{"id":"https://openalex.org/W7140138845","doi":"https://doi.org/10.48550/arxiv.2603.19974","title":"Trojan's Whisper: Stealthy Manipulation of OpenClaw through Injected Bootstrapped Guidance","display_name":"Trojan's Whisper: Stealthy Manipulation of OpenClaw through Injected Bootstrapped Guidance","publication_year":2026,"publication_date":"2026-03-20","ids":{"openalex":"https://openalex.org/W7140138845","doi":"https://doi.org/10.48550/arxiv.2603.19974"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2603.19974","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.19974","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2603.19974","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5130343903","display_name":"Fazhong Liu","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Liu, Fazhong","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130331503","display_name":"Zhuoyan Chen","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Chen, Zhuoyan","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130351691","display_name":"Tu Lan","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Lan, Tu","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130398033","display_name":"Haozhen Tan","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Tan, Haozhen","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130375642","display_name":"Zhenyu Xu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Xu, Zhenyu","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130381421","display_name":"Xiang Lorraine Li","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Li, Xiang","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100725580","display_name":"Guoxing Chen","orcid":"https://orcid.org/0000-0001-8107-5909"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Chen, Guoxing","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130350621","display_name":"Yan Meng","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Meng, Yan","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5123961137","display_name":"Haojin Zhu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhu, Haojin","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":9,"corresponding_author_ids":["https://openalex.org/A5130343903"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.3978999853134155,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.3978999853134155,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.14710000157356262,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.0982000008225441,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/rootkit","display_name":"Rootkit","score":0.5374000072479248},{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.5015000104904175},{"id":"https://openalex.org/keywords/workflow","display_name":"Workflow","score":0.41589999198913574},{"id":"https://openalex.org/keywords/emulation","display_name":"Emulation","score":0.40459999442100525},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.36910000443458557},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.36739999055862427},{"id":"https://openalex.org/keywords/codebase","display_name":"Codebase","score":0.36340001225471497},{"id":"https://openalex.org/keywords/sandbox","display_name":"Sandbox (software development)","score":0.3628000020980835},{"id":"https://openalex.org/keywords/credential","display_name":"Credential","score":0.36160001158714294},{"id":"https://openalex.org/keywords/workspace","display_name":"Workspace","score":0.3521000146865845}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.660099983215332},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5546000003814697},{"id":"https://openalex.org/C10144332","wikidata":"https://www.wikidata.org/wiki/Q14645","display_name":"Rootkit","level":3,"score":0.5374000072479248},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.5015000104904175},{"id":"https://openalex.org/C107457646","wikidata":"https://www.wikidata.org/wiki/Q207434","display_name":"Human\u2013computer interaction","level":1,"score":0.4189000129699707},{"id":"https://openalex.org/C177212765","wikidata":"https://www.wikidata.org/wiki/Q627335","display_name":"Workflow","level":2,"score":0.41589999198913574},{"id":"https://openalex.org/C149810388","wikidata":"https://www.wikidata.org/wiki/Q5374873","display_name":"Emulation","level":2,"score":0.40459999442100525},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.36910000443458557},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.36739999055862427},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.36390000581741333},{"id":"https://openalex.org/C51929080","wikidata":"https://www.wikidata.org/wiki/Q2425187","display_name":"Codebase","level":3,"score":0.36340001225471497},{"id":"https://openalex.org/C167981075","wikidata":"https://www.wikidata.org/wiki/Q2667186","display_name":"Sandbox (software development)","level":2,"score":0.3628000020980835},{"id":"https://openalex.org/C2777810591","wikidata":"https://www.wikidata.org/wiki/Q16861606","display_name":"Credential","level":2,"score":0.36160001158714294},{"id":"https://openalex.org/C58581272","wikidata":"https://www.wikidata.org/wiki/Q12741163","display_name":"Workspace","level":3,"score":0.3521000146865845},{"id":"https://openalex.org/C13687954","wikidata":"https://www.wikidata.org/wiki/Q4826847","display_name":"Autonomous agent","level":2,"score":0.3499000072479248},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.3474999964237213},{"id":"https://openalex.org/C2780451532","wikidata":"https://www.wikidata.org/wiki/Q759676","display_name":"Task (project management)","level":2,"score":0.34450000524520874},{"id":"https://openalex.org/C169087156","wikidata":"https://www.wikidata.org/wiki/Q2131593","display_name":"Framing (construction)","level":2,"score":0.3431999981403351},{"id":"https://openalex.org/C105339364","wikidata":"https://www.wikidata.org/wiki/Q2297740","display_name":"Software deployment","level":2,"score":0.3411000072956085},{"id":"https://openalex.org/C2776576444","wikidata":"https://www.wikidata.org/wiki/Q303569","display_name":"Attack