DeepTrap uncovers contextual vulnerabilities in OpenClaw agents

DeepTrap, a new automated red‑teaming framework published on arXiv, targets execution contexts in OpenClaw agent systems and reports attacks that compromise safety without breaking user‑visible task completion. The paper describes DeepTrap's black‑box, trajectory‑level optimization approach and presents a 42‑case benchmark plus code to reproduce experiments.

Rather than manipulating explicit prompts, DeepTrap searches for sequences of context edits - to files, memory, tools or auxiliary artifacts - that maximize realized risk while preserving the original task's utility and remaining stealthy. The framework combines risk‑conditioned evaluation, multi‑objective trajectory scoring, reward‑guided beam search, and reflection‑based deep probing to identify high‑value compromised contexts. The authors used this setup to evaluate nine target models across six vulnerability classes and seven operational scenarios.

Reported outcomes show contextual compromise can induce unsafe behavior while maintaining user‑facing task completion, indicating that final‑response checks alone can miss execution‑level threats. The project includes a 42‑case benchmark and the team's code release on GitHub, allowing other researchers and practitioners to rerun attacks and extend the evaluation to different models or deployments: https://github.com/ZJUICSR/DeepTrap.

The paper's contribution is operational: it supplies a repeatable method and dataset for execution‑centric security testing of agentic systems. Key uncertainties include how well the specific attacks generalize beyond OpenClaw and the unnamed models tested, and whether practical mitigations will emerge quickly. Readers building or operating agents should consider adding execution‑context tests to their red‑team and CI workflows and watch for follow‑on work that benchmarks defenses using the DeepTrap assets.