The prompt injection risk CNCERT is describing is structural.. it's not specific to OpenClaw. Any agent runtime where model output can reach privileged tools without an enforcement boundary has this exposure.

The agencies' advice to "check permission configurations" is the right instinct but it's a manual process that doesn't scale. The architectural fix is deterministic enforcement at the execution sink level: model output with untrusted provenance cannot invoke shell, credentials, filesystem, or network calls regardless of what the prompt says.

That's what MVAR enforces > UNTRUSTED input + CRITICAL sink → BLOCK. No classification, no configuration checklist — the boundary holds automatically.

More on this here : github.com/mvar-security/mvar