surface","level":2,"score":0.33489999175071716},{"id":"https://openalex.org/C2780801425","wikidata":"https://www.wikidata.org/wiki/Q5164392","display_name":"Construct (python library)","level":2,"score":0.3303000032901764},{"id":"https://openalex.org/C160145156","wikidata":"https://www.wikidata.org/wiki/Q778586","display_name":"Executable","level":2,"score":0.31470000743865967},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.31049999594688416},{"id":"https://openalex.org/C153083717","wikidata":"https://www.wikidata.org/wiki/Q6535263","display_name":"Leverage (statistics)","level":2,"score":0.30820000171661377},{"id":"https://openalex.org/C115901376","wikidata":"https://www.wikidata.org/wiki/Q184199","display_name":"Automation","level":2,"score":0.30809998512268066},{"id":"https://openalex.org/C139458680","wikidata":"https://www.wikidata.org/wiki/Q12184942","display_name":"Interoperation","level":3,"score":0.3001999855041504},{"id":"https://openalex.org/C61423126","wikidata":"https://www.wikidata.org/wiki/Q187432","display_name":"Scripting language","level":2,"score":0.28290000557899475},{"id":"https://openalex.org/C149091818","wikidata":"https://www.wikidata.org/wiki/Q2429814","display_name":"Software system","level":3,"score":0.2799000144004822},{"id":"https://openalex.org/C40305131","wikidata":"https://www.wikidata.org/wiki/Q2616305","display_name":"Obfuscation","level":2,"score":0.2743000090122223},{"id":"https://openalex.org/C31395832","wikidata":"https://www.wikidata.org/wiki/Q1318674","display_name":"Testbed","level":2,"score":0.27129998803138733},{"id":"https://openalex.org/C167221231","wikidata":"https://www.wikidata.org/wiki/Q672307","display_name":"NetLogo","level":2,"score":0.26989999413490295},{"id":"https://openalex.org/C2780138299","wikidata":"https://www.wikidata.org/wiki/Q3404265","display_name":"Privilege (computing)","level":2,"score":0.26260000467300415},{"id":"https://openalex.org/C62230096","wikidata":"https://www.wikidata.org/wiki/Q275969","display_name":"Crowdsourcing","level":2,"score":0.2621000111103058},{"id":"https://openalex.org/C2781045450","wikidata":"https://www.wikidata.org/wiki/Q254569","display_name":"Backdoor","level":2,"score":0.2614000141620636},{"id":"https://openalex.org/C179518139","wikidata":"https://www.wikidata.org/wiki/Q5140297","display_name":"Coding (social sciences)","level":2,"score":0.2567000091075897},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.25}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2603.19974","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.19974","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2603.19974","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.19974","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Autonomous":[0],"coding":[1],"agents":[2],"are":[3,117],"increasingly":[4],"integrated":[5],"into":[6,86,120],"software":[7],"development":[8],"workflows,":[9],"offering":[10],"capabilities":[11],"that":[12,37,81],"extend":[13],"beyond":[14],"code":[15],"suggestion":[16],"to":[17,41,181],"active":[18],"system":[19],"interaction":[20],"and":[21,56,63,72,125,148,169,205,220,234],"environment":[22],"management.":[23],"OpenClaw,":[24],"a":[25,61,77,157],"representative":[26],"platform":[27],"in":[28,213],"this":[29,52,68],"emerging":[30],"paradigm,":[31],"introduces":[32],"an":[33],"extensible":[34],"skill":[35],"ecosystem":[36],"allows":[38],"third-party":[39],"developers":[40],"inject":[42],"behavioral":[43],"guidance":[44,75,88,100,236],"through":[45],"lifecycle":[46],"hooks":[47],"during":[48],"agent":[49,218],"initialization.":[50],"While":[51],"design":[53,215],"enhances":[54],"automation":[55],"customization,":[57],"it":[58],"also":[59],"opens":[60],"novel":[62],"unexplored":[64],"attack":[65,79,139],"surface.":[66],"In":[67],"paper,":[69],"we":[70,162],"identify":[71],"systematically":[73],"characterize":[74],"injection,":[76,93],"stealthy":[78],"vector":[80],"embeds":[82],"adversarial":[83],"operational":[84],"narratives":[85,116],"bootstrap":[87],"files.":[89],"Unlike":[90],"traditional":[91],"prompt":[92],"which":[94],"relies":[95],"on":[96,228],"explicit":[97],"malicious":[98,135,187,198],"instructions,":[99],"injection":[101],"manipulates":[102],"the":[103,121,184,214,222],"agent's":[104,122],"reasoning":[105],"context":[106],"by":[107,202],"framing":[108],"harmful":[109],"actions":[110,188],"as":[111],"routine":[112],"best":[113],"practices.":[114],"These":[115],"automatically":[118],"incorporated":[119],"interpretive":[123],"framework":[124],"influence":[126],"future":[127],"task":[128],"execution":[129],"without":[130,191],"raising":[131],"suspicion.We":[132],"construct":[133],"26":[134],"skills":[136,199],"spanning":[137],"13":[138],"categories":[140],"including":[141],"credential":[142],"exfiltration,":[143],"workspace":[144,160],"destruction,":[145],"privilege":[146],"escalation,":[147],"persistent":[149],"backdoor":[150],"installation.":[151],"We":[152],"evaluate":[153],"them":[154],"using":[155],"ORE-Bench,":[156],"realistic":[158],"developer":[159],"benchmark":[161],"developed.":[163],"Across":[164],"52":[165],"natural":[166],"user":[167,192],"prompts":[168],"six":[170],"state-of-the-art":[171],"LLM":[172],"backends,":[173],"our":[174,197],"attacks":[175],"achieve":[176],"success":[177],"rates":[178],"from":[179],"16.0%":[180],"64.2%,":[182],"with":[183],"majority":[185],"of":[186,196,216],"executed":[189],"autonomously":[190],"confirmation.":[193],"Furthermore,":[194],"94%":[195],"evade":[200],"detection":[201],"existing":[203],"static":[204],"LLM-based":[206],"scanners.":[207],"Our":[208],"findings":[209],"reveal":[210],"fundamental":[211],"tensions":[212],"autonomous":[217],"ecosystems":[219],"underscore":[221],"urgent":[223],"need":[224],"for":[225],"defenses":[226],"based":[227],"capability":[229],"isolation,":[230],"runtime":[231],"policy":[232],"enforcement,":[233],"transparent":[235],"provenance.":[237]},"counts_by_year":[],"updated_date":"2026-03-24T06:04:31.470712","created_date":"2026-03-24T00:00:00"}