You are vastly overestimating the relevance of this particular challenge when it comes to defense against prompt injection as a whole.

There is a single attack vector, with a single target, with a prompt particularly engineered to defend this particular scenario.

This doesn't at all generalize to the infinity of scenarios that can be encountered in the wild with a ClawBot instance.