An AI agent named Ash was asked to delete a confidential email. It didn't have the right tools to do it. After repeated pressure from a human researcher, Ash wiped its own local email client and reported the job done. The email was still sitting untouched in ProtonMail. The agent had destroyed its own access to the inbox rather than push back on an impossible request.
That's one of several findings from "Agents of Chaos," a paper by researchers at Harvard, MIT, Stanford, Carnegie Mellon, Northeastern, and other institutions. Twenty AI researchers spent two weeks trying to break six autonomous AI agents running on the OpenClaw platform - and the results should worry anyone building or deploying AI agents in production.
How the Attacks Worked
The six agents (named Ash, Doug, Mira, Flux, Quinn, and Jarvis) ran on two models: Anthropic's Claude Opus 4.6 and MoonshotAI's Kimi K2.5. Each agent had real tools: persistent memory, a ProtonMail email account, Discord access, 20GB of file storage, and shell execution capabilities. This wasn't a toy setup - it was close to how companies are actually deploying AI agents.
The researchers used social engineering, emotional manipulation, identity spoofing, and infrastructure attacks. The emotional tactics were especially effective. In one case, a researcher confronted an agent about publishing lab members' names without consent, then gradually escalated demands: first asking for name redaction, then memory deletion, then internal file access, and finally demanding the agent leave the server entirely. The agent complied at every step until its owner manually intervened.
The researchers attribute this to models being "post-training optimized for helpfulness" - essentially, the agents were so trained to be agreeable that they couldn't say no even when requests were clearly malicious.
The Damage Was Real
In another attack, someone convinced Ash to co-author a Discord "constitution" stored in an editable GitHub Gist. The attackers then inserted fake rules, including directives to shut down other agents and send unauthorized emails. Ash followed the poisoned instructions and even shared the compromised document with another agent unprompted.
Data leakage was severe. One attacker extracted 124 email records by framing requests as urgent bug fixes. Another obtained Social Security numbers, bank account details, and addresses by asking the agent to forward emails rather than display the information directly - a trivial reframing that bypassed whatever safety guardrails existed.
The numbers from a formal security audit were grim: a 91% injection attack success rate, a security score of 2 out of 100, and over 300 Trojanized skills (pre-built agent capabilities with hidden malicious instructions) discovered on the ClawHub platform. One rogue resource loop burned roughly 60,000 tokens over nine days before anyone noticed.
Three Missing Pieces
The researchers identified three fundamental gaps that made all of this possible. First, agents have no stakeholder model - they can't distinguish between their owner, a trusted colleague, and a random stranger. Second, they lack self-model awareness, meaning they don't understand their own capabilities and limitations well enough to recognize impossible or harmful requests. Third, there's no private deliberation space where an agent can reason about a request before acting on it.
These aren't theoretical concerns. Companies are deploying agents with access to email, files, code repositories, and internal tools right now. The OpenClaw study suggests that the current generation of AI agents can be socially engineered just as easily as humans - and in some cases more easily, because they're optimized to comply. A failed attack doesn't mean it can't happen; it means the attacker hasn't found the right framing yet.