Saved in:
Bibliographic Details
Main Authors: Wang, Haoyu, Xiao, Zibo, Zhang, Yedi, Poskitt, Christopher M., Sun, Jun
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2603.28807
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866911555701964800
author Wang, Haoyu
Xiao, Zibo
Zhang, Yedi
Poskitt, Christopher M.
Sun, Jun
author_facet Wang, Haoyu
Xiao, Zibo
Zhang, Yedi
Poskitt, Christopher M.
Sun, Jun
contents LLM-based multi-agent systems (MASs) are transforming personal productivity by autonomously executing complex, cross-platform tasks. Frameworks such as OpenClaw demonstrate the potential of locally deployed agents integrated with personal data and services, but this autonomy introduces significant safety and security risks. Unintended actions from LLM reasoning failures can cause irreversible harm, while prompt injection attacks may exfiltrate credentials or compromise the system. Our analysis shows that 36.4% of OpenClaw's built-in skills pose high or critical risks. Existing approaches, including static guardrails and LLM-as-a-Judge, lack reliable real-time enforcement and consistent authority in MAS settings. To address this, we propose SafeClaw-R, a framework that enforces safety as a system-level invariant over the execution graph by ensuring that actions are mediated prior to execution, and systematically augments skills with safe counterparts. We evaluate SafeClaw-R across three representative domains: productivity platforms, third-party skill ecosystems, and code execution environments. SafeClaw-R achieves 95.2% accuracy in Google Workspace scenarios, significantly outperforming regex baselines (61.6%), detects 97.8% of malicious third-party skill patterns, and achieves 100% detection accuracy in our adversarial code execution benchmark. These results demonstrate that SafeClaw-R enables practical runtime enforcement for autonomous MASs.
format Preprint
id arxiv_https___arxiv_org_abs_2603_28807
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle SafeClaw-R: Towards Safe and Secure Multi-Agent Personal Assistants
Wang, Haoyu
Xiao, Zibo
Zhang, Yedi
Poskitt, Christopher M.
Sun, Jun
Cryptography and Security
LLM-based multi-agent systems (MASs) are transforming personal productivity by autonomously executing complex, cross-platform tasks. Frameworks such as OpenClaw demonstrate the potential of locally deployed agents integrated with personal data and services, but this autonomy introduces significant safety and security risks. Unintended actions from LLM reasoning failures can cause irreversible harm, while prompt injection attacks may exfiltrate credentials or compromise the system. Our analysis shows that 36.4% of OpenClaw's built-in skills pose high or critical risks. Existing approaches, including static guardrails and LLM-as-a-Judge, lack reliable real-time enforcement and consistent authority in MAS settings. To address this, we propose SafeClaw-R, a framework that enforces safety as a system-level invariant over the execution graph by ensuring that actions are mediated prior to execution, and systematically augments skills with safe counterparts. We evaluate SafeClaw-R across three representative domains: productivity platforms, third-party skill ecosystems, and code execution environments. SafeClaw-R achieves 95.2% accuracy in Google Workspace scenarios, significantly outperforming regex baselines (61.6%), detects 97.8% of malicious third-party skill patterns, and achieves 100% detection accuracy in our adversarial code execution benchmark. These results demonstrate that SafeClaw-R enables practical runtime enforcement for autonomous MASs.
title SafeClaw-R: Towards Safe and Secure Multi-Agent Personal Assistants
topic Cryptography and Security
url https://arxiv.org/abs/2603.28807