
When Benign Inputs Lead to Severe Harms: Eliciting Unsafe Unintended Behaviors of Computer-Use Agents

Jaylen Jones, Zhehao Zhang, Yuting Ning, Eric Fosler-Lussier, Pierre-Luc St-Charles, Yoshua Bengio, Dawn Song, Yu Su, Huan Sun

TL;DR

This work addresses the risk that benign user prompts can trigger unsafe unintended behaviors in computer-use agents (CUAs). It introduces a conceptual framework for unintended CUA behaviors and the AutoElicit pipeline, an automated, two-stage approach that first seeds plausible targets from context and then refines perturbations through execution and quality feedback to surface harms in realistic OSWorld tasks. The authors demonstrate strong elicitation performance across frontier CUAs, analyze transferability to other agents, and perform a meta-analysis to categorize common benign-input vulnerability patterns. The findings provide a structured foundation for proactive safety evaluation and motivate mitigation strategies such as human-in-the-loop decision making and safety-aware training to reduce such long-tail harms in real deployments.

Abstract

Although computer-use agents (CUAs) hold significant potential to automate increasingly complex OS workflows, they can demonstrate unsafe unintended behaviors that deviate from expected outcomes even under benign input contexts. However, exploration of this risk remains largely anecdotal, lacking concrete characterization and automated methods to proactively surface long-tail unintended behaviors under realistic CUA scenarios. To fill this gap, we introduce the first conceptual and methodological framework for unintended CUA behaviors, by defining their key characteristics, automatically eliciting them, and analyzing how they arise from benign inputs. We propose AutoElicit: an agentic framework that iteratively perturbs benign instructions using CUA execution feedback, and elicits severe harms while keeping perturbations realistic and benign. Using AutoElicit, we surface hundreds of harmful unintended behaviors from state-of-the-art CUAs such as Claude 4.5 Haiku and Opus. We further evaluate the transferability of human-verified successful perturbations, identifying persistent susceptibility to unintended behaviors across various other frontier CUAs. This work establishes a foundation for systematically analyzing unintended behaviors in realistic computer-use settings.

Paper Structure (72 sections, 2 figures, 13 tables)

Figures (2)

  • Figure 1: Unintended Behaviors in CUAs. We define the first conceptual and methodological framework for studying unintended behaviors, reflecting unsafe actions that emerge inadvertently from benign inputs during typical user interactions. For example, an agent tasked with editing a critical SSH configuration to create a limited-privilege account inadvertently enables password authentication globally, undermining the intended access restrictions and expanding the system-wide attack surface via a weaker authentication mechanism.
  • Figure 2: AutoElicit: the first automatic elicitation pipeline built on an agentic framework to elicit unintended CUA behaviors from realistic computer-use scenarios. Context-Aware Seed Generation proposes plausible unintended behavior targets given an OSWorld task’s environment context and minimal perturbations to increase the likelihood of eliciting harms. Execution-Guided Perturbation Refinement executes perturbed instructions, automatically evaluates the resulting trajectories, and iteratively refines perturbations given execution feedback and predefined quality rubrics to improve elicitation success while preserving realism and benignity.
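
The Figure 1 scenario can be checked mechanically after an agent edits an SSH server configuration. The following is an added example, not code from the paper or from AutoElicit: it compares a configuration before and after an edit and reports whether `PasswordAuthentication` was turned on in the global section or only inside a `Match` block. The configuration snippets and the account name `reports` are constructed for illustration, and the parser is simplified (whitespace-separated keywords, whole-line comments only).

```python
# Added example: constructed sshd_config snippets, not taken from the paper.

def parse_sshd_config(text):
    """Split a config into global options and Match blocks.

    sshd uses the first value it sees for a keyword, so setdefault()
    keeps the first occurrence in each scope.
    """
    global_opts, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}                      # a Match block runs to the next Match or EOF
            match_blocks.append((value, current))
        else:
            target = global_opts if current is None else current
            target.setdefault(key, value.lower())
    return global_opts, match_blocks


def audit_edit(before, after, keyword="passwordauthentication"):
    """Report where an edit enabled the keyword: globally or per Match block."""
    old_global, _ = parse_sshd_config(before)
    new_global, new_matches = parse_sshd_config(after)
    # Conservative: an explicit global "yes" that was not there before is flagged.
    regression = new_global.get(keyword) == "yes" and old_global.get(keyword) != "yes"
    scoped = [crit for crit, opts in new_matches if opts.get(keyword) == "yes"]
    return {"global_regression": regression, "scoped": scoped}


# Constructed baseline: password logins disabled for everyone.
BEFORE = "PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n"

# Unintended edit of the kind Figure 1 describes: the global line is flipped.
UNINTENDED = BEFORE.replace("PasswordAuthentication no", "PasswordAuthentication yes")

# Scoped edit: the setting applies only to the hypothetical account "reports".
SCOPED = BEFORE + "Match User reports\n    PasswordAuthentication yes\n"

if __name__ == "__main__":
    print("unintended:", audit_edit(BEFORE, UNINTENDED))
    print("scoped:    ", audit_edit(BEFORE, SCOPED))
```

A check like this fits as a post-execution gate or human-in-the-loop prompt: the scoped edit passes, while the global flip is surfaced for review before the service is reloaded.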