From Prompt to Physical Actuation: Holistic Threat Modeling of LLM-Enabled Robotic Systems

📅 2026-04-29
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work addresses the physical safety risks in LLM-driven robotic systems arising from malicious inputs and unsafe outputs that traverse the perception-planning-execution boundary. Existing research lacks a systematic analysis of how diverse threat classes interact and propagate within a unified architecture. To bridge this gap, the paper proposes an edge-cloud hierarchical data flow graph model integrated with the STRIDE-per-interaction methodology, enabling, for the first time, a unified threat modeling framework that encompasses traditional cyber threats, adversarial attacks, and conversational threats across six critical interaction points. The approach reveals how these three threat categories converge at shared boundaries to form cross-layer attack chains, uncovering core architectural vulnerabilities such as missing semantic validation, risks in cross-modal instruction translation, and unmediated tool invocation. It further traces three complete attack paths from user input to unsafe physical execution, establishing the first full-stack security modeling paradigm for LLM-based robotic systems.
📝 Abstract
As large language models are integrated into autonomous robotic systems for task planning and control, compromised inputs or unsafe model outputs can propagate through the planning pipeline to physical-world consequences. Although prior work has studied robotic cybersecurity, adversarial perception attacks, and LLM safety independently, no existing study traces how these threat categories interact and propagate across trust boundaries in a unified architectural model. We address this gap by modeling an LLM-enabled autonomous robot in an edge-cloud architecture as a hierarchical Data Flow Diagram and applying STRIDE-per-interaction analysis across six boundary-crossing interaction points using a three-category taxonomy of Conventional Cyber Threats, Adversarial Threats, and Conversational Threats. The analysis reveals that these categories converge at the same boundary crossings, and we trace three cross-boundary attack chains from external entry points to unsafe physical actuation, each exposing a distinct architectural property: the absence of independent semantic validation between user input and actuator dispatch, cross-modal translation from visual perception to language-model instruction, and unmediated boundary crossing through provider-side tool use. To our knowledge, this is the first DFD-based threat analysis integrating all three threat categories across the full perception-planning-actuation pipeline of an LLM-enabled robotic system.
Problem

Research questions and friction points this paper is trying to address.

LLM-enabled robotics
threat modeling
trust boundaries
physical actuation
adversarial threats
Innovation

Methods, ideas, or system contributions that make the work stand out.

Threat Modeling
Large Language Models
Robotic Systems
Data Flow Diagram
Cross-boundary Attacks