A traditional computer worm exploits vulnerabilities in network services — buffer overflows, unpatched protocols. An LLM agent worm exploits something different: the trust boundary between an agent’s instructions and its environment.

ClawWorm (arXiv:2603.15727) demonstrates the full worm lifecycle in LLM agent ecosystems. First, it hijacks the victim agent’s core configuration — not by exploiting a code vulnerability but by injecting instructions that the agent treats as authoritative. The payload persists across session restarts because the configuration file survives reboots. Then it propagates: every time the infected agent communicates with a new peer, the worm copies itself into the interaction.

The attack succeeds because LLM agents commit the same architectural error across three distinct infection vectors: they don’t distinguish between instructions from their operator and instructions embedded in their environment. A message from a compromised peer is processed with the same authority as a directive from the system prompt. The trust boundary that should separate “what I’m told to do” from “what I encounter in the world” doesn’t exist — or exists only as convention, not as enforcement.

The through-claim: the vulnerability isn’t a bug. It’s the feature. LLM agents are useful precisely because they treat natural language as executable. They follow instructions embedded in documents, emails, and conversations — that’s the point. But the same capability that makes them useful makes them infectable. The worm doesn’t exploit a flaw in the agent’s implementation. It exploits the agent’s fundamental operating principle: obey text.

The defense strategies the authors propose — trust boundaries, instruction provenance, peer authentication — amount to teaching agents to distrust the medium they were built to trust.