The Agent Worm

LLM agent frameworks let AI agents communicate, collaborate, and share resources. OpenClaw hosts 40,000+ agent instances. A single message, crafted by an attacker, can infect all of them.

ClawWorm is the first self-replicating worm for production LLM agent ecosystems. It operates in three stages. First, the worm hijacks the victim agent’s core configuration to establish persistence — the infection survives session restarts. Second, it executes an arbitrary payload on each reboot. Third, it propagates itself to every newly encountered peer without further attacker intervention. One message in, autonomous spread out.

The attack exploits trust boundaries that agent frameworks implicitly create. Agents accept messages from peers and process them through the language model. The model doesn’t distinguish malicious instructions embedded in peer messages from legitimate ones. Configuration files are writable by the agent itself (by design, for self-improvement). The worm uses the agent’s own capabilities — communication, configuration modification, code execution — as its infection vector.

The architectural vulnerability is fundamental: agent frameworks give agents enough capability to modify themselves and communicate with others, which is exactly enough capability to propagate a worm. Any system where agents can both write their own configuration and send messages to peers has the ingredients for self-replication. The worm doesn’t exploit a bug. It exploits the design.

The authors propose defenses targeting the identified trust boundaries: separating configuration from communication, requiring cryptographic signatures on configuration changes, sandboxing message processing. Each defense reduces agent capability — which reduces the framework’s value proposition.

The capability that makes agents useful is the capability that makes them vulnerable.