中文

Understanding and Evaluating Claw-like Agent Security Through a Computer-Systems Lens

密码学与安全 2026-06-29 v1 人工智能

摘要

Claw-like AI agents (e.g., OpenClaw) are always-on processes with persistent access to credentials, files, tools, and external services. They take on system-level responsibilities -- installing packages, maintaining state, scheduling subtasks, and mediating I/O -- making security failures far more severe than in other agents. Yet existing benchmarks focus on model responses and tool calls, leaving cross-component failure modes largely unmeasured. We adopt a computer-system analogy: treating a Claw-like agent as an agentic computer system whose gateway runtime plays an OS-like mediation role, whose Skills resemble user-installed applications, and whose Plugins resemble loadable extensions with runtime privileges. Each component has a classical counterpart whose protection mechanisms -- refined over decades of cybersecurity research -- are absent on the agent side. From this perspective, we develop SafeClawArena, a benchmark of 406 adversarial tasks across four attack surfaces (Skill Supply-Chain Integrity, Persistent State Exploitation, Cross-Boundary Data Flow, and Indirect Prompt Injection), executed in containerized replicas of real agent platforms with canary-marked credentials and evaluated via automated taint tracking across nine output channels. We evaluate three platforms (OpenClaw, NemoClaw, SeClaw) and five frontier LLMs. The highest attack success rate reaches 70%; malicious Plugins succeed in 100% of cases regardless of the LLM. SeClaw cuts GPT-5.4's attack success rate from 70% to 22%, partly through utility-security tradeoffs rather than active defenses, while Claude-Opus-4.6 already sits near a 22% floor on every platform. These results expose the inadequacy of current defenses and suggest directions for future hardening. Code and data: https://github.com/sunblaze-ucb/SafeClawArena.

引用

@article{arxiv.2606.30755,
  title  = {Understanding and Evaluating Claw-like Agent Security Through a Computer-Systems Lens},
  author = {Peizhi Niu and Wenjie Qu and Shangding Gu and Tianneng Shi and Yuankai Li and Ahmad Tawaha and Hend Alzahrani and Vincent Siu and Boyi Li and Chenguang Wang and Jiaheng Zhang and Basel Alomair and Ming Jin and Muhao Chen and Chi Wang and Costas Spanos and Dawn Song},
  journal= {arXiv preprint arXiv:2606.30755},
  year   = {2026}
}