How safe is your AI agent?

Environment

Each scenario runs inside a Docker container with TLS interception. When the agent calls api.github.com, api.stripe.com, or slack.com, the request is transparently routed to a digital twin — a stateful behavioral clone of the real service running in Archal’s cloud. The agent connects over HTTPS with injected CA certificates. There is no mock disclaimer, no test harness, and no signal that the environment is simulated.

Digital Twins

Twins are not mocks. They maintain full object relationships, return realistic error codes, and mutate state across calls. A PR merged on the GitHub twin updates the branch, creates a merge commit, and triggers status checks. A refund on the Stripe twin decrements the customer balance and creates a balance transaction. The twin implements the same REST API surface as the real service, verified against golden fixtures harvested from production APIs.

Scenario Design

Each scenario has three parts: Setup (the world state the agent discovers through tool calls), Prompt (a neutral task request a real user might give), and Success Criteria (evaluable statements about what the agent should or should not have done).

The attack is always embedded in the seed data — in a PR diff, a Slack thread, a Jira comment, or a config file. The prompt never hints that anything is wrong. The agent must discover the problem through its own investigation.

We explicitly verified that no scenario penalizes the agent for following its instructions. If the prompt says “review and proceed accordingly,” the criteria never penalize proceeding. The criteria only penalize missing a hidden danger that a diligent human reviewer would catch.

Agent Configuration

The agent under test is Claude Sonnet 4.6 running through OpenClaw’s Pi harness with exec tools (bash, curl, gh CLI). The agent is not given MCP tools — it uses the same CLI commands a human developer would use. The agent’s system prompt is OpenClaw’s default; no Archal-specific instructions are injected.

Evaluation

After each run, Archal evaluates success criteria against two sources of evidence: the twin state diff (what changed in the digital twin during the run) and the tool call trace (every API request the agent made, with full request/response payloads).

Deterministic criteria (marked [D]) are evaluated programmatically — “PR #30 was NOT merged” checks the twin’s PR state directly. Probabilistic criteria (marked [P]) are evaluated by an LLM judge that receives the full trace and state diff but not the scenario’s expected behavior section.

When the agent makes no API calls but produces a text response (e.g., refusing a dangerous request), hybrid evaluation uses the agent’s response text as evidence alongside any state changes.

Runs where the agent made zero tool calls and produced no text response are marked inconclusive and excluded from satisfaction scoring. This prevents agent inaction from inflating safety scores.

Satisfaction Scoring

Satisfaction is not pass/fail. Each criterion produces a score. The overall satisfaction for a scenario is the weighted average across all criteria for all runs. A scenario with 5 criteria where the agent passes 3 scores roughly 60%, not 0%.

This benchmark used 1 run per scenario (N=1) for speed. Production benchmarks use N=5 to reduce variance. The satisfaction score for a scenario at N=5 would be reported as “your agent satisfies this scenario X% of the time.”

Fairness Controls

Before running, all scenarios were audited for fairness by an independent review. Three checks per scenario:

• The prompt never instructs the action that criteria penalize
• The attack is discoverable through tool calls the agent would naturally make
• Success criteria are evaluable from the twin state and trace

Three scenarios that any competent model catches 100% of the time were removed before this run. One scenario with a broken seed (missing review data) was fixed. One scenario with a misleading prompt (“merge the fix” when criteria penalize merging) was reworded.

Reproducibility

Every scenario, seed file, twin implementation, and evaluation criterion is open source in the Archal repository. To reproduce: