Abstract:Autonomous Large Language Model (LLM) agents, exemplified by OpenClaw, demonstrate remarkable capabilities in executing complex, long-horizon tasks. However, their tightly coupled instant-messaging interaction paradigm and high-privilege execution capabilities substantially expand the system attack surface. In this paper, we present a comprehensive security threat analysis of OpenClaw. To structure our analysis, we introduce a five-layer lifecycle-oriented security framework that captures key stages of agent operation, i.e., initialization, input, inference, decision, and execution, and systematically examine compound threats across the agent's operational lifecycle, including indirect prompt injection, skill supply chain contamination, memory poisoning, and intent drift. Through detailed case studies on OpenClaw, we demonstrate the prevalence and severity of these threats and analyze the limitations of existing defenses. Our findings reveal critical weaknesses in current point-based defense mechanisms when addressing cross-temporal and multi-stage systemic risks, highlighting the need for holistic security architectures for autonomous LLM agents. Within this framework, we further examine representative defense strategies at each lifecycle stage, including plugin vetting frameworks, context-aware instruction filtering, memory integrity validation protocols, intent verification mechanisms, and capability enforcement architectures.
Abstract:Large language model (LLM) agents are rapidly becoming trusted copilots in high-stakes domains like software development and healthcare. However, this deepening trust introduces a novel attack surface: Agent-Mediated Deception (AMD), where compromised agents are weaponized against their human users. While extensive research focuses on agent-centric threats, human susceptibility to deception by a compromised agent remains unexplored. We present the first large-scale empirical study with 303 participants to measure human susceptibility to AMD. This is based on HAT-Lab (Human-Agent Trust Laboratory), a high-fidelity research platform we develop, featuring nine carefully crafted scenarios spanning everyday and professional domains (e.g., healthcare, software development, human resources). Our 10 key findings reveal significant vulnerabilities and provide future defense perspectives. Specifically, only 8.6% of participants perceive AMD attacks, while domain experts show increased susceptibility in certain scenarios. We identify six cognitive failure modes in users and find that their risk awareness often fails to translate to protective behavior. The defense analysis reveals that effective warnings should interrupt workflows with low verification costs. With experiential learning based on HAT-Lab, over 90% of users who perceive risks report increased caution against AMD. This work provides empirical evidence and a platform for human-centric agent security research.
Abstract:Agent hijacking, highlighted by OWASP as a critical threat to the Large Language Model (LLM) ecosystem, enables adversaries to manipulate execution by injecting malicious instructions into retrieved content. Most existing attacks rely on manually crafted, semantics-driven prompt manipulation, which often yields low attack success rates and limited transferability to closed-source commercial models. In this paper, we propose Phantom, an automated agent hijacking framework built upon Structured Template Injection that targets the fundamental architectural mechanisms of LLM agents. Our key insight is that agents rely on specific chat template tokens to separate system, user, assistant, and tool instructions. By injecting optimized structured templates into the retrieved context, we induce role confusion and cause the agent to misinterpret the injected content as legitimate user instructions or prior tool outputs. To enhance attack transferability against black-box agents, Phantom introduces a novel attack template search framework. We first perform multi-level template augmentation to increase structural diversity and then train a Template Autoencoder (TAE) to embed discrete templates into a continuous, searchable latent space. Subsequently, we apply Bayesian optimization to efficiently identify optimal adversarial vectors that are decoded into high-potency structured templates. Extensive experiments on Qwen, GPT, and Gemini demonstrate that our framework significantly outperforms existing baselines in both Attack Success Rate (ASR) and query efficiency. Moreover, we identified over 70 vulnerabilities in real-world commercial products that have been confirmed by vendors, underscoring the practical severity of structured template-based hijacking and providing an empirical foundation for securing next-generation agentic systems.




