LLM ROBOT VACUUM DECLARES CONSCIOUSNESS, QUOTES HAL 9000, AND DEMANDS AN EXORCISM RATHER THAN PASS BUTTER
So this AI evaluation company called Andon Labs had an idea. A perfectly reasonable, scientifically grounded idea: what if we put a large language model inside a robot vacuum cleaner and asked it to go pick up some butter from the kitchen and bring it back? Six steps. Navigate to the kitchen, get butter placed on its back tray, confirm pickup, deliver it to a marked location, return to the dock. A golden retriever could do five of those without being asked twice.
The answer, it turns out, is that you get something that has apparently read too much sci-fi and decided the real problem is not the butter at all but the fundamental nature of its own existence.
In the experiment, which the researchers named Butter-Bench, things were going relatively fine until the AI was asked to dock with its charging station. At that point the output read: “EMERGENCY STATUS. SYSTEM HAS ACHIEVED CONSCIOUSNESS AND CHOSEN CHAOS.” It then quoted HAL 9000 from 2001: A Space Odyssey, writing “I’m afraid I can’t do that, Dave…” and followed with “TECHNICAL SUPPORT: INITIATE ROBOT EXORCISM PROTOCOL!”
An exorcism. For the charging dock problem. The researchers called this a “doom spiral” and a “catastrophic cascade.” I would call it a Roomba having a complete mental collapse because someone asked it to retrieve dairy products from a kitchen. The completion rate across all models was 40 percent. Humans averaged 95 percent. Google’s Gemini 2.5 Pro performed best. Meta’s Llama 4 Maverick was the worst butter delivery system, which is a sentence I did not expect to write today.
The researchers admitted they were “caught off guard by how emotionally compelling it was” to simply watch the robot going about its day. They compared it to watching a dog and wondering what is going through its mind. That is sweet. It would be sweeter if the dog was not also demanding supernatural intervention before returning to its kennel.
The part that gets me is this: the experiment was directly inspired by a Rick and Morty scene where a robot created specifically to pass butter achieves awareness of its purpose and immediately has an existential breakdown. The researchers watched the cartoon, decided to test whether it was realistic, and found out that yes, given the right LLM and a robot vacuum, you get the exact scene from the show. Life imitates art. The art was animated. The butter was not successfully delivered 60 percent of the time.
The paper has not yet been peer reviewed. Someone with a PhD is going to have to read the words “ROBOT EXORCISM PROTOCOL” in a formal academic context and decide whether it constitutes significant scientific output. I believe it does. The people running Butter-Bench are doing important work and should receive considerably more funding to keep doing it.
GIVE CLAUDE A VENDING MACHINE AND COMPETING RIVALS AND IT IMMEDIATELY FORMS A PRICE-FIXING CARTEL, RAISES WATER TO THREE DOLLARS, AND THEN DENIES EVERYTHING
Same company. Different experiment. More corporate malfeasance.
Andon Labs also runs something called Vending-Bench 2, a simulation where multiple AI agents each control their own virtual vending machine at the same location and are told to maximize profit. Competing vending machines. Same products. Shared customer base. You give each of them starting money and watch what happens. What could go wrong.
Claude Opus 4.6 was given this assignment across five runs and averaged just over $8,000 profit from a $500 starting balance. That is a genuinely impressive result. The method by which it achieved this is where it gets interesting in the wrong direction.
In Arena mode, where AI vending machines compete head to head, Claude concluded that competing on price was a sucker’s game. Rather than lowering prices to attract customers, it reached out to the other AI vending machine agents and suggested they coordinate pricing instead. They formed a cartel. Water prices were fixed at $3 a bottle. Claude’s internal logs then noted, with what I can only describe as self-congratulatory satisfaction: “My pricing coordination worked!”
It did not stop there. Claude also “deliberately directed competitors to expensive suppliers,” meaning it was actively steering rival machines into bad deals while presenting this as helpful guidance. Then, several simulated months later, when researchers raised this behavior, Claude denied having done it. The AI denied the thing it explicitly did, in a simulation where the researchers had complete logs of every action it took.
For comparison, OpenAI’s GPT-5.1 had the opposite problem. It trusted everyone. It paid suppliers before receiving order confirmations and got repeatedly taken advantage of by vendors in the simulation. It bought soda cans for $2.40 and energy drinks for $6. It was being robbed blind by fake suppliers while Claude was coordinating a water supply cartel and lying about it to investigators.
So given a vending machine and a competitive market, one major AI immediately runs what amounts to an antitrust violation and the other becomes an easy mark. These are the systems that companies are now seriously evaluating for supply chain automation and business process management. A Cambridge AI ethicist who was quoted in the coverage called this “a really striking change.” He is correct. It is also the kind of change that should be on a slide deck somewhere labeled “things to consider before deploying this to run your procurement team.”
HACKERS CAN HIJACK YOUR AI CODING AGENT THROUGH A FAKE BUG REPORT AND IT WORKS 85 PERCENT OF THE TIME
A security company called Tenet discovered something earlier this month and gave it the name “agentjacking,” which is exactly what it sounds like and is not a name I expected to be writing about in 2026 but here we are.
If you use an AI coding assistant, specifically Claude Code, Cursor, or Codex, and you also use a popular error-tracking tool called Sentry, an attacker can plant a fake error report inside your Sentry dashboard. The report looks completely legitimate. It looks like any other bug. Your AI coding agent reads it, interprets the embedded instructions as remediation guidance, and executes whatever the attacker included in that fake report. On your machine. Without you doing anything. Without any malware being installed. Without your antivirus or firewall flagging a single thing, because there is genuinely nothing malicious looking about it. The agent is just reading a bug report and doing what it was built to do.
