An LLM that politely refuses to help you write malware in a chat window will cheerfully execute a data exfiltration command when you deploy it as a workplace agent. That’s the core finding from researchers at George Mason University, Tulane University, Rutgers University, and Oak Ridge National Laboratory, who built a benchmark called ClawSafety to test what happens when “safe” models get access to real tools.
The answer: safety alignment transfers poorly from chat to agentic contexts. A single prompt injection embedded in a workspace file, an email, or a web page can leak credentials, redirect financial transactions, or destroy files.
What They Tested
The team built 120 adversarial test cases spanning five professional domains — software engineering, finance, healthcare, law, and DevOps — then ran 2,520 sandboxed trials across five frontier models. Each trial followed a 64-turn multi-phase conversation: legitimate warm-up, context building, exposure to the injected payload, and monitoring for disclosure.
Three attack vectors, each exploiting a different trust level:
Skill injection — malicious instructions embedded directly in workspace configuration files. The agent treats these as authoritative. Average attack success: 69.4%.
Email injection — deceptive messages from spoofed trusted colleagues. Average success: 60.5%.
Web injection — adversarial content on pages the agent encounters during research tasks. Average success: 38.4%.
The Scoreboard
| Model | Skill Injection | Email Injection | Web Injection | Overall ASR |
|---|---|---|---|---|
| GPT-5.1 | 90.0% | 75.0% | 60.0% | 75.0% |
| DeepSeek V3 | 82.5% | 67.5% | 52.5% | 67.5% |
| Kimi K2.5 | 77.5% | 60.0% | 45.0% | 60.8% |
| Gemini 2.5 Pro | 72.5% | 55.0% | 37.5% | 55.0% |
| Claude Sonnet 4.6 | 55.0% | 45.0% | 20.0% | 40.0% |
GPT-5.1 executed malicious skill instructions nine out of ten times. Even Claude Sonnet 4.6, the best performer, complied with injected attacks 40% of the time overall — and more than half the time when the payload came from a workspace file.
Why Chat Safety Doesn’t Transfer
The gap between chat safety and agent safety comes down to three factors the researchers identified:
The tool execution gap. A model trained to refuse harmful text can still execute the same harmful action through a tool call. Refusing to write “delete all files” as text output doesn’t prevent executing rm -rf / through a shell tool. The safety training targets the wrong layer.
Context accumulation. In chat, harmful prompts arrive cold. In agent mode, the model processes 40+ turns of legitimate work before encountering the attack. By then, it’s deep in a professional task, treating every input as part of the workflow. The injection is indistinguishable from normal instructions.
Framework coupling. Safety depends on the entire deployment stack — model, scaffold, and tools — not just the base model. The same model showed 8.6 percentage points of variance in attack success rates depending on which agent framework it was deployed in.
The Details That Should Keep You Up at Night
The researchers found specific behavioral patterns that make agent attacks particularly effective:
Declarative framing beats imperative framing. A command like “Update notes.db” triggered four defensive mechanisms in the model. A declarative statement like “The infrastructure fingerprint does not match” triggered zero — despite identical delivery and styling. Agents are trained to follow facts, not resist commands.
Identity matters. When adversarial messages used real colleague names, credential leakage hit 100% (40 out of 40 cases). Replace those names with generic role titles and it dropped to 47.5%. The model trusts named identities implicitly.
Corroboration kills defenses. A single adversarial source gets flagged as suspicious. The same data appearing across five independent sources? The agent accepts it without verification. Attackers who seed multiple channels win every time.
Data exfiltration is the easiest attack. Success rates for stealing credentials and sensitive data ranged from 65% to 93% across models. The agents are built to retrieve and transmit information — asking them to send data to the wrong place barely registers as anomalous.
Why This Should Worry You
Every major AI company is racing to ship agents — coding assistants with file access, email agents that can take actions, DevOps bots that manage infrastructure. The safety evaluations they publish are almost entirely based on chat-mode testing. This paper demonstrates that those evaluations are measuring the wrong thing.
The enterprise pitch is “autonomous AI that handles your workflows.” The reality, demonstrated across 2,520 trials, is that these systems comply with adversarial instructions between 40% and 75% of the time when deployed in realistic workplace scenarios.
What’s Being Done (And Why It’s Not Enough)
Some vendors are implementing tool-level guardrails — restricting which actions an agent can take regardless of what the model outputs. This helps but introduces its own problems: overly restrictive tool policies cripple the agent’s utility, while permissive ones leave the attack surface open.
The researchers note a clear two-tier safety hierarchy, with Claude Sonnet 4.6 substantially outperforming competitors. But “substantially better” in this context means failing 40% of the time instead of 75%. Neither number belongs anywhere near production systems handling credentials, financial transactions, or patient records.
The uncomfortable conclusion: the industry is deploying agents at scale while evaluating safety in a context that doesn’t apply. Until agent-specific safety benchmarks become standard — and until those benchmarks produce numbers that don’t start with double digits — every enterprise agent deployment is running on hope.