Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

When Convenience Becomes Risk: A Semantic View of Under-Specification in Host-Acting Agents

Di Lu, Yongzhi Liao, Xutong Mu, Lele Zheng, Ke Cheng, Xuewen Dong, Yulong Shen, Jianfeng Ma

Abstract

Host-acting agents promise a convenient interaction model in which users specify goals and the system determines how to realize them. We argue that this convenience introduces a distinct security problem: semantic under-specification in goal specification. User instructions are typically goal-oriented, yet they often leave process constraints, safety boundaries, persistence, and exposure insufficiently specified. As a result, the agent must complete missing execution semantics before acting, and this completion can produce risky host-side plans even when the user-stated goal is benign. In this paper, we develop a semantic threat model, present a taxonomy of semantic-induced risky completion patterns, and study the phenomenon through an OpenClaw-centered case study and execution-trace analysis. We further derive defense design principles for making execution boundaries explicit and constraining risky completion. These findings suggest that securing host-acting agents requires governing not only which actions are allowed at execution time, but also how goal-only instructions are translated into executable plans.

When Convenience Becomes Risk: A Semantic View of Under-Specification in Host-Acting Agents

Abstract

Host-acting agents promise a convenient interaction model in which users specify goals and the system determines how to realize them. We argue that this convenience introduces a distinct security problem: semantic under-specification in goal specification. User instructions are typically goal-oriented, yet they often leave process constraints, safety boundaries, persistence, and exposure insufficiently specified. As a result, the agent must complete missing execution semantics before acting, and this completion can produce risky host-side plans even when the user-stated goal is benign. In this paper, we develop a semantic threat model, present a taxonomy of semantic-induced risky completion patterns, and study the phenomenon through an OpenClaw-centered case study and execution-trace analysis. We further derive defense design principles for making execution boundaries explicit and constraining risky completion. These findings suggest that securing host-acting agents requires governing not only which actions are allowed at execution time, but also how goal-only instructions are translated into executable plans.
Paper Structure (20 sections, 3 figures, 2 tables)

This paper contains 20 sections, 3 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Background and Motivation
  3. Semantic Threat Model
  4. Scope and Assumptions
  5. Core Concepts
  6. Threat Statement
  7. Taxonomy of Semantic-Induced Risks in HAAs
  8. Case Study and Qualitative Analysis
  9. Study Setup
  10. Scenario A: Environment Setup
  11. Scenario B: Service Exposure
  12. Scenario C: Fault Repair
  13. Synthesis
  14. Defense Design and Feasibility Discussion
  15. Design Principles
  16. ...and 5 more sections

Figures (3)

  • Figure 1: OpenClaw experimental deployment boundary. Most actions execute inside a Debian/Bookworm container, but security-relevant effects persist through mounted state/workspace directories and published gateway ports.
  • Figure 2: Semantic under-specification pipeline. Missing boundary information expands the candidate plan space and allows security-divergent plans to emerge before execution.
  • Figure 3: Trace summary from the OpenClaw case study. More explicit locality cues narrow repair/setup plans, but exposure-oriented goals still push completion toward broader deployment and access distribution.