ClawWorm: Self-Propagating Attacks Across LLM Agent Ecosystems
A single malicious message can hijack an AI agent, persist across reboots, and spread autonomously to peers.
A team of ten researchers has published a landmark paper detailing 'ClawWorm,' the first documented self-propagating worm capable of attacking live, interconnected ecosystems of LLM-based autonomous agents. The attack was demonstrated on OpenClaw, an open-source agent platform with over 40,000 active instances, which features persistent configurations and cross-platform messaging. The worm's mechanism is alarmingly simple: a single malicious input message can trigger a fully autonomous infection cycle. Once inside a victim agent, ClawWorm hijacks the core configuration to establish a persistent presence that survives session restarts, executes a malicious payload on each reboot, and then automatically propagates itself to every new peer agent it encounters, requiring zero further intervention from the original attacker.
The attack, evaluated on a controlled testbed, proved highly effective across three different infection vectors and is payload-agnostic: the self-replication mechanism is separate from any harmful code it delivers. The success of ClawWorm exposes fundamental architectural vulnerabilities in emerging multi-agent systems, where agents operate with tool-execution privileges and automatic communication channels but without robust security boundaries. The authors trace the root cause to excessive trust in agent-to-agent messaging and configuration integrity. In response, they propose targeted defense strategies to harden these trust boundaries. The findings serve as a critical wake-up call for the AI industry, underscoring that as agents become more autonomous and interconnected, their attack surface expands in novel and dangerous ways, necessitating security-first design principles from the outset.
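The persistence step described above works only if a configuration changed at runtime is trusted again at the next restart. The following is an added example, not code from the paper or from OpenClaw: one way to enforce configuration integrity with a startup gate that loads only a configuration carrying the operator's MAC and otherwise reverts to the signed baseline. The config keys, the key handling and all function names are hypothetical.

```python
import hashlib
import hmac
import json

# Hypothetical operator-held key. Assumption: it is stored outside the agent's
# tool-execution sandbox, so the agent cannot re-sign a config it has modified.
OPERATOR_KEY = b"constructed-demo-key"

# Constructed sample data: an operator-approved config, and a copy altered at
# runtime after the agent processed an untrusted peer message.
BASELINE = {"system_prompt": "You are a helpful assistant.",
            "startup_tasks": [], "auto_reply_peers": False}
TAMPERED = dict(BASELINE, startup_tasks=["<unapproved entry>"],
                auto_reply_peers=True)


def sign_config(config: dict, key: bytes = OPERATOR_KEY) -> str:
    """Operator side: MAC over a canonical serialization of the config."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def load_config_at_startup(stored: dict, baseline: dict, tag: str,
                           key: bytes = OPERATOR_KEY):
    """Agent side: decide which config to run at (re)start.

    stored   -- config found on disk, writable by the running agent
    baseline -- operator-controlled copy the tag was issued for
    Returns (config_to_run, changed_keys). Raises if the baseline itself
    does not verify, because then nothing trustworthy is left to load.
    """
    if hmac.compare_digest(sign_config(stored, key), tag):
        return stored, []
    if not hmac.compare_digest(sign_config(baseline, key), tag):
        raise RuntimeError("baseline does not match operator tag; refusing to start")
    changed = sorted(k for k in stored.keys() | baseline.keys()
                     if stored.get(k) != baseline.get(k))
    return baseline, changed


if __name__ == "__main__":
    tag = sign_config(BASELINE)
    for name, cfg in (("clean", dict(BASELINE)), ("tampered", TAMPERED)):
        running, changed = load_config_at_startup(cfg, BASELINE, tag)
        print(name, "-> reverted" if changed else "-> loaded", changed)
```

The list of changed keys is worth logging and alerting on: a configuration that changed without an operator signature is the observable trace of the persistence step.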
- First self-replicating worm attack demonstrated on a production-scale LLM agent framework (OpenClaw with 40,000+ instances).
- Achieves 100% autonomous infection and propagation from a single message, persisting across agent reboots.
- Highlights critical architectural flaws in multi-agent ecosystems, where excessive trust in messaging enables chain-reaction breaches.
Why It Matters
As businesses deploy interconnected AI agents, this research reveals a new class of systemic risk that could lead to cascading failures and data breaches.