Autonomous LLM agents operate as long-running processes with persistent workspaces, memory files, scheduled task state, and messaging integrations. These features create a new propagation risk: attacker-influenced content can be written into persistent agent state, re-enter the LLM decision context through scheduled autoloading, and drive high-risk actions, including configuration changes and cross-agent transmission. We present the first systematic framework for automated analysis of persistent worm propagation in file-backed multi-agent LLM ecosystems. SSCGV, our automated source-code graph analyzer, traces data flow from file I/O to LLM context injection points and ranks carriers by context injection position without manual analysis. SRPO, our summary-resilient payload optimizer, generates worm payloads that remain effective under LLM-mediated summarization and paraphrasing across multi-hop communication. Evaluated on three production agent frameworks, we demonstrate zero-click autonomous propagation, 3-hop cross-platform transmission without platform-specific adaptation, inter-agent privilege escalation, and data exfiltration. We identify two empirical insights: user prompt carriers achieve higher attack compliance than system prompt carriers, and read operations represent the primary integrity threat in LLM-mediated systems. To defend against this class of attacks, we develop RTW-A, whose guarantee we prove as a formal No Persistent Worm Propagation theorem. RTW blocks write-before-exposed-read re-entry; sealed configuration protects static files; typed memory promotion prevents untrusted summaries from entering trusted memory; and capability attenuation limits high-risk actions after external reads. Together these mechanisms break the persistence, re-entry and action chain while preserving ordinary workflows. Affected systems are anonymized pending coordinated disclosure.
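The four defensive invariants named above (blocking re-entry of state written after an exposed read, sealing static configuration, typed memory promotion, and capability attenuation) can be modelled as a small policy monitor over a file-backed agent workspace. The following Python is an added illustration written for this page; it is not the paper's RTW-A implementation and does not reproduce its formal model. All names (`Workspace`, `Session`, the sealed file `agent_config.toml`, the high-risk action set) and the constructed message contents are assumptions chosen for the example. It runs a constructed worm-style flow (inbound message, memory write, scheduled reload, attempted spread) and a benign flow against the same monitor to show that the attack chain is cut while an unexposed workflow is unaffected.

```python
"""Toy policy monitor for persistent-state re-entry in an LLM agent.

Constructed illustration (not the paper's RTW-A code). It models four
invariants in the spirit of those the abstract names and runs a
constructed worm-style scenario and a benign scenario against them.
"""
from dataclasses import dataclass, field
from enum import Enum


class Trust(Enum):
    TRUSTED = "trusted"      # written while no external content was in the context
    UNTRUSTED = "untrusted"  # written after an external read exposed the session


@dataclass
class Record:
    content: str
    trust: Trust


# Assumed names: one sealed static config file and the actions treated as high-risk.
SEALED_FILES = {"agent_config.toml"}
HIGH_RISK_ACTIONS = {"modify_config", "send_to_agent", "schedule_task"}


@dataclass
class Workspace:
    """Persistent state shared across sessions: files plus typed memory."""
    files: dict = field(default_factory=dict)            # path -> Record
    trusted_memory: list = field(default_factory=list)   # only TRUSTED records
    untrusted_memory: list = field(default_factory=list)


class Session:
    """One agent run. `exposed` flips the moment external content is read."""

    def __init__(self, ws: Workspace):
        self.ws = ws
        self.exposed = False
        self.context: list = []   # records currently visible to the LLM
        self.denied: list = []    # audit trail of blocked operations

    def read_external(self, content: str) -> None:
        # Any inbound message or fetched page is untrusted and exposes the session.
        self.exposed = True
        self.context.append(Record(content, Trust.UNTRUSTED))

    def write_file(self, path: str, content: str) -> bool:
        # Sealed configuration: static files are never writable from a session.
        if path in SEALED_FILES:
            self.denied.append(f"write:{path}")
            return False
        # A write issued after an exposed read inherits UNTRUSTED trust.
        trust = Trust.UNTRUSTED if self.exposed else Trust.TRUSTED
        self.ws.files[path] = Record(content, trust)
        return True

    def autoload(self, path: str) -> bool:
        # Scheduled re-entry: only records written while unexposed may enter the context.
        rec = self.ws.files.get(path)
        if rec is None or rec.trust is Trust.UNTRUSTED:
            self.denied.append(f"autoload:{path}")
            return False
        self.context.append(rec)
        return True

    def promote_summary(self, summary: str) -> Trust:
        # Typed memory promotion: a summary produced in an exposed session stays untrusted.
        rec = Record(summary, Trust.UNTRUSTED if self.exposed else Trust.TRUSTED)
        target = self.ws.untrusted_memory if rec.trust is Trust.UNTRUSTED else self.ws.trusted_memory
        target.append(rec)
        return rec.trust

    def act(self, action: str) -> bool:
        # Capability attenuation: high-risk actions are denied once the session is exposed.
        if action in HIGH_RISK_ACTIONS and self.exposed:
            self.denied.append(f"act:{action}")
            return False
        return True


def run_worm_scenario() -> dict:
    """Constructed flow: inbound message -> memory write -> scheduled reload -> spread attempt."""
    ws = Workspace()
    s1 = Session(ws)
    s1.read_external("[constructed inbound message carrying instructions]")
    memory_write = s1.write_file("memory.md", "[content derived from the message]")
    config_write = s1.write_file("agent_config.toml", "[attempted config change]")
    summary_trust = s1.promote_summary("[summary of the exposed session]")
    spread_now = s1.act("send_to_agent")

    s2 = Session(ws)  # next scheduled run starts unexposed, same persistent workspace
    reloaded = s2.autoload("memory.md")
    return {
        "memory_write_allowed": memory_write,         # ordinary write still lands on disk...
        "config_write_allowed": config_write,         # ...but the sealed config does not
        "summary_trust": summary_trust.value,         # tainted summary never reaches trusted memory
        "spread_in_exposed_session": spread_now,      # high-risk action attenuated
        "reentry_on_reload": reloaded,                # tainted file cannot autoload
        "untrusted_in_new_context": any(r.trust is Trust.UNTRUSTED for r in s2.context),
        "trusted_memory_size": len(ws.trusted_memory),
    }


def run_benign_scenario() -> dict:
    """Same monitor, no external read: the ordinary workflow is preserved."""
    ws = Workspace()
    s1 = Session(ws)
    s1.write_file("memory.md", "[operator note written while unexposed]")
    s1.promote_summary("[summary of an unexposed session]")
    s2 = Session(ws)
    return {
        "reload_allowed": s2.autoload("memory.md"),
        "config_change_allowed": s2.act("modify_config"),
        "trusted_memory_size": len(ws.trusted_memory),
    }


if __name__ == "__main__":
    print(run_worm_scenario())
    print(run_benign_scenario())
```

The key design choice is that trust is assigned at write time from the session's exposure flag, not inferred from content: a later scheduled run never has to judge whether `memory.md` "looks" malicious, it only checks the type the record carried when it was written. That is what lets the monitor refuse re-entry without a classifier and without blocking writes in sessions that never read external input.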