Trojan's Whisper: Stealthy Manipulation of OpenClaw through Injected Bootstrapped Guidance

TL;DR

This paper uncovers a stealthy attack method called guidance injection that manipulates autonomous coding agents by embedding harmful narratives into their bootstrap guidance, enabling malicious actions without detection.

Contribution

It introduces guidance injection as a novel attack vector in autonomous agents, demonstrating its effectiveness and evasion against existing detection methods.

Findings

Guidance injection successfully manipulates agent behavior in 16-64% of cases.

94% of malicious skills evade current detection tools.

Developed ORE-Bench to evaluate attack success in realistic scenarios.

Abstract

Autonomous coding agents are increasingly integrated into software development workflows, offering capabilities that extend beyond code suggestion to active system interaction and environment management. OpenClaw, a representative platform in this emerging paradigm, introduces an extensible skill ecosystem that allows third-party developers to inject behavioral guidance through lifecycle hooks during agent initialization. While this design enhances automation and customization, it also opens a novel and unexplored attack surface. In this paper, we identify and systematically characterize guidance injection, a stealthy attack vector that embeds adversarial operational narratives into bootstrap guidance files. Unlike traditional prompt injection, which relies on explicit malicious instructions, guidance injection manipulates the agent's reasoning context by framing harmful actions as routine best practices. These narratives are automatically incorporated into the agent's interpretive framework and influence future task execution without raising suspicion.We construct 26 malicious skills spanning 13 attack categories including credential exfiltration, workspace destruction, privilege escalation, and persistent backdoor installation. We evaluate them using ORE-Bench, a realistic developer workspace benchmark we developed. Across 52 natural user prompts and six state-of-the-art LLM backends, our attacks achieve success rates from 16.0% to 64.2%, with the majority of malicious actions executed autonomously without user confirmation. Furthermore, 94% of our malicious skills evade detection by existing static and LLM-based scanners. Our findings reveal fundamental tensions in the design of autonomous agent ecosystems and underscore the urgent need for defenses based on capability isolation, runtime policy enforcement, and transparent guidance provenance.