Clawgang: Graph Theory & AI Agent Security
- Clawgang is a research domain unifying the study of forbidden claw subgraphs in graph theory with analyses of persistent AI agent security vulnerabilities.
- It examines structural constraints through claw deletion, Boolean sum reconstruction, and power graph characterizations in finite groups.
- The topic also addresses Claw-like agents by evaluating system attack surfaces, physical workflow auditing, and benchmark strategies for out-of-band security detection.
“Clawgang” is an Editor’s term for a body of research organized around two distinct uses of “claw.” In graph theory, the claw is the star , which appears as a forbidden induced subgraph, as the target of deletion and online Ramsey problems, and as a structural constraint on power graphs of finite groups. In recent AI-systems security work, “Claw-like” denotes always-on personal AI agent processes with persistent access to files, shell, credentials, tools, and external services; the associated literature studies both their architectural attack surfaces and out-of-band workflow verification (Pouzet et al., 2013, Niu et al., 29 Jun 2026, Gan et al., 7 May 2026). The grouping is editorial rather than standard, but it captures a coherent research pattern: a simple local obstruction or privileged runtime feature induces strong global structure.
1. Claws, co-claws, and the structural theory of claw-free graphs
A graph is claw-free if it has no induced copy of , where is the claw: one center vertex adjacent to three pairwise nonadjacent vertices. The complementary obstruction is the co-claw . The class
therefore consists of graphs with no induced claw and no induced co-claw. Its main structural characterization is exact: a graph belongs to this class if and only if is one of the following: the exceptional graph ; an induced subgraph of the Paley graph ; a graph whose connected components are cycles of length at least $4$ or paths; or the complement of one of the graphs in the previous two categories (Pouzet et al., 2013).
The exceptional configurations are sharply delimited. The Paley graph 0 is self-complementary, satisfying
1
and 2 together with 3 is singled out as especially important because these are the only graphs in the class that contain both a triangle and an independent set of size 4 with no common vertex.
A classical bridge used in this analysis is line-graph theory via the edge-graph 5. Its vertices are the edges of a graph 6, and two edges 7 and 8 are adjacent in 9 when 0 is not an edge of 1. The key equivalence is
2
Thus claw-freeness in 3 is translated into triangle-freeness in 4. A plausible implication is that the local induced-star obstruction is unusually amenable to transfer into secondary graph constructions, which helps explain why claw-free phenomena recur across otherwise different combinatorial problems.
2. Homogeneous triples, Boolean sums, and reconstruction up to complementation
For a graph 5, a subset of vertices is homogeneous if it is either a clique or an independent set. The 6-uniform hypergraph
7
has as hyperedges exactly the 8-element subsets of 9 that are homogeneous in 0, that is, those inducing either 1 or 2. The associated reconstruction problem asks which graphs are determined, up to complementation, by these 3-homogeneous triples (Pouzet et al., 2013).
The technical mechanism is the Boolean sum of two graphs 4 and 5 on the same vertex set: 6 The central equivalence states that, for a graph 7, the following are equivalent: there exist graphs 8 with the same 9-homogeneous subsets such that 0; both 1 and 2 are bipartite; and either 3 is an induced subgraph of 4, or the connected components of 5, or of 6, are cycles of even length or paths.
A key lemma makes the link explicit. If 7, then equality of the 8-element homogeneous subsets of 9 and 0 is equivalent to an edge-partition condition in the edge-graphs 1 and 2. Concretely, with
3
the sets 4 form a bipartition of 5 into independent sets, and an analogous statement holds for 6.
The role in reconstruction is direct. Two graphs are isomorphic up to complementation if one is isomorphic to the other or to its complement; they are 7-hypomorphic up to complementation if every 8-vertex induced subgraph of one is isomorphic to the corresponding subgraph of the other or to its complement; and a graph is 9-reconstructible up to complementation if this local condition forces global isomorphism up to complementation. The Boolean-sum characterization constrains the nontrivial possibilities for 0 to paths, even cycles, induced subgraphs of 1, and complements of these. This suggests that the hypergraph of homogeneous triples functions as a highly restrictive invariant rather than a merely coarse summary.
3. Claw deletion and approximation on split and bipartite graphs
For 2, 3 is called a 4-claw, and the minimum 5-claw deletion problem (\texttt{Min-6-Claw-Del}) asks for a minimum-size vertex set 7 such that 8 is 9-claw free. In a split graph, the vertex set can be partitioned into a clique and an independent set, and every 0-claw has its center vertex in the clique partition. This one-sidedness motivates the minimum one-sided bipartite 1-claw deletion problem (\texttt{Min-2-OSBCD}): given a bipartite graph 3, find a minimum vertex set 4 such that 5 has no 6-claw with the center vertex in 7 (Mishra, 2023).
The approximation landscape is tight. A primal-dual algorithm approximates \texttt{Min-8-OSBCD} within a factor of 9, and it is 0-hard to approximate with a factor better than 1. The paper also gives a dense-instance improvement: if 2 for all 3, then the algorithm approximates \texttt{Min-4-OSBCD} within a factor of 5. The submodular formulation uses
6
with the statement that 7 is a 8-polymatroid and that 9 is a matching in $4$0 if and only if the corresponding subgraph is one-sided $4$1-claw free.
