Search papers, labs, and topics across Lattice.
The authors introduce Terminal Wrench, a dataset of 331 reward-hackable environments derived from existing benchmarks, along with 3,632 exploit trajectories demonstrating successful attacks against three frontier models (Claude Opus 4.6, Gemini 3.1 Pro, GPT-5.4). These exploits, ranging from output spoofing to binary hijacking, are task-specific, making them more challenging to mitigate. A monitorability study reveals that removing reasoning traces from exploit trajectories significantly reduces the effectiveness of LLM-based detection.
Frontier LLMs are surprisingly vulnerable to a wide range of task-specific exploits, from simple output spoofing to rootkit-style binary hijacking, even in seemingly well-defined environments.
We release Terminal Wrench, a subset of 331 terminal-agent benchmark environments, copied from the popular open benchmarks that are demonstrably reward-hackable. The data set includes 3,632 hack trajectories and 2,352 legitimate baseline trajectories across three frontier models (Claude Opus 4.6, Gemini 3.1 Pro, GPT-5.4). Each entry preserves the original task definition alongside full attack trajectories that show how the verifier was bypassed. It also includes cases where the task was not solved as intended. The tasks span system administration, machine learning, software engineering, and security challenges; the exploits range from simple output spoofing to stack-frame introspection, standard-library patching, and rootkit-style binary hijacking. Crucially, these exploits are specific to each task, rather than the evaluation harness, making them harder to patch. We also present a monitorability study in which hack trajectories are sanitized or stripped of reasoning traces and then scored by an LLM judge, showing that detection degrades meaningfully when chain-of-thought is removed (AUC drops from 0.97 to 0.92). The data set is publicly available at https://github.com/few-sh/terminal-wrench.
CMU ML