OpenClaw safety study reveals structural agent vulnerabilities

The paper argues that current agent safety is overly reliant on prompt-level alignment, which fails once an agent's "state" is compromised. We need a deterministic execution-time control layer, not just better monitoring.

• –CIK poisoning (Capability, Identity, Knowledge) is a devastatingly effective attack vector for persistent agents.
• –Even the strongest models (Claude Opus 4.6, GPT-5.4) see vulnerability increases of 3x+ under state compromise.
• –Proposed "proposal -> authorization -> execution" model moves security from probabilistic alignment to deterministic policy.
• –Baseline success rates for attacks on OpenClaw are already alarmingly high (~10–37%) even without poisoning.
• –File-level protection is too restrictive for practical use, blocking 97% of attacks but also 97% of legitimate updates.