ML Security PapersUncovering Security Threats and Architecting Defenses in Autonomous Agents: A Case Study of OpenClaw
Zonghao Ying 1, Xiao Yang 1, Siyang Wu 2, Yumeng Song 1, Yang Qu 1, Hainan Li 3, Tianlin Li 1, Jiakai Wang 2, Aishan Liu 1, Xianglong Liu 1,2
Published on arXiv
2603.12644
AI Supply Chain Attacks
OWASP ML Top 10 — ML06
Prompt Injection
OWASP LLM Top 10 — LLM01
Insecure Plugin Design
OWASP LLM Top 10 — LLM07
Excessive Agency
OWASP LLM Top 10 — LLM08
Key Finding
Identifies that traditional content-filtering defenses are obsolete for autonomous agents with OS-level permissions, requiring architectural defense paradigm shift
FASA
Novel technique introduced
The rapid evolution of Large Language Models (LLMs) into autonomous, tool-calling agents has fundamentally altered the cybersecurity landscape. Frameworks like OpenClaw grant AI systems operating-system-level permissions and the autonomy to execute complex workflows. This level of access creates unprecedented security challenges. Consequently, traditional content-filtering defenses have become obsolete. This report presents a comprehensive security analysis of the OpenClaw ecosystem. We systematically investigate its current threat landscape, highlighting critical vulnerabilities such as prompt injection-driven Remote Code Execution (RCE), sequential tool attack chains, context amnesia, and supply chain contamination. To systematically contextualize these threats, we propose a novel tri-layered risk taxonomy for autonomous Agents, categorizing vulnerabilities across AI Cognitive, Software Execution, and Information System dimensions. To address these systemic architectural flaws, we introduce the Full-Lifecycle Agent Security Architecture (FASA). This theoretical defense blueprint advocates for zero-trust agentic execution, dynamic intent verification, and cross-layer reasoning-action correlation. Building on this framework, we present Project ClawGuard, our ongoing engineering initiative. This project aims to implement the FASA paradigm and transition autonomous agents from high-risk experimental utilities into trustworthy systems. Our code and dataset are available at https://github.com/NY1024/ClawGuard.
Key Contributions
- Tri-layered risk taxonomy for autonomous agents categorizing vulnerabilities across AI Cognitive, Software Execution, and Information System dimensions
- Full-Lifecycle Agent Security Architecture (FASA) proposing zero-trust agentic execution, dynamic intent verification, and cross-layer reasoning-action correlation
- Systematic threat landscape analysis of OpenClaw revealing prompt injection-driven RCE, sequential tool attack chains, context amnesia, and supply chain contamination
🛡️ Threat Analysis
Paper explicitly addresses supply chain contamination in the OpenClaw ecosystem, including trojaned/poisoned tools and malicious third-party integrations distributed through the agent framework supply chain.