Skip to content
Sagan

Paper

Red-Teaming Agent Execution Contexts: Open-World Security Evaluation on OpenClaw

Unreadunread

AI summary

DeepTrap is an automated framework for discovering security vulnerabilities in agent execution contexts—the files, memory, tools, and artifacts an agent operates on, not just the user prompt. It formulates adversarial context manipulation as a trajectory-level optimization problem that balances triggering unsafe behavior, preserving normal task completion, and remaining stealthy. Testing on 42 cases across six vulnerability classes shows that compromised contexts can induce substantial unsafe behavior while the agent still completes user-facing tasks correctly, demonstrating that evaluating only final responses is insufficient.

Main takeaways:

  • Security risks come from the agent's mutable execution context (files it reads, tools it has access to, memory state) not just from adversarial user prompts
  • Compromised contexts can trigger unsafe behavior while preserving apparent task success—the agent looks like it's working correctly from the user's perspective
  • DeepTrap uses reward-guided beam search and reflection-based probing to find high-value context manipulations that are effective, stealthy, and don't break benign functionality
  • Final-response evaluation misses these context-driven attacks; you need execution-centric security evaluation that monitors the agent's entire operational environment