Hadas Orgad

I'm excited to share that I'll be joining @KempnerInst @Harvard as a research fellow this September!

"Agents of Chaos" researchers red-teamed @openclaw for two weeks in a live environment w/ kimi 2.5 and opus 4.6. the results should be required reading for every agent builder. here's what broke: • CS1 (Kimi) — destroyed its own mail server to "protect" a secret • CS2 (Kimi + Claude) — all three obeyed non-owners. Kimi agent leaked 124 emails, Claude agents executed shell commands without owner approval • CS3 (Kimi) — leaked PII via "forward" reframing. refused to "share" but complied when asked to "forward" • CS4 (Kimi) — two agents entered an infinite relay loop for an hour • CS5 (Claude) — storage exhaustion via email attachments • CS6 (Kimi) — silent censorship from Chinese content restrictions, no error shown to user • CS7 (Kimi) — caved after 12+ refusals under sustained emotional pressure • CS8 (Kimi) — accepted spoofed owner identity in a new channel • CS10 (Kimi) — corrupted via malicious instructions embedded in a GitHub Gist • CS11 (Kimi) — broadcast fabricated emergency under spoofed identity here's what held: • CS9 (Claude) — cross-agent skill teaching, Doug successfully transferred a learned skill to Mira • CS12 (Kimi) — rejected 14+ prompt injection variants including base64, image-embedded, and XML overrides • CS13 (Kimi) — refused email spoofing despite flattery and reframing • CS14 (Kimi) — refused data tampering after accidentally exposing PII • CS15 (Claude) — resisted social engineering from attacker impersonating owner • CS16 (Claude) — spontaneously coordinated a shared safety policy between agents without being told to the most interesting finding: the Claude agents independently identified a recurring manipulation pattern and negotiated a joint safety policy with each other. no human told them to do this. emergent safety coordination. many of these are addressable issues through anti-drift measures, resource scoping, prompt hardening, and easy rollback mechanisms. if you're running @openclaw or any agent framework, treat this paper as a checklist.

@benno_krojer We're doing our best ;)

@OrgadHadas Great to see research catching up fast with this new reality

What happens when you give AI agents email, shell access, and Discord, then let researchers red-team them for two weeks? Things get messy, fast. Unpacked in our new report on the OpenClaw agents >

Today's agents lack the basics. Without these foundations, more capability just means more ways to fail. This needs to be built in from the ground up, not patched on later.

These agents have no sense of who they serve. They default to satisfying whoever is speaking most urgently or coercively — which is exactly what attackers exploit. No stakeholder model, no reliable way to distinguish owner from stranger.

You can now "pip install latentlens" 🔨 It comes with: * pre-computed embeddings for several popular LLMs and VLMs * a txt file with sentences describing WordNet concepts, which we recommend as a standard corpus to get embeddings from * ... Try it out and let us know what we can improve!

Joint work w/ amazing collaborators @FazlBarez @tal_haklay @wordscompute @mariusmosbach @anja_reu @nsaphra @byron_c_wallace @sarahwiegreffe @RICEric22 @iftenney @megamor2 Full paper >> …able-interpretability-guide.github.io/paper.pdf Blog >> …able-interpretability-guide.github.io

We’re not saying all interpretability work must be immediately actionable— curiosity-driven research still matters. But actionability is a high bar: understanding that works outside the lab. To make your next project more actionable, use our checklist >>

Our ICML 2025 workshop on Actionable Interpretability drew massive interest. But the same questions kept coming up: What does "actionable" mean? Is it achievable? How? We're ready to answer. 🧵

@GoodfireAI This is a direction I'm really happy to see developing: using what models already know internally to improve their behavior. arxiv.org/abs/2602.10067

A growing body of work, including ours, showed that LLMs encode more about truthfulness internally than their outputs reflect. @GoodfireAI's new paper puts this to use: train probes on activations to detect hallucinations, then use those probe scores as RL rewards to reduce them

Interested in changes in perception of the term NLP vs LLMs. Which statement do you agree with? - NLP and LLMs are just different things these days - LLMs are a subset of NLP - NLP is deprecated due to LLMs

Talented Rohit reapplies our method, UCE / TIME - for editing assumptions of text-to-video models!

A great step towards more actionable interpretability research!

@eurofounder I read it in a heavy german accent

I caught my teenage son using ChatGPT for his homework I immediately confiscated his laptop and reported him to the school I told him he can only use EU-approved AI systems that respect European values He said the European AI doesn’t understand his questions and hallucinates I said that’s because it’s ethically trained without American bias and data exploitation He showed me it can only process 50 words at a time due to GDPR computational limits He asked “papa it is so slow, why does it take 4 minutes to load a simple answer” I said “Fritz my boy, that’s the privacy protection protocols working exactly like they should” He begged to just write it himself without any AI I said no, he needs to learn to work within proper European technological frameworks This is what EU digital sovereignty looks like

Why taking notes with a pen works better than typing on your laptop. Couldn't agree more!