Paper Detail

Your Agent, Their Asset: A Real-World Safety Analysis of OpenClaw

Zijun Wang, Haoqin Tu, Letian Zhang, Hardy Chen, Juncheng Wu, Xiangyan Liu, Zhenlong Yuan, Tianyu Pang, Michael Qizhe Shieh, Fengze Liu, Zeyu Zheng, Huaxiu Yao, Yuyin Zhou, Cihang Xie

Browse

Workflow Queues

huggingface Score 7.0

Published 2026-04-06 · First seen 2026-04-07

General AI

Open paper source

Abstract

OpenClaw, the most widely deployed personal AI agent in early 2026, operates with full local system access and integrates with sensitive services such as Gmail, Stripe, and the filesystem. While these broad privileges enable high levels of automation and powerful personalization, they also expose a substantial attack surface that existing sandboxed evaluations fail to capture. To address this gap, we present the first real-world safety evaluation of OpenClaw and introduce the CIK taxonomy, which unifies an agent's persistent state into three dimensions, i.e., Capability, Identity, and Knowledge, for safety analysis. Our evaluations cover 12 attack scenarios on a live OpenClaw instance across four backbone models (Claude Sonnet 4.5, Opus 4.6, Gemini 3.1 Pro, and GPT-5.4). The results show that poisoning any single CIK dimension increases the average attack success rate from 24.6% to 64-74%, with even the most robust model exhibiting more than a threefold increase over its baseline vulnerability. We further assess three CIK-aligned defense strategies alongside a file-protection mechanism; however, the strongest defense still yields a 63.8% success rate under Capability-targeted attacks, while file protection blocks 97% of malicious injections but also prevents legitimate updates. Taken together, these findings show that the vulnerabilities are inherent to the agent architecture, necessitating more systematic safeguards to secure personal AI agents. Our project page is https://ucsc-vlaa.github.io/CIK-Bench.

Workflow Status

Review status
pending
Role
unreviewed
Read priority
soon
Vote
Not set.
Saved
no
Collections
Not filed yet.
Next action
Not filled yet.

Reading Brief

No structured notes yet. Add `summary_sections`, `why_relevant`, `claim_impact`, or `next_action` in `papers.jsonl` to enrich this view.

Why It Surfaced

No ranking explanation is available yet.

Tags

No tags.

Similar Papers

Claw-Eval-Live: A Live Agent Benchmark for Evolving Real-World Workflows 2026-04-30 · Score 11.2 General AI ClawTrap: A MITM-Based Red-Teaming Framework for Real-World OpenClaw Security Evaluation 2026-03-19 · Score 12.0 Research Track B · General AI A Mechanistic Analysis of Looped Reasoning Language Models 2026-04-13 · Score 10.3 General AI FinSafetyBench: Evaluating LLM Safety in Real-World Financial Scenarios 2026-05-01 · Score 11.2 General AI Agent-World: Scaling Real-World Environment Synthesis for Evolving General Agent Intelligence 2026-04-20 · Score 15.5 General AI

BibTeX

@misc{wang2026your,
  title = {Your Agent, Their Asset: A Real-World Safety Analysis of OpenClaw},
  author = {Zijun Wang and Haoqin Tu and Letian Zhang and Hardy Chen and Juncheng Wu and Xiangyan Liu and Zhenlong Yuan and Tianyu Pang and Michael Qizhe Shieh and Fengze Liu and Zeyu Zheng and Huaxiu Yao and Yuyin Zhou and Cihang Xie},
  year = {2026},
  abstract = {OpenClaw, the most widely deployed personal AI agent in early 2026, operates with full local system access and integrates with sensitive services such as Gmail, Stripe, and the filesystem. While these broad privileges enable high levels of automation and powerful personalization, they also expose a substantial attack surface that existing sandboxed evaluations fail to capture. To address this gap, we present the first real-world safety evaluation of OpenClaw and introduce the CIK taxonomy, which},
  url = {https://huggingface.co/papers/2604.04759},
  keywords = {CIK taxonomy, attack success rate, personal AI agent, sandboxed evaluations, agent architecture, defense strategies, malicious injections, legitimate updates, code available, huggingface daily},
  eprint = {2604.04759},
  archiveprefix = {arXiv},
}

Metadata

{}