{"id":"https://openalex.org/W7160992961","doi":"https://doi.org/10.48550/arxiv.2605.11047","title":"Red-Teaming Agent Execution Contexts: Open-World Security Evaluation on OpenClaw","display_name":"Red-Teaming Agent Execution Contexts: Open-World Security Evaluation on OpenClaw","publication_year":2026,"publication_date":"2026-05-11","ids":{"openalex":"https://openalex.org/W7160992961","doi":"https://doi.org/10.48550/arxiv.2605.11047"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2605.11047","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.11047","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2605.11047","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5136076195","display_name":"Hongwei Yao","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yao, Hongwei","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5136029100","display_name":"Yiming Liu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Yiming","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5136078216","display_name":"Yiling He","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"He, Yiling","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5136061971","display_name":"Bingrun Yang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yang, Bingrun","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":0,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.33480000495910645,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.33480000495910645,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.1543000042438507,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.14030000567436218,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.7409999966621399},{"id":"https://openalex.org/keywords/construct","display_name":"Construct (python library)","score":0.5615000128746033},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.5374000072479248},{"id":"https://openalex.org/keywords/task","display_name":"Task (project management)","score":0.5108000040054321},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.5008000135421753},{"id":"https://openalex.org/keywords/computer-security-model","display_name":"Computer security model","score":0.46149998903274536},{"id":"https://openalex.org/keywords/benchmark","display_name":"Benchmark (surveying)","score":0.41850000619888306},{"id":"https://openalex.org/keywords/compromise","display_name":"Compromise","score":0.4075999855995178},{"id":"https://openalex.org/keywords/vulnerability-assessment","display_name":"Vulnerability assessment","score":0.3716999888420105}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7447999715805054},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.7409999966621399},{"id":"https://openalex.org/C2780801425","wikidata":"https://www.wikidata.org/wiki/Q5164392","display_name":"Construct (python library)","level":2,"score":0.5615000128746033},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5493999719619751},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.5374000072479248},{"id":"https://openalex.org/C2780451532","wikidata":"https://www.wikidata.org/wiki/Q759676","display_name":"Task (project management)","level":2,"score":0.5108000040054321},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.5008000135421753},{"id":"https://openalex.org/C121822524","wikidata":"https://www.wikidata.org/wiki/Q5157582","display_name":"Computer security model","level":2,"score":0.46149998903274536},{"id":"https://openalex.org/C185798385","wikidata":"https://www.wikidata.org/wiki/Q1161707","display_name":"Benchmark (surveying)","level":2,"score":0.41850000619888306},{"id":"https://openalex.org/C46355384","wikidata":"https://www.wikidata.org/wiki/Q726686","display_name":"Compromise","level":2,"score":0.4075999855995178},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.3716999888420105},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.36419999599456787},{"id":"https://openalex.org/C2777286243","wikidata":"https://www.wikidata.org/wiki/Q5591926","display_name":"Grading (engineering)","level":2,"score":0.3517000079154968},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.3479999899864197},{"id":"https://openalex.org/C71611378","wikidata":"https://www.wikidata.org/wiki/Q5165191","display_name":"Contextual design","level":3,"score":0.3467999994754791},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.34220001101493835},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.3151000142097473},{"id":"https://openalex.org/C12174686","wikidata":"https://www.wikidata.org/wiki/Q1058438","display_name":"Risk assessment","level":2,"score":0.3098999857902527},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.298799991607666},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.2946999967098236},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.2935999929904938},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.29249998927116394},{"id":"https://openalex.org/C195518309","wikidata":"https://www.wikidata.org/wiki/Q13424265","display_name":"Security testing","level":5,"score":0.27390000224113464},{"id":"https://openalex.org/C110251889","wikidata":"https://www.wikidata.org/wiki/Q1569697","display_name":"Model checking","level":2,"score":0.2605000138282776},{"id":"https://openalex.org/C183322885","wikidata":"https://www.wikidata.org/wiki/Q17007702","display_name":"Context model","level":3,"score":0.2567000091075897},{"id":"https://openalex.org/C105339364","wikidata":"https://www.wikidata.org/wiki/Q2297740","display_name":"Software deployment","level":2,"score":0.2558000087738037}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2605.11047","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.11047","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"Preprint"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2605.11047","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.11047","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16","score":0.6425079107284546}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Agentic":[0],"language-model":[1],"systems":[2],"increasingly":[3],"rely":[4],"on":[5],"mutable":[6],"execution":[7],"contexts,":[8],"including":[9],"files,":[10],"memory,":[11],"tools,":[12],"skills,":[13],"and":[14,54,66,84,88,95],"auxiliary":[15],"artifacts,":[16],"creating":[17],"security":[18,127],"risks":[19],"beyond":[20],"explicit":[21],"user":[22],"prompts.":[23],"This":[24],"paper":[25],"presents":[26],"DeepTrap,":[27],"an":[28],"automated":[29],"framework":[30],"for":[31,125],"discovering":[32],"contextual":[33,102],"vulnerabilities":[34],"in":[35],"OpenClaw.":[36],"DeepTrap":[37],"formulates":[38],"adversarial":[39],"context":[40],"manipulation":[41],"as":[42],"a":[43,77],"black-box":[44],"trajectory-level":[45],"optimization":[46],"problem":[47],"that":[48,101,115],"balances":[49],"risk":[50],"realization,":[51],"benign-task":[52],"preservation,":[53],"stealth.":[55],"It":[56],"combines":[57],"risk-conditioned":[58],"evaluation,":[59],"multi-objective":[60],"trajectory":[61],"scoring,":[62],"reward-guided":[63],"beam":[64],"search,":[65],"reflection-based":[67],"deep":[68],"probing":[69],"to":[70],"identify":[71],"high-value":[72],"compromised":[73],"contexts.":[74],"We":[75],"construct":[76],"42-case":[78],"benchmark":[79],"spanning":[80],"six":[81],"vulnerability":[82],"classes":[83],"seven":[85],"operational":[86],"scenarios,":[87],"evaluate":[89],"nine":[90],"target":[91],"models":[92],"using":[93],"attack":[94],"utility":[96],"grading":[97],"scores.":[98],"Results":[99],"show":[100],"compromise":[103],"can":[104],"induce":[105],"substantial":[106],"unsafe":[107],"behavior":[108],"while":[109],"preserving":[110],"user-facing":[111],"task":[112],"completion,":[113],"demonstrating":[114],"final-response":[116],"evaluation":[117,128],"is":[118,135],"insufficient.":[119],"The":[120],"findings":[121],"highlight":[122],"the":[123],"need":[124],"execution-centric":[126],"of":[129],"agentic":[130],"AI":[131],"systems.":[132],"Our":[133],"code":[134],"released":[136],"at:":[137],"https://github.com/ZJUICSR/DeepTrap":[138]},"counts_by_year":[],"updated_date":"2026-07-01T06:00:48.157686","created_date":"2026-05-14T00:00:00"}
