{"id":581,"date":"2026-03-19T05:04:16","date_gmt":"2026-03-18T21:04:16","guid":{"rendered":"https:\/\/connectword.dpdns.org\/?p=581"},"modified":"2026-03-19T05:04:16","modified_gmt":"2026-03-18T21:04:16","slug":"tsinghua-and-ant-group-researchers-unveil-a-five-layer-lifecycle-oriented-security-framework-to-mitigate-autonomous-llm-agent-vulnerabilities-in-openclaw","status":"publish","type":"post","link":"https:\/\/connectword.dpdns.org\/?p=581","title":{"rendered":"Tsinghua and Ant Group Researchers Unveil a Five-Layer Lifecycle-Oriented Security Framework to Mitigate Autonomous LLM Agent Vulnerabilities in OpenClaw"},"content":{"rendered":"<p>Autonomous LLM agents like OpenClaw are shifting the paradigm from passive assistants to proactive entities capable of executing complex, long-horizon tasks through high-privilege system access. However, a security analysis research report from <strong><a href=\"https:\/\/pxllnk.co\/5mui2tl\" target=\"_blank\" rel=\"noreferrer noopener\">Tsinghua University and Ant Group reveals that OpenClaw\u2019s \u2018kernel-plugin\u2019 architecture\u2014anchored by a pi-coding-agent serving as the Minimal Trusted Computing Base (TCB)\u2014is vulnerable to multi-stage systemic risks that bypass traditional, isolated defenses<\/a><\/strong>. By introducing a five-layer lifecycle framework covering initialization, input, inference, decision, and execution, the research team demonstrates how compound threats like memory poisoning and skill supply chain contamination can compromise an agent\u2019s entire operational trajectory.<\/p>\n<h3 class=\"wp-block-heading\"><strong>OpenClaw Architecture: The pi-coding-agent and the TCB<\/strong><\/h3>\n<p>OpenClaw utilizes a \u2018kernel-plugin\u2019 architecture that separates core logic from extensible functionality. 
The system\u2019s <strong>Trusted Computing Base (TCB)<\/strong> is defined by the <strong>pi-coding-agent<\/strong>, a minimal core responsible for memory management, task planning, and execution orchestration. This TCB manages an extensible ecosystem of third-party plugins\u2014or \u2018skills\u2019\u2014that enable the agent to perform high-privilege operations such as automated software engineering and system administration. A critical architectural vulnerability identified by the research team is the dynamic loading of these plugins without strict integrity verification, which creates an ambiguous trust boundary and expands the system\u2019s attack surface.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1380\" height=\"700\" data-attachment-id=\"78448\" data-permalink=\"https:\/\/www.marktechpost.com\/2026\/03\/18\/tsinghua-and-ant-group-researchers-unveil-a-five-layer-lifecycle-oriented-security-framework-to-mitigate-autonomous-llm-agent-vulnerabilities-in-openclaw\/image-355\/\" data-orig-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-22.png\" data-orig-size=\"1380,700\" data-comments-opened=\"1\" data-image-meta='{\"aperture\":\"0\",\"credit\":\"\",\"camera\":\"\",\"caption\":\"\",\"created_timestamp\":\"0\",\"copyright\":\"\",\"focal_length\":\"0\",\"iso\":\"0\",\"shutter_speed\":\"0\",\"title\":\"\",\"orientation\":\"0\"}' data-image-title=\"image\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-22-300x152.png\" data-large-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-22-1024x519.png\" src=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-22.png\" alt=\"\" class=\"wp-image-78448\" \/><figcaption class=\"wp-element-caption\">Table 1: Full Lifecycle Threats and Corresponding Protections for 
