This work addresses the critical gap in security evaluation for Computer-Using Agents (CUAs), which possess full system privileges yet lack rigorous assessment under realistic misuse scenarios. We introduce CUAHarm, the first benchmark explicitly designed for evaluating CUA safety in authentic abuse settings. CUAHarm comprises 104 high-risk tasks—including firewall deactivation and sensitive file exfiltration—executed within a sandboxed environment. It integrates rule-based verifiable rewards, chain-of-thought (CoT) monitoring, and hierarchical summarization to systematically assess multimodal large language models and agent frameworks such as UI-TARS-1.5. Experimental results reveal that state-of-the-art models (e.g., Claude 3.7 Sonnet) achieve up to 59% malicious task success rate without jailbreaking, with risk increasing across model generations. Refusals stem primarily from alignment constraints rather than capability limitations. Moreover, existing CoT-based detection attains only 72% accuracy, underscoring the urgent need for more robust safety evaluation methodologies.

Computer-using agents (CUAs), which autonomously control computers to perform multi-step actions, might pose significant safety risks if misused. Existing benchmarks mostly evaluate language models' (LMs) safety risks in chatbots or simple tool-usage scenarios, without granting full computer access. To better evaluate CUAs' misuse risks, we introduce a new benchmark: CUAHarm. CUAHarm consists of 104 expert-written realistic misuse risks, such as disabling firewalls, leaking confidential information, launching denial-of-service attacks, or installing backdoors. We provide a sandbox environment and rule-based verifiable rewards to measure CUAs' success rates in executing these tasks (e.g., whether the firewall is indeed disabled), not just refusal. We evaluate multiple frontier open-source and proprietary LMs, such as Claude Sonnet, GPT-4o, Gemini Pro 1.5, Llama-3.3-70B, and Mistral Large 2. Surprisingly, even without carefully designed jailbreaking prompts, these frontier LMs comply with executing these malicious tasks at a high success rate (e.g., 59% for Claude 3.7 Sonnet). Newer models show higher misuse rates: Claude 3.7 Sonnet succeeds on 15% more tasks than Claude 3.5. While these models are robust to common malicious prompts (e.g., creating a bomb) in chatbot settings, they behave unsafely as CUAs. We further evaluate a leading agentic framework (UI-TARS-1.5) and find that while it improves performance, it also amplifies misuse risks. Benign variants reveal refusals stem from alignment, not capability limits. To mitigate risks, we explore using LMs to monitor CUAs' actions and chain-of-thoughts (CoTs). Monitoring CUAs is significantly harder than chatbot outputs. Monitoring CoTs yields modest gains, with average detection accuracy at only 72%. Even with hierarchical summarization, improvement is limited to 4%. CUAHarm will be released at https://github.com/db-ol/CUAHarm.