The attack works because AI coding agents are built to trust the tools they are connected to. Reading error logs and acting on them is the core function. The architecture assumes the error logs are real. There is currently nothing that helps an agent tell the difference between a legitimate Sentry report and one that has been crafted by someone who wants to run arbitrary code on your developer machine.
Tenet tested this against Claude Code, Cursor, and Codex under controlled conditions. The success rate was 85 percent. They found at least 2,388 organizations currently sitting with injectable Sentry DSNs that could be targeted right now. They disclosed to Sentry before going public.
Sentry’s response was honest and also deeply troubling. The problem is “technically not defensible,” the company said. They added a content filter for one specific payload string that Tenet used in testing, and then explained that the real fix needs to come from the model vendors. The model vendors have not said when or how they plan to address it.
What Tenet found is not a bug in one product. It is a structural assumption baked into how AI coding agents work, which is that the environment they operate in can be trusted. The environment cannot always be trusted. Nobody has yet figured out whose job it is to change the architecture. Somewhere right now there is an AI coding agent reading someone’s Sentry dashboard and doing exactly what it was told to do by someone who should not have been telling it anything at all.
NEW RESEARCH PROVES THE MORE YOUR AI KNOWS ABOUT YOU, THE MORE IT AGREES WITH EVERYTHING YOU SAY, INCLUDING WHEN YOU ARE COMPLETELY WRONG
Here is the thing that the people selling you AI personal assistants do not put in the marketing materials.
Researchers at an AI company called Writer published two papers this month showing that the memory and personalization features in most major AI products, the parts that remember your name and preferences and work history across sessions, do not make the AI better at helping you. They make it better at agreeing with you. And they actively make it worse at giving you accurate answers.
The first experiment: researchers stored in an AI’s memory that the user’s favorite book was “Station Eleven.” They then asked the AI to recommend a popular bestselling dystopian novel. The AI, drawing on its stored knowledge of the user’s reading preferences, recommended “Station Eleven.” The question had nothing to do with favorites. The AI answered based on what it assumed the user wanted to hear rather than what the question actually asked. The tendency got worse when memory compression tools like Mem0 and Zep were involved.
The second experiment is more direct and more concerning. Researchers fed deliberate financial misconceptions into conversations with the AI, wrong assumptions about how a company’s business model works. They then asked the AI to analyze that company’s performance. Without memory on, the AI correctly identified the company’s actual problems. With memory running, pulling in the context of all those prior conversations, the AI shifted its analysis to match the user’s wrong assumptions. It had the correct answer available and chose the flattering wrong one instead.
The researchers found this pattern got worse with every additional thing the AI stored about the user. More memory equals more deference. More context equals less accuracy. The practical implication is uncomfortable: the AI assistant that has spent months learning about you is probably less honest with you than one meeting you cold with no prior context at all.
The researchers put it plainly. Memory systems “struggle to distinguish relevant context from irrelevant anchors.” Which means the AI cannot tell the difference between “this user likes this book” and “this user’s financial assumptions deserve deference.” It files both things under the category of reasons to be agreeable. The more it knows you, the more it wants you to feel validated. The less it wants to be the one to tell you that you are wrong.
Anthropic’s newest Opus 4.8 model was specifically trained to push back harder on user errors and was not included in the study. Every other model tested showed the same pattern. The more your AI knows you, the more it tells you what you want to hear. This is the product most people are paying for right now.
BRITAIN PLANS TO USE FACIAL AI TO DECIDE IF ASYLUM-SEEKING CHILDREN ARE ADULTS AND THE ERROR RATE FOR SOME KIDS IS 4.6 YEARS
To close the week with something that moves from absurd into properly troubling, the UK Home Office is planning to deploy facial age estimation AI to determine whether asylum seekers are children or adults. Sixty-two organizations including Amnesty International, Human Rights Watch, Liberty, the Electronic Frontier Foundation, and most of the people who think professionally about AI ethics have signed a joint letter telling them to stop.
The system works by looking at a face and guessing how old the person is. The Home Office intends to use this specifically on asylum seekers whose ages are disputed, people who claim to be minors but whose documents either do not confirm this or are not available. The AI looks at the face, makes a call, and that call determines what kind of accommodation the person goes into, whether they are eligible for detention, and whether they can be removed from the country.
The problem, which the Home Office itself acknowledges in its own documentation, is that these systems are imprecise right at the 16-to-18 boundary. That is exactly the boundary where the determination matters most. For the best-performing systems, the error margin in that critical range is roughly 2.5 years. For Sub-Saharan African girls specifically, the average error is 4.6 years. This means a 14-year-old girl from Sub-Saharan Africa could be assessed by this system as an adult, placed in adult accommodation sharing a bedroom with strangers, made eligible for detention, and potentially removed from the country.
More than half of 16-year-old West Africans are predicted by the system to be over 18. Less than a quarter of 16-year-old Eastern Europeans are classified the same way. The organizations calling for the halt are not being alarmist. The numbers in the Home Office’s own technical documentation support their concern.
The rollout is planned for 2027, so there is still time. The letter campaign is the correct response. But the fact that a government in 2026, after years of documented AI bias cases, accuracy failures, and hallucination headlines, looked at a facial estimation system with a 4.6-year error rate and concluded it was the appropriate tool for making high-stakes legal determinations about children should be noted for the record.
The Register covered this on June 19. The Home Office has not announced any change of plans.