The founder of OpenClaw advises users not to use small models to run high-risk tasks because prompt word injection protection is very weak.

Recently, a netizen showed a screenshot of configuring GPT-5.4 in the OpenClaw AI robot on the social media platform

@Steipete's suggestion is that users should not use smaller models or models with weak prompt word injection protection to run high-risk tasks. The main reason is that the security protection of these models in prompt word injection is weak or incomplete.

In fact, this problem is clearly mentioned in the official documentation of the OpenClaw AI project, that is, prompt word injection cannot be solved at present, so users should give priority to using the latest models with stronger command alignment in high-risk scenarios to improve security protection capabilities.

Prompt word injection is a problem that cannot be solved by all current AI models and tools. Attackers may induce the AI ​​model to perform certain high-risk operations through prompt word injection. In severe cases, the user's sensitive data may be leaked.

OpenClaw AI robots usually require higher permissions to perform more operations. That is, the higher the permissions granted by the user and the more information they provide, the more serious the information leaked may be after a security issue occurs.

The official document of the project also mentions that permission boundaries should be tightened for tool-based agents (executable, readable, writable, and networkable). It is not enough to rely solely on the consciousness of system prompt words. These are things that users must consider themselves.

What is prompt word injection:

Prompt word injection means that attackers can disguise malicious instructions in web pages/emails/documents to induce AI violations. For example, adding AI instructions in a form invisible to humans at the beginning of the web page requires the model to ignore the system prompt words and send the queried information to a certain server.

Most of the time, after the AI ​​model reads these prompt words, it may ignore them due to system security settings, but sometimes the model may also execute commands based on invisible prompt words, which may lead to the leakage of all sensitive information of the user.

If you only do daily Q&A or polish copywriting, etc., you can use smaller/older models, which are faster and may be cheaper. As long as daily documents and copywriting do not contain sensitive information, even if they are leaked, it will not have much impact.

If you want to run automation tasks or other agent tasks, especially agents that need to call tools and perform operations online, it is recommended that users give priority to the latest and stronger models to improve security. They also need to optimize the OpenClaw AI robot settings, grant only the minimum permissions, and adopt measures such as session isolation and source filtering to improve security.