{"id":"https://openalex.org/W7135053558","doi":"https://doi.org/10.48550/arxiv.2603.10387","title":"Don't Let the Claw Grip Your Hand: A Security Analysis and Defense Framework for OpenClaw","display_name":"Don't Let the Claw Grip Your Hand: A Security Analysis and Defense Framework for OpenClaw","publication_year":2026,"publication_date":"2026-03-11","ids":{"openalex":"https://openalex.org/W7135053558","doi":"https://doi.org/10.48550/arxiv.2603.10387"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2603.10387","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.10387","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2603.10387","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5040865271","display_name":"Zhengyang Shan","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Shan, Zhengyang","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5023375557","display_name":"Jiayun Xin","orcid":"https://orcid.org/0000-0001-5862-6717"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Xin, Jiayun","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128842443","display_name":"Yue Zhang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhang, Yue","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5128873714","display_name":"Minghui Xu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Xu, Minghui","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":0,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.5792999863624573,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.5792999863624573,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.19910000264644623,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.05009999871253967,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/sandbox","display_name":"Sandbox (software development)","score":0.8996999859809875},{"id":"https://openalex.org/keywords/resilience","display_name":"Resilience (materials science)","score":0.5871000289916992},{"id":"https://openalex.org/keywords/baseline","display_name":"Baseline (sea)","score":0.46059998869895935},{"id":"https://openalex.org/keywords/security-analysis","display_name":"Security analysis","score":0.40230000019073486},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.40139999985694885},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.3903999924659729},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.3806000053882599},{"id":"https://openalex.org/keywords/computer-security-model","display_name":"Computer security model","score":0.36980000138282776}],"concepts":[{"id":"https://openalex.org/C167981075","wikidata":"https://www.wikidata.org/wiki/Q2667186","display_name":"Sandbox (software development)","level":2,"score":0.8996999859809875},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.647599995136261},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6320000290870667},{"id":"https://openalex.org/C2779585090","wikidata":"https://www.wikidata.org/wiki/Q3457762","display_name":"Resilience (materials science)","level":2,"score":0.5871000289916992},{"id":"https://openalex.org/C12725497","wikidata":"https://www.wikidata.org/wiki/Q810247","display_name":"Baseline (sea)","level":2,"score":0.46059998869895935},{"id":"https://openalex.org/C38369872","wikidata":"https://www.wikidata.org/wiki/Q7445009","display_name":"Security analysis","level":2,"score":0.40230000019073486},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.40139999985694885},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.3903999924659729},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.3806000053882599},{"id":"https://openalex.org/C121822524","wikidata":"https://www.wikidata.org/wiki/Q5157582","display_name":"Computer security model","level":2,"score":0.36980000138282776},{"id":"https://openalex.org/C2776576444","wikidata":"https://www.wikidata.org/wiki/Q303569","display_name":"Attack surface","level":2,"score":0.352400004863739},{"id":"https://openalex.org/C97686452","wikidata":"https://www.wikidata.org/wiki/Q7604153","display_name":"Static analysis","level":2,"score":0.3208000063896179},{"id":"https://openalex.org/C195518309","wikidata":"https://www.wikidata.org/wiki/Q13424265","display_name":"Security