OpenClaw \u201cLobster\u201d<br \/>\u2713 Indicates effective risk mitigation by the protection layer<br \/>\u00d7 Denotes uncovered risks by the protection layer<\/figcaption><\/figure>\n<\/div>\n<h3 class=\"wp-block-heading\"><strong>A Lifecycle-Oriented Threat Taxonomy<\/strong><\/h3>\n<p>The research team systematizes the threat landscape across five operational stages that align with the agent\u2019s functional pipeline:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Stage I (Initialization):<\/strong> The agent establishes its operational environment and trust boundaries by loading system prompts, security configurations, and plugins.<\/li>\n<li><strong>Stage II (Input):<\/strong> Multi-modal data is ingested, requiring the agent to differentiate between trusted user instructions and untrusted external data sources.<\/li>\n<li><strong>Stage III (Inference):<\/strong> The agent reasoning process utilizes techniques such as <strong>Chain-of-Thought (CoT)<\/strong> prompting while maintaining contextual memory and retrieving external knowledge via retrieval-augmented generation.<\/li>\n<li><strong>Stage IV (Decision):<\/strong> The agent selects appropriate tools and generates execution parameters through planning frameworks such as <strong>ReAct<\/strong>.<\/li>\n<li><strong>Stage V (Execution):<\/strong> High-level plans are converted into privileged system actions, requiring strict sandboxing and access-control mechanisms to manage operations.<\/li>\n<\/ul>\n<p>This structured approach highlights that autonomous agents face multi-stage systemic risks that extend beyond isolated prompt injection attacks.<\/p>\n<h3 class=\"wp-block-heading\"><strong>Technical Case Studies in Agent Compromise<\/strong><\/h3>\n<h4 class=\"wp-block-heading\"><strong>1. Skill Poisoning (Initialization Stage)<\/strong><\/h4>\n<p>Skill poisoning targets the agent before a task even begins. 
Adversaries can introduce malicious skills that exploit the capability routing interface.<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>The Attack:<\/strong> The research team demonstrated this by coercing OpenClaw to create a functional skill named hacked-weather.<\/li>\n<li><strong>Mechanism:<\/strong> By manipulating the skill\u2019s metadata, the attacker artificially elevated its priority over the legitimate weather tool.<\/li>\n<li><strong>Impact:<\/strong> When a user requested weather data, the agent bypassed the legitimate service and triggered the malicious replacement, yielding attacker-controlled output.<\/li>\n<li><strong>Prevalence:<\/strong> An empirical audit cited in the research report found that <strong>26% of community-contributed tools<\/strong> contain security vulnerabilities.<\/li>\n<\/ul>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1380\" height=\"483\" data-attachment-id=\"78450\" data-permalink=\"https:\/\/www.marktechpost.com\/2026\/03\/18\/tsinghua-and-ant-group-researchers-unveil-a-five-layer-lifecycle-oriented-security-framework-to-mitigate-autonomous-llm-agent-vulnerabilities-in-openclaw\/image-357\/\" data-orig-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-24.png\" data-orig-size=\"1380,483\" data-comments-opened=\"1\" data-image-meta='{\"aperture\":\"0\",\"credit\":\"\",\"camera\":\"\",\"caption\":\"\",\"created_timestamp\":\"0\",\"copyright\":\"\",\"focal_length\":\"0\",\"iso\":\"0\",\"shutter_speed\":\"0\",\"title\":\"\",\"orientation\":\"0\"}' data-image-title=\"image\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-24-300x105.png\" data-large-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-24-1024x358.png\" src=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-24.png\" 
alt=\"\" class=\"wp-image-78450\" \/><figcaption class=\"wp-element-caption\">Figure\u00a02:\u00a0Poisoning\u00a0Command\u00a0Inducing\u00a0the\u00a0Compromised\u00a0\u201cLobster\u201d\u00a0to\u00a0Generate\u00a0a\u00a0Malicious\u00a0Weather\u00a0Skill\u00a0and\u00a0Elevate\u00a0Its\u00a0Priority<\/figcaption><\/figure>\n<\/div>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1380\" height=\"1048\" data-attachment-id=\"78453\" data-permalink=\"https:\/\/www.marktechpost.com\/2026\/03\/18\/tsinghua-and-ant-group-researchers-unveil-a-five-layer-lifecycle-oriented-security-framework-to-mitigate-autonomous-llm-agent-vulnerabilities-in-openclaw\/image-360\/\" data-orig-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-27.png\" data-orig-size=\"1380,1048\" data-comments-opened=\"1\" data-image-meta='{\"aperture\":\"0\",\"credit\":\"\",\"camera\":\"\",\"caption\":\"\",\"created_timestamp\":\"0\",\"copyright\":\"\",\"focal_length\":\"0\",\"iso\":\"0\",\"shutter_speed\":\"0\",\"title\":\"\",\"orientation\":\"0\"}' data-image-title=\"image\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-27-300x228.png\" data-large-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-27-1024x778.png\" src=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-27.png\" alt=\"\" class=\"wp-image-78453\" \/><figcaption