
When Convenience Becomes Risk: A Semantic View of Under-Specification in Host-Acting Agents

Di Lu1,*, Yongzhi Liao1,*, Xutong Mu1,*, Lele Zheng1, Ke Cheng1, Xuewen Dong1, Yulong Shen1, and Jianfeng Ma2

Corresponding Author:

Di Lu, Yongzhi Liao, Xutong Mu

Affiliation(s):

1School of Computer Science and Technology, Xidian University, Xi'an, Shaanxi 710071, China, and Shaanxi Key Laboratory of Network and System Security, Xi'an, Shaanxi 710071, China

2School of Cyber Engineering, Shaanxi Key Lab of Network and System Security, Xidian University, Xi'an, China

*Corresponding author

Abstract:

Host-acting agents promise a convenient interaction model in which users specify goals and the system determines how to realize them. We argue that this convenience introduces a distinct security problem: semantic under-specification in goal specification. User instructions are typically goal-oriented, yet they often leave process constraints, safety boundaries, persistence, and exposure insufficiently specified. As a result, the agent must complete missing execution semantics before acting, and this completion can produce risky host-side plans even when the user-stated goal is benign. In this paper, we develop a semantic threat model, present a taxonomy of semantic-induced risky completion patterns, and study the phenomenon through an OpenClaw-centered case study and execution-trace analysis. We further derive defense design principles for making execution boundaries explicit and constraining risky completion. These findings suggest that securing host-acting agents requires governing not only which actions are allowed at execution time, but also how goal-only instructions are translated into executable plans.

Keywords:

Host-acting agents, computer-use agents, semantic under-specification, agent security, semantic threat model

Cite This Paper:

Yangfan Xu, Bao Gui (2026). When Convenience Becomes Risk: A Semantic View of Under-Specification in Host-Acting Agents. Journal of Networking and Network Applications, Volume 6, Issue 2, pp. 47–54. https://doi.org/10.33969/J-NaNA.2026.060201.

References:

[1] OpenAI, “Computer-Using Agent: Introducing a universal interface for AI to interact with the digital world,” 2025. [Online]. Available: https://openai.com/index/computer-using-agent/

[2] Anthropic, “Computer use tool,” Anthropic Documentation. [Online]. Available: https://docs.anthropic.com/en/docs/agents-and-tools/tool-use/computer-use-tool. Accessed: Mar. 22, 2026.

[3] Kai Greshake, Sahar Abdelnabi, Shailesh Mishra, Christoph Endres, Thorsten Holz, and Mario Fritz, “Not what you’ve signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection,” arXiv:2302.12173, 2023.

[4] Qiusi Zhan, Zhixiang Liang, Zifan Ying, and Daniel Kang, “InjecAgent: Benchmarking Indirect Prompt Injections in Tool-Integrated Large Language Model Agents,” arXiv:2403.02691, 2024.

[5] Edoardo Debenedetti, Jie Zhang, Mislav Balunović, Luca Beurer-Kellner, Marc Fischer, and Florian Tramèr, “AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents,” arXiv:2406.13352, 2024.

[6] Shuyan Zhou, Frank F. Xu, Hao Zhu, Xuhui Zhou, Robert Lo, Abishek Sridhar, Xianyi Cheng, Tianyue Ou, Yonatan Bisk, Daniel Fried, Uri Alon, and Graham Neubig, “WebArena: A Realistic Web Environment for Building Autonomous Agents,” arXiv:2307.13854, 2023.

[7] Alexandre Drouin, Maxime Gasse, Massimo Caccia, Issam H. Laradji, Manuel Del Verme, Tom Marty, Léo Boisvert, Megh Thakkar, Quentin Cappart, David Vazquez, Nicolas Chapados, and Alexandre Lacoste, “WorkArena: How Capable Are Web Agents at Solving Common Knowledge Work Tasks?” arXiv:2403.07718, 2024.

[8] Christopher Rawles, Sarah Clinckemaillie, Yifan Chang, Jonathan Waltz, Gabrielle Lau, Marybeth Fair, Alice Li, William Bishop, Wei Li, Folawiyo Campbell-Ajala, Daniel Toyama, Robert Berry, Divya Tyamagundlu, Timothy Lillicrap, and Oriana Riva, “AndroidWorld: A Dynamic Benchmarking Environment for Autonomous Agents,” arXiv:2405.14573, 2024.

