Clawed and Dangerous: Can We Trust Open Agentic Systems? | Signal Canvas | ScienceToStartup

Clawed and Dangerous: Can We Trust Open Agentic Systems? | Signal Canvas | ScienceToStartup

Page Freshness

Signal Canvas proof surface

Canonical route: /signal-canvas/clawed-and-dangerous-can-we-trust-open-agentic-systems

stale

Proof freshness: stale
Proof status: unverified
Display score: 4/10
Last proof check: 2026-03-30
Score updated: 2026-04-02
Score fresh until: 2026-05-02
References: 94
Source count: 3
Coverage: 50%

This page is showing the last landed evidence receipt and score bundle because the latest proof data is outside the freshness window.

Agent Handoff

Clawed and Dangerous: Can We Trust Open Agentic Systems?

Canonical ID clawed-and-dangerous-can-we-trust-open-agentic-systems | Route /signal-canvas/clawed-and-dangerous-can-we-trust-open-agentic-systems

REST example

curl https://sciencetostartup.com/api/v1/agent-handoff/signal-canvas/clawed-and-dangerous-can-we-trust-open-agentic-systems

MCP example

{
  "tool": "search_signal_canvas",
  "arguments": {
    "mode": "paper",
    "paper_ref": "clawed-and-dangerous-can-we-trust-open-agentic-systems",
    "query_text": "Summarize Clawed and Dangerous: Can We Trust Open Agentic Systems?"
  }
}

source_context

{
  "surface": "signal_canvas",
  "mode": "paper",
  "query": "Clawed and Dangerous: Can We Trust Open Agentic Systems?",
  "normalized_query": "2603.26221",
  "route": "/signal-canvas/clawed-and-dangerous-can-we-trust-open-agentic-systems",
  "paper_ref": "clawed-and-dangerous-can-we-trust-open-agentic-systems",
  "topic_slug": null,
  "benchmark_ref": null,
  "dataset_ref": null
}

Evidence Receipt

Route status: building

Claims: 8

References: 94

Proof: Verification pending

Freshness state: computing

Source paper: Clawed and Dangerous: Can We Trust Open Agentic Systems?

PDF: https://arxiv.org/pdf/2603.26221v1

Source count: 3

Coverage: 50%

Last proof check: 2026-03-30T21:58:49.399Z

Signal Canvas receipt window

Not build-ready: Clawed and Dangerous: Can We Trust Open Agentic Systems?

/buildability/clawed-and-dangerous-can-we-trust-open-agentic-systems

Ignoreblocked

Subject: Clawed and Dangerous: Can We Trust Open Agentic Systems?

Verdict

Ignore

Verdict is Ignore because current viability and proof state do not clear the buildability gate.

Time to first demo

Preparing verified analysis

GitHub Code Pulse

No public code linked for this paper yet.

Claim map

Strong 8Mixed 0Weak 0

Evidencepartial
Open agentic systems combine LLM-based planning with external capabilities, persistent memory, and privileged execution.
Implicationpartial
This is a direct definition provided in the abstract.
Verificationpartial
partial
Evidencepartial
Without much attention yet, their security challenge is fundamentally different from that of traditional software that relies on predictable execution and well-defined control flow. In open agentic systems, everything is ''probabilistic'': plans are generated at runtime, key decisions may be shaped by untrusted natural-language inputs and tool outputs, execution unfolds in uncertain environments, and actions are taken under authority delegated by human users.
Implicationpartial
The abstract explicitly states this difference and elaborates on the reasons.
Verificationpartial
partial
Evidencepartial
Our review shows that the literature is relatively mature in attack characterization and benchmark construction, but remains weak in deployment controls, operational governance, persistent-memory integrity, and capability revocation.
Implicationpartial
The abstract explicitly states this finding from their synthesis.
Verificationpartial
partial
Evidencepartial
Our review shows that the literature is relatively mature in attack characterization and benchmark construction, but remains weak in deployment controls, operational governance, persistent-memory integrity, and capability revocation.
Implicationpartial
The abstract explicitly states this finding from their synthesis.
Verificationpartial
partial
Evidencepartial
limitation becomes especially visible in the defense coverage analy- sis below: memory integrity is completely absent, and
Implicationpartial
The text explicitly states this absence in the defense coverage analysis.
Verificationpartial
partial
Evidencepartial
Capability Overreach Rate(COR): 0 of 10 benchmarks evaluate whether tool use exceeds declared scope, because none models per- mission manifests.
Implicationpartial
The text explicitly states this limitation of existing benchmarks.
Verificationpartial
partial
Evidencepartial
LLM outputs are context-dependent, and vulnerable to indirect prompt injection. They should be treated as proposals rather than privileged actions. The key requirement is that model-generated plans pass through deterministic policy checks and typed tool interfaces before any side-effecting operation is executed.
Implicationpartial
This is presented as a key requirement and principle derived from the literature.
Verificationpartial
partial
Evidencepartial
The requirement is to move trust checks earlier. Tool publica- tion, installation, updates, and revocation should all be treated as supply-chain events. Mature precedents already exist: Sigstore [17] supports signing and transparency, while in-toto [77] ties artifacts to verifiable build provenance. In an OpenClaw/MCP setting, clients should verify signed manifests
Implicationpartial
This is presented as a requirement for moving trust checks earlier in the process, drawing parallels to existing precedents.
Verificationpartial
partial

Author intelligence and commercialization panels stay hidden until the proof receipt is verified, cites at least 3 references, includes at least 2 sources, and clears 50% coverage. The paper narrative and citation surfaces remain public while verification is pending.