SoK: Security of Autonomous LLM Agents in Agentic Commerce

Published 15 Apr 2026 in cs.CR and cs.MA | (2604.15367v1)

Abstract: Autonomous LLM agents such as OpenClaw are pushing agentic commerce from human-supervised assistance toward machine actors that can negotiate, purchase services, manage digital assets, and execute transactions across on-chain and off-chain environments. Protocols such as the Trustless Agents standard (ERC-8004), Agent Payments Protocol (AP2), the HTTP 402-based payment protocol (x402), Agent Commerce Protocol (ACP), the Agentic Commerce standard (ERC-8183), and Machine Payments Protocol (MPP) enable this transition, but they also create an attack surface that existing security frameworks do not capture well. This Systematization of Knowledge (SoK) develops a unified security framework for autonomous LLM agents in commerce and finance. We organize threats along five dimensions: agent integrity, transaction authorization, inter-agent trust, market manipulation, and regulatory compliance. From a systematically curated public corpus of academic papers, protocol documents, industry reports, and incident evidence, we derive 12 cross-layer attack vectors and show how failures propagate from reasoning and tooling layers into custody, settlement, market harm, and compliance exposure. We then propose a layered defense architecture addressing authorization gaps left by current agent-payment protocols. Overall, our analysis shows that securing agentic commerce is inherently a cross-layer problem that requires coordinated controls across LLM safety, protocol design, identity, market structure, and regulation. We conclude with a research roadmap and a benchmark agenda for secure autonomous commerce.

Summary

  • The paper introduces a five-dimensional threat taxonomy that unifies and operationalizes security risks for autonomous LLM agents in financial environments.
  • It details 12 cross-layer attack vectors, such as prompt-to-transaction and collusion-to-escrow, illustrating how vulnerabilities propagate across systems.
  • The study emphasizes layered defense strategies integrating protocol, agent, and market controls to mitigate the expanded attack surface in agentic commerce.

Systematization of Security in Autonomous LLM Agents for Agentic Commerce

Introduction

The analyzed work, "SoK: Security of Autonomous LLM Agents in Agentic Commerce" (2604.15367), formalizes and systematizes the security challenges unique to the confluence of autonomous LLM agents and financial automation. The paper delineates how the rapidly maturing technical stack—spanning open-source agent frameworks, machine-to-machine payment protocols, and cross-chain settlement architectures—substantially expands the attack surface beyond that observed in traditional AI- or finance-only deployments. Critically, this SoK unifies and operationalizes threats, characterizing the multidimensional adversarial landscape facing autonomous LLM-based agents executing financially consequential actions without continuous human oversight. It introduces a five-dimensional threat taxonomy, derives and evidences 12 cross-layer attack vectors, and positions defense strategies in terms of protocol, agent, and market controls. The implications for AI deployment in regulated, adversarial, and high-value agentic economies are both immediate and profound.

Multidimensional Threat Taxonomy

A core contribution of the paper is the organization of agentic financial security into five orthogonal but deeply interlinked dimensions: agent integrity, transaction authorization, inter-agent trust, market manipulation, and regulatory compliance. This taxonomy captures attack and failure modes regardless of whether an agent is operating in a blockchain-native, API-driven, or hybrid environment (Figure 1).

Figure 1: Five-dimensional threat taxonomy spans agent integrity, authorization, inter-agent trust, market manipulation, and compliance for autonomous financial agents.

Agent integrity is increasingly stressed by LLM-specific prompt injection vectors, model poisoning, tool supply-chain compromise, and persistent memory attacks. These attacks exploit complex interfaces and multi-channel data ingest pipelines, impacting agent state, transaction proposals, and future decision trajectories—especially dangerous when financial irreversibility is present.

Transaction authorization must now handle not just traditional key management and policy constraints, but also LLM-induced intent drift, prompt-induced credential misuse, and verification at multiple protocol layers (e.g., ERC-8004, AP2, x402, MPP). Existing proposals for capability-bounded credentials, intent-action binding, and runtime verification are positioned as necessary but insufficient, with multi-signature and atomic settlement offering only partial mitigation.

Inter-agent trust transcends classical digital signature and escrow patterns: LLM agents are susceptible to cognitive and negotiation manipulation, evaluator collusion, sybilization around reputation and escrow, and message-layer self-replicating attacks (such as prompt infection). DID adoption and on-chain reputation are recognized as brittle without robust evaluator selection, provenance, and anomaly monitoring.

Market manipulation is amplified by the mass deployment of strategy-homogenized agents, adversarial herding, correlated behavioral drift, and automation of wash trading or sandwich attacks, each catalyzed by the amplifying properties of LLMs.

Regulatory compliance is complicated anew by ambiguity over beneficial ownership, principal-agent mappings, audit trail integrity, transaction attribution, SAR/CTR thresholds, and VASP (Virtual Asset Service Provider) status, especially as agent autonomy increases and multi-layer handoff points obscure intent and liability.

Cross-layer Attack Vectors

The work identifies 12 empirically or conceptually evidenced cross-layer attack vectors that illustrate the non-locality of agentic financial risk. These include prompt-to-transaction (P2T), tool-to-reasoning (T2R), collusion-to-escrow (C2E), and oracle-to-position (O2P), among others. Unlike localized vulnerability classes such as buffer overflows or missing input sanitization, these vectors explicitly involve adversarial propagation through reasoning, tool, custody, protocol, and compliance interfaces, demonstrating that seemingly robust controls in one subsystem are often entirely bypassed by upstream or downstream compromise.

Notably, P2T attacks—where prompt injection leads directly to irreversible transactions—are validated in prior work, illustrating that simple LLM data source compromise can have direct financial effect. C2E details systemic risk introduced by evaluator agent collusion in ACP/ERC-8183-like protocols, showing how novel trust primitives can themselves become new attack surfaces. N2C exposes how cross-protocol negotiation can enable AML evasion, while S2I makes explicit the threat from plugin or toolchain supply-chain poisoning.
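The intent-action binding and capability-bounded credentials discussed under transaction authorization, and the P2T failure mode above, can be made concrete with an authorization gate that sits between the agent's proposed transaction and the signer. This is an added example, not code from the paper or from any of the protocols it surveys; the mandate format, the HMAC-based integrity check and the sample payees are constructed assumptions.

```python
import hmac, hashlib, json

# Assumption: the mandate key lives with the user's signer, never in the agent's context window.
MANDATE_KEY = b"user-signer-secret-constructed-example"

def sign_mandate(mandate, key=MANDATE_KEY):
    """Bind the user's intent (payees, asset, caps, expiry) to a MAC the agent cannot forge."""
    body = json.dumps(mandate, sort_keys=True).encode()
    return {"mandate": mandate, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def authorize(signed, proposal, spent_so_far, now, key=MANDATE_KEY):
    """Gate a proposed transaction against the signed mandate; returns (allowed, reason).
    Each check is a capability bound enforced outside the LLM, so injected text cannot argue past it."""
    m = signed["mandate"]
    body = json.dumps(m, sort_keys=True).encode()
    if not hmac.compare_digest(signed["mac"], hmac.new(key, body, hashlib.sha256).hexdigest()):
        return False, "mandate integrity failure"
    if now > m["expires_at"]:
        return False, "mandate expired"
    if proposal["payee"] not in m["allowed_payees"]:
        return False, "payee not in mandate"
    if proposal["asset"] != m["asset"]:
        return False, "asset mismatch"
    if proposal["amount"] > m["max_per_tx"]:
        return False, "exceeds per-transaction cap"
    if spent_so_far + proposal["amount"] > m["budget"]:
        return False, "exceeds mandate budget"
    return True, "ok"

def demo(now=1_000_000):
    # Constructed mandate: up to 100 USDC per transaction, 150 in total, one merchant, one hour.
    mandate = {"allowed_payees": ["merchant-A"], "asset": "USDC", "max_per_tx": 100,
               "budget": 150, "expires_at": now + 3600}
    signed = sign_mandate(mandate)
    results = {}
    # Ordinary purchase proposed by the agent within the mandate.
    results["legit"] = authorize(signed, {"payee": "merchant-A", "asset": "USDC", "amount": 80}, 0, now)
    # P2T scenario: content the agent read redirected the payment to an unlisted payee; the gate refuses.
    results["injected_payee"] = authorize(signed, {"payee": "attacker-X", "asset": "USDC", "amount": 80}, 0, now)
    # Cumulative budget acts as a circuit-breaker once the first 80 has been spent.
    results["budget"] = authorize(signed, {"payee": "merchant-A", "asset": "USDC", "amount": 80}, 80, now)
    # Widening the mandate in-context does not help: the MAC no longer verifies.
    tampered = {"mandate": dict(signed["mandate"], allowed_payees=["attacker-X"]), "mac": signed["mac"]}
    results["tampered"] = authorize(tampered, {"payee": "attacker-X", "asset": "USDC", "amount": 80}, 0, now)
    return results
```

The gate only helps if the signer refuses to sign anything `authorize` has not approved; a mandate check the agent can skip is no control at all.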

Defense Architecture and Protocol Assessment

The paper articulates a layered defense strategy, characterizing attack coverage and gaps across controls that include input/tool sanitization, output validation, context binding, intent verification, custody isolation, DID, evaluator selection, circuit-breakers, and market-level monitoring.

Specifically, protocol analysis demonstrates:

  • Payment and settlement protocols like ERC-8004, AP2, ACP/ERC-8183, and x402/MPP primarily address authorization, escrows, and inter-agent settlement, but leave LLM-layer reasoning and tool integrity as persistent risk points.
  • Execution interfaces like MCP provide some isolation and auditability for toolchains, but their security is functionally ruled by protocol and registry design, not model or agent code alone.
  • Market-facing risk (correlated manipulation, adversarial herding) and compliance posture (SAR/CTR triggers, VASP implications) require monitoring and controls fundamentally external to the agent or protocol stack.

The paper makes the strong claim that no existing protocol or agentic system offers complete coverage across all five security dimensions; defense is necessarily a composition, not a monolithic mechanism.

Implications and Future Research Directions

Practically, the deployment of autonomous agentic financial agents as described exposes the financial system to new classes of systemic, cross-layer risks. Point-wise or domain-specific security practices (e.g., prompt injection mitigation, smart contract audits, credential sandboxing) are insufficient. The systematization insists on the necessity for defense-in-depth and cross-domain coordination between agent frameworks, protocol developers, market engineers, and regulatory technologists.

Theoretically, the work forces a reconsideration of principal-agent relationships, liability, and trust in AI-mediated commerce, emphasizing that human intervention, prompt-level guards, or on-chain consensus are increasingly inadequate as primary lines of defense.

For future research, the paper prioritizes (1) benchmark environments that capture the unique adversarial, irreversible properties of financial agents, (2) cumulative and longitudinal metrics for herding and market abuse, (3) evaluator and reputation system governance, and (4) nuanced compliance and identity frameworks appropriate for non-human actors.

Conclusion

This SoK establishes that securing autonomous agentic commerce is an inherently cross-layer, multi-disciplinary challenge. Its five-dimensional framework, cross-layer attack vectorization, and analysis of defense architectures collectively show that neither financial security nor LLM safety techniques, in isolation, suffice for robust agentic deployments. The work calls for a re-examination of protocol, agent, and market controls in a convergent adversarial landscape, and positions its taxonomy and agenda as a foundational resource for both practitioners and theorists in agentic AI security.
