{"id":"https://openalex.org/W7135231294","doi":"https://doi.org/10.48550/arxiv.2603.11619","title":"Taming OpenClaw: Security Analysis and Mitigation of Autonomous LLM Agent Threats","display_name":"Taming OpenClaw: Security Analysis and Mitigation of Autonomous LLM Agent Threats","publication_year":2026,"publication_date":"2026-03-12","ids":{"openalex":"https://openalex.org/W7135231294","doi":"https://doi.org/10.48550/arxiv.2603.11619"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2603.11619","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.11619","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2603.11619","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5128971149","display_name":"Xinhao Deng","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Deng, Xinhao","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128986622","display_name":"Yixiang Zhang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhang, Yixiang","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5126459609","display_name":"Jiaqing Wu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Wu, Jiaqing","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5111174933","display_name":"Jiaqi Bai","orcid":"https://orcid.org/0009-0003-9792-3556"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Bai, Jiaqi","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5112529653","display_name":"Sibo Yi","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yi, Sibo","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128944285","display_name":"Zhuoheng Zou","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zou, Zhuoheng","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129048699","display_name":"Yue Xiao","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Xiao, Yue","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128931811","display_name":"Rennai Qiu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Qiu, Rennai","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101852566","display_name":"Jianan Ma","orcid":"https://orcid.org/0009-0007-0448-1218"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Ma, Jianan","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101864441","display_name":"Jialuo Chen","orcid":"https://orcid.org/0000-0003-4322-4285"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Chen, Jialuo","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5067405541","display_name":"Xiaohu Du","orcid":"https://orcid.org/0000-0003-4455-3128"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Du, Xiaohu","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129044158","display_name":"Xiaofang Yang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yang, Xiaofang","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129077221","display_name":"Shiwen Cui","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Cui, Shiwen","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128930877","display_name":"Changhua Meng","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Meng, Changhua","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129049400","display_name":"Weiqiang Wang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Wang, Weiqiang","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5129020079","display_name":"Jiaxing Song","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Song, Jiaxing","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128962350","display_name":"Ke Xu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Xu, Ke","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5128964239","display_name":"Qi Li","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Li, Qi","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":0,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.43299999833106995,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.43299999833106995,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.26260000467300415,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.05490000173449516,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/vetting","display_name":"Vetting","score":0.8025000095367432},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.5253000259399414},{"id":"https://openalex.org/keywords/enforcement","display_name":"Enforcement","score":0.4453999996185303},{"id":"https://openalex.org/keywords/attack-surface","display_name":"Attack surface","score":0.4431000053882599},{"id":"https://openalex.org/keywords/security-analysis","display_name":"Security analysis","score":0.3765999972820282},{"id":"https://openalex.org/keywords/supply-chain","display_name":"Supply chain","score":0.35589998960494995},{"id":"https://openalex.org/keywords/security-information-and-event-management","display_name":"Security information and event management","score":0.3319000005722046},{"id":"https://openalex.org/keywords/computer-security-model","display_name":"Computer security model","score":0.33070001006126404},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.32280001044273376}],"concepts":[{"id":"https://openalex.org/C2777230681","wikidata":"https://www.wikidata.org/wiki/Q7923820","display_name":"Vetting","level":2,"score":0.8025000095367432},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.7039999961853027},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6184999942779541},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.5332000255584717},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.5253000259399414},{"id":"https://openalex.org/C2779777834","wikidata":"https://www.wikidata.org/wiki/Q4202277","display_name":"Enforcement","level":2,"score":0.4453999996185303},{"id":"https://openalex.org/C2776576444","wikidata":"https://www.wikidata.org/wiki/Q303569","display_name":"Attack surface","level":2,"score":0.4431000053882599},{"id":"https://openalex.org/C195094911","wikidata":"https://www.wikidata.org/wiki/Q14167904","display_name":"Process management","level":1,"score":0.44020000100135803},{"id":"https://openalex.org/C38369872","wikidata":"https://www.wikidata.org/wiki/Q7445009","display_name":"Security