DistributedApps.ai applied the CSA MAESTRO framework to OpenClaw’s codebase (Feb 18 review). Of the assessed threats, 34% were fully mitigated, 37% partially mitigated and 29% still open. Mitigations already present include wrapping untrusted content with Unicode sanitization, suspicious-pattern detection and context-overflow blocking. Key gaps: injection detection only logs and does not block; there is no semantic-based detection; and the system prompt is not re-injected during long conversations. Recommended fixes include a promptInjectionPolicy config option (log/warn/block) and periodic re-assertion of the system prompt every N turns. Via Agentic AI on Substack.
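The three controls the review discusses (untrusted-content wrapping with Unicode sanitization, a log/warn/block promptInjectionPolicy, and system-prompt re-assertion every N turns), sketched as an added Python example; this is not OpenClaw's code, and the pattern list, delimiter format and function names are assumptions:

```python
import logging
import re
import unicodedata

# Constructed pattern list for illustration; a real deployment tunes and extends it.
SUSPICIOUS_PATTERNS = [
    re.compile(r"ignore (all |any )?(previous|prior|above) instructions", re.I),
    re.compile(r"disregard (the |your )?system prompt", re.I),
]


class InjectionBlocked(Exception):
    """Raised when policy is 'block' and suspicious content is found."""


def sanitize_unicode(text: str) -> str:
    """NFKC-normalize (folds fullwidth/confusable forms) and drop format
    characters (category Cf: zero-width, bidi overrides, tag chars) that can
    hide instructions from pattern matching or from a human reviewer."""
    text = unicodedata.normalize("NFKC", text)
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def wrap_untrusted(text: str, source: str) -> str:
    """Delimit external content so the model treats it as data, not instructions."""
    return f'<untrusted source="{source}">\n{text}\n</untrusted>'


def apply_policy(text: str, source: str, policy: str) -> tuple[str, list[str]]:
    """Sanitize, scan, then enforce promptInjectionPolicy: 'log', 'warn' or 'block'.
    Returns the wrapped content plus the list of matched patterns."""
    clean = sanitize_unicode(text)
    hits = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(clean)]
    if hits:
        if policy == "block":
            raise InjectionBlocked(f"blocked content from {source}: {hits}")
        level = logging.WARNING if policy == "warn" else logging.INFO
        logging.log(level, "suspicious content from %s: %s", source, hits)
    return wrap_untrusted(clean, source), hits


def maybe_reassert_system_prompt(history: list[dict], system_prompt: str, every_n: int) -> list[dict]:
    """Re-inject the system prompt after every `every_n` user turns so it is not
    diluted by a long conversation; skip if it was just re-asserted."""
    user_turns = sum(1 for m in history if m["role"] == "user")
    if user_turns and user_turns % every_n == 0 and history[-1]["role"] != "system":
        return history + [{"role": "system", "content": system_prompt}]
    return history
```

Unicode stripping runs before pattern matching so that zero-width or bidi characters spliced into a phrase cannot slip past the detector.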