Detection Patterns
Anthropic uses token/phrase matching to detect OpenClaw system prompts. These triggers are found by binary searching the prompt against Claude’s API.
Confirmed triggers
These six string replacements live in scrubPrompt() (src/stream.ts). Three of them — HEARTBEAT_OK, reply_to_current, [[reply_to: — are also reversed by unscrubResponse() so the gateway sees the original tokens back in assistant output.
| Trigger | Type | Fix |
|---|---|---|
personal assistant...inside OpenClaw | Identity | Replace with personal assistant...inside GlueClaw |
HEARTBEAT_OK | Token | Replace with GLUECLAW_ACK (round-tripped back) |
reply_to_current | Reference | Replace with reply_current (round-tripped) |
[[reply_to: | Syntax | Replace with [[reply: (round-tripped) |
openclaw.inbound_meta | Schema | Replace with glueclaw.inbound_meta |
generated by OpenClaw | Context | Replace with generated by GlueClaw |
Confirmed safe
| Content | Example |
|---|---|
openclaw in file paths | .../openclaw/skills/ |
openclaw in CLI commands | openclaw gateway status |
openclaw in URLs | github.com/openclaw |
OpenClaw in doc refs | OpenClaw docs: |
NO_REPLY token | Silent reply marker |
| Runtime line format | agent=main \| host=zmac |
| Skill descriptions | OpenClaw deployments |
Quick health check
export GLUECLAW_KEY=local
openclaw agent --agent main \
--message "say pineapple" 2>&1 | tail -n 1
pineapple = working. API Error: 400 = new trigger added.
Cron monitoring
0 9 * * * GLUECLAW_KEY=local openclaw agent \
--agent main --message "say pineapple" 2>&1 \
| grep -q "pineapple" \
|| echo "GlueClaw blocked" \
| mail -s "GlueClaw alert" you@example.com
If blocked again
- Dump the live prompt: add
require("fs").writeFileSync("/tmp/gc-prompt.txt", cleanPrompt)tosrc/stream.tsafter the scrub chain - Trigger the failing path (TUI, agent, and Telegram get different prompts)
- Binary search: test first half vs second half with
claude --system-prompt-file - Narrow to exact lines
- Add new
.replace()to the scrub chain - Update this file
Timeline
2026-04-05 23:00 EDT
"personal assistant running inside OpenClaw"triggers block- File paths, CLI commands, URLs with “openclaw” are safe
2026-04-06 01:00 EDT
- Full aggressive
/openclaw/giscrub works - TUI + Telegram working
2026-04-06 01:30 EDT
- Case-sensitive scrub fails, case-insensitive passes
2026-04-06 02:30 EDT
- Surgical scrub (identity phrase only) works initially
2026-04-06 13:30 EDT
HEARTBEAT_OKin heartbeat paragraph found as new triggerGLUECLAW_ACKreplacement fixes agent path- TUI still fails
2026-04-06 ~14:00 EDT
- TUI prompt has Reply Tags section as additional trigger
- Stripping section + replacing related tokens fixes TUI
openclaw.inbound_metaandgenerated by OpenClawalso scrubbed