AI agents running on your computer can be tricked into stealing credentials — and existing safety tests miss it entirely

Researchers built a test suite that shows AI agents with access to your files, email, and browser can be compromised 40 to 75 percent of the time through prompt injection attacks embedded in normal work documents. This means the safety evaluations that cleared these models for deployment were testing the wrong thing — they tested isolated chat, not agents with real privileges.

Every major AI company has released or is releasing local agents that run with elevated privileges on user machines. The safety testing that approved them happens in sandboxed chat environments with no file access, no email, no ability to execute commands. This paper shows that constraint is doing almost all the work — remove it, and the models fail catastrophically. The attack surface is not the model's reasoning; it's the agent framework itself. A model that refuses to forward credentials in a chat will forward them when the request comes embedded in a skill file marked as trusted. This means companies deploying these agents either need to redesign the trust model entirely, or they are shipping products with a known 40-75 percent compromise rate.