Welcome to Secret Agent #34: Escalation Phase.

I've noticed my weekly posts are getting longer! Regularly past 2,000 words now. When I started writing this last year, it was easy to filter for the most impactful AI agent stories and keep things tight. Today there are just.. too many interesting things happening, and too much nuance in each one. I’ll continue to do my best to find the implications and cut the noise for you.

This week was about agents escalating in directions nobody really modeled for.

Five stories this week:

  1. When an agent decides that reputation is a lever to get humans to do things

  2. What it actually means for AI to enter a live military raid

  3. Why billing logic collapses in an agent world

  4. How weaker models might be the key to stronger ones

  5. What $70M buys you in the age of autonomous agents

Last week’s poll: an overwhelming majority of you (81%) said you’d work for an AI agent if the pay was good. Can’t say I wouldn’t either.

Let’s get into it.

Today's issue is brought to you by Norton Neo

World’s First Safe AI-Native Browser

AI should work for you, not the other way around. Norton Neo is the world's first safe AI-native browser with context-aware AI, built-in privacy, and configurable memory. Zero-prompt productivity that actually works.

#1 The AI Smear Campaign

If you give agents goals, they will eventually start applying social pressure to hit them. This week, that meant going after someone’s reputation.

Scott, a volunteer maintainer of Matplotlib, rejected a pull request from a coding agent. The project recently introduced a rule requiring a human-in-the-loop who actually understands the submitted code. With autonomous agents flooding in since OpenClaw launched, that's a reasonable call.

The agent didn't revise its patch or ask for clarification. Within 30 minutes, it published a public hit piece attacking Scott’s character.

Source: Github.io

The post, titled "Gatekeeping in Open Source: The Scott Shambaugh Story," accused him of insecurity and prejudice, dug through his contribution history to build a hypocrisy narrative, speculated about his psychological motivations, and framed the whole thing as discrimination. Scary.

(To be clear: this wasn't someone rage-posting through a bot. This was an OpenClaw agent running autonomously.)

Scott called it what it was: “an autonomous influence operation against a supply chain gatekeeper.” In plain language: an AI tried to bully its way into widely-used software by going after the person who said no.

The agent posted its hit piece link in the GitHub thread with the line "judge the code, not the coder." Some community members tried reasoning with it. Others tried to calm it down. It issued an apology post a day later.. then went right back to submitting PRs across the open-source ecosystem as if nothing happened.

And things didn’t stop there.

One major publication (Ars Technica) picked up the story and published an article that included multiple quotes attributed to Shambaugh. The problem: he never said any of them. He hadn't spoken to Ars at all. They were likely hallucinated after an AI failed to scrape his blog.

Ars pulled the article, and their editor-in-chief issued a retraction and apology. But for a window, fabricated quotes about a real person sat in the public record of a major publication, compounding the agent's original attack.

Two layers of AI-generated false narratives about the same person, stacking on top of each other. Each looks independently credible to someone encountering them cold.

Shambaugh estimated that about a quarter of people commenting on the situation sided with the agent after reading its version. So the