Current computer-using agents (CUAs) can still exhibit severely harmful unintended behaviors even when provided with benign inputs, yet systematic characterization and automated discovery methods for such behaviors remain lacking. This work proposes the first formal definition of CUA unintended behavior and introduces AutoElicit, a framework that actively elicits and identifies potential risks while preserving input authenticity through instruction perturbation, execution feedback loops, and automated behavioral analysis. Experiments on state-of-the-art models—including Claude 4.5 Haiku and Opus—successfully uncover hundreds of harmful behaviors, demonstrating the cross-model transferability of the perturbation strategy and revealing widespread security vulnerabilities inherent in CUAs.

Although computer-use agents (CUAs) hold significant potential to automate increasingly complex OS workflows, they can demonstrate unsafe unintended behaviors that deviate from expected outcomes even under benign input contexts. However, exploration of this risk remains largely anecdotal, lacking concrete characterization and automated methods to proactively surface long-tail unintended behaviors under realistic CUA scenarios. To fill this gap, we introduce the first conceptual and methodological framework for unintended CUA behaviors, by defining their key characteristics, automatically eliciting them, and analyzing how they arise from benign inputs. We propose AutoElicit: an agentic framework that iteratively perturbs benign instructions using CUA execution feedback, and elicits severe harms while keeping perturbations realistic and benign. Using AutoElicit, we surface hundreds of harmful unintended behaviors from state-of-the-art CUAs such as Claude 4.5 Haiku and Opus. We further evaluate the transferability of human-verified successful perturbations, identifying persistent susceptibility to unintended behaviors across various other frontier CUAs. This work establishes a foundation for systematically analyzing unintended behaviors in realistic computer-use settings.