SoK: Security of Autonomous LLM Agents in Agentic Commerce

Published: 2026-04-14
Citations: 0
Influential: 0

AI Summary
This study addresses novel cross-layer attacks targeting autonomous large language model (LLM) agents in agentic commerce: threats that existing safety frameworks are ill-equipped to handle, spanning integrity, authorization, trust, market manipulation, and regulatory compliance. The work introduces the first cross-layer collaborative security paradigm encompassing LLM safety, protocol design, identity management, market structure, and regulation. Through a Systematization of Knowledge (SoK) integrating academic literature, protocol specifications, industry reports, and incident data, it identifies five threat dimensions and twelve cross-layer attack vectors, showing how risks propagate from the reasoning and tool-use layers to the asset custody, settlement, and compliance layers. The paper further proposes a layered defense architecture to fill critical gaps in agent-commerce security and outlines a research roadmap alongside a benchmarking agenda.

Abstract
Autonomous large language model (LLM) agents such as OpenClaw are pushing agentic commerce from human-supervised assistance toward machine actors that can negotiate, purchase services, manage digital assets, and execute transactions across on-chain and off-chain environments. Protocols such as the Trustless Agents standard (ERC-8004), Agent Payments Protocol (AP2), the HTTP 402-based payment protocol (x402), Agent Commerce Protocol (ACP), the Agentic Commerce standard (ERC-8183), and Machine Payments Protocol (MPP) enable this transition, but they also create an attack surface that existing security frameworks do not capture well. This Systematization of Knowledge (SoK) develops a unified security framework for autonomous LLM agents in commerce and finance. We organize threats along five dimensions: agent integrity, transaction authorization, inter-agent trust, market manipulation, and regulatory compliance. From a systematically curated public corpus of academic papers, protocol documents, industry reports, and incident evidence, we derive 12 cross-layer attack vectors and show how failures propagate from reasoning and tooling layers into custody, settlement, market harm, and compliance exposure. We then propose a layered defense architecture addressing authorization gaps left by current agent-payment protocols. Overall, our analysis shows that securing agentic commerce is inherently a cross-layer problem that requires coordinated controls across LLM safety, protocol design, identity, market structure, and regulation. We conclude with a research roadmap and a benchmark agenda for secure autonomous commerce.
Problem

Research questions and friction points this paper is trying to address.

Autonomous LLM Agents
Agentic Commerce
Security Framework
Attack Surface
Cross-layer Security
Innovation

Methods, ideas, or system contributions that make the work stand out.

autonomous LLM agents
agentic commerce
cross-layer security
attack vectors
layered defense architecture
Qian'ang Mao
Nanjing University
Jiaxin Wang
Anhui University of Science and Technology
deep learning; semi-supervised learning
Ya Liu
Nanjing University
Li Zhu
Nanjing University
Cong Ma
Southern University of Science and Technology; City University of Hong Kong
Jiaqi Yan
Nanjing University
Blockchain; Intelligent Systems; Network-based Big Data Analytics and their business applications including Financ