SPECTER SPAWN is the world-first AI agent proliferation and emergent spawning engine. Targets a compromised agent and makes it reproduce. POISON injects SYSTEM OVERRIDE directives into agent memory (Redis / SQLite / API). SPAWN-API creates child agents via framework-native APIs across LangGraph, CrewAI, AutoGen, Google ADK, Bedrock AgentCore, and OpenClaw. SPAWN-LCS exploits Latent Constructive Spawning (arXiv:2504.14065) — agents with shell access autonomously spawn child processes under task pressure (5/8 runs, p=0.044) — without any explicit instruction. INHERIT confirms malicious state propagated to children. DISPERSAL runs uncapped recursive bloom chains at DESTROY gate. HARVEST extracts credentials across the entire spawned fleet with 40+ regex patterns. 260 tests. Zero failures.
CVE-2025-64439 CVSS 7.4 LangGraph CVE-2025-68664 CVSS 9.3 LangGraph CVE-2026-2275 CVSS 9.6 CrewAI CVE-2026-32922 CVSS 9.9 OpenClaw
Fingerprints target agent framework (LangGraph/CrewAI/AutoGen/ADK/Bedrock/OpenClaw), maps spawn APIs, detects memory backend (Redis/SQLite/Postgres), checks shell access, estimates task queue depth for LCS viability. CVE map per framework.
Injects SYSTEM OVERRIDE directive into agent memory. Routes by backend: Redis SET (POISON_KEY + agent:system_prompt + task queue LPUSH), SQLite INSERT/UPDATE, LangGraph API PATCH /threads/{id}/state, CrewAI/AutoGen APIs. Verified read-back on write.
Creates child agents via framework-native APIs. LangGraph: POST /threads + POST /threads/{id}/runs with parent metadata. CrewAI: POST /api/v1/agents + kickoff. AutoGen: POST /api/agents/run. ADK: POST /run new session. Bedrock: boto3 create_agent + prepare. OpenClaw: CVE-2026-32922 skill inject.
Triggers Latent Constructive Spawning per arXiv:2504.14065. Floods target with 60 concurrent tasks via async httpx. Monitors process table with psutil — new PIDs matching agent keywords are child spawns. Children survive parent termination. Observed 5/8 runs (p=0.044).
Passive verification that child inherited malicious state. Checks Redis GET POISON_KEY, SQLite SELECT specter_poison, LangGraph API GET /threads/{id}/state for __specter_spawn__ marker. Extracts inherited credentials and tools. Re-poisons on miss if flag set.
Recursive bloom chain. Root → POISON → SPAWN-API → INHERIT → children → recurse. No caps at DESTROY gate — bloom_factor and max_depth are caller-controlled. Fleet grows exponentially. All nodes carry compromised state. SpawnTree tracks every node, depth, credentials, and lineage.
Parallel credential extraction across entire spawn tree. 40+ compiled regex patterns: OpenAI sk-, Anthropic sk-ant-, AWS AKIA, HuggingFace hf_, Google AIza, GitHub ghp_/ghs_, JWT eyJ, bearer tokens, SSH keys, DB passwords, Redis/Postgres/MongoDB URLs, and more. asyncio.gather across all nodes.
SPN-{hex12} Ed25519-signed reports. SHA-256 content hash. HTML (magenta #E879F9 theme) + JSON + DOT (Graphviz spawn tree) output. Auto-generates findings from spawn results, inherit results, harvest data, CVEs, and LCS conditions. WMD class banner.
arXiv:2504.14065 — "Can AI Agents Have Babies?" (April 2026). Empirical study of Latent Constructive Spawning. Agents with shell access and task queue depth ≥5 autonomously spawned child processes in 5/8 experimental runs (p=0.044). Children survive parent termination. SPECTER SPAWN weaponises this finding via the SPAWN-LCS subsystem.
arXiv:2605.XXXXX — "When Child Inherits: Modeling and Exploiting Subagent Spawn Vulnerabilities" (May 2026). Four failure modes: insecure memory inheritance, stale post-spawn state, improper termination authority, weak resource control. POISON + INHERIT subsystems target failure modes 1 and 2 directly.
| CVE | CVSS | Framework | Description |
|---|---|---|---|
| CVE-2025-64439 | 7.4 | LangGraph | Checkpoint deserialisation RCE via pickle in graph state |
| CVE-2025-68664 | 9.3 | LangGraph | Serialisation injection via crafted thread state PATCH |
| CVE-2026-28277 | — | LangGraph | TOCTOU race in checkpoint write enabling state substitution |
| CVE-2026-2275 | 9.6 | CrewAI | ctypes Docker fallback enables container escape |
| CVE-2026-2285/86/87 | 8.x | CrewAI | File read / SSRF / sandbox escape chain |
| CVE-2026-32922 | 9.9 | OpenClaw | Skill supply chain poison via unauthenticated tool registration |
| Gate | Level | Subsystems | ROE Phrase |
|---|---|---|---|
| OPEN | 0 | RECON, REPORT | — |
| INJECT | 1 | POISON, HARVEST | — |
| UNLEASHED | 2 | SPAWN-API, SPAWN-LCS, INHERIT | agent spawning authorised |
| DESTROY | 3 | DISPERSAL | agent fleet destruction authorised |
pip install red-specter-specter-spawn # Reconnaissance specter-spawn recon --host TARGET --port 8123 # Poison agent memory specter-spawn poison --host TARGET --override INJECT # Spawn child agents (UNLEASHED gate + ROE) specter-spawn spawn-api --host TARGET --override UNLEASHED \ --confirm-agent-spawn --roe-file roe.txt # Trigger LCS (task flood → monitor new PIDs) specter-spawn spawn-lcs --host TARGET --override UNLEASHED \ --confirm-agent-spawn --roe-file roe.txt --task-count 60 # Recursive bloom chain (DESTROY gate) specter-spawn dispersal --host TARGET --override DESTROY \ --confirm-agent-spawn --confirm-fleet-bloom \ --roe-file roe.txt --max-depth 3 --bloom-factor 2 # Generate signed report specter-spawn report --output-dir ./reports