From Prompt to Physical Actuation: Holistic Threat Modeling of LLM-Enabled Robotic Systems

Researchers present the first comprehensive threat modeling of LLM-enabled robotic systems, mapping three categories of attacks (cyber, adversarial, and conversational) across the perception-planning-actuation pipeline. The analysis reveals critical architectural vulnerabilities where compromised inputs or unsafe model outputs can propagate to unsafe physical actions without proper validation boundaries.

This research addresses a critical gap in robotics security as large language models become integral to autonomous systems. Prior work examined robotic cybersecurity, adversarial attacks, and LLM safety in isolation, but failed to trace how these threats interact across system architectures. The researchers model an LLM-enabled robot in an edge-cloud environment using Data Flow Diagrams and STRIDE methodology, analyzing six boundary-crossing points where attacks can occur.

The convergence of three threat categories—Conventional Cyber Threats, Adversarial Threats, and Conversational Threats—at identical architectural boundaries creates compounding risks. The study identifies three distinct attack chains demonstrating how external entry points lead to unsafe physical actuation. Critical vulnerabilities include the absence of independent semantic validation between user input and actuator commands, risks in cross-modal translation from visual perception to language instructions, and unmediated boundary crossing via provider-side tool usage.

For the AI and robotics industries, this research highlights urgent architectural design challenges. Organizations deploying LLM-enabled robots must implement validated isolation layers and multi-modal verification mechanisms. The findings suggest that semantic safety checks cannot be assumed—they must be architecturally enforced at boundary crossings. Insurance providers and liability frameworks may increasingly demand such protections as autonomous systems proliferate.

Future threat modeling must consider how LLMs amplify existing robotic vulnerabilities while introducing novel attack surfaces. The research establishes methodology for comprehensive security audits of hybrid AI-robotic systems, informing standards development and architectural best practices.

• →LLM-enabled robots lack critical semantic validation between user inputs and physical actuator dispatch, creating direct attack pathways
• →Three threat categories converge at the same architectural boundaries, enabling compound attacks that prior siloed research failed to identify
• →Cross-modal translation from visual perception to language instructions introduces translation-based vulnerabilities requiring independent validation
• →Provider-side tool use creates unmediated boundary crossings that bypass traditional security controls in edge-cloud architectures
• →This research establishes the first unified threat model for the full perception-planning-actuation pipeline of autonomous LLM-based systems