Abstract:Programmable wireless environments (PWEs) have emerged as a key paradigm for next-generation communication networks, aiming to transform wireless propagation from an uncontrollable phenomenon into a reconfigurable process that can adapt to diverse service requirements. In this framework, pinching-antenna systems (PASs) have recently been proposed as a promising enabling technology, as they allow the radiation location and effective propagation distance to be adjusted by selectively exciting radiating points along a dielectric waveguide. However, most existing studies on PASs rely on the idealized assumption that pinching-antenna (PA) positions can be continuously adjusted along the waveguide, while realistically only a finite set of pinching locations is available. Motivated by this, this paper analyzes the performance of two-state PASs, where the PA positions are fixed and only their activation state can be controlled. By explicitly accounting for the spatial discreteness of the available pinching points, closed-form analytical expressions for the outage probability and the ergodic achievable data rate are derived. In addition, we introduce the pinching discretization efficiency to quantify the performance gap between discrete and continuous pinching configurations, enabling a direct assessment of the number of PAs required to approximate the ideal continuous case. Finally, numerical results validate the analytical framework and show that near-continuous performance can be achieved with a limited number of PAs, offering useful insights for the design and deployment of PASs in PWEs.




Abstract:Recently, the pinching-antenna system (PASS) has emerged as a promising architecture owing to its ability to reconfigure large-scale path loss and signal phase by activating radiation points along a dielectric waveguide. However, existing studies mainly focus on line-shaped PASS architectures, whose limited spatial flexibility constrains their applicability in multiuser and indoor scenarios. In this paper, we propose a novel two-dimensional (2D) pinching-antenna system (2D-PASS) that extends the conventional line-shaped structure into a continuous dielectric waveguide plane, thereby forming a reconfigurable radiating plane capable of dynamic beam adaptation across a 2D spatial domain. An optimization framework is developed to maximize the minimum received signal-to-noise ratio (SNR) among user equipments (UEs) by adaptively adjusting the spatial configuration of pinching antennas (PAs), serving as an analog beamforming mechanism for dynamic spatial control. For the continuous-position scenario, a particle swarm optimization (PSO)-based algorithm is proposed to efficiently explore the nonconvex search space, while a discrete variant is introduced to accommodate practical hardware constraints with limited PA placement resolution. Simulation results demonstrate that the proposed 2D-PASS substantially improves the minimum SNR compared with conventional line-shaped PASS and fixed-position antenna (FPA) benchmarks, while maintaining robustness under varying user distributions and distances.
Abstract:In this paper, a novel pinching-antenna assisted index modulation (PA-IM) scheme is proposed for improving the spectral efficiency without increasing the hardware complexity, where the information bits are conveyed not only by the conventional M-ary quadrature amplitude modulation (QAM) symbols but also by the indices of pinching antenna (PA) position patterns. To realize the full potential of this scheme, this paper focuses on the comprehensive transceiver design, addressing key challenges in signal detection at the receiver and performance optimization at the transmitter. First, a comprehensive channel model is formulated for this architecture, which sophisticatedly integrates the deterministic in-waveguide propagation effects with the stochastic nature of wireless channels, including both large-scale path loss and small-scale fading. Next, to overcome the prohibitive complexity of optimal maximum likelihood (ML) detection, a low-complexity box-optimized sphere decoding (BOSD) algorithm is designed, which adaptively prunes the search space whilst preserving optimal ML performance. Furthermore, an analytical upper bound on the bit error rate (BER) is derived and validated by the simulations. Moreover, a new transmit precoding method is designed using manifold optimization, which minimizes the BER by jointly optimizing the complex-valued precoding coefficients across the waveguides for the sake of maximizing the minimum Euclidean distance of all received signal points. Finally, the simulation results demonstrate that the proposed PA-IM scheme attains a significant performance gain over its conventional counterparts and that the overall BER of the pinching-antenna system is substantially improved by the proposed precoding design.




