docs: refresh untrusted file wrapper refs

Peter Steinberger
2026-04-04 19:39:09 +01:00
parent eaef4ee1b1
commit b1279b0db3
4 changed files with 21 additions and 1 deletions


@@ -164,6 +164,12 @@ Current behavior:
so it stays ephemeral (not persisted in session history).
- Decoded file text is wrapped as **untrusted external content** before it is added,
so file bytes are treated as data, not trusted instructions.
- The injected block uses explicit boundary markers like
`<<<EXTERNAL_UNTRUSTED_CONTENT id="...">>>` /
`<<<END_EXTERNAL_UNTRUSTED_CONTENT id="...">>>` and includes a
`Source: External` metadata line.
- This file-input path intentionally omits the long `SECURITY NOTICE:` banner to
preserve prompt budget; the boundary markers and metadata still stay in place.
- PDFs are parsed for text first. If little text is found, the first pages are
rasterized into images and passed to the model, and the injected file block uses
the placeholder `[PDF content rendered to images]`.
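Review bot: the PDF fallback bullet at the end of this hunk says "If little text is found" without stating the threshold or where it is configured; an operator deciding how much to trust the text path needs that number, so quote the setting or the character/word count here. Also consider stating whether the `id` in `<<<EXTERNAL_UNTRUSTED_CONTENT id="...">>>` is generated per injection by the Gateway rather than taken from the uploaded filename or other caller-supplied metadata, since once the `SECURITY NOTICE:` banner is omitted the boundary markers and the `Source: External` line are the only signal separating file data from instructions.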


@@ -696,7 +696,11 @@ tool calls. Reduce the blast radius by:
if you want to disable URL fetching entirely.
- For OpenResponses file inputs, decoded `input_file` text is still injected as
**untrusted external content**. Do not rely on file text being trusted just because
the Gateway decoded it locally.
the Gateway decoded it locally. The injected block still carries explicit
`<<<EXTERNAL_UNTRUSTED_CONTENT ...>>>` boundary markers plus `Source: External`
metadata, even though this path omits the longer `SECURITY NOTICE:` banner.
- The same marker-based wrapping is applied when media-understanding extracts text
from attached documents before appending that text to the media prompt.
- Enabling sandboxing and strict tool allowlists for any agent that touches untrusted input.
- Keeping secrets out of prompts; pass them via env/config on the gateway host instead.
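Review bot: the two new bullets do not grammatically complete the list lead-in "Reduce the blast radius by:", which the surrounding bullets do ("Enabling sandboxing...", "Keeping secrets out of prompts..."). They read as descriptions of Gateway behavior rather than actions the operator takes. Suggest rephrasing the first to something like "Treating decoded OpenResponses `input_file` text as untrusted external content even though the Gateway decoded it locally; the injected block carries `<<<EXTERNAL_UNTRUSTED_CONTENT ...>>>` boundary markers plus `Source: External` metadata but omits the longer `SECURITY NOTICE:` banner" and folding the media-understanding sentence into it as a second clause, so the list stays a list of practices.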


@@ -2998,6 +2998,9 @@ Related: [/concepts/oauth](/concepts/oauth) (OAuth flows, token storage, multi-a
- using a read-only or tool-disabled "reader" agent to summarize untrusted content
- keeping `web_search` / `web_fetch` / `browser` off for tool-enabled agents
- treating decoded file/document text as untrusted too: OpenResponses
`input_file` and media-attachment extraction both wrap extracted text in
explicit external-content boundary markers instead of passing raw file text
- sandboxing and strict tool allowlists
Details: [Security](/gateway/security).
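Review bot: the added bullet mixes an operator practice ("treating decoded file/document text as untrusted too") with a description of built-in behavior (OpenResponses `input_file` and media-attachment extraction wrapping text in boundary markers), while every sibling bullet is something the operator does. Suggest keeping only the practice here and moving the mechanism sentence to the linked Security page, or marking it explicitly as "OpenClaw does this for you" so readers do not think there is a switch to turn on. Minor: the bullet is also two to three times longer than its siblings in this list.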


@@ -249,6 +249,13 @@ File-attachment extraction behavior:
- Extracted file text is wrapped as **untrusted external content** before it is
appended to the media prompt.
- The injected block uses explicit boundary markers like
`<<<EXTERNAL_UNTRUSTED_CONTENT id="...">>>` /
`<<<END_EXTERNAL_UNTRUSTED_CONTENT id="...">>>` and includes a
`Source: External` metadata line.
- This attachment-extraction path intentionally omits the long
`SECURITY NOTICE:` banner to avoid bloating the media prompt; the boundary
markers and metadata still remain.
- If a file has no extractable text, OpenClaw injects `[No extractable text]`.
- If a PDF falls back to rendered page images in this path, the media prompt keeps
the placeholder `[PDF content rendered to images; images not forwarded to model]`
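Review bot: the last two bullets introduce the placeholders `[No extractable text]` and `[PDF content rendered to images; images not forwarded to model]` but do not say whether those placeholders are emitted inside the `<<<EXTERNAL_UNTRUSTED_CONTENT id="...">>>` / `<<<END_EXTERNAL_UNTRUSTED_CONTENT id="...">>>` block or outside it; anyone writing log-based detection or auditing on the markers needs to know which, so state it in either bullet. The PDF bullet should also spell out the consequence for the reader: in this path the document contributes nothing to the model beyond the placeholder, unlike the file-input path where rendered pages are passed to the model. Style: the final bullet is missing its trailing period, unlike the others in the list.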