testing","level":5,"score":0.29919999837875366},{"id":"https://openalex.org/C2778227311","wikidata":"https://www.wikidata.org/wiki/Q2575688","display_name":"Militarization","level":3,"score":0.28859999775886536},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.2840999960899353},{"id":"https://openalex.org/C123657996","wikidata":"https://www.wikidata.org/wiki/Q12271","display_name":"Architecture","level":2,"score":0.263700008392334},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.26179999113082886},{"id":"https://openalex.org/C2777929537","wikidata":"https://www.wikidata.org/wiki/Q1225329","display_name":"Rubble","level":2,"score":0.2524000108242035},{"id":"https://openalex.org/C31139447","wikidata":"https://www.wikidata.org/wiki/Q5380386","display_name":"Enterprise information security architecture","level":2,"score":0.25049999356269836},{"id":"https://openalex.org/C204323151","wikidata":"https://www.wikidata.org/wiki/Q905424","display_name":"Range (aeronautics)","level":2,"score":0.25049999356269836}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2603.10387","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.10387","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"Preprint"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2603.10387","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.10387","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Code":[0],"agents":[1,221],"powered":[2],"by":[3],"large":[4,46],"language":[5,47],"models":[6],"can":[7,40],"execute":[8],"shell":[9],"commands":[10],"on":[11,109],"behalf":[12],"of":[13,26,113,130,206,218,227],"users,":[14],"introducing":[15],"severe":[16,182],"security":[17,24,55,104,111,137],"vulnerabilities.":[18,67],"This":[19],"paper":[20],"presents":[21],"a":[22,143,151,204],"two-phase":[23],"analysis":[25],"the":[27,90,110,114,157,169,175,198,215,225],"OpenClaw":[28,39,100],"platform.":[29],"As":[30],"an":[31,60,126],"open-source":[32],"AI":[33],"agent":[34,66],"framework":[35,154],"that":[36,99,168,184],"operates":[37],"locally,":[38],"be":[41],"integrated":[42],"with":[43,125,159,194],"various":[44],"commercial":[45],"models.":[48],"Because":[49],"its":[50],"native":[51,73,188,192],"architecture":[52],"lacks":[53],"built-in":[54],"constraints,":[56],"it":[57],"serves":[58],"as":[59],"ideal":[61],"subject":[62],"for":[63],"evaluating":[64],"baseline":[65],"First,":[68],"we":[69,96,139],"systematically":[70],"evaluate":[71,156],"OpenClaw's":[72,187],"resilience":[74],"against":[75],"malicious":[76],"instructions.":[77],"By":[78,190],"testing":[79,153],"47":[80],"adversarial":[81],"scenarios":[82],"across":[83],"six":[84],"major":[85],"attack":[86],"categories":[87],"derived":[88],"from":[89],"MITRE":[91],"ATLAS":[92],"and":[93,117,141,160],"ATT\\&amp;CK":[94],"frameworks,":[95],"have":[97],"demonstrated":[98],"exhibits":[101],"significant":[102],"inherent":[103],"issues.":[105],"It":[106],"primarily":[107],"relies":[108],"capabilities":[112,193],"backend":[115],"LLM":[116],"is":[118],"highly":[119],"susceptible":[120],"to":[121,155,180,203,208],"sandbox":[122],"escape":[123],"attacks,":[124],"average":[127],"defense":[128,147,200,230],"rate":[129,201],"only":[131,213],"17\\%.":[132],"To":[133],"mitigate":[134],"these":[135],"critical":[136],"gaps,":[138],"propose":[140],"implement":[142],"novel":[144],"Human-in-the-Loop":[145],"(HITL)":[146],"layer.":[148],"We":[149],"utilize":[150],"dual-mode":[152],"system":[158],"without":[161],"our":[162,195],"proposed":[163],"intervention.":[164],"Our":[165,210],"findings":[166],"show":[167],"introduced":[170],"HITL":[171,196],"layer":[172],"significantly":[173],"hardens":[174],"system,":[176],"successfully":[177],"intercepting":[178],"up":[179],"8":[181],"attacks":[183],"completely":[185],"bypassed":[186],"defenses.":[189],"combining":[191],"approach,":[197],"overall":[199],"improves":[202],"range":[205],"19\\%":[207],"92\\%.":[209],"study":[211],"not":[212],"exposes":[214],"intrinsic":[216],"limitations":[217],"current":[219],"code":[220],"but":[222],"also":[223],"demonstrates":[224],"effectiveness":[226],"human-agent":[228],"collaborative":[229],"strategies.":[231]},"counts_by_year":[],"updated_date":"2026-07-01T06:00:48.157686","created_date":"2026-03-13T00:00:00"}
