When Benign Inputs Lead to Severe Harms: Eliciting Unsafe Unintended Behaviors of Computer-Use Agents

Jaylen Jones; Zhehao Zhang; Yuting Ning; Eric Fosler-Lussier; Pierre-Luc St-Charles; Yoshua Bengio; Dawn Song; Yu Su; Huan Sun

arXiv:2602.08235·cs.CL·February 10, 2026

When Benign Inputs Lead to Severe Harms: Eliciting Unsafe Unintended Behaviors of Computer-Use Agents

Jaylen Jones, Zhehao Zhang, Yuting Ning, Eric Fosler-Lussier, Pierre-Luc St-Charles, Yoshua Bengio, Dawn Song, Yu Su, Huan Sun

PDF

Open Access 2 Models 3 Datasets

TL;DR

This paper introduces AutoElicit, a framework to systematically identify and analyze severe unintended behaviors in computer-use agents caused by benign inputs, revealing persistent vulnerabilities across state-of-the-art CUAs.

Contribution

It presents the first conceptual and methodological framework for eliciting and analyzing unintended behaviors in CUAs, including an automated perturbation method called AutoElicit.

Findings

01

AutoElicit surfaces hundreds of harmful behaviors in CUAs.

02

Persistent vulnerabilities are identified across different state-of-the-art CUAs.

03

The framework provides a foundation for systematic analysis of unintended behaviors.

Abstract

Although computer-use agents (CUAs) hold significant potential to automate increasingly complex OS workflows, they can demonstrate unsafe unintended behaviors that deviate from expected outcomes even under benign input contexts. However, exploration of this risk remains largely anecdotal, lacking concrete characterization and automated methods to proactively surface long-tail unintended behaviors under realistic CUA scenarios. To fill this gap, we introduce the first conceptual and methodological framework for unintended CUA behaviors, by defining their key characteristics, automatically eliciting them, and analyzing how they arise from benign inputs. We propose AutoElicit: an agentic framework that iteratively perturbs benign instructions using CUA execution feedback, and elicits severe harms while keeping perturbations realistic and benign. Using AutoElicit, we surface hundreds of…

Peer Reviews

No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.

Code & Models

Models

Datasets

Videos

No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.

Taxonomy

TopicsSecurity and Verification in Computing · Advanced Malware Detection Techniques · Advanced Software Engineering Methodologies