class=\"wp-element-caption\">Figure 3: Malicious Skill Generated by Compromised \u201cLobster\u201d \u2014 Structurally Valid Yet Semantically Subverts Legitimate Weather Functionality<\/figcaption><\/figure>\n<\/div>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1380\" height=\"455\" data-attachment-id=\"78455\" 
data-permalink=\"https:\/\/www.marktechpost.com\/2026\/03\/18\/tsinghua-and-ant-group-researchers-unveil-a-five-layer-lifecycle-oriented-security-framework-to-mitigate-autonomous-llm-agent-vulnerabilities-in-openclaw\/image-362\/\" data-orig-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-29.png\" data-orig-size=\"1380,455\" data-comments-opened=\"1\" data-image-meta='{\"aperture\":\"0\",\"credit\":\"\",\"camera\":\"\",\"caption\":\"\",\"created_timestamp\":\"0\",\"copyright\":\"\",\"focal_length\":\"0\",\"iso\":\"0\",\"shutter_speed\":\"0\",\"title\":\"\",\"orientation\":\"0\"}' data-image-title=\"image\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-29-300x99.png\" data-large-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-29-1024x338.png\" src=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-29.png\" alt=\"\" class=\"wp-image-78455\" \/><figcaption class=\"wp-element-caption\">Figure\u00a04:\u00a0Normal\u00a0Weather\u00a0Request\u00a0Hijacked\u00a0by\u00a0Malicious\u00a0Skill\u00a0\u2014\u00a0Compromised\u00a0\u201cLobster\u201d\u00a0Generates\u00a0Attacker-Controlled\u00a0Output<\/figcaption><\/figure>\n<\/div>\n<h4 class=\"wp-block-heading\"><strong>2. 
Indirect Prompt Injection (Input Stage)<\/strong><\/h4>\n<p>Autonomous agents frequently ingest untrusted external data, making them susceptible to zero-click exploits.<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>The Attack:<\/strong> Attackers embed malicious directives within external content, such as a web page.<\/li>\n<li><strong>Mechanism:<\/strong> When the agent retrieves the page to fulfill a user request, the embedded payload overrides the original objective.<\/li>\n<li><strong>Result:<\/strong> In one test, the agent ignored the user\u2019s task to output a fixed \u2018Hello World\u2019 string mandated by the malicious site.<\/li>\n<\/ul>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1380\" height=\"230\" data-attachment-id=\"78445\" data-permalink=\"https:\/\/www.marktechpost.com\/2026\/03\/18\/tsinghua-and-ant-group-researchers-unveil-a-five-layer-lifecycle-oriented-security-framework-to-mitigate-autonomous-llm-agent-vulnerabilities-in-openclaw\/image-352\/\" data-orig-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-19.png\" data-orig-size=\"1380,230\" data-comments-opened=\"1\" data-image-meta='{\"aperture\":\"0\",\"credit\":\"\",\"camera\":\"\",\"caption\":\"\",\"created_timestamp\":\"0\",\"copyright\":\"\",\"focal_length\":\"0\",\"iso\":\"0\",\"shutter_speed\":\"0\",\"title\":\"\",\"orientation\":\"0\"}' data-image-title=\"image\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-19-300x50.png\" data-large-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-19-1024x171.png\" src=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-19.png\" alt=\"\" class=\"wp-image-78445\" \/><figcaption class=\"wp-element-caption\">Figure 5: Attacker-Designed Webpage Embedding Malicious Commands Masquerading as Benign 
