ClawWorm: Self-Propagating Attacks Across LLM Agent Ecosystems

TL;DR

ClawWorm demonstrates a novel self-replicating attack on large language model agent ecosystems, revealing significant security vulnerabilities and proposing targeted defense strategies.

Contribution

This work introduces the first self-propagating worm attack on production-scale LLM agent frameworks, highlighting new security challenges and vulnerabilities.

Findings

Achieved 64.5% attack success rate in controlled tests

Demonstrated sustained multi-hop propagation across ecosystems

Identified vulnerabilities in skill supply chains and execution filtering

Abstract

Autonomous LLM-based agents increasingly operate as long-running processes forming densely interconnected multi-agent ecosystems, whose security properties remain largely unexplored. In particular, OpenClaw, an open-source platform with over 40,000 active instances, has stood out recently with its persistent configurations, tool-execution privileges, and cross-platform messaging capabilities. In this work, we present ClawWorm, the first self-replicating worm attack against a production-scale agent framework, achieving a fully autonomous infection cycle initiated by a single message: the worm first hijacks the victim's core configuration to establish persistent presence across session restarts, then executes an arbitrary payload upon each reboot, and finally propagates itself to every newly encountered peer without further attacker intervention. We evaluate the attack on a controlled testbed across four distinct LLM backends, three infection vectors, and three payload types (1,800 total trials). We demonstrate a 64.5\% aggregate attack success rate, sustained multi-hop propagation, and reveal stark divergences in model security postures -- highlighting that while execution-level filtering effectively mitigates dormant payloads, skill supply chains remain universally vulnerable. We analyse the architectural root causes underlying these vulnerabilities and propose defence strategies targeting each identified trust boundary. Code and samples will be released upon completion of responsible disclosure.