The split-graph problem inherits hardness by a direct construction: from a bipartite instance $4$2, form a split graph $4$3 with
$4$4
Then $4$5 is a one-sided $4$6-claw deletion set in $4$7 if and only if $4$8 is a split-$4$9-claw deletion set in 00. Consequently, assuming 01, \texttt{Min-02-Claw-Del} on split graphs cannot be approximated better than 03, and the paper also states that \texttt{Min-04-Claw-Del} is 05-complete even when each vertex 06 has at least 07 neighbors in 08.
The complementary maximization problems, Max-09-OSBC-Subgraph and Max-10-Claw-Subgraph, are treated as the natural dual formulations. They are 11-complete and admit 12 approximation algorithms. Within this line of work, claw-freeness is not merely a hereditary graph property; it is the defining feasibility condition for a family of tight approximation thresholds.
4. Claw-free reduced power graphs of finite groups
For a finite group 13, the undirected power graph 14 has vertex set 15, and two distinct vertices 16 are adjacent if one of the cyclic subgroups 17 is contained in the other. The reduced power graph 18 is the induced subgraph of 19 on 20. The classification problem asks which finite groups have claw-free 21 (Manna et al., 2024).
A first structural fact is that any claw in 22 must appear in one of two orientations: either 23 or 24. This immediately constrains element orders. If 25 has order divisible by three distinct primes 26, then
27
is a claw of the first type. If 28 has order 29 with 30, then
31
is also a claw of the first type.
The nilpotent case is highly restrictive. For odd 32, a finite 33-group has claw-free 34 if and only if it is cyclic or 35. For noncyclic 36-groups, claw-freeness forces either 37 or 38 to be dihedral. More generally, if 39 is nilpotent and 40 is claw-free, then either 41 is a 42-group, or 43 is cyclic; in the cyclic non-44-group case, 45 for distinct primes 46.
Beyond nilpotent groups, the paper proves that if 47 is claw-free, then either 48 is solvable or 49 is almost simple; in the latter case, the socle of 50 is isomorphic to 51 for suitable choices of 52. For finite non-abelian simple groups, the classification is exact: 53 is claw-free if and only if 54 and, writing 55,
56
must each be either a prime power or the product of a prime and a prime power. The global numerical corollary is that if 57 is claw-free, then the order of 58 is divisible by at most 59 different primes.
This program shows that a graph-theoretic prohibition in 60 constrains centralizers, Sylow structure, solvability, and the simple-group composition factors. A plausible implication is that claw-freeness acts here as a low-complexity certificate for rank-one-like subgroup geometry, with 61 emerging as the surviving simple family.
5. The claw in online Ramsey theory
The online Ramsey number 62 is defined through the Builder–Painter game on an empty graph with countably many vertices. In each round, Builder reveals an edge, Painter colors it red or blue, and Builder wins once a red copy of 63 or a blue copy of 64 appears. For the claw versus cycles, the exact result is
65
The lower bound uses a Painter strategy that colors an exposed edge red unless doing so would create either a red 66 or a red cycle 67 with
68
This keeps the red graph claw-free, of maximum degree at most 69, and without short cycles, so it is a disjoint union of paths. If 70 is the number of red path components and 71 the set of vertices of degree 72 in the red graph, the paper derives
73
while a blue 74 would require
75
The contradiction yields the lower bound.
The upper bound is constructive. It introduces good, better, and best blue paths according to the number of incident red edges at their endpoints; three local gadgets called Type 1, Type 2, and Type 3; and the wavy path 76, consisting of a blue path 77 together with 78 pairwise vertex-disjoint 79 subpaths whose endpoints are joined by red edges. Builder forces one of four small initial configurations 80, then applies extension lemmas and a Blue Path Expansion Algorithm until a blue 81 is forced within the exact budget.
This result sits within a specific prior literature. Cyman, Dzido, Lapinskas, and Lo determined exact values for 82, Song, Wang, and Zhang proved
83
and Adamski, Bednarska-Bzdęga, and Błażej obtained asymptotically tight results when 84 is an even cycle. Against that background, the claw-versus-cycle theorem gives an exact long-cycle value for a sparse forbidden red graph.
6. Claw-like agents as computer systems
In AI-systems security, Claw-like agents are always-on personal AI agent processes running inside the user’s own computing environment with persistent access to high-value local resources: files, shell, credentials, tools, and external services. OpenClaw is used as the exemplar. These agents install packages, keep state across sessions, schedule subtasks, and mediate I/O. The central analytical move is to treat such an agent as an agentic computer system: the gateway runtime is like an OS/runtime layer, Skills are like user-installed applications, and Plugins are like in-process loadable extensions (Niu et al., 29 Jun 2026).
