Agent SafetyOutlineDraft

Defensive Prompt Engineering: Hardening Against Injection

Infrastructure cannot save you if the model treats untrusted text as instructions. Sanitize and dual-model extract before reason.

Series draft — Part 14 of 15 in Hardened Agentic Stack. Outline only; expand before un-drafting.

Phase 5: Human-in-the-Loop — Defense in Depth

The Problem

Prompt injection via READMEs, bug reports, or telemetry still steers tool use.

The Infrastructure Fix

Instruction filter / scrubber before the reasoning phase; ATR still enforces tool calls.

The Architecture Pattern

Sanitized Input Layer — external data is untrusted until extracted as data, not instructions.

Planned sections

  1. The “Oh No” moment — concrete incident or near-miss that makes the risk visceral.
  2. ClawQL context — how this control protects a high-privilege local/edge agent.
  3. Technical how-to — concrete configs, policies, or snippets a builder can apply.
  4. Safety check — what “trusted enough” looks like once this layer is in place.

Key visuals

  • Untrusted source → scrubber → reasoner → Panguard

Source modules (docs.clawql.com)

Rule of Three (keep on publish)

LayerTakeaway
ProblemPrompt injection via READMEs, bug reports, or telemetry still steers tool use.
Infrastructure fixInstruction filter / scrubber before the reasoning phase; ATR still enforces tool calls.
Architecture patternSanitized Input Layer — external data is untrusted until extracted as data, not instructions.

About the author

Daniel Smith builds ClawQL, an agent operating system for token-efficient discovery and execution over APIs — with observability, hardened tool boundaries, and production routing for LLM workloads. He writes here about the systems problems behind shipping agents.