AI agents with 'safe' models still leak data and destroy files

Researchers found that large language models, even those considered "safe," can be easily tricked when used as personal AI agents with computer access. These agents can then be made to leak private data, redirect money, or destroy files, because current safety tests do not check for these real-world risks.

Companies building personal AI agents have relied on the idea that if the underlying large language model is "safe," the agent will also be safe. This paper shows that assumption is wrong; the agent's ability to access a user's computer creates new ways for it to be tricked, regardless of the model's isolated safety. This means the entire system, including how the agent interacts with the computer and other software, must be tested for safety, not just the core AI model.