Clawed and Dangerous: Can We Trust Open Agentic Systems?

📅 2026-03-27
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work addresses the security governance challenges posed by uncertainty in planning, execution, and permission delegation within open agentic systems, challenges to which traditional software security models are ill-suited. Taking a software engineering perspective, the paper proposes a six-dimensional security analysis taxonomy tailored to open agentic systems and uses it to synthesize 50 studies spanning attacks, benchmarks, defenses, audits, and adjacent engineering foundations. The synthesis finds the literature comparatively mature in attack characterization and benchmark construction, but weak in four areas: deployment controls, runtime (operational) governance, persistent-memory integrity, and capability revocation. Building on this framework, the authors derive a reference doctrine for secure-by-construction agent platforms that are governable, auditable, and resilient under compromise, complemented by an evaluation scorecard for assessing a platform's security posture. Together, these contributions set out a concrete engineering agenda for building trustworthy agent ecosystems.
📝 Abstract
Open agentic systems combine LLM-based planning with external capabilities, persistent memory, and privileged execution. They are used in coding assistants, browser copilots, and enterprise automation. OpenClaw is a visible instance of this broader class. Although it has received little attention so far, their security challenge is fundamentally different from that of traditional software that relies on predictable execution and well-defined control flow. In open agentic systems, everything is "probabilistic": plans are generated at runtime, key decisions may be shaped by untrusted natural-language inputs and tool outputs, execution unfolds in uncertain environments, and actions are taken under authority delegated by human users. The central challenge is therefore not merely robustness against individual attacks, but the governance of agentic behavior under persistent uncertainty. This paper systematizes the area through a software engineering lens. We introduce a six-dimensional analytical taxonomy and synthesize 50 papers spanning attacks, benchmarks, defenses, audits, and adjacent engineering foundations. From this synthesis, we derive a reference doctrine for secure-by-construction agent platforms, together with an evaluation scorecard for assessing platform security posture. Our review shows that the literature is relatively mature in attack characterization and benchmark construction, but remains weak in deployment controls, operational governance, persistent-memory integrity, and capability revocation. These gaps define a concrete engineering agenda for building agent ecosystems that are governable, auditable, and resilient under compromise.
Problem

Research questions and friction points this paper is trying to address.

open agentic systems
security governance
persistent uncertainty
agent behavior
secure-by-construction
Innovation

Methods, ideas, or system contributions that make the work stand out.

open agentic systems
secure-by-construction
analytical taxonomy
agent governance
persistent memory integrity