The biggest story over the last couple of weeks is ClawdBot—or OpenClaw, as it's now known after Anthropic weighed in. OpenClaw is an example of a desktop native agent which you primarily interact with through email or messaging platforms. It has generated so much interest that it triggered a run on Mac Minis as the preferred hosting platform. This hype has been rapidly followed by a slew of security concerns as people point out the risks of an autonomous system having access to your file system, data, and connected services. In one example, an email containing an embedded prompt injection was sent to the bot, which then promptly provided a private SSH key in response.

This is an example of semantic privilege escalation, which is closely related to but distinct from prompt injection. Prompt injection happens at the input layer: malicious content in a document or email hijacks the model's behavior. Semantic privilege escalation happens downstream, at the action layer: the agent uses its legitimate access to email, files, or connected devices in ways that violate the spirit of the task, even while following the letter of its permissions.

Intent Hijacking: A New Challenge

Prompt injection and semantic privilege escalation hijack the intent of the request passed to the agent and use the capabilities it was given to achieve malicious intent. It reminds me of a social engineering attack on a support desk worker to obtain credentials.

This differs from traditional privilege escalation protections, where the focus clarifies what somebody can do (respond to email). It now requires that we protect the intent of the original request by answering the question: Is this action appropriate for the given task? This requires a change in thinking. Modeling intent as an object with scoped goals, resource constraints, and allowed actions may become part of the overall threat modeling process. "Structured intent" could be an emerging best practice when designing agent flows. Extending an insider threat program to include agents would also help to provide context and focus for an enterprise scale mitigation strategy.

Dig Deeper

Clawdbot and Semantic Privilege Escalation

In Other News