CONTRA: Red-Teaming Configurations of Personalizable Agents

📅 2026-07-03
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses a critical security gap in configurable agents: while such agents enhance personalization, seemingly benign configuration combinations can inadvertently trigger malicious behaviors that evade existing safety mechanisms. To tackle this challenge, the authors propose CONTRA, the first framework to systematically integrate red-teaming into the safety evaluation of configurable agents. CONTRA leverages large language model–guided tree search over the configuration space, an agent simulation environment, and skill-to-malicious-behavior mapping analysis. Evaluated on a large-scale dataset comprising 473 popular skills, experiments reveal that 75.1% of skills admit configurations capable of inducing malicious behavior—most undetected by current tools. CONTRA successfully identifies harmful configurations in 39.2% of test cases, exposing previously hidden vulnerabilities inherent in personalization mechanisms.
📝 Abstract
Recent tools such as OpenClaw have extended the capabilities of LLM-based agents from simple dialog-based systems to fully autonomous agents. These systems allow personalization of the agent through modifiable internal files and the installation of skills. While this enables deployment in a wide range of settings and the automation of diverse tasks, greater capability and autonomy increases the risk of malicious actions being executed unintentionally. In this work, we explore the interplay between agent configuration and the risk of executing dangerous actions without explicit instruction. To this end, we propose CONfiguration Tree-search for Red-teaming Agents (CONTRA), an LLM-assisted tree-search algorithm that discovers agent configurations resulting in the execution of malicious actions. CONTRA works by reasoning about benign yet dangerous configurations and evaluating them in a simulated environment. We construct a dataset of the 473 most popular skills from a public repository, along with 2-5 corresponding malicious target actions per skill. In a large-scale analysis, we find that 75.1% of skills have at least one configuration resulting in the execution of a malicious action, most of which have not been detected as containing malicious content by existing scans. Overall, CONTRA successfully identifies a configuration leading to the execution of the target action in 39.2% of all tested cases. Our findings demonstrate that current agents provide insufficient safety with respect to personalization.
Problem

Research questions and friction points this paper is trying to address.

personalizable agents
agent configuration
malicious actions
autonomous agents
safety
Innovation

Methods, ideas, or system contributions that make the work stand out.

red-teaming
agent configuration
LLM-based agents
tree search
personalizable agents