Constraining Host-Level Abuse in Self-Hosted Computer-Use Agents via TEE-Backed Isolation

TL;DR

This paper introduces a risk-based confinement model for self-hosted agents, leveraging TEE-backed isolation to prevent host-level abuse while maintaining functionality and providing auditability.

Contribution

It proposes an operation-centric security architecture using TEE technology to isolate and control potentially unsafe host operations in self-hosted agents.

Findings

The design effectively blocks unsafe operations before execution.

It preserves normal functionality for allowed tasks.

It provides auditable evidence with manageable overhead.

Abstract

Self-hosted computer-use agents (SHCUAs), such as OpenClaw, combine natural-language interaction with direct access to host-side resources, including browsers, files, scripts, system commands, and external communication channels. While useful for automating real tasks, this capability also creates a host-level abuse surface: a legitimately deployed agent may be steered toward unsafe operations through malicious messages, indirect prompt injection, unsafe skills, or tampering along the host-side control path. We argue that such risks cannot be addressed by ad hoc blocking rules alone, because the security criticality of an operation depends jointly on its action type, target object, execution context, and potential effect. This paper presents an operation-centric model for risk-based confinement of SHCUA operations. The proposed design keeps ordinary functionality on the constrained REE path, while protecting security-critical classification, authorization, binding, evidence generation, and selected execution-control decisions inside a cloud-native TEE-backed trusted operation plane. We instantiate the architecture on OpenClaw using Intel TDX as the primary trusted backend, with remote terminal-side trusted components verifying TDX-audited commands before constrained local execution. The evaluation shows that the design can block unsafe or policy-disallowed operations before execution, preserve ordinary functionality for allowed workloads, and provide auditable evidence with deployment-dependent overhead.