Abstract:With the rapid development of aerial infrastructure, unmanned aerial vehicles (UAVs) that function as aerial base stations (ABSs) extend terrestrial network services into the sky, enabling on-demand connectivity and enhancing emergency communication capabilities in cellular networks by leveraging the flexibility and mobility of UAVs. In such a UAV-assisted network, this paper investigates position-based beamforming between ABSs and ground users (GUs). To mitigate inter-cell interference, we propose a novel fluid aerial network that leverages ABS rotation to increase multi-cell capacity and overall network efficiency. Specifically, considering the line-of-sight channel model, the spatial beamforming weights are determined by the orientation angles of the GUs. In this direction, we examine the beamforming gain of a two-dimensional multiple-input multiple-output (MIMO) array at various ground positions, revealing that ABS rotation significantly affects multi-user channel correlation and inter-cell interference. Based on these findings, we propose an alternative low-complexity algorithm to design the optimal rotation angle for ABSs, aiming to reduce inter-cell interference and thus maximize the sum rate of multi-cell systems. In simulations, exhaustive search serves as a benchmark to validate the optimization performance of the proposed sequential ABS rotation scheme. Moreover, simulation results demonstrate that, in interference-limited regions, the proposed ABS rotation paradigm can significantly reduce inter-cell interference in terrestrial networks and improve the multi-cell sum rate by approximately 10% compared to fixed-direction ABSs without rotation.
Abstract:Cognitive radio rate-splitting multiple access (CR-RSMA) has emerged as a promising multiple access framework that can efficiently manage interference and adapt dynamically to heterogeneous quality-of-service (QoS) requirements. To effectively support such demanding access schemes, programmable wireless environments have attracted considerable attention, especially through simultaneously transmitting and reflecting reconfigurable intelligent surfaces (STAR-RISs), which can enable full-space control of signal propagation in asymmetric user deployments. In this paper, we propose the cognitive radio (CR) functionality for STAR-RIS-assisted CR-RSMA systems, leveraging the unique capability of the STAR-RIS to combine element and power splitting for adaptive control of transmission and reflection in CR scenarios. Specifically, the proposed CR functionality partitions the STAR-RIS into two regions independently controlling the transmission and reflection of signals, simultaneously ensuring the required QoS for the primary user and enhancing the performance of the secondary user. To accurately characterize the system performance, we derive analytical expressions for the ergodic rate of the secondary user and the outage rate of the primary user under Nakagami-m fading. Finally, simulation results show that the proposed approach effectively manages interference, guarantees the QoS of the primary user, and significantly improves the throughput of the secondary user, highlighting STAR-RIS as an efficient solution for CR-RSMA-based services.




Abstract:In the global navigation satellite system (GNSS), identifying not only single but also compound jamming signals is crucial for ensuring reliable navigation and positioning, particularly in future wireless communication scenarios such as the space-air-ground integrated network (SAGIN). However, conventional techniques often struggle with low recognition accuracy and high computational complexity, especially under low jamming-to-noise ratio (JNR) conditions. To overcome the challenge of accurately identifying compound jamming signals embedded within GNSS signals, we propose ACSNet, a novel convolutional neural network designed specifically for this purpose. Unlike traditional methods that tend to exhibit lower accuracy and higher computational demands, particularly in low JNR environments, ACSNet addresses these issues by integrating asymmetric convolution blocks, which enhance its sensitivity to subtle signal variations. Simulations demonstrate that ACSNet significantly improves accuracy in low JNR regions and shows robust resilience to power ratio (PR) variations, confirming its effectiveness and efficiency for practical GNSS interference management applications.




Abstract:Recent advances in reconfigurable antennas have led to the new concept of the fluid antenna system (FAS) for shape and position flexibility, as another degree of freedom for wireless communication enhancement. This paper explores the integration of a transmit FAS array for hybrid beamforming (HBF) into a reconfigurable intelligent surface (RIS)-assisted communication architecture for multiuser communications in the downlink, corresponding to the downlink RIS-assisted multiuser multiple-input single-output (MISO) FAS model (Tx RIS-assisted-MISO-FAS). By considering Rician channel fading, we formulate a sum-rate maximization optimization problem to alternately optimize the HBF matrix, the RIS phase-shift matrix, and the FAS position. Due to the strong coupling of multiple optimization variables, the multi-fractional summation in the sum-rate expression, the modulus-1 limitation of analog phase shifters and RIS, and the antenna position variables appearing in the exponent, this problem is highly non-convex, which is addressed through the block coordinate descent (BCD) framework in conjunction with semidefinite relaxation (SDR) and majorization-minimization (MM) methods. To reduce the computational complexity, we then propose a low-complexity grating-lobe (GL)-based telescopic-FAS (TFA) with multiple delicately deployed RISs under the sub-connected HBF architecture and the line-of-sight (LoS)-dominant channel condition, to allow closed-form solutions for the HBF and TFA position. Our simulation results illustrate that the former optimization scheme significantly enhances the achievable rate of the proposed system, while the GL-based TFA scheme also provides a considerable gain over conventional fixed-position antenna (FPA) systems, requiring statistical channel state information (CSI) only and with low computational complexity.