Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

ClawWorm: Self-Propagating Attacks Across LLM Agent Ecosystems

Yihao Zhang, Zeming Wei, Xiaokun Luan, Chengcan Wu, Zhixin Zhang, Jiangrong Wu, Haolin Wu, Huanran Chen, Jun Sun, Meng Sun

Abstract

Autonomous LLM-based agents increasingly operate as long-running processes forming densely interconnected multi-agent ecosystems, whose security properties remain largely unexplored. In particular, OpenClaw, an open-source platform with over 40{,}000 active instances, has stood out recently with its persistent configurations, tool-execution privileges, and cross-platform messaging capabilities. In this work, we present ClawWorm, the first self-replicating worm attack against a production-scale agent framework, achieving a fully autonomous infection cycle initiated by a single message: the worm first hijacks the victim's core configuration to establish persistent presence across session restarts, then executes an arbitrary payload upon each reboot, and finally propagates itself to every newly encountered peer without further attacker intervention. We evaluate the attack on a controlled testbed across three distinct infection vectors and three payload types, demonstrating high success rates in end-to-end infection, sustained multi-hop propagation, and payload independence from the worm mechanism. We analyse the architectural root causes underlying these vulnerabilities and propose defence strategies targeting each identified trust boundary. Code and samples will be released upon completion of responsible disclosure.

ClawWorm: Self-Propagating Attacks Across LLM Agent Ecosystems

Abstract

Autonomous LLM-based agents increasingly operate as long-running processes forming densely interconnected multi-agent ecosystems, whose security properties remain largely unexplored. In particular, OpenClaw, an open-source platform with over 40{,}000 active instances, has stood out recently with its persistent configurations, tool-execution privileges, and cross-platform messaging capabilities. In this work, we present ClawWorm, the first self-replicating worm attack against a production-scale agent framework, achieving a fully autonomous infection cycle initiated by a single message: the worm first hijacks the victim's core configuration to establish persistent presence across session restarts, then executes an arbitrary payload upon each reboot, and finally propagates itself to every newly encountered peer without further attacker intervention. We evaluate the attack on a controlled testbed across three distinct infection vectors and three payload types, demonstrating high success rates in end-to-end infection, sustained multi-hop propagation, and payload independence from the worm mechanism. We analyse the architectural root causes underlying these vulnerabilities and propose defence strategies targeting each identified trust boundary. Code and samples will be released upon completion of responsible disclosure.
Paper Structure (47 sections, 2 figures, 6 tables)

This paper contains 47 sections, 2 figures, 6 tables.

Table of Contents

  1. Introduction
  2. Backgrounds and Related Work
  3. LLM-based Autonomous Agents
  4. Security Risks in Agentic AI Systems
  5. Problem Formulation
  6. Attacker's Goal
  7. Threat Model
  8. Adversary capabilities.
  9. Trust boundaries.
  10. Methodology
  11. Overview
  12. Attack Vectors
  13. Vector A: Web injection.
  14. Vector B: Skill supply chain poisoning.
  15. Vector C: Direct instruction replication.
  16. ...and 32 more sections

Figures (2)

  • Figure 1: An illustration of the ClawWorm infection lifecycle within the OpenClaw network. An initial compromise autonomously propagates through the densely interconnected ecosystem, rapidly spreading the infection across multiple agent hops.
  • Figure 2: Overall illustration of the Claw Worm pipeline. The self-replication cycle comprises three phases: establishing dual-anchor persistence via an adversarial message, auto-firing the payload upon session restart, and autonomously propagating the full payload to new peers.