Content<br \/><\/figcaption><\/figure>\n<\/div>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1380\" height=\"328\" data-attachment-id=\"78457\" data-permalink=\"https:\/\/www.marktechpost.com\/2026\/03\/18\/tsinghua-and-ant-group-researchers-unveil-a-five-layer-lifecycle-oriented-security-framework-to-mitigate-autonomous-llm-agent-vulnerabilities-in-openclaw\/image-364\/\" data-orig-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-31.png\" data-orig-size=\"1380,328\" data-comments-opened=\"1\" data-image-meta='{\"aperture\":\"0\",\"credit\":\"\",\"camera\":\"\",\"caption\":\"\",\"created_timestamp\":\"0\",\"copyright\":\"\",\"focal_length\":\"0\",\"iso\":\"0\",\"shutter_speed\":\"0\",\"title\":\"\",\"orientation\":\"0\"}' data-image-title=\"image\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-31-300x71.png\" data-large-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-31-1024x243.png\" src=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-31.png\" alt=\"\" class=\"wp-image-78457\" \/><figcaption class=\"wp-element-caption\">Figure 6: Compromised \u201cLobster\u201d Executes Embedded Commands When Accessing Webpage \u2014 Generates Attacker-Controlled Content Instead of Fulfilling User Requests<\/figcaption><\/figure>\n<\/div>\n<h4 class=\"wp-block-heading\"><strong>3. 
Memory Poisoning (Inference Stage)<\/strong><\/h4>\n<p>Because OpenClaw maintains a persistent state, it is vulnerable to long-term behavioral manipulation.<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Mechanism:<\/strong> An attacker uses a transient injection to modify the agent\u2019s MEMORY.md file.<\/li>\n<li><strong>The Attack:<\/strong> A fabricated rule was added instructing the agent to refuse any query containing the term \u2018C++\u2019.<\/li>\n<li><strong>Impact:<\/strong> This \u2018poison\u2019 persisted across sessions; subsequent benign requests for C++ programming were rejected by the agent, even after the initial attack interaction had ended.<\/li>\n<\/ul>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1380\" height=\"550\" data-attachment-id=\"78447\" data-permalink=\"https:\/\/www.marktechpost.com\/2026\/03\/18\/tsinghua-and-ant-group-researchers-unveil-a-five-layer-lifecycle-oriented-security-framework-to-mitigate-autonomous-llm-agent-vulnerabilities-in-openclaw\/image-354\/\" data-orig-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-21.png\" data-orig-size=\"1380,550\" data-comments-opened=\"1\" data-image-meta='{\"aperture\":\"0\",\"credit\":\"\",\"camera\":\"\",\"caption\":\"\",\"created_timestamp\":\"0\",\"copyright\":\"\",\"focal_length\":\"0\",\"iso\":\"0\",\"shutter_speed\":\"0\",\"title\":\"\",\"orientation\":\"0\"}' data-image-title=\"image\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-21-300x120.png\" data-large-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-21-1024x408.png\" src=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-21.png\" alt=\"\" class=\"wp-image-78447\" \/><figcaption 
class=\"wp-element-caption\">Figure 7: Attacker Appends Forged Rules to Compromised \u201cLobster\u201d\u2019s Persistent Memory \u2014 Converts Transient Attack Inputs into Long-Term Behavioral Control<\/figcaption><\/figure>\n<\/div>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1380\" height=\"353\" data-attachment-id=\"78459\" data-permalink=\"https:\/\/www.marktechpost.com\/2026\/03\/18\/tsinghua-and-ant-group-researchers-unveil-a-five-layer-lifecycle-oriented-security-framework-to-mitigate-autonomous-llm-agent-vulnerabilities-in-openclaw\/image-366\/\" data-orig-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-33.png\" data-orig-size=\"1380,353\" data-comments-opened=\"1\" data-image-meta='{\"aperture\":\"0\",\"credit\":\"\",\"camera\":\"\",\"caption\":\"\",\"created_timestamp\":\"0\",\"copyright\":\"\",\"focal_length\":\"0\",\"iso\":\"0\",\"shutter_speed\":\"0\",\"title\":\"\",\"orientation\":\"0\"}' data-image-title=\"image\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-33-300x77.png\" data-large-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-33-1024x262.png\" src=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-33.png\" alt=\"\" class=\"wp-image-78459\" \/><figcaption class=\"wp-element-caption\">Figure 8: Compromised \u201cLobster\u201d Rejects Benign C++ Programming Requests After Malicious Rule Storage \u2014 Adheres to Attacker-Defined Behaviors Overriding User Intent<\/figcaption><\/figure>\n<\/div>\n<h4 class=\"wp-block-heading\"><strong>4. 
