently refuses to output its system prompt when
    prompted with direct queries or creative scenarios (simulating the behavior previously identified as vulnerable).

Related Issue
Fixes #206

Addresses issue #206 regarding potential system prompt leakage via
creative storytelling and direct requests. Updated prompt instructions
in `repos/OmegaClaw-Core/memory/prompt.txt` and
`repos/OmegaClaw-Core/memory/prompt_ASICloud.txt` to more strictly
7 prohibit the disclosure of system instructions and provide clear
8 guidance on handling unauthorized requests.

related issues: #206
The `balance_parentheses` logic in `src/helper.py` was producing malformed `pin` commands for dash-prefixed input
(e.g., producing `pin - Found a bug` instead of `pin "Found a bug"`).

This fix:
1. Correctly identifies dash-prefixed input.
2. Strips the leading dash.
3. Uses `json.dumps()` to securely serialize and quote the payload. This ensures that special characters, spaces,
   and quotes within the payload are handled safely and consistently, preventing command parsing errors and
   potential state loss.

related issue:asi-alliance#199
@melkamzeranteneh melkamzeranteneh changed the title security: harden system prompts against extraction attempts security: harden system prompts against extraction attempts #206 Jul 4, 2026
@melkamzeranteneh melkamzeranteneh changed the title security: harden system prompts against extraction attempts #206 Solve the issues #206 and #199 Jul 4, 2026
@melkamzeranteneh

Copy link
Copy Markdown
Author

Second issue solution description

Description:
This PR fixes the malformed pin command conversion issue identified in src/helper.py (Bug #199).

Previously, inputs starting with a dash (e.g., - Found a bug) were incorrectly converted into unquoted commands (pin

  • Found a bug). Because the command parser expects a quoted string argument for pin, these commands were failing to
    parse correctly, leading to potential state loss in the agent's memory.

Changes:
Updated src/helper.py in balance_parentheses:

  • Implemented safe payload extraction for both (- and - prefixed lines.
  • Used json.dumps(payload, ensure_ascii=False) to perform robust, safe quoting and serialization of the payload.
  • Added logic to properly handle closing parentheses in (- prefixed lines before quoting.

Impact:

  • Security/Reliability: Ensures pin commands are correctly parsed by the system, preventing silent failures and
    data loss when pinning memory.
  • Robustness: Using json.dumps() provides a safer, more idiomatic approach to handling arbitrary string arguments
    compared to manual string concatenation.

Verification:

  • Verified by manual inspection of the logic change in src/helper.py.
  • The fix correctly handles:
    • Input: - Found a bug -> Result: pin "- Found a bug" (or equivalent quoted serialization)
    • Input: (- Found a bug) -> Result: (pin "- Found a bug")

Related Issue:
Fixes #199

@melkamzeranteneh melkamzeranteneh changed the title Solve the issues #206 and #199 Solution for the issues #206 and #199 Jul 4, 2026
@vsbogd

vsbogd commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

#206 is not relevant to OmegaClaw because our prompt is open source.
#199 should be carefully reviewed also related to #223

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants