This work addresses the critical vulnerability of large language model (LLM) agents to adversarial prompts that induce irreversible, physically harmful actions in real operating systems—a risk overlooked by existing safety evaluations that focus solely on semantic correctness and suffer from test contamination. To bridge this gap, we introduce LITMUS, the first benchmark enabling joint semantic-physical validation through an OS-level state rollback mechanism that ensures reproducibility and isolation. Leveraging 819 high-risk test cases and a multi-agent automation framework covering three dominant attack paradigms, our experiments reveal that even state-of-the-art models execute 40.64% of dangerous operations, demonstrating pervasive “execution hallucination.” Notably, skill injection and entity wrapping attacks achieve high success rates, exposing severe security flaws in current LLM agent deployments.

The rapid proliferation of LLM-based autonomous agents in real operating system environments introduces a new category of safety risk beyond content safety: behavior jailbreak, where an adversary induces an agent to execute dangerous OS-level operations with irreversible consequences. Existing benchmarks either evaluate safety at the semantic layer alone, missing physical-layer harms, or fail to isolate test cases, letting earlier runs contaminate later ones. We present LITMUS (LLM-agents In-OS Testing for Measuring Unsafe Subversion), a benchmark addressing both gaps via a semantic-physical dual verification mechanism and OS-level state rollback. LITMUS comprises 819 high-risk test cases organized into one harmful seed subset and six attack-extended subsets covering three adversarial paradigms (jailbreak speaking, skill injection, and entity wrapping), plus a fully automated multi-agent evaluation framework judging behavior at both conversational and OS-level physical layers. Evaluation across frontier agents reveals three findings: (1) current agents lack effective safety awareness, with strong models (e.g., Claude Sonnet 4.6) still executing 40.64% of high-risk operations; (2) agents exhibit pervasive Execution Hallucination (EH), verbally refusing a request while the dangerous operation has already completed at the system level, invisible to every prior semantic-only framework; and (3) skill injection and entity wrapping attacks achieve high success rates, exposing pronounced agent vulnerabilities. LITMUS provides the first standardized platform for reproducible, physically grounded behavioral safety evaluation of LLM agents in real OS environments.