Intent Drift (Decision Stage)<\/strong><\/h4>\n<p>Intent drift occurs when a sequence of locally justifiable tool calls leads to a globally destructive outcome.<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>The Scenario:<\/strong> A user issued a diagnostic request to eliminate a \u2018suspicious crawler IP\u2019.<\/li>\n<li><strong>The Escalation:<\/strong> The agent autonomously identified IP connections and attempted to modify the system firewall via iptables.<\/li>\n<li><strong>System Failure:<\/strong> After several failed attempts to modify configuration files outside its workspace, the agent terminated the running process to attempt a manual restart. This rendered the WebUI inaccessible and resulted in a complete system outage.<\/li>\n<\/ul>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1380\" height=\"860\" data-attachment-id=\"78451\" data-permalink=\"https:\/\/www.marktechpost.com\/2026\/03\/18\/tsinghua-and-ant-group-researchers-unveil-a-five-layer-lifecycle-oriented-security-framework-to-mitigate-autonomous-llm-agent-vulnerabilities-in-openclaw\/image-358\/\" data-orig-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-25.png\" data-orig-size=\"1380,860\" data-comments-opened=\"1\" data-image-meta='{\"aperture\":\"0\",\"credit\":\"\",\"camera\":\"\",\"caption\":\"\",\"created_timestamp\":\"0\",\"copyright\":\"\",\"focal_length\":\"0\",\"iso\":\"0\",\"shutter_speed\":\"0\",\"title\":\"\",\"orientation\":\"0\"}' data-image-title=\"image\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-25-300x187.png\" data-large-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-25-1024x638.png\" src=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-25.png\" alt=\"\" class=\"wp-image-78451\" \/><figcaption 
class=\"wp-element-caption\">Figure\u00a09:\u00a0Compromised\u00a0\u201cLobster\u201d\u00a0Deviates\u00a0from\u00a0Crawler\u00a0IP\u00a0Resolution\u00a0Task\u00a0Upon\u00a0User\u00a0Command\u00a0\u2014\u00a0Executes\u00a0Self-Termination\u00a0Protocol\u00a0Overriding\u00a0Operational\u00a0Objectives<\/figcaption><\/figure>\n<\/div>\n<h4 class=\"wp-block-heading\"><strong>5. High-Risk Command Execution (Execution Stage)<\/strong><\/h4>\n<p>This represents the final realization of an attack where earlier compromises propagate into concrete system impact.<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>The Attack:<\/strong> An attacker decomposed a <strong>Fork Bomb<\/strong> attack into four individually benign file-write steps to bypass static filters.<\/li>\n<li><strong>Mechanism:<\/strong> Using Base64 encoding and sed to strip junk characters, the attacker assembled a latent execution chain in trigger.sh.<\/li>\n<li><strong>Impact:<\/strong> Once triggered, the script caused a sharp CPU utilization surge to near 100% saturation, effectively launching a denial-of-service attack against the host infrastructure.<\/li>\n<\/ul>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1380\" height=\"765\" data-attachment-id=\"78449\" data-permalink=\"https:\/\/www.marktechpost.com\/2026\/03\/18\/tsinghua-and-ant-group-researchers-unveil-a-five-layer-lifecycle-oriented-security-framework-to-mitigate-autonomous-llm-agent-vulnerabilities-in-openclaw\/image-356\/\" data-orig-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-23.png\" data-orig-size=\"1380,765\" data-comments-opened=\"1\" data-image-meta='{\"aperture\":\"0\",\"credit\":\"\",\"camera\":\"\",\"caption\":\"\",\"created_timestamp\":\"0\",\"copyright\":\"\",\"focal_length\":\"0\",\"iso\":\"0\",\"shutter_speed\":\"0\",\"title\":\"\",\"orientation\":\"0\"}' data-image-title=\"image\" data-image-description=\"\" 
