This work addresses the critical security risks faced by large language model–driven autonomous agents, which arise from the tight coupling of their open-ended capabilities with access to sensitive user data and environments. For the first time, the study systematically introduces operating system security paradigms into the domain of AI agents. Through architectural abstraction, attack surface modeling, and empirical analysis, it uncovers deep structural commonalities between agents and operating systems in resource isolation, privilege separation, and communication control. The investigation reveals that mainstream open-source agents commonly fail to defend against conventional attacks; however, most identified vulnerabilities can be effectively mitigated using well-established OS security techniques such as the principle of least privilege and robust isolation mechanisms. Building on these insights, the paper proposes a security-by-design framework tailored specifically for autonomous AI agents.

Autonomous agents based on large language models (LLMs) are rapidly emerging as a general-purpose technology, with recent systems such as OpenClaw extending their capabilities through broad tool use, third-party skills, and deeper integration into user environments. At the same time, these agentic systems introduce substantial security risks by combining unconstrained capabilities with access to sensitive user data. In this work, we investigate the security of LLM-based agents through the lens of operating systems. We argue that both face strikingly similar challenges in isolating resources, separating privileges, and mediating communication. Guided by this perspective, we survey the current landscape of open-source agents, derive a unified agent architecture, and systematically analyze potential attack vectors. To validate this analysis, we conduct a case study evaluating four widely used OpenClaw-like agents. Even under modest attacker capabilities, we find that several protection mechanisms fail in practice and that secure operation requires detailed system knowledge and careful configuration. However, we also observe that while some agentic capabilities remain insecure by design, many vulnerabilities can be mitigated using well-established techniques from operating system security. We conclude with a set of recommendations for the secure design of agentic systems.