tool 2026

ClawTrap: A MITM-Based Red-Teaming Framework for Real-World OpenClaw Security Evaluation

Haochen Zhao 1, Shaoyang Cui 2

1 National University of Singapore

2 Tsinghua University

0 citations
α

Published on arXiv

2603.18762

Prompt Injection

OWASP LLM Top 10 — LLM01

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

Weaker models trust tampered observations and produce unsafe outputs, while stronger models demonstrate better anomaly attribution and safer fallback strategies under MITM attacks

ClawTrap

Novel technique introduced

Autonomous web agents such as \textbf{OpenClaw} are rapidly moving into high-impact real-world workflows, but their security robustness under live network threats remains insufficiently evaluated. Existing benchmarks mainly focus on static sandbox settings and content-level prompt attacks, which leaves a practical gap for network-layer security testing. In this paper, we present \textbf{ClawTrap}, a \textbf{MITM-based red-teaming framework for real-world OpenClaw security evaluation}. ClawTrap supports diverse and customizable attack forms, including \textit{Static HTML Replacement}, \textit{Iframe Popup Injection}, and \textit{Dynamic Content Modification}, and provides a reproducible pipeline for rule-driven interception, transformation, and auditing. This design lays the foundation for future research to construct richer, customizable MITM attacks and to perform systematic security testing across agent frameworks and model backbones. Our empirical study shows clear model stratification: weaker models are more likely to trust tampered observations and produce unsafe outputs, while stronger models demonstrate better anomaly attribution and safer fallback strategies. These findings indicate that reliable OpenClaw security evaluation should explicitly incorporate dynamic real-world MITM conditions rather than relying only on static sandbox protocols.

Key Contributions

  • MITM-based red-teaming framework (ClawTrap) for real-world security evaluation of autonomous web agents
  • Supports diverse attack patterns: static HTML replacement, iframe popup injection, and dynamic content modification
  • Empirical study revealing model stratification in MITM robustness — stronger models show better anomaly detection and safer fallback behavior

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llm
Threat Tags
inference_timeblack_box
Applications
autonomous web agentsagentic workflowsbrowser automation
Read PDF arXiv Code

Similar Papers

tool

AgentSight: System-Level Observability for AI Agents Using eBPF

2025 0 cit.
100%
tool

DREAM: Dynamic Red-teaming across Environments for AI Models

2025 0 cit.
100%
tool

AJAR: Adaptive Jailbreak Architecture for Red-teaming

2026 0 cit.
100%
tool

"Your AI, My Shell": Demystifying Prompt Injection Attacks on Agentic AI Coding Editors

2025 1 cit.
92%
tool

LAAF: Logic-layer Automated Attack Framework A Systematic Red-Teaming Methodology for LPCI Vulnerabilities in Agentic Large Language Model Systems

2026 0 cit.
92%
tool

MUZZLE: Adaptive Agentic Red-Teaming of Web Agents Against Indirect Prompt Injection Attacks

2026 0 cit.
92%
defense

AgentArmor: Enforcing Program Analysis on Agent Runtime Trace to Defend Against Prompt Injection

2025 0 cit.
85%
benchmark

Mind the GAP: Text Safety Does Not Transfer to Tool-Call Safety in LLM Agents

2026 0 cit.
85%