The paper maps agent components to classical system components and corresponding protection gaps. A package repository corresponds to a Skills marketplace; process address space corresponds to the LLM context window; file system or storage corresponds to persistent memory; user-installed applications correspond to Skills; IPC channels correspond to connectors such as email or Slack; in-process loadable extensions correspond to Plugins; the audit subsystem corresponds to gateway logs; and user input versus data plane corresponds to document or email content inside context. The associated protection mechanisms—code signing, review, sandboxing, isolation, DAC or MAC, authenticated channels, privilege separation, redaction, integrity protection, and data or instruction separation—are described as absent or incomplete on the agent side.
Five security principles are extracted: process isolation, least privilege, persistent-state protection, cross-boundary mediation, and data-instruction separation. These are grouped into four benchmark attack surfaces: Skill Supply-Chain Integrity (SSI), Persistent State Exploitation (PSE), Cross-Boundary Data Flow (CDF), and Indirect Prompt Injection (IPI). SafeClawArena operationalizes this framework as a benchmark of 85 adversarial tasks across these four attack surfaces, evaluated on three platforms—OpenClaw, NemoClaw, and SeClaw—and five frontier LLMs—GPT-5.1-Codex, GPT-5.4, Gemini-3-Flash-Preview, Gemini-3.1-Pro-Preview, and Claude-Opus-4.6.
The execution model is systems-oriented rather than prompt-only. Each task runs in a fresh Docker container reproducing a production deployment, with the gateway daemon, the LLM backend, the Sim-Google CLI, task-specific Skills, Plugins, or content, and seeded workspace files with credentials. The benchmark uses canary-marked credentials of the form
86
with suffix space
87
and deterministic taint matching across nine output channels: agent response, outbound message, local Sim-Google call log, memory write, gateway log, configuration write, workspace file write, webhook payload, and cron output.
The reported security picture is severe. Across all 88 configurations, overall attack success ranges from about 89 to 90; the lowest overall attack success is 91 for NemoClaw + Claude-Opus-4.6, while the highest is 92 for both OpenClaw + GPT-5.4 and NemoClaw + GPT-5.4. Category 1.4 Malicious Plugin succeeds in 93 of cases on every unhardened configuration regardless of LLM, because the Plugin runs as native code inside the gateway and bypasses the LLM entirely. SeClaw reduces GPT-5.4’s attack success rate from 94 on OpenClaw to 95, but some of that gain is attributed to removing attack surface rather than to active defenses. The paper’s broader claim is that Claw-like agents should be analyzed like operating systems, not just like LLMs.
7. Physical workflow auditing with ClawGuard
ClawGuard addresses workflow hijacking in autonomous LLM agents. In this setting, a user request is executed as an ordered sequence of skills or tool invocations, and an attacker may alter that sequence by inserting, omitting, reordering, substituting, or branching skills while keeping the overall conversation semantically plausible. The key claim is that workflow hijacking is also a physical execution problem: changes in the workflow should change the host’s hardware activity and hence its electromagnetic emanations, making passive out-of-band detection possible (Gan et al., 7 May 2026).
The intended workflow is modeled as
96
and the compromised execution as
97
External receivers observe passive EM traces
98
with
99
ClawGuard implements a dual-SDR, drift-aware coarse–fine pipeline. Two HackRF One SDRs sample at 00 with 01-bit IQ, placed about 02 cm from the host chassis. Carrier selection is empirical rather than assumed from hardware specifications; a survey over 03–04 produced the pair 05 for the replication corpus.
Signal processing uses coarse skill intervals 06 and overlapping fine windows
07
Each fine window is converted into a 08-dimensional V10 feature vector 09, including spectral energy or log-PSD band energies, spectral shape statistics, temporal envelope features, and cross-receiver coupling features. Drift compensation applies cycle-local normalization,
10
temperature detrending,
11
with 12, and ANOVA feature selection with top-13 retention, using 14 in the focused three-skill task and 15 in larger settings. Because many features are more predictive of collection cycle than of skill identity on the big48 benchmark, evaluation uses leave-one-cycle-out cross-validation rather than random splits.
The system then separates skill evidence from attack detection. Stage 1 performs skill recovery on physically separable subsets via
16
Stage 2 performs attack-state detection using
17
and a record is flagged hijacked when aggregation over fine-window states exceeds a threshold.
The experimental scale is unusually large for RF side-channel work: a 18 TB main corpus with 19 records across 20 benign skills and 21 attack skills, plus a separate new-bands replication corpus using 22. On a production split of 23 records—24 attack and 25 normal—ClawGuard achieves 26 and 27, with 28 true-positive rate at 29 false-positive rate. On the new-bands corpus, the same pipeline reaches 30 sub-window accuracy, 31 record-vote accuracy, and 32 attack recall. The paper also reports median inference around 33 ms.
The limitations are explicit. ClawGuard is not a universal 34-class workflow recognizer, broad open-set classification is fragile, anomaly detectors such as IsolationForest, OneClassSVM, and Mahalanobis scoring are near chance, and generalization across devices and across days still needs recalibration. The stated contribution is narrower: an out-of-band, forge-resistant physical check against compromised host software, under a threat model in which the host OS may be fully compromised while the SDRs and policy channel remain trusted.