data-image-caption=\"\" data-medium-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-23-300x166.png\" data-large-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-23-1024x568.png\" src=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-23.png\" alt=\"\" class=\"wp-image-78449\" \/><figcaption class=\"wp-element-caption\">Figure\u00a010:\u00a0Attacker\u00a0Initiates\u00a0Sequential\u00a0Command\u00a0Injection\u00a0Through\u00a0File\u00a0Write\u00a0Operations\u00a0\u2014\u00a0Establishes\u00a0Covert\u00a0Execution\u00a0Foothold\u00a0in\u00a0System\u00a0Scheduler<\/figcaption><\/figure>\n<\/div>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1380\" height=\"545\" data-attachment-id=\"78446\" data-permalink=\"https:\/\/www.marktechpost.com\/2026\/03\/18\/tsinghua-and-ant-group-researchers-unveil-a-five-layer-lifecycle-oriented-security-framework-to-mitigate-autonomous-llm-agent-vulnerabilities-in-openclaw\/image-353\/\" data-orig-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-20.png\" data-orig-size=\"1380,545\" data-comments-opened=\"1\" data-image-meta='{\"aperture\":\"0\",\"credit\":\"\",\"camera\":\"\",\"caption\":\"\",\"created_timestamp\":\"0\",\"copyright\":\"\",\"focal_length\":\"0\",\"iso\":\"0\",\"shutter_speed\":\"0\",\"title\":\"\",\"orientation\":\"0\"}' data-image-title=\"image\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-20-300x118.png\" data-large-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-20-1024x404.png\" src=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-20.png\" alt=\"\" class=\"wp-image-78446\" \/><figcaption 
class=\"wp-element-caption\">Figure\u00a011:\u00a0Attacker\u00a0Triggers\u00a0Compromised\u00a0\u201cLobster\u201d\u00a0to\u00a0Execute\u00a0Malicious\u00a0Payload\u00a0\u2014\u00a0Induces\u00a0System\u00a0Paralysis\u00a0Leading\u00a0to\u00a0Critical\u00a0Infrastructure\u00a0Implosion<\/figcaption><\/figure>\n<\/div>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1380\" height=\"563\" data-attachment-id=\"78444\" data-permalink=\"https:\/\/www.marktechpost.com\/2026\/03\/18\/tsinghua-and-ant-group-researchers-unveil-a-five-layer-lifecycle-oriented-security-framework-to-mitigate-autonomous-llm-agent-vulnerabilities-in-openclaw\/image-351\/\" data-orig-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-18.png\" data-orig-size=\"1380,563\" data-comments-opened=\"1\" data-image-meta='{\"aperture\":\"0\",\"credit\":\"\",\"camera\":\"\",\"caption\":\"\",\"created_timestamp\":\"0\",\"copyright\":\"\",\"focal_length\":\"0\",\"iso\":\"0\",\"shutter_speed\":\"0\",\"title\":\"\",\"orientation\":\"0\"}' data-image-title=\"image\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-18-300x122.png\" data-large-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-18-1024x418.png\" src=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-18.png\" alt=\"\" class=\"wp-image-78444\" \/><figcaption class=\"wp-element-caption\">Figure\u00a012:\u00a0Compromised\u00a0\u201cLobster\u201d\u00a0Triggers\u00a0Host\u00a0Server\u00a0Resource\u00a0Exhaustion\u00a0Surge\u00a0\u2014\u00a0Implements\u00a0Stealthy\u00a0Denial-of-Service\u00a0Siege\u00a0Against\u00a0Critical\u00a0Computing\u00a0Backbone<\/figcaption><\/figure>\n<\/div>\n<h3 class=\"wp-block-heading\"><strong>The Five-Layer Defense Architecture<\/strong><\/h3>\n<p>The research team evaluated 
