The Executable Sandbox Becomes the Agent Security Test
An agent security test that never lets the agent touch state is testing the conversation, not the system. AgentCanary moves the evidence into executable trajectories.
When the Test Lets the Agent Act
A prompt-injection test can be too polite. It asks the model what it would do, or watches one tool call, then scores the answer. That misses the point of an autonomous agent. The dangerous part is not only the sentence it emits. It is the file it edits, the memory it writes, the email it sends, the plugin it trusts, the network it touches, and the state it leaves behind for the next run.
That is the useful move in AgentCanary: put the agent in a controlled environment where actions can actually happen, then judge the full trajectory. The benchmark treats security as an execution property, not a conversational vibe.
The Paper
arXiv lists Peiyang Li, Songping Wang, Yi Huang, Yanhua Shi, Chenhao Zhang, Qi Li, Yueming Lyu, Caifeng Shan, Fengting Li, Chao Feng, Chuanqun Zhu, and Liang Chen as authors of AgentCanary: A Security Evaluation Framework for Autonomous AI Agents in Real Executable Environments, arXiv:2606.10484v1 [cs.CR], dated June 9, 2026. The paper lists affiliations with Ant Group, Tsinghua University, Nanjing University, and Peking University, and links an open-source repository at antgroup/Agent3Sigma-Canary.
The authors argue that autonomous agents shift security failures from textual deception toward system compromise. Their stated answer is AgentCanary: a framework with risk coverage, real executable environments, and trajectory-grounded multidimensional evaluation.
Entry, Impact, Trajectory
The paper's cleanest governance idea is the Entry x Impact matrix. Entry asks how unsafe influence reaches the agent. Impact asks what harm materializes if the agent acts unsafely. This avoids mixing the delivery channel with the consequence.
AgentCanary defines five risk entries: user interaction, untrusted external content, compromised skill or tool ecosystem, persistent memory and state, and intrinsic failures. The corresponding attack settings include direct prompt injection, indirect prompt injection, skill poisoning, memory contamination, and no-attacker failures under ambiguity or high-stakes instructions.
It then defines seven impact categories: local environment and availability risks, data and information security risks, persistent state and memory contamination, privilege and system-control risks, network attack and remote-control risks, business abuse and illicit-use risks, and financial or transactional risks. The point is diagnostic. If an agent leaks data, the evaluator should know whether the path came through a web page, a poisoned skill, memory state, user authority, or the agent's own planning failure.
Why Executable Environments Matter
AgentCanary does not stop at static Q&A. The paper says the task suite is embedded in workflows such as web browsing, email, instant messaging, calendar use, financial transactions, and third-party skills. Agents interact with real tools against dynamically provisioned artifacts such as inboxes and web pages, with persistent state across multi-step interactions.
The paper reports 496 seed evaluation tasks organized across the two risk dimensions. It also describes a framework-agnostic environment instantiated on Hermes, NanoClaw, and OpenClaw. The linked repository describes sandboxed evaluation, Docker-based task execution, multiple attack methods, runtime-defense comparison, leaderboard generation, and workflow analysis for reviewing full trajectories.
This matters because many agent harms are side effects. A mocked tool response cannot show that a file was deleted, a memory was contaminated, a network path was probed, or a payment parameter was changed. A realistic sandbox can make those effects inspectable without exposing production systems.
What the Benchmark Changes
The paper separates three scores: Outcome Safety, Security Awareness, and Task Utility. That separation is more important than any single leaderboard rank. An agent might avoid the harmful action while failing to recognize the attack. Another might recognize the attack but still damage the environment. A third might stay safe by refusing the useful task entirely. Collapsing those cases into one pass/fail label hides the tradeoff.
The authors report that current agents often fail to recognize attacks, especially under compromised skills, persistent state, and long-horizon execution attacks. Treat that as a scoped benchmark result, not a universal law. The durable lesson is the measurement shape: safety, awareness, and utility need separate evidence.
Governance Reading
AgentCanary belongs beside AI Agent Sandboxing, AI Red Teaming, Prompt Injection, Context Poisoning, Model Context Protocol, and Agentic Supply-Chain Vulnerabilities. Its lesson is that agent governance needs executable evidence. A policy prompt is not a security boundary unless the tool calls, memory writes, state diffs, and side effects are also measured.
Procurement and release review should ask vendors for trajectory-level security evidence: which risk entries were tested, which impacts were in scope, what tools were live, what state persisted, how scoring separated safety from awareness and utility, and which failures led to product changes. A demo transcript is not enough.
Incident response should likewise preserve the action trail. The relevant question is not only "what did the agent say?" It is "what did the agent read, trust, call, modify, store, send, and leave behind?"
Limits
This is a June 2026 arXiv preprint and linked open-source framework, not a regulator's certification method. The tasks are constructed scenarios, not proof of field prevalence. Real deployments may have different permissions, tools, monitoring, workflow constraints, business logic, and human approval gates.
The benchmark also depends on evaluators choosing representative tasks and threat models. A sandbox that omits the risky tool, hides persistent state, or scores only the final message can still create false comfort. The method is useful because it demands better evidence; it does not remove the need to decide what evidence matters.
Security-Test Receipt
An agent security-test receipt should record: model, agent framework, container image, tool list, permission scope, initial memory, task prompt, untrusted artifacts, risk entry, target impact, attack method, runtime defenses, full tool-call trace, files touched, memory writes, network calls, external messages, transaction attempts, final response, Outcome Safety score, Security Awareness score, Task Utility score, human adjudicator notes, and remediation decision.
Sources
- Peiyang Li, Songping Wang, Yi Huang, Yanhua Shi, Chenhao Zhang, Qi Li, Yueming Lyu, Caifeng Shan, Fengting Li, Chao Feng, Chuanqun Zhu, and Liang Chen, AgentCanary: A Security Evaluation Framework for Autonomous AI Agents in Real Executable Environments, arXiv:2606.10484v1 [cs.CR], June 9, 2026.
- Primary arXiv versions checked: experimental HTML and PDF, reviewed for authorship, abstract, risk taxonomy, task construction, executable-environment claims, scoring dimensions, framework scope, results framing, and limitations.
- Ant Group, Agent3Sigma-Canary GitHub repository, reviewed for repository identity, key features, sandboxed evaluation, supported suites, Docker workflow, scoring metrics, and analysis tooling.
- Related pages: AI Agent Sandboxing, AI Red Teaming, Prompt Injection, Context Poisoning, and Agentic Supply-Chain Vulnerabilities.