Clawed and Dangerous: Can We Trust Open Agentic Systems?
Shiping Chen, Qin Wang, Guangsheng Yu, Xu Wang, Liming Zhu

TL;DR
This paper analyzes the security challenges of open agentic systems combining LLMs with external capabilities, proposing a taxonomy and evaluation framework to improve their governance and resilience.
Contribution
It introduces a six-dimensional taxonomy and a synthesis of 50 papers, providing a reference doctrine and a scorecard for secure, governable agent platforms.
Findings
The literature is mature in attack characterization and benchmarks.
Deployment controls and operational governance are identified as the weak areas.
These gaps highlight the need for resilient, auditable agent ecosystems.
Abstract
Open agentic systems combine LLM-based planning with external capabilities, persistent memory, and privileged execution. They are used in coding assistants, browser copilots, and enterprise automation. OpenClaw is a visible instance of this broader class. Although they have received little attention so far, their security challenge is fundamentally different from that of traditional software that relies on predictable execution and well-defined control flow. In open agentic systems, everything is "probabilistic": plans are generated at runtime, key decisions may be shaped by untrusted natural-language inputs and tool outputs, execution unfolds in uncertain environments, and actions are taken under authority delegated by human users. The central challenge is therefore not merely robustness against individual attacks, but the governance of agentic behavior under persistent uncertainty. This paper…
