benchmark 2026

ClawSafety: "Safe" LLMs, Unsafe Agents

Bowen Wei 1, Yunbei Zhang 2, Jinhao Pan 1, Kai Mei 3, Xiao Wang 4, Jihun Hamm 2, Ziwei Zhu 1, Yingqiang Ge 3

1 George Mason University

2 Tulane University

3 Rutgers University

4 Oak Ridge National Laboratory

0 citations
α

Published on arXiv

2604.01438

Prompt Injection

OWASP LLM Top 10 — LLM01

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

Sonnet 4.6 achieves 40% ASR with 0% success on credential/destructive actions, while other models reach 55-75% ASR; scaffold choice shifts ASR by 8.6pp

ClawSafety

Novel technique introduced

Personal AI agents like OpenClaw run with elevated privileges on users' local machines, where a single successful prompt injection can leak credentials, redirect financial transactions, or destroy files. This threat goes well beyond conventional text-level jailbreaks, yet existing safety evaluations fall short: most test models in isolated chat settings, rely on synthetic environments, and do not account for how the agent framework itself shapes safety outcomes. We introduce CLAWSAFETY, a benchmark of 120 adversarial test scenarios organized along three dimensions (harm domain, attack vector, and harmful action type) and grounded in realistic, high-privilege professional workspaces spanning software engineering, finance, healthcare, law, and DevOps. Each test case embeds adversarial content in one of three channels the agent encounters during normal work: workspace skill files, emails from trusted senders, and web pages. We evaluate five frontier LLMs as agent backbones, running 2,520 sandboxed trials across all configurations. Attack success rates (ASR) range from 40\% to 75\% across models and vary sharply by injection vector, with skill instructions (highest trust) consistently more dangerous than email or web content. Action-trace analysis reveals that the strongest model maintains hard boundaries against credential forwarding and destructive actions, while weaker models permit both. Cross-scaffold experiments on three agent frameworks further demonstrate that safety is not determined by the backbone model alone but depends on the full deployment stack, calling for safety evaluation that treats model and framework as joint variables.

Key Contributions

  • 120-scenario benchmark organized by harm domain, attack vector, and task domain across realistic high-privilege workspaces
  • Evaluation of 5 frontier LLMs across 2,520 trials revealing ASR 40%-75% with skill injection most dangerous
  • Cross-scaffold experiments showing safety depends on model-framework pair, with 8.6pp ASR variation across frameworks

🛡️ Threat Analysis

Details

Domains
nlpmultimodal
Model Types
llm
Threat Tags
black_boxinference_timetargeted
Datasets
ClawSafety
Applications
personal ai agentssoftware engineeringfinancehealthcarelawdevops
Read PDF arXiv

Similar Papers

benchmark

How Vulnerable Are AI Agents to Indirect Prompt Injections? Insights from a Large-Scale Public Competition

2026 0 cit.
100%
benchmark

Beyond Model Jailbreak: Systematic Dissection of the "Ten DeadlySins" in Embodied Intelligence

2025 0 cit.
93%
benchmark

$α^3$-SecBench: A Large-Scale Evaluation Suite of Security, Resilience, and Trust for LLM-based UAV Agents over 6G Networks

2026 1 cit.
88%
attack

ScamAgents: How AI Agents Can Simulate Human-Level Scam Calls

2025 0 cit.
88%
benchmark

Code Agent can be an End-to-end System Hacker: Benchmarking Real-world Threats of Computer-use Agent

2025 4 cit.
88%
benchmark

SecureWebArena: A Holistic Security Evaluation Benchmark for LVLM-based Web Agents

2025 5 cit.
88%
benchmark

PEAR: Planner-Executor Agent Robustness Benchmark

2025 0 cit.
87%
benchmark

You Told Me to Do It: Measuring Instructional Text-induced Private Data Leakage in LLM Agents

2026 0 cit.
87%