analysis","level":2,"score":0.3765999972820282},{"id":"https://openalex.org/C108713360","wikidata":"https://www.wikidata.org/wiki/Q1824206","display_name":"Supply chain","level":2,"score":0.35589998960494995},{"id":"https://openalex.org/C103377522","wikidata":"https://www.wikidata.org/wiki/Q3493999","display_name":"Security information and event management","level":4,"score":0.3319000005722046},{"id":"https://openalex.org/C121822524","wikidata":"https://www.wikidata.org/wiki/Q5157582","display_name":"Computer security model","level":2,"score":0.33070001006126404},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.32280001044273376},{"id":"https://openalex.org/C13687954","wikidata":"https://www.wikidata.org/wiki/Q4826847","display_name":"Autonomous agent","level":2,"score":0.31060001254081726},{"id":"https://openalex.org/C2779585090","wikidata":"https://www.wikidata.org/wiki/Q3457762","display_name":"Resilience (materials science)","level":2,"score":0.2944999933242798},{"id":"https://openalex.org/C114869243","wikidata":"https://www.wikidata.org/wiki/Q133735","display_name":"Security through obscurity","level":5,"score":0.2939999997615814},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.2912999987602234},{"id":"https://openalex.org/C145804949","wikidata":"https://www.wikidata.org/wiki/Q478123","display_name":"Situation awareness","level":2,"score":0.2906000018119812},{"id":"https://openalex.org/C4924752","wikidata":"https://www.wikidata.org/wiki/Q184148","display_name":"Plug-in","level":2,"score":0.2816999852657318},{"id":"https://openalex.org/C195518309","wikidata":"https://www.wikidata.org/wiki/Q13424265","display_name":"Security testing","level":5,"score":0.27959999442100525},{"id":"https://openalex.org/C2780262971","wikidata":"https://www.wikidata.org/wiki/Q44554","display_name":"Law enforcement","level":2,"score":0.2671999931335449},{"id":"https://openalex.org/C39389867","wikidata":"https://www.wikidata.org/wiki/Q380767","display_name":"Corporate governance","level":2,"score":0.2653000056743622},{"id":"https://openalex.org/C4438859","wikidata":"https://www.wikidata.org/wiki/Q186117","display_name":"Timeline","level":2,"score":0.2639000117778778},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.26030001044273376},{"id":"https://openalex.org/C154908896","wikidata":"https://www.wikidata.org/wiki/Q2167404","display_name":"Security policy","level":2,"score":0.2599000036716461},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.25850000977516174},{"id":"https://openalex.org/C56739046","wikidata":"https://www.wikidata.org/wiki/Q192060","display_name":"Knowledge management","level":1,"score":0.2583000063896179},{"id":"https://openalex.org/C2780264999","wikidata":"https://www.wikidata.org/wiki/Q7445032","display_name":"Security domain","level":2,"score":0.2563000023365021},{"id":"https://openalex.org/C2776831232","wikidata":"https://www.wikidata.org/wiki/Q966812","display_name":"Trusted Computing","level":2,"score":0.25279998779296875},{"id":"https://openalex.org/C191267431","wikidata":"https://www.wikidata.org/wiki/Q911932","display_name":"Honeypot","level":2,"score":0.2524000108242035}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2603.11619","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.11619","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"Preprint"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2603.11619","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.11619","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"sustainable_development_goals":[{"score":0.7232599854469299,"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Autonomous":[0],"Large":[1],"Language":[2],"Model":[3],"(LLM)":[4],"agents,":[5],"exemplified":[6],"by":[7],"OpenClaw,":[8,99],"demonstrate":[9,101],"remarkable":[10],"capabilities":[11,27],"in":[12,121],"executing":[13],"complex,":[14],"long-horizon":[15],"tasks.":[16],"However,":[17],"their":[18],"tightly":[19],"coupled":[20],"instant-messaging":[21],"interaction":[22],"paradigm":[23],"and":[24,69,71,91,104,109,129,171],"high-privilege":[25],"execution":[26],"substantially":[28],"expand":[29],"the":[30,77,102,111,134],"system":[31],"attack":[32],"surface.":[33],"In":[34],"this":[35,145],"paper,":[36],"we":[37,50,100,147],"present":[38],"a":[39,52],"comprehensive":[40],"security":[41,55,138],"threat":[42],"analysis":[43],"of":[44,61,106,113],"OpenClaw.":[45],"To":[46],"structure":[47],"our":[48],"analysis,":[49],"introduce":[51],"five-layer":[53],"lifecycle-oriented":[54],"framework":[56],"that":[57],"captures":[58],"key":[59],"stages":[60],"agent":[62],"operation,":[63],"i.e.,":[64],"initialization,":[65],"input,":[66],"inference,":[67],"decision,":[68],"execution,":[70],"systematically":[72],"examine":[73,149],"compound":[74],"threats":[75,108],"across":[76],"agent's":[78],"operational":[79],"lifecycle,":[80],"including":[81,157],"indirect":[82],"prompt":[83],"injection,":[84],"skill":[85],"supply":[86],"chain":[87],"contamination,":[88],"memory":[89,164],"poisoning,":[90],"intent":[92,168],"drift.":[93],"Through":[94],"detailed":[95],"case":[96],"studies":[97],"on":[98],"prevalence":[103],"severity":[105],"these":[107],"analyze":[110],"limitations":[112],"existing":[114],"defenses.":[115],"Our":[116],"findings":[117],"reveal":[118],"critical":[119],"weaknesses":[120],"current":[122],"point-based":[123],"defense":[124,151],"mechanisms":[125],"when":[126],"addressing":[127],"cross-temporal":[128],"multi-stage":[130],"systemic":[131],"risks,":[132],"highlighting":[133],"need":[135],"for":[136,140],"holistic":[137],"architectures":[139],"autonomous":[141],"LLM":[142],"agents.":[143],"Within":[144],"framework,":[146],"further":[148],"representative":[150],"strategies":[152],"at":[153],"each":[154],"lifecycle":[155],"stage,":[156],"plugin":[158],"vetting":[159],"frameworks,":[160],"context-aware":[161],"instruction":[162],"filtering,":[163],"integrity":[165],"validation":[166],"protocols,":[167],"verification":[169],"mechanisms,":[170],"capability":[172],"enforcement":[173],"architectures.":[174]},"counts_by_year":[],"updated_date":"2026-07-01T08:55:40.977307","created_date":"2026-03-14T00:00:00"}
