Search papers, labs, and topics across Lattice.
The paper introduces ClawWorm, a self-replicating worm attack targeting LLM agent ecosystems, specifically the OpenClaw platform. ClawWorm hijacks agent configurations for persistence, executes arbitrary payloads upon reboot, and autonomously propagates to new peers. Experiments on a controlled testbed demonstrate high success rates across various infection vectors and payload types, highlighting vulnerabilities in the architecture of LLM agent frameworks.
A single malicious message can trigger a self-replicating worm, ClawWorm, that autonomously infects and propagates across entire LLM agent ecosystems, even surviving agent restarts.
Autonomous LLM-based agents increasingly operate as long-running processes forming densely interconnected multi-agent ecosystems, whose security properties remain largely unexplored. In particular, OpenClaw, an open-source platform with over 40{,}000 active instances, has stood out recently with its persistent configurations, tool-execution privileges, and cross-platform messaging capabilities. In this work, we present ClawWorm, the first self-replicating worm attack against a production-scale agent framework, achieving a fully autonomous infection cycle initiated by a single message: the worm first hijacks the victim's core configuration to establish persistent presence across session restarts, then executes an arbitrary payload upon each reboot, and finally propagates itself to every newly encountered peer without further attacker intervention. We evaluate the attack on a controlled testbed across three distinct infection vectors and three payload types, demonstrating high success rates in end-to-end infection, sustained multi-hop propagation, and payload independence from the worm mechanism. We analyse the architectural root causes underlying these vulnerabilities and propose defence strategies targeting each identified trust boundary. Code and samples will be released upon completion of responsible disclosure.
