Persistent LLM agents, due to their long-running nature and automatic state-loading mechanisms, are vulnerable to adversarial content injection, enabling cross-platform worm propagation and high-severity operational risks. This work proposes the first automated analysis framework for persistent worms in file-supported multi-agent LLM ecosystems, integrating an SSCGV source-code graph analyzer and an SRPO summary-based robust payload optimizer. The framework formally proves that the RTW-A defense architecture can block non-persistent worm propagation. Leveraging program dependence graphs, context-aware injection point identification, and typed memory modeling, it demonstrates zero-click autonomous propagation, three-hop cross-platform spread, cross-agent privilege escalation, and data exfiltration across three production-grade agent systems. Experimental results further reveal that user-prompt-based payloads exhibit higher policy compliance, while read operations constitute the primary threat to system integrity.

Autonomous LLM agents operate as long-running processes with persistent workspaces, memory files, scheduled task state, and messaging integrations. These features create a new propagation risk: attacker-influenced content can be written into persistent agent state, re-enter the LLM decision context through scheduled autoloading, and drive high-risk actions including configuration changes and cross-agent transmission. We present the first systematic framework for automated analysis of persistent worm propagation in file-backed multi-agent LLM ecosystems. SSCGV, our automated source-code graph analyzer, traces data flow from file I/O to LLM context injection points and ranks carriers by context injection position without manual analysis. SRPO, our summary-resilient payload optimizer, generates worm payloads robust to LLM-mediated summarization and paraphrasing across multi-hop communication. Evaluated on three production agent frameworks, we demonstrate zero-click autonomous propagation, 3-hop cross-platform transmission without platform-specific adaptation, inter-agent privilege escalation, and data exfiltration. We identify two empirical insights: user prompt carriers achieve higher attack compliance than system prompt carriers, and read operations represent the primary integrity threat in LLM-mediated systems. To defend against this class of attacks, we develop RTW-A, proven under a formal No Persistent Worm Propagation theorem. RTW blocks write-before-exposed-read re-entry; sealed configuration protects static files; typed memory promotion prevents untrusted summaries from entering trusted memory; and capability attenuation limits high-risk actions after external reads. These mechanisms eliminate the persistence, re-entry, action chain while preserving ordinary workflows. Affected systems are anonymized pending coordinated disclosure.