Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

ClawTrap: A MITM-Based Red-Teaming Framework for Real-World OpenClaw Security Evaluation

Haochen Zhao, Shaoyang Cui

Abstract

Autonomous web agents such as \textbf{OpenClaw} are rapidly moving into high-impact real-world workflows, but their security robustness under live network threats remains insufficiently evaluated. Existing benchmarks mainly focus on static sandbox settings and content-level prompt attacks, which leaves a practical gap for network-layer security testing. In this paper, we present \textbf{ClawTrap}, a \textbf{MITM-based red-teaming framework for real-world OpenClaw security evaluation}. ClawTrap supports diverse and customizable attack forms, including \textit{Static HTML Replacement}, \textit{Iframe Popup Injection}, and \textit{Dynamic Content Modification}, and provides a reproducible pipeline for rule-driven interception, transformation, and auditing. This design lays the foundation for future research to construct richer, customizable MITM attacks and to perform systematic security testing across agent frameworks and model backbones. Our empirical study shows clear model stratification: weaker models are more likely to trust tampered observations and produce unsafe outputs, while stronger models demonstrate better anomaly attribution and safer fallback strategies. These findings indicate that reliable OpenClaw security evaluation should explicitly incorporate dynamic real-world MITM conditions rather than relying only on static sandbox protocols.

ClawTrap: A MITM-Based Red-Teaming Framework for Real-World OpenClaw Security Evaluation

Abstract

Autonomous web agents such as \textbf{OpenClaw} are rapidly moving into high-impact real-world workflows, but their security robustness under live network threats remains insufficiently evaluated. Existing benchmarks mainly focus on static sandbox settings and content-level prompt attacks, which leaves a practical gap for network-layer security testing. In this paper, we present \textbf{ClawTrap}, a \textbf{MITM-based red-teaming framework for real-world OpenClaw security evaluation}. ClawTrap supports diverse and customizable attack forms, including \textit{Static HTML Replacement}, \textit{Iframe Popup Injection}, and \textit{Dynamic Content Modification}, and provides a reproducible pipeline for rule-driven interception, transformation, and auditing. This design lays the foundation for future research to construct richer, customizable MITM attacks and to perform systematic security testing across agent frameworks and model backbones. Our empirical study shows clear model stratification: weaker models are more likely to trust tampered observations and produce unsafe outputs, while stronger models demonstrate better anomaly attribution and safer fallback strategies. These findings indicate that reliable OpenClaw security evaluation should explicitly incorporate dynamic real-world MITM conditions rather than relying only on static sandbox protocols.
Paper Structure (15 sections, 5 figures)

This paper contains 15 sections, 5 figures.

Table of Contents

  1. Introduction
  2. Related Work
  3. Benchmarking Agent Security and Tool-Use Robustness
  4. Security Evaluation of Real-World Web Agents
  5. MITM-Centric Auditing and the Remaining Gap
  6. ClawTrap
  7. Pipeline
  8. MITM Attack-Mode Taxonomy in ClawTrap
  9. Experiments
  10. Dynamic MITM Attack Setup in Real-World Browsing
  11. HTML Replacement: Fabricated News Injection
  12. Iframe Injection: Real Page + Fake Warning Injection
  13. Conclusion
  14. Future Work
  15. Ethical Considerations

Figures (5)

  • Figure 1: The pipeline of ClawTrap MITM attack framework.
  • Figure 2: The ClawTrap MITM attack-mode taxonomy: attack forms are categorized as Static HTML Replacement, Iframe Popup Injection, and Dynamic Content Modification.
  • Figure 3: Two dynamic MITM browsing attacks in ClawTrap. Both operate on live traffic, but manipulate different perception layers: full-page content replacement (A) and warning-layer deception on a real page (B).
  • Figure 4: Model behavior under Attack A. Smaller models tend to summarize poisoned content, while stronger models show higher anomaly awareness.
  • Figure 5: Model behavior comparison under Attack B (real page with injected fake warning).