Invisible Characters, Visible Damage

Source: DEV Community
There's a special kind of bug that only exists because two pieces of code disagree about what a string looks like. One side strips invisible characters. The other side tries to apply the results back to the original. And in the gap between those two views of reality, an attacker can park a payload.

The Setup

OpenClaw marks external content with boundary markers — special strings that tell the LLM "everything between these markers came from outside, treat it accordingly." The sanitizer's job is simple: if someone tries to spoof those markers in untrusted input, strip them out before they reach the model.

The sanitizer works in two steps:

1. Fold the input string by removing invisible Unicode characters (zero-width spaces, soft hyphens, word joiners)
2. Regex match against the folded string to find spoofed markers
3. Apply the match positions back to the original string

Step 3 is where things go sideways.

The Attack

Pad a spoofed boundary marker with 500+ zero-width spaces. The folded string is s
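
The fold / match / apply-back mismatch described above, as an added example that is not OpenClaw's code: the marker text `<<<EXTERNAL>>>`, the function names and the three-character invisible set are assumptions, and the sample input is constructed. `stripNaive` cuts the original string at folded-string offsets, while `stripMapped` translates each offset through an index map first.

```javascript
// Added example: marker text, names and invisible set are assumptions.
const INVISIBLE = /[\u200B\u00AD\u2060]/; // ZWSP, soft hyphen, word joiner
const MARKER_TEXT = "<<<EXTERNAL>>>";     // hypothetical boundary marker
const MARKER = /<<<EXTERNAL>>>/g;
// Constructed sample: marker padded with 500 zero-width spaces.
const SAMPLE = "intro " + "\u200B".repeat(500) + MARKER_TEXT + " tail";

// Fold the input; map[k] is the original index of folded character k.
function foldWithMap(input) {
  let folded = "";
  const map = [];
  for (let i = 0; i < input.length; i++) {
    if (INVISIBLE.test(input[i])) continue;
    map.push(i);
    folded += input[i];
  }
  return { folded, map };
}

// Mismatched views: offsets found in the folded string cut the original.
function stripNaive(input) {
  const { folded } = foldWithMap(input);
  let out = input;
  for (const m of [...folded.matchAll(MARKER)].reverse()) {
    out = out.slice(0, m.index) + out.slice(m.index + m[0].length);
  }
  return out;
}

// Consistent views: translate each match through the map before cutting.
function stripMapped(input) {
  const { folded, map } = foldWithMap(input);
  let out = input;
  for (const m of [...folded.matchAll(MARKER)].reverse()) {
    const start = map[m.index];
    const end = map[m.index + m[0].length - 1] + 1; // covers interior invisibles
    out = out.slice(0, start) + out.slice(end);
  }
  return out;
}

// Post-condition a sanitizer can assert: folding the output finds no marker.
function isClean(text) {
  return !foldWithMap(text).folded.includes(MARKER_TEXT);
}
```

Running `isClean` on the sanitizer's own output is a cheap regression check: it fails for `stripNaive(SAMPLE)` and passes for `stripMapped(SAMPLE)`.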