Paper: https://arxiv.org/abs/2604.04759
This OpenClaw paper is one of the clearest signals so far that agent risk is architectural, not just model quality.
A few results stood out:
- poisoning Capability / Identity / Knowledge pushes attack success from ~24.6% to ~64–74%
- even the strongest model still jumps to more than 3x its baseline vulnerability
- the strongest defense still leaves Capability-targeted attacks at ~63.8%
- file protection blocks ~97% of attacks… but also blocks legitimate updates at almost the same rate
The key point for me is not just that agents can be poisoned.
It’s that execution is still reachable after state is compromised.
That’s where current defenses feel incomplete:
- prompts shape behavior
- monitoring tells you what happened
- file protection freezes the system
But none of these define a hard boundary for whether an action can execute.
This paper basically shows:
if compromised state can still reach execution,
attacks remain viable.
Feels like the missing layer is:
proposal -> authorization -> execution
with a deterministic decision:
(intent, state, policy) -> ALLOW / DENY
and if there’s no valid authorization:
no execution path at all.
Curious how others read this paper.
Do you see this mainly as:
a memory/state poisoning problem
a capability isolation problem
or evidence that agents need an execution-time authorization layer?
[link] [comments]
