Clawed and Dangerous: Can We Trust Open Agentic Systems?
In recent years, open agentic systems have gained significant traction. They combine large language model (LLM)-based planning with external capabilities (tools), persistent memory, and privileged execution, and are increasingly used in coding assistants, browser copilots, and enterprise automation. As these systems mature, they introduce security challenges that do not map cleanly onto existing software security practice and require careful examination.
The Nature of Open Agentic Systems
Open agentic systems, such as OpenClaw, represent a class of software that operates under a fundamentally different paradigm than traditional applications. Conventional software relies on deterministic execution and well-defined control flow; open agentic systems are probabilistic, because the model that decides what to do next is itself part of the control flow. This uncertainty manifests in several ways:
- Plans are generated dynamically at runtime, making their outcomes less predictable.
- Key decisions may be influenced by untrusted natural-language inputs and tool outputs.
- Execution occurs in uncertain environments, adding layers of complexity to the decision-making process.
- Actions are taken under authority delegated by human users, raising concerns about accountability.
The Security Challenge
The central challenge posed by open agentic systems extends beyond robustness against any individual attack. It is the governance of agentic behavior under persistent uncertainty: since the agent's next action cannot be fully predicted, security must focus less on anticipating every bad plan and more on bounding what a misbehaving agent is permitted to do and on making its behavior observable and reversible.
Systematizing the Area
To address these challenges, recent research has sought to systematize the field through a software engineering lens. A comprehensive review has introduced a six-dimensional analytical taxonomy, synthesizing findings from 50 papers that explore a range of topics including:
- Attacks on open agentic systems
- Benchmark construction for evaluating system performance
- Defensive strategies to mitigate risks
- Audit mechanisms for ensuring accountability
- Adjacent engineering foundations relevant to agentic systems
Key Findings
This synthesis has led to the development of a reference doctrine for secure-by-construction agent platforms. Additionally, an evaluation scorecard has been created to assess the security posture of these platforms. Key findings from this review reveal:
- The literature is relatively mature in terms of attack characterization and benchmark construction.
- There are significant weaknesses in deployment controls and operational governance.
- Persistent-memory integrity remains a critical concern.
- Capability revocation mechanisms are underdeveloped.
Future Directions
These identified gaps highlight a concrete engineering agenda aimed at building agent ecosystems that are governable, auditable, and resilient against potential compromises. As open agentic systems continue to evolve and integrate into various sectors, addressing these challenges will be paramount to ensuring their safe and effective deployment.
In conclusion, while open agentic systems hold great promise for the future of technology, their unique security challenges necessitate a reevaluation of our approach to software governance and risk management. Only through comprehensive research and targeted improvements can we hope to trust these systems in real-world applications.