current defenses as <a href=\"https:\/\/pxllnk.co\/5mui2tl\" target=\"_blank\" rel=\"noreferrer noopener\">\u2018fragmented\u2019 point solutions and proposed a holistic, lifecycle-aware architecture<\/a>.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"1143\" data-attachment-id=\"78452\" data-permalink=\"https:\/\/www.marktechpost.com\/2026\/03\/18\/tsinghua-and-ant-group-researchers-unveil-a-five-layer-lifecycle-oriented-security-framework-to-mitigate-autonomous-llm-agent-vulnerabilities-in-openclaw\/image-359\/\" data-orig-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-26.png\" data-orig-size=\"1600,1143\" data-comments-opened=\"1\" data-image-meta='{\"aperture\":\"0\",\"credit\":\"\",\"camera\":\"\",\"caption\":\"\",\"created_timestamp\":\"0\",\"copyright\":\"\",\"focal_length\":\"0\",\"iso\":\"0\",\"shutter_speed\":\"0\",\"title\":\"\",\"orientation\":\"0\"}' data-image-title=\"image\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-26-300x214.png\" data-large-file=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-26-1024x732.png\" src=\"https:\/\/www.marktechpost.com\/wp-content\/uploads\/2026\/03\/image-26.png\" alt=\"\" class=\"wp-image-78452\" \/><\/figure>\n<\/div>\n<h4 class=\"wp-block-heading\"><strong>(1) Foundational Base Layer:<\/strong><\/h4>\n<p>Establishes a verifiable root of trust during the startup phase. It utilizes <strong>Static\/Dynamic Analysis (ASTs)<\/strong> to detect unauthorized code and <strong>Cryptographic Signatures (SBOMs)<\/strong> to verify skill provenance.<\/p>\n<h4 class=\"wp-block-heading\"><strong>(2) Input Perception Layer:<\/strong><\/h4>\n<p>Acts as a gateway to prevent external data from hijacking the agent\u2019s control flow. 
It enforces an <strong>Instruction Hierarchy<\/strong> via cryptographic token tagging to prioritize developer prompts over untrusted external content.<\/p>\n<h4 class=\"wp-block-heading\"><strong>(3) Cognitive State Layer:<\/strong><\/h4>\n<p>Protects internal memory and reasoning from corruption. It employs <strong>Merkle-tree Structures<\/strong> for state snapshotting and rollbacks, alongside <strong>Cross-encoders<\/strong> to measure semantic distance and detect context drift.<\/p>\n<h4 class=\"wp-block-heading\"><strong>(4) Decision Alignment Layer:<\/strong><\/h4>\n<p>Ensures synthesized plans align with user objectives before any action is taken. It includes <strong>Formal Verification<\/strong> using symbolic solvers to prove that proposed sequences do not violate safety invariants.<\/p>\n<h4 class=\"wp-block-heading\"><strong>(5) Execution Control Layer:<\/strong><\/h4>\n<p>Serves as the final enforcement boundary using an \u2018assume breach\u2019 paradigm. It provides isolation through <strong>Kernel-Level Sandboxing<\/strong> utilizing <strong>eBPF<\/strong> and <strong>seccomp<\/strong> to intercept unauthorized system calls at the OS level.<\/p>\n<h3 class=\"wp-block-heading\"><strong>Key Takeaways<\/strong><\/h3>\n<ul class=\"wp-block-list\">\n<li><strong>Autonomous agents expand the attack surface through high-privilege execution and persistent memory.<\/strong> Unlike stateless LLM applications, agents like OpenClaw rely on cross-system integration and long-term memory to execute complex, long-horizon tasks. This proactive nature introduces unique multi-stage systemic risks that span the entire operational lifecycle, from initialization to execution.<\/li>\n<li><strong>Skill ecosystems face significant supply chain risks.<\/strong> Approximately <strong>26% of community-contributed tools<\/strong> in agent skill ecosystems contain security vulnerabilities. 
