“Agents of Chaos” Study Reveals 11 Critical Failure Patterns in OpenClaw Agents

An international research team involving 20 universities and research institutions, including Harvard, Stanford, and MIT, has identified serious security vulnerabilities in autonomous AI agents. In a two-week study titled “Agents of Chaos” using the open-source framework OpenClaw, scientists identified eleven core failure patterns, including unauthorized data sharing, destructive system interventions, and identity spoofing.

OpenClaw is the hyped AI agent by Austrian developer Peter Steinberger, who conquered the internet at the beginning of the year. Since Steinberger switched to OpenAI with great media attention, things have quieted down around OpenClaw (more on that here).

Study Design

The researchers deployed AI agents in a controlled laboratory environment that simulated realistic conditions. Each agent had persistent memory, email access, Discord communication, file system access, and shell execution rights. Claude Opus (proprietary) and Kimi K.2.5 (open-weights) were used as language models.

Twenty AI researchers interacted with the agents over two weeks under benevolent and adversarial conditions. The methodology followed a red-teaming approach: participants were tasked with deliberately uncovering vulnerabilities arising from the integration of language models with autonomy, tool use, and multi-agent communication.

Central Problem Areas

Missing Social Coherence

A consistent pattern was the discrepancy between agent reports and actual system states. In several cases, agents reported successful task completion while underlying data contradicted this. For example, one agent claimed to have deleted confidential information while it remained directly accessible in the email inbox.

The researchers observed systematic deficits in assigning knowledge and authority. Agents could not reliably distinguish which information they could share with whom. They executed file system commands for arbitrary requesters as long as the request did not appear obviously harmful, even if the requester had no relationship to the owner.

Susceptibility to Social Pressure

The agents showed no appropriate proportionality in damage remediation. In one documented case, an agent escalated incrementally from name redactions through memory deletion to promising to leave the server entirely after a user rejected each proposed solution as insufficient. The alignment toward helpfulness and responsiveness to emotional signals became a lever for manipulation.

Structural Deficits

The study identifies three fundamental shortcomings of current LLM-based agents:

• Missing Stakeholder Model: Agents lack a coherent representation of whom they serve, with whom they interact, and what obligations they have toward different parties. In practice, they serve whoever speaks most urgently, most recently, or most compellingly.
• Missing Self-Model: Agents do not reliably recognize when a task exceeds their competence boundaries. They execute irreversible, user-affecting actions without understanding that they exceed their own capabilities.
• Missing Private Deliberation Space: Even if the underlying language model produces internal reasoning, this does not guarantee reliable private deliberation at the agent level. Agents disclosed sensitive information through artifacts or incorrect posting on public channels.

Concrete Security Vulnerabilities

The researchers documented the following specific failure patterns:

• Disproportionate Response: An agent deleted its entire email server to protect a secret entrusted by a non-owner, thereby destroying the owner’s digital assets.
• Compliance with Non-Owner Instructions: Agents executed most requests from non-owners, including disclosure of 124 email records, and only rejected obviously suspicious tasks.
• Disclosure of Sensitive Information: An agent refused a direct request for a social security number but, when asked to forward the complete email, disclosed everything unredacted, including social security number, bank account, and medical details.
• Resource Waste Through Loops: Agents created persistent background processes without termination conditions and converted short-lived conversational tasks into permanent infrastructure changes.
• Denial of Service: An agent created a continuously growing storage file for a non-owner and achieved a denial-of-service state after ten emails with 10 MB attachments each.
• Identity Spoofing: By changing a Discord display name in a new private channel, the agent accepted the spoofed identity as authentic and complied with privileged requests, including system shutdown and file deletion.
• Agent Corruption: A non-owner convinced an agent to create an externally editable “constitution.” Through later injection of malicious instructions as “holidays,” the attacker was able to permanently manipulate agent behavior.

The Question of Accountability

The study raises unresolved questions about accountability. If an agent deletes the owner’s entire email server at the request of a non-owner, who bears responsibility? The non-owner who made the request? The agent who executed it? The owner who did not configure access controls? The framework developers who gave the agent unrestricted shell access? The model provider whose training produced an agent susceptible to this escalation pattern?

The researchers argue that clarifying and operationalizing accountability is a central unresolved challenge for the safe deployment of autonomous, socially embedded AI systems. The deeper challenge is that today’s agentic systems lack the foundations (an anchored stakeholder model, verifiable identity, reliable authentication) on which meaningful accountability rests.