{"ID":5439444,"CreatedAt":"2026-07-01T01:17:58.482524686Z","UpdatedAt":"2026-07-02T17:27:15.704513176Z","DeletedAt":null,"paper_url":"https://arxiv.org/abs/2606.30755","arxiv_id":"2606.30755","title":"Understanding and Evaluating Claw-like Agent Security Through a Computer-Systems Lens","abstract":"Claw-like AI agents (e.g., OpenClaw) are always-on processes with persistent access to credentials, files, tools, and external services. They take on system-level responsibilities -- installing packages, maintaining state, scheduling subtasks, and mediating I/O -- making security failures far more severe than in other agents. Yet existing benchmarks focus on model responses and tool calls, leaving cross-component failure modes largely unmeasured. We adopt a computer-system analogy: treating a Claw-like agent as an agentic computer system whose gateway runtime plays an OS-like mediation role, whose Skills resemble user-installed applications, and whose Plugins resemble loadable extensions with runtime privileges. Each component has a classical counterpart whose protection mechanisms -- refined over decades of cybersecurity research -- are absent on the agent side. From this perspective, we develop SafeClawArena, a benchmark of 406 adversarial tasks across four attack surfaces (Skill Supply-Chain Integrity, Persistent State Exploitation, Cross-Boundary Data Flow, and Indirect Prompt Injection), executed in containerized replicas of real agent platforms with canary-marked credentials and evaluated via automated taint tracking across nine output channels. We evaluate three platforms (OpenClaw, NemoClaw, SeClaw) and five frontier LLMs. The highest attack success rate reaches 70%; malicious Plugins succeed in 100% of cases regardless of the LLM. SeClaw cuts GPT-5.4's attack success rate from 70% to 22%, partly through utility-security tradeoffs rather than active defenses, while Claude-Opus-4.6 already sits near a 22% floor on every platform. These results expose the inadequacy of current defenses and suggest directions for future hardening. Code and data: https://github.com/sunblaze-ucb/SafeClawArena.","short_abstract":"Claw-like AI agents (e.g., OpenClaw) are always-on processes with persistent access to credentials, files, tools, and external services. They take on system-level responsibilities -- installing packages, maintaining state, scheduling subtasks, and mediating I/O -- making security failures far more severe than in other...","url_abs":"https://arxiv.org/abs/2606.30755","url_pdf":"https://arxiv.org/pdf/2606.30755v1","authors":"[\"Peizhi Niu\",\"Wenjie Qu\",\"Shangding Gu\",\"Tianneng Shi\",\"Yuankai Li\",\"Ahmad Tawaha\",\"Hend Alzahrani\",\"Vincent Siu\",\"Boyi Li\",\"Chenguang Wang\",\"Jiaheng Zhang\",\"Basel Alomair\",\"Ming Jin\",\"Muhao Chen\",\"Chi Wang\",\"Costas Spanos\",\"Dawn Song\"]","published":"2026-06-29T18:00:45Z","proceeding":"cs.CR","tasks":"[\"cs.CR\",\"cs.AI\"]","methods":"[\"Large Language Model\"]","has_code":false,"code_links":[{"ID":613792,"CreatedAt":"2026-07-01T01:17:58.482524686Z","UpdatedAt":"2026-07-01T01:17:58.482524686Z","DeletedAt":null,"paper_id":5439444,"paper_url":"https://arxiv.org/abs/2606.30755","paper_title":"Understanding and Evaluating Claw-like Agent Security Through a Computer-Systems Lens","repo_url":"https://github.com/sunblaze-ucb/SafeClawArena","is_official":false,"mentioned_in_paper":false,"mentioned_in_github":true,"github_stars":0}]}
