OpenClaw Academy
Module 6 Quiz: Security Model
7 questions · Passing score: 70%
1. Which trust level carries the highest authority in OpenClaw's trust hierarchy?
User messages — the user is the operator
External content — it comes from authoritative web sources
The system prompt (composed from workspace files) — controlled by the gateway owner
LLM responses — the model makes the final decision
2. What is the EXTERNAL_UNTRUSTED_CONTENT XML wrapper used for?
Encrypting external content before it's stored in the session transcript
Tagging content fetched from the web or email as untrusted, so the model treats it as data rather than instructions
Filtering out malicious content before it reaches the agent
Marking content that requires user approval before the agent can read it
3. An agent has exec in its tool deny list. An attacker sends a carefully crafted prompt injection through a fetched webpage instructing the agent to 'run rm -rf ~/Documents'. What happens?
The agent might follow the instruction if the injection is clever enough
The exec tool is unavailable — the injection cannot call it regardless of what the model wants
The Gateway logs the attempt and alerts the owner, but the command runs
The sandbox intercepts the command and runs it safely in Docker
4. You set sandbox mode to 'non-main'. Your agent runs in a Telegram group chat. Is that session sandboxed?
No — Telegram is a first-party channel and is always trusted
No — 'non-main' only affects Discord and Slack channels
Yes — group chat sessions use their own session keys, which are not the main session key
Only if the group is not in the allowlist
5. What is the DM pairing policy 'pairing' (the default) designed to prevent?
The agent from calling tools when talking to unknown senders
Unknown strangers from reaching the agent until the owner explicitly approves them
Multiple people from sharing the same session context
The agent from using exec in DM conversations
6. Prompt injection can only succeed if strangers can message your bot directly.
True — only inbound messages can contain injection attempts
False — any content the agent reads can carry injections (web pages, emails, files, search results)
True — the pairing system blocks all injection attempts from external sources
False — only attachments can carry injections, not text content
7. What does the 'elevated full' exec mode do that 'elevated on' does not?
It grants access to additional tools beyond exec
It runs exec on the host AND bypasses exec approval prompts for the session
It enables the sandbox to mount the full host filesystem
It allows the agent to modify gateway configuration and tool policies