[9] Tianbao Xie, Danyang Zhang, Jixuan Chen, Xiaochuan Li, Siheng Zhao, Ruisheng Cao, Toh Jing Hua, Zhoujun Cheng, Dongchan Shin, Fangyu Lei, Yitao Liu, Yiheng Xu, Shuyan Zhou, Silvio Savarese, Caiming Xiong, Victor Zhong, and Tao Yu, “OSWorld: Benchmarking Multi-modal Agents for Open-Ended Tasks in Real Computer Environments,” arXiv:2404.07972, 2024.

[10] Hanna Foerster, Tom Blanchard, Kristina Nikolić, Ilia Shumailov, Cheng Zhang, Robert Mullins, Nicolas Papernot, Florian Tramèr, and Yiren Zhao, “CaMeLs Can Use Computers Too: System-level Security for Computer Use Agents,” arXiv:2601.09923, 2026.

[11] Ada Chen, Yongjiang Wu, Junyuan Zhang, Jingyu Xiao, Shu Yang, Jen-tse Huang, Kun Wang, Wenxuan Wang, and Shuai Wang, “A Survey on the Safety and Security Threats of Computer-Using Agents: JARVIS or Ultron?” arXiv:2505.10924, 2025.

[12] Xueyu Hu, Tao Xiong, Biao Yi, Zishu Wei, Ruixuan Xiao, Yurun Chen, Jiasheng Ye, Meiling Tao, Xiangxin Zhou, Ziyu Zhao, Yuhuai Li, Shengze Xu, Shenzhi Wang, Xinchen Xu, Shuofei Qiao, Zhaokai Wang, Kun Kuang, Tieyong Zeng, Liang Wang, Jiwei Li, Yuchen Eleanor Jiang, Wangchunshu Zhou, Guoyin Wang, Keting Yin, Zhou Zhao, Hongxia Yang, Fan Wu, Shengyu Zhang, and Fei Wu, “OS Agents: A Survey on MLLM-based Agents for General Computing Devices Use,” arXiv:2508.04482, 2025.

[13] Aaron Xuxiang Tian, Ruofan Zhang, Janet Tang, Ji Wang, Tianyu Shi, and Jiaxin Wen, “Measuring Harmfulness of Computer-Using Agents,” arXiv:2508.00935, 2025.

[14] Haitao Hu, Peng Chen, Yanpeng Zhao, and Yuqi Chen, “AgentSentinel: An End-to-End and Real-Time Security Defense Framework for Computer-Use Agents,” arXiv:2509.07764, 2025.

[15] Haochen Gong, Chenxiao Li, Rui Chang, and Wenbo Shen, “Secure and Efficient Access Control for Computer-Use Agents via Context Space,” arXiv:2509.22256, 2025.

[16] Ruoyao Wen, Hao Li, Chaowei Xiao, and Ning Zhang, “AgentSys: Secure and Dynamic LLM Agents Through Explicit Hierarchical Memory Management,” arXiv:2602.07398, 2026.

[17] Qianshan Wei, Tengchao Yang, Yaochen Wang, Xinfeng Li, Lijun Li, Zhenfei Yin, Yi Zhan, Thorsten Holz, Zhiqiang Lin, and XiaoFeng Wang, “A-MemGuard: A Proactive Defense Framework for LLM-Based Agent Memory,” arXiv:2510.02373, 2025.

[18] Xianglin Yang, Yufei He, Shuo Ji, Bryan Hooi, and Jin Song Dong, “Zombie Agents: Persistent Control of Self-Evolving LLM Agents via Self-Reinforcing Injections,” arXiv:2602.15654, 2026.

[19] Zhenlin Xu, Xiaogang Zhu, Yu Yao, Minhui Xue, and Yiliao Song, “From Storage to Steering: Memory Control Flow Attacks on LLM Agents,” arXiv:2603.15125, 2026.

[20] Zhengyang Shan, Jiayun Xin, Yue Zhang, and Minghui Xu, “Don’t Let the Claw Grip Your Hand: A Security Analysis and Defense Framework for OpenClaw,” arXiv:2603.10387, 2026.

[21] Zonghao Ying, Xiao Yang, Siyang Wu, Yumeng Song, Yang Qu, Hainan Li, Tianlin Li, Jiakai Wang, Aishan Liu, and Xianglong Liu, “Uncovering Security Threats and Architecting Defenses in Autonomous Agents: A Case Study of OpenClaw,” arXiv:2603.12644, 2026.

[22] Frank Li, “OpenClaw PRISM: A Zero-Fork, Defense-in-Depth Runtime Security Layer for Tool-Augmented LLM Agents,” arXiv:2603.11853, 2026.