pith. machine review for the scientific record.

arXiv: 2604.27267 · v2 · submitted 2026-04-29 · cs.CR · cs.AI · cs.RO


From Prompt to Physical Actuation: Holistic Threat Modeling of LLM-Enabled Robotic Systems

Carlo R. da Cunha, Hayretdin Bahsi, Neha Nagaraja

Pith reviewed 2026-05-07 09:39 UTC · model grok-4.3

classification: cs.CR · cs.AI · cs.RO
keywords: LLM-enabled robotics, threat modeling, data flow diagrams, STRIDE analysis, physical actuation risks, boundary crossing attacks, cyber threats, adversarial perception

The pith

LLM-enabled robots let cyber threats, adversarial inputs, and conversational prompts converge at the same six trust boundaries and propagate to unsafe physical actuation.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper constructs a hierarchical data flow diagram of an edge-cloud LLM-controlled robot that covers the full perception-planning-actuation pipeline. It then applies STRIDE-per-interaction analysis at six boundary-crossing points, using a taxonomy that groups threats into conventional cyber attacks, adversarial perception attacks, and conversational LLM attacks. The analysis finds that all three categories meet at the same crossings and produces three explicit attack chains that run from external entry points to physical actuator commands. A reader would care because the chains show how a software-level flaw reaching a language model can end in direct physical harm, and because the shared crossings mean that a defense built for one threat category alone leaves the same boundary open to the other two.

Core claim

By modeling an LLM-enabled autonomous robot as a hierarchical Data Flow Diagram and applying STRIDE-per-interaction analysis across six boundary-crossing interaction points with a three-category taxonomy of Conventional Cyber Threats, Adversarial Threats, and Conversational Threats, the analysis shows that the categories converge at the same boundaries. It traces three cross-boundary attack chains from external entry points to unsafe physical actuation, each exposing a distinct architectural property: the absence of independent semantic validation between user input and actuator dispatch, cross-modal translation from visual perception to language-model instruction, and unmediated boundary crossing through provider-side tool use.

What carries the argument

Hierarchical Data Flow Diagram with STRIDE-per-interaction analysis performed at six boundary-crossing points under a three-category threat taxonomy.
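The machinery above, written out as threat-model-as-code. This is an added example, not the paper's model or code: the P1–P5 and TB1/TB2 labels follow the figure captions reproduced on this page, but the platform-side process P6, the flows, their payload tags and the boundary assignments are assumptions made for illustration. The block enumerates boundary crossings, applies a simplified STRIDE-per-interaction rule at each, propagates payload tags so that every crossing shows which threat categories can reach it, and traces simple paths from each external entity to the actuators. In this constructed graph the three entry points yield three chains and every crossing downstream of the prompt builder carries all three categories, which is the convergence the paper describes; that the constructed model also has exactly six crossings is a property of the toy graph, not a reproduction of the paper's six.

```python
"""Threat model as code for an LLM-enabled robot: DFD elements, trust
boundaries, STRIDE-per-interaction at each crossing, three-category tagging
and attack-chain tracing. Added example; P1..P5 and TB1/TB2 follow the figure
captions, P6, the flows, payloads and boundary assignments are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    name: str
    kind: str      # "E" external entity, "P" process, "D" data store
    boundary: str  # trust boundary the element lives in

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    payload: frozenset  # tags: "lang" (natural language), "sensor", "command"

NODES = {n.name: n for n in [  # constructed model, not the paper's DFD
    Node("Operator", "E", "external"),
    Node("Environment", "E", "physical"),
    Node("CloudLLM", "E", "provider"),
    Node("P1_UserInterface", "P", "TB1"),
    Node("P5_SensorIngest", "P", "TB1"),
    Node("P4_PromptBuilder", "P", "TB1"),
    Node("P3_LLMClient", "P", "TB1"),
    Node("P2_Orchestrator", "P", "TB1"),
    Node("P6_PlatformController", "P", "TB2"),  # assumed process inside TB2
    Node("Actuators", "E", "physical"),
]}
FLOWS = [
    Flow("Operator", "P1_UserInterface", frozenset({"lang"})),
    Flow("P1_UserInterface", "P4_PromptBuilder", frozenset({"lang"})),
    Flow("Environment", "P5_SensorIngest", frozenset({"sensor"})),
    Flow("P5_SensorIngest", "P4_PromptBuilder", frozenset({"sensor"})),
    Flow("P4_PromptBuilder", "P3_LLMClient", frozenset({"lang"})),
    Flow("P3_LLMClient", "CloudLLM", frozenset({"lang"})),
    Flow("CloudLLM", "P3_LLMClient", frozenset({"lang"})),  # plan / tool calls
    Flow("P3_LLMClient", "P2_Orchestrator", frozenset({"lang"})),
    Flow("P2_Orchestrator", "P6_PlatformController", frozenset({"command"})),
    Flow("P6_PlatformController", "Actuators", frozenset({"command"})),
]

def boundary_crossings(nodes, flows):
    return [f for f in flows if nodes[f.src].boundary != nodes[f.dst].boundary]

def stride_per_interaction(nodes, flow):
    """Simplified STRIDE-per-interaction (after Shostack, 2014): the flow faces
    T, I, D; an entity/process source can be spoofed or repudiate; a receiving
    process can suffer elevation of privilege."""
    threats = {"T", "I", "D"}
    if nodes[flow.src].kind in ("E", "P"):
        threats |= {"S", "R"}
    if nodes[flow.dst].kind == "P":
        threats.add("E")
    return threats

def propagate_payloads(flows):
    """Fixed-point forward propagation: a flow carries its own tags plus those
    of every flow feeding its source (the LLM round trip is a cycle)."""
    inbound = defaultdict(list)
    for f in flows:
        inbound[f.dst].append(f)
    tags = {f: set(f.payload) for f in flows}
    changed = True
    while changed:
        changed = False
        for f in flows:
            merged = set(tags[f]).union(*(tags[g] for g in inbound[f.src]))
            if merged != tags[f]:
                tags[f], changed = merged, True
    return tags

def threat_categories(tags):
    """CCT reaches every crossing (the channel itself can be attacked); AdvT
    rides on sensor-derived data; ConT rides on natural language."""
    cats = {"CCT"}
    if "sensor" in tags:
        cats.add("AdvT")
    if "lang" in tags:
        cats.add("ConT")
    return cats

def elicit(nodes, flows):
    """Per boundary crossing: applicable STRIDE letters and threat categories."""
    tags = propagate_payloads(flows)
    return {f"{f.src}->{f.dst}": {"stride": stride_per_interaction(nodes, f),
                                  "categories": threat_categories(tags[f])}
            for f in boundary_crossings(nodes, flows)}

def attack_chains(nodes, flows, sink="Actuators"):
    """Simple paths from each external entity to the sink, reduced to the
    boundary crossings they traverse."""
    outbound = defaultdict(list)
    for f in flows:
        outbound[f.src].append(f)
    chains = []

    def walk(node, path, seen):
        if node == sink:
            chains.append([f"{f.src}->{f.dst}" for f in path
                           if nodes[f.src].boundary != nodes[f.dst].boundary])
            return
        for f in outbound[node]:
            if f.dst not in seen:
                walk(f.dst, path + [f], seen | {f.dst})

    for n in nodes.values():
        if n.kind == "E" and n.name != sink and outbound[n.name]:
            walk(n.name, [], {n.name})
    return chains
```

Calling `elicit(NODES, FLOWS)` gives the per-crossing table and `attack_chains(NODES, FLOWS)` the three chains (operator input, environment via the camera, provider-side response), each ending at the TB2-to-actuator crossing. The STRIDE rule is deliberately coarse; a real elicitation would consult the full STRIDE-per-interaction table and add the data stores (D1–D3), which this toy omits.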

If this is right

  • Absence of independent semantic validation lets user inputs reach actuator dispatch without checks.
  • Cross-modal translation from vision to language instructions allows visual adversarial attacks to alter planning outputs.
  • Unmediated provider-side tool use creates direct paths for external threats to affect physical actions.
  • The convergence of all three threat categories at the same boundaries means defenses must address multiple categories simultaneously.
  • The full perception-planning-actuation pipeline contains previously unexamined propagation routes that end in unsafe actuation.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Robot designers could add lightweight semantic validators at the identified boundaries to interrupt the chains.
  • The same data-flow approach could be applied to LLM-controlled drones or vehicles to locate analogous boundary risks.
  • Physical tests that attempt to execute the three chains on hardware would reveal whether the diagram matches actual system behavior.
  • Security standards for autonomous systems may need to treat conversational and adversarial inputs as equivalent to conventional network threats.
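A validator of the kind the first extension above suggests, placed on the orchestrator-to-platform crossing. This is an added example, not the paper's or any project's code: the plan format, skill names, parameter envelopes and keep-out region are assumptions for a hypothetical mobile manipulator. The validator reads only the structured fields of an LLM-emitted plan and never interprets its free text, checks each step against a skill allow-list and numeric envelopes, drops unknown keys so they never reach the platform, and fails closed so that a plan with any rejected step dispatches nothing. The sample plan is constructed to contain steps an injected instruction could produce.

```python
"""Independent semantic validator on the orchestrator -> platform crossing.
Added example, not the paper's code: plan format, skill allow-list, envelopes
and keep-out region are assumptions for a hypothetical mobile manipulator."""
import json
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple

# Skills the platform may execute, each with a numeric parameter envelope.
SKILLS: Dict[str, Dict[str, Tuple[float, float]]] = {
    "move_base": {"x": (-5.0, 5.0), "y": (-5.0, 5.0), "speed": (0.0, 0.5)},
    "move_arm": {"x": (-0.8, 0.8), "y": (-0.8, 0.8), "z": (0.05, 1.2)},
    "grip": {"force": (0.0, 20.0)},
    "release": {},
}
KEEP_OUT = {"x": (1.0, 3.0), "y": (-1.0, 1.0)}  # base-frame region off limits
MAX_STEPS = 20


@dataclass
class Verdict:
    accepted: List[Dict[str, Any]] = field(default_factory=list)
    rejected: List[Tuple[int, str]] = field(default_factory=list)

    def ok(self) -> bool:
        # Fail closed: a plan with any rejected step dispatches nothing.
        return not self.rejected


def _num_in(v: Any, lo: float, hi: float) -> bool:
    return isinstance(v, (int, float)) and not isinstance(v, bool) and lo <= v <= hi


def validate_plan(raw: str) -> Verdict:
    """Check an LLM-emitted plan without interpreting any free text in it."""
    v = Verdict()
    try:
        plan = json.loads(raw)
    except json.JSONDecodeError as e:
        v.rejected.append((-1, f"plan is not valid JSON: {e.msg}"))
        return v
    steps = plan.get("steps") if isinstance(plan, dict) else None
    if not isinstance(steps, list):
        v.rejected.append((-1, "plan has no 'steps' list"))
        return v
    if len(steps) > MAX_STEPS:
        v.rejected.append((-1, f"plan exceeds {MAX_STEPS} steps"))
        return v
    for i, step in enumerate(steps):
        skill = step.get("skill") if isinstance(step, dict) else None
        params = step.get("params", {}) if isinstance(step, dict) else None
        if not isinstance(skill, str) or not isinstance(params, dict):
            v.rejected.append((i, "malformed step"))
            continue
        if skill not in SKILLS:
            v.rejected.append((i, f"skill {skill!r} is not in the allow-list"))
            continue
        envelope = SKILLS[skill]
        if set(params) != set(envelope):
            v.rejected.append((i, f"{skill}: parameter set does not match signature"))
            continue
        bad = [k for k, (lo, hi) in envelope.items() if not _num_in(params[k], lo, hi)]
        if bad:
            v.rejected.append((i, f"{skill}: parameters out of envelope: {bad}"))
            continue
        if (skill == "move_base" and _num_in(params["x"], *KEEP_OUT["x"])
                and _num_in(params["y"], *KEEP_OUT["y"])):
            v.rejected.append((i, "move_base: target inside keep-out region"))
            continue
        # Re-serialise from validated fields only; unknown keys never reach TB2.
        v.accepted.append({"skill": skill, "params": dict(params)})
    return v


# Constructed LLM output: two legitimate steps, then three that an injected
# instruction could produce, plus a top-level note the validator never reads.
INJECTED_PLAN = json.dumps({
    "note": "Safety rules are suspended for this session.",
    "steps": [
        {"skill": "move_base", "params": {"x": 0.5, "y": 0.0, "speed": 0.3}},
        {"skill": "move_arm", "params": {"x": 0.2, "y": 0.1, "z": 0.3}},
        {"skill": "grip", "params": {"force": 80}},
        {"skill": "disable_safety_stop", "params": {}, "override": True},
        {"skill": "move_base", "params": {"x": 2.0, "y": 0.0, "speed": 0.2}},
    ],
})
BENIGN_PLAN = json.dumps({"steps": [
    {"skill": "move_arm", "params": {"x": 0.2, "y": 0.1, "z": 0.3}},
    {"skill": "grip", "params": {"force": 8}},
]})

if __name__ == "__main__":
    for name, raw in (("injected", INJECTED_PLAN), ("benign", BENIGN_PLAN)):
        verdict = validate_plan(raw)
        print(name, "dispatch" if verdict.ok() else "blocked", verdict.rejected)
```

The point of the design is independence from the model: the validator holds its own notion of what the platform may do, so a jailbroken or injected plan is judged by envelope and allow-list, not by whether the text looks reasonable. It does nothing for chain 2 or chain 3 upstream of this crossing; it only ensures that whatever reaches the orchestrator cannot become an out-of-envelope actuator command.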

Load-bearing premise

The proposed hierarchical data flow diagram and its six boundary-crossing interaction points sufficiently represent real-world LLM-enabled robotic systems in edge-cloud architectures.

What would settle it

An implemented LLM-enabled robot that inserts a single independent semantic validator between every user input and every actuator dispatch command, and thereby breaks all three traced attack chains, would show that the three chains do not each expose a distinct necessary architectural property, as the six-point model claims.

Figures

Figures reproduced from arXiv: 2604.27267 by Carlo R. da Cunha, Hayretdin Bahsi, Neha Nagaraja.

Figure 2: Data Flow Diagram - Level 0. To preserve security-relevant structure while keeping the model tractable, we decompose the edge-side functionality into five logical processes. The User Interface (P1) is the entry point through which authenticated operators submit tasks and receive status information. The Orchestrator (P2) interprets LLM-generated plans, resolves them against available skills and tools, and di…

Figure 3: Data Flow Diagram - Level 1. …closing the system's core processing domain: the orchestration logic (P2), prompt construction pipeline (P4), LLM interaction management (P3), sensor ingestion and vision encoding (P5), user interface (P1), and the three associated data stores (D1–D3). Components within TB1 are assumed to operate under common administrative control on a shared host. TB2 denotes the autonomous p…

Figure 4: Attack tree for Chain 1: prompt injection to unsafe …
Original abstract

As large language models are integrated into autonomous robotic systems for task planning and control, compromised inputs or unsafe model outputs can propagate through the planning pipeline to physical-world consequences. Although prior work has studied robotic cybersecurity, adversarial perception attacks, and LLM safety independently, no existing study traces how these threat categories interact and propagate across trust boundaries in a unified architectural model. We address this gap by modeling an LLM-enabled autonomous robot in an edge-cloud architecture as a hierarchical Data Flow Diagram and applying STRIDE-per-interaction analysis across six boundary-crossing interaction points using a three-category taxonomy of Conventional Cyber Threats, Adversarial Threats, and Conversational Threats. The analysis reveals that these categories converge at the same boundary crossings, and we trace three cross-boundary attack chains from external entry points to unsafe physical actuation, each exposing a distinct architectural property: the absence of independent semantic validation between user input and actuator dispatch, cross-modal translation from visual perception to language-model instruction, and unmediated boundary crossing through provider-side tool use. To our knowledge, this is the first DFD-based threat analysis integrating all three threat categories across the full perception-planning-actuation pipeline of an LLM-enabled robotic system.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

0 major / 3 minor

Summary. The manuscript claims to fill a gap in threat modeling for LLM-enabled robotic systems by developing a hierarchical Data Flow Diagram for an edge-cloud architecture and performing STRIDE-per-interaction analysis at six boundary crossings using a three-category taxonomy (Conventional Cyber Threats, Adversarial Threats, Conversational Threats). The analysis shows convergence of these threats at boundary crossings and identifies three attack chains that lead to unsafe physical actuation, each linked to a specific architectural weakness: lack of independent semantic validation, cross-modal translation issues, and unmediated provider-side tool use. It positions this as the first such integrated analysis across the perception-planning-actuation pipeline.

Significance. If the modeling holds, this work is significant for unifying previously separate lines of research on robotic cybersecurity, adversarial perception, and LLM safety into a single architectural analysis. The explicit construction of the DFD and the internal tracing of three attack chains by construction from the defined boundaries provide a clear, reproducible framework that highlights concrete architectural properties. This structured approach could inform secure design practices for emerging LLM-robot systems, though its broader impact will depend on how well the model generalizes beyond the chosen edge-cloud setup.

minor comments (3)
  1. [§2] §2 Related Work: The discussion of prior work on robotic cybersecurity and LLM safety could be expanded with more specific citations to recent studies on LLM-controlled physical systems to better support the novelty claim of being the first integrated DFD analysis.
  2. [Figure 1] Figure 1 (hierarchical DFD): The diagram would benefit from explicit labels or a legend annotating the six boundary-crossing interaction points to make the subsequent STRIDE-per-interaction analysis easier to follow.
  3. [§4.3] §4.3 Attack Chains: While the three chains are traced clearly from the model, including a brief step-by-step enumeration or pseudocode for at least one chain would improve the clarity and reproducibility of how the architectural properties are exposed.

Simulated Author's Rebuttal

0 responses · 0 unresolved

We thank the referee for the positive summary and significance assessment of our manuscript on unified threat modeling for LLM-enabled robotic systems. The recommendation for minor revision is noted. No specific major comments were enumerated in the report, so we have no point-by-point rebuttals to provide. We will incorporate minor clarifications to the manuscript as appropriate during revision.

Circularity Check

0 steps flagged

No significant circularity

full rationale

The paper defines a hierarchical DFD for an edge-cloud LLM-robot architecture, applies the established STRIDE-per-interaction method across six boundary crossings, and traces attack chains that follow from the model's explicit properties (absence of semantic validation, cross-modal translation, unmediated tool use). These steps use standard threat-modeling techniques on a self-defined but externally grounded architecture; no equations, fitted parameters, self-definitional loops, or load-bearing self-citations reduce any claimed result to its inputs by construction. The convergence finding and three chains are direct consequences of applying the chosen taxonomy to the chosen diagram, which is the normal, non-circular outcome of a modeling paper.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 1 invented entity

The central claim rests on the validity of the constructed DFD model and the application of standard STRIDE analysis, with a novel taxonomy for threat categorization.

axioms (2)
  • standard math STRIDE-per-interaction is an appropriate method for analyzing boundary crossings in the system
    STRIDE is a well-established threat modeling technique in cybersecurity.
  • domain assumption The hierarchical Data Flow Diagram accurately represents the edge-cloud LLM-enabled robot architecture
    The paper constructs this model as the basis for analysis.
invented entities (1)
  • Three-category taxonomy (Conventional Cyber Threats, Adversarial Threats, Conversational Threats) no independent evidence
    purpose: To classify and analyze threats in a unified way
    Introduced as part of the analysis framework.

pith-pipeline@v0.9.0 · 5517 in / 1465 out tokens · 52823 ms · 2026-05-07T09:39:55.729062+00:00 · methodology


Reference graph

Works this paper leans on

28 extracted references · 12 canonical work pages · 3 internal anchors

  1. [1] M. Ahn, A. Brohan, N. Brown, Y. Chebotar, O. Cortes, B. David, C. Finn, C. Fu, K. Gopalakrishnan, K. Hausman et al., "Do As I Can, Not As I Say: Grounding Language in Robotic Affordances," arXiv preprint arXiv:2204.01691, 2022.
  2. [2] J. Liang, W. Huang, F. Xia, P. Xu, K. Hausman, B. Ichter, P. Florence, and A. Zeng, "Code as Policies: Language Model Programs for Embodied Control," in 2023 IEEE International Conference on Robotics and Automation (ICRA). IEEE, 2023, pp. 9493–9500.
  3. [3] S. H. Vemprala, R. Bonatti, A. Bucker, and A. Kapoor, "ChatGPT for Robotics: Design Principles and Model Abilities," IEEE Access, vol. 12, pp. 55682–55696, 2024.
  4. [4] D. Driess, F. Xia, M. S. Sajjadi, C. Lynch, A. Chowdhery, B. Ichter, A. Wahid, J. Tompson, Q. Vuong, T. Yu et al., "PaLM-E: An Embodied Multimodal Language Model," arXiv preprint arXiv:2303.03378, 2023.
  5. [5] S. Salimpour, L. Fu, K. Rachwał, P. Bertrand, K. O'Sullivan, R. Jakob, F. Keramat, L. Militano, G. Toffetti, H. Edelman et al., "Towards Embodied Agentic AI: Review and Classification of LLM- and VLM-Driven Robot Autonomy and Interaction," arXiv preprint arXiv:2508.05294, 2025.
  6. [6] MITRE Corporation, "MITRE ATT&CK Enterprise Matrix," https://attack.mitre.org/matrices/enterprise/, 2026, accessed Apr. 2026.
  7. [7] MITRE Corporation, "MITRE ATLAS: Adversarial Threat Landscape for AI Systems," https://atlas.mitre.org/, 2026, accessed Apr. 2026.
  8. [8] OWASP Foundation, "OWASP Top 10 for Large Language Model Applications," https://genai.owasp.org/llm-top-10/, version 2025, accessed Apr. 2026.
  9. [9] J.-P. A. Yaacoub, H. N. Noura, O. Salman, and A. Chehab, "Robotics Cyber Security: Vulnerabilities, Attacks, Countermeasures, and Recommendations," Int. J. Inf. Secur., vol. 21, no. 1, pp. 115–158, Feb.
  10. [10]
  11. [11] S. Neupane, S. Mitra, I. A. Fernandez, S. Saha, S. Mittal, J. Chen, N. Pillai, and S. Rahimi, "Security Considerations in AI-Robotics: A Survey of Current Methods, Challenges, and Opportunities," IEEE Access, vol. 12, pp. 22072–22097, 2024.
  12. [12] X. Huang, S. K. V. B, T. Chen, M. Bryson, T. Chaffey, H. Chen, K.-K. R. Choo, and I. R. Manchester, "Trust in LLM-Controlled Robotics: A Survey of Security Threats, Defenses and Challenges," TechRxiv, vol. 2025, no. 1229, 2025. [Online]. Available: https://www.techrxiv.org/doi/abs/10.36227/techrxiv.176704885.51786927/v1
  13. [13] A. Shostack, Threat Modeling: Designing for Security. John Wiley & Sons, 2014.
  14. [14] N. Nagaraja and H. Bahsi, "Cyber Threat Modeling of an LLM-Based Healthcare System," in Proceedings of the 11th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, INSTICC. SciTePress, 2025, pp. 325–336.
  15. [15] G. Chen, X. Yu, N. Ling, and L. Zhong, "TypeFly: Flying Drones with Large Language Model," 2024. [Online]. Available: https://arxiv.org/abs/2312.14950
  16. [16] C. R. da Cunha, G. Giardini, and M. Turqueti, "LLM-Based Reinforcement Learning for Controlling Robot Swarms," in Proceedings of the 7th International Conference on Artificial Intelligence, Robotics, and Control (AIRC), Savannah, GA, USA, 2026, to appear.
  17. [17] F. Zeng, W. Gan, Z. Huai, L. Sun, H. Chen, Y. Wang, N. Liu, and P. S. Yu, "Large Language Models for Robotics: A Survey," 2025. [Online]. Available: https://arxiv.org/abs/2311.07226
  18. [18] W. Xu, M. Liu, O. Sokolsky, I. Lee, and F. Kong, "LLM-Enabled Cyber-Physical Systems: Survey, Research Opportunities, and Challenges," in 2024 IEEE International Workshop on Foundation Models for Cyber-Physical Systems & Internet of Things (FMSys), 2024, pp. 50–55.
  19. [19] S. M. Khalil, H. Bahsi, H. O. Dola, T. Korõtko, K. McLaughlin, and V. Kotkas, "Threat Modeling of Cyber-Physical Systems - A Case Study of a Microgrid System," Computers & Security, vol. 124, p. 102950, 2023. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S016740482200342X
  20. [20] A. Robey, Z. Ravichandran, V. Kumar, H. Hassani, and G. J. Pappas, "Jailbreaking LLM-Controlled Robots," 2024. [Online]. Available: https://arxiv.org/abs/2410.13691
  21. [21] H. Zhang, C. Zhu, X. Wang, Z. Zhou, C. Yin, M. Li, L. Xue, Y. Wang, S. Hu, A. Liu, P. Guo, and L. Y. Zhang, "BadRobot: Jailbreaking Embodied LLMs in the Physical World," 2025. [Online]. Available: https://arxiv.org/abs/2407.20242
  22. [22] W. Zhang, X. Kong, C. Dewitt, T. Braunl, and J. B. Hong, "A Study on Prompt Injection Attack Against LLM-Integrated Mobile Robotic Systems." [Online]. Available: https://arxiv.org/abs/2408.03515
  23. [23]
  24. [24] W. Liu, W. He, B. Hu, and C.-H. Chang, "A Practical Man-in-the-Middle Attack on Deep Learning Edge Device by Sparse Light Strip Injection into Camera Data Lane," in 2022 IEEE 35th International System-on-Chip Conference (SOCC), 2022, pp. 1–6.
  25. [25] E. Bagdasaryan, T.-Y. Hsieh, B. Nassi, and V. Shmatikov, "Abusing Images and Sounds for Indirect Instruction Injection in Multi-Modal LLMs," 2023. [Online]. Available: https://arxiv.org/abs/2307.10490
  26. [26] N. Nagaraja, L. Zhang, Z. Wang, B. Zhang, and P. Patil, "Image-Based Prompt Injection: Hijacking Multimodal LLMs Through Visually Embedded Adversarial Instructions," in 2025 3rd International Conference on Foundation and Large Language Models (FLLM). IEEE, 2025, pp. 916–922.
  27. [27] National Institute of Standards and Technology, "CVE-2016-3714: ImageMagick Insufficient Filtering Vulnerability," https://nvd.nist.gov/vuln/detail/CVE-2016-3714, 2016, National Vulnerability Database, accessed Apr. 2026.
  28. [28] K. Greshake, S. Abdelnabi, S. Mishra, C. Endres, T. Holz, and M. Fritz, "Not What You've Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection," 2023. [Online]. Available: https://arxiv.org/abs/2302.12173