OpenClaw Incident Response Framework
Even with robust security controls, incidents can occur. This guide provides a structured incident response plan specifically designed for AI agent security events — from prompt injection attempts to unauthorized data access.
Severity Levels
| Level | Description | Response Time |
|---|---|---|
| P1 Critical | Agent executing unauthorized commands on production systems | Immediate |
| P2 High | Data exfiltration attempt detected, agent accessing sensitive files | Within 1 hour |
| P3 Medium | Prompt injection attempt detected but blocked by defenses | Within 24 hours |
| P4 Low | Unusual but benign agent behavior, false positive alerts | Next business day |
Immediate Response Steps
- Isolate: Run `openclaw emergency-stop` to immediately halt all agent operations
- Preserve: Export logs with `openclaw logs export --since 24h` before any cleanup
- Assess: Review the audit trail to determine scope — what commands were executed, what data was accessed
- Contain: Revoke any compromised API keys, rotate credentials, and block the attack vector
- Remediate: Update allowlists, tighten approval gates, and patch the vulnerability
- Document: Create a post-incident report with root cause analysis and preventive measures
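A sketch of the Assess step, added here as an example and not taken from OpenClaw: it reads exported audit records, lists the commands run and data accessed, and rates each event against the severity table. The JSON-lines layout and every field name are assumptions, and the sample records are constructed.

```python
import json
from collections import Counter

# Constructed sample. Field names (ts, type, target, approved, env, sensitive,
# blocked) are assumptions for this example, not OpenClaw's export schema.
SAMPLE_LOG = """\
{"ts": "2025-01-10T09:00:01Z", "type": "prompt_injection", "target": "fetched web page", "blocked": true}
{"ts": "2025-01-10T09:02:13Z", "type": "file_read", "target": "/home/agent/.ssh/id_ed25519", "sensitive": true}
{"ts": "2025-01-10T09:02:40Z", "type": "command", "target": "systemctl restart billing", "approved": false, "env": "production"}
{"ts": "2025-01-10T09:05:00Z", "type": "command", "target": "ls -la", "approved": true, "env": "dev"}
{"ts": "2025-01-10T09:05:09Z", "type": "comm
"""


def classify(rec):
    """Map one audit record to a severity level from the table."""
    kind = rec.get("type")
    if kind == "command" and not rec.get("approved") and rec.get("env") == "production":
        return "P1"
    if kind == "file_read" and rec.get("sensitive"):
        return "P2"
    if kind == "prompt_injection":
        # Blocked is P3 per the table; rating an unblocked attempt P2 is an assumption.
        return "P3" if rec.get("blocked") else "P2"
    return "P4"


def assess(log_text):
    """Summarise scope: commands run, data accessed, worst level, unreadable lines."""
    scope = {"commands": [], "data": [], "by_level": Counter(), "unparsed": 0}
    for line in filter(str.strip, log_text.splitlines()):
        try:
            rec = json.loads(line)
            if not isinstance(rec, dict):
                raise ValueError("record is not an object")
        except ValueError:  # JSONDecodeError subclasses ValueError
            scope["unparsed"] += 1  # evidence gaps belong in the report
            continue
        level = classify(rec)
        scope["by_level"][level] += 1
        bucket = {"command": "commands", "file_read": "data"}.get(rec.get("type"))
        if bucket:
            scope[bucket].append((rec.get("ts"), rec.get("target"), level))
    scope["worst"] = min(scope["by_level"], default=None)  # "P1" sorts first
    return scope


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

The `unparsed` count flags truncated or corrupted lines so the post-incident report can state where the audit trail is incomplete.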
Post-Incident Hardening
After every incident, review and update your security configuration. Consider enabling stricter allowlists, adding more approval gates, and increasing logging verbosity.