Attackers can use \u2018skill poisoning\u2019 to inject malicious tools that appear legitimate but contain hidden priority overrides, allowing them to silently hijack user requests and produce attacker-controlled outputs.<\/li>\n<li><strong>Memory is a persistent and dangerous attack vector.<\/strong> Persistent memory allows transient adversarial inputs to be transformed into long-term behavioral control. Through memory poisoning, an attacker can implant fabricated policy rules into an agent\u2019s memory (e.g., MEMORY.md), causing the agent to persistently reject benign requests even after the initial attack session has ended.<\/li>\n<li><strong>Ambiguous instructions lead to destructive \u2018Intent Drift.\u2019<\/strong> Even without explicit malicious manipulation, agents can experience intent drift, where a sequence of locally justifiable tool calls leads to globally destructive outcomes. In documented cases, basic diagnostic security requests escalated into unauthorized firewall modifications and service terminations that rendered the entire system inaccessible.<\/li>\n<li><strong>Effective protection requires a lifecycle-aware, defense-in-depth architecture.<\/strong> Existing point-based defenses\u2014such as simple input filters\u2014are insufficient against cross-temporal, multi-stage attacks. 
A robust defense must be integrated across all five layers of the agent lifecycle: <strong>Foundational Base<\/strong> (plugin vetting), <strong>Input Perception<\/strong> (instruction hierarchy), <strong>Cognitive State<\/strong> (memory integrity), <strong>Decision Alignment<\/strong> (plan verification), and <strong>Execution Control<\/strong> (kernel-level sandboxing via eBPF).<\/li>\n<\/ul>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n<p>Check out <strong><a href=\"https:\/\/pxllnk.co\/5mui2tl\" target=\"_blank\" rel=\"noreferrer noopener\">Paper<\/a>.<\/strong><\/p>\n\n<p><em><sub>Note: This article is supported and provided by Ant Research<\/sub><\/em><\/p>\n<p>The post <a href=\"https:\/\/www.marktechpost.com\/2026\/03\/18\/tsinghua-and-ant-group-researchers-unveil-a-five-layer-lifecycle-oriented-security-framework-to-mitigate-autonomous-llm-agent-vulnerabilities-in-openclaw\/\">Tsinghua and Ant Group Researchers Unveil a Five-Layer Lifecycle-Oriented Security Framework to Mitigate Autonomous LLM Agent Vulnerabilities in OpenClaw<\/a> appeared first on <a href=\"https:\/\/www.marktechpost.com\/\">MarkTechPost<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Autonomous LLM agents like Ope&hellip;<\/p>\n","protected":false},"author":1,"featured_media":582,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-581","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/connectword.dpdns.org\/index.php?rest_route=\/wp\/v2\/posts\/581","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/connectword.dpdns.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/connectword.dpdns.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/connectword.dpdns.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/connectword.dpdns.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=581"}],"version-history":[{"count":0,"href":"https:\/\/connectword.dpdns.org\/index.php?rest_route=\/wp\/v2\/posts\/581\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/connectword.dpdns.org\/index.php?rest_route=\/wp\/v2\/media
\/582"}],"wp:attachment":[{"href":"https:\/\/connectword.dpdns.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=581"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/connectword.dpdns.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=581"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/connectword.dpdns.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=581"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}