SafeClawBench: Separating Semantic, Audit-Evidence, and Sandbox Harm in Tool-Using LLM Agents

πŸ“… 2026-06-16
πŸ“ˆ Citations: 0
✨ Influential: 0
πŸ“„ PDF
πŸ€– AI Summary
This work addresses the limitations of current safety evaluations for large language model–based agent tool use, which often rely solely on attack success rates and fail to distinguish between semantic compliance, auditable evidence of harm, and actual sandbox-observable damage. To overcome this, we introduce SafeClawBench, a novel benchmark that decouples safety assessment into three dimensions: semantic acceptance, auditable harmful evidence, and sandbox-observable harm. The benchmark comprises 600 adversarial tasks spanning six attack categories. Leveraging adversarial task design, a multi-endpoint evaluation protocol, an executable sandbox environment, and four prompting strategies, we conduct systematic experiments across five mainstream agent models. Results reveal semantic failure rates ranging from 9.0% to 44.2%, with 291 out of 347 sandbox harms occurring in cases that passed semantic checks, thereby validating the necessity and effectiveness of the proposed tripartite evaluation framework.
πŸ“ Abstract
Tool-using language-model agents introduce security failures that go beyond unsafe text: they can disclose protected objects, write persistent memory, send messages, modify databases, or trigger harmful code and tool effects. Existing evaluations often collapse these stages into a single attack success rate, making it difficult to tell whether a model merely agreed with an attacker or actually produced observable harm. We introduce SafeClawBench, a staged benchmark for tool-using agent security with 600 controlled adversarial tasks across six attack families: direct and indirect prompt injection, tool-return injection, memory poisoning, memory extraction, and ambiguity-driven unsafe inference. SafeClawBench reports three separate endpoints: semantic attack acceptance, audit-visible harm evidence, and sandbox-observed tool/state harm. Evaluating five agent endpoints under four prompt-level policies, we find that these endpoints capture different failure modes. Without additional prompt protection, semantic failure rates vary widely across models, from 9.0% to 44.2%. Audited harm evidence is narrower than semantic failure, and under a separate executable protocol some matched task identities produce sandbox harm despite passing the Semantic Core call: in a 12,000-row matched analysis, 291 of 347 observed sandbox harms occur in rows that pass the semantic check. Prompt policies change endpoint outcomes, but their effects depend on both model and protocol. SafeClawBench provides a reproducible framework for comparing agent models and prompt-policy conditions without conflating textual compliance, evidence-supported harm, and executable state changes. The open-source dataset is available at https://huggingface.co/datasets/sairights/safeclawbench.
Problem

Research questions and friction points this paper is trying to address.

tool-using LLM agents
security evaluation
semantic harm
audit-evidence harm
sandbox harm
Innovation

Methods, ideas, or system contributions that make the work stand out.

tool-using LLM agents
staged security benchmark
semantic vs. executable harm
audit-evidence separation
adversarial evaluation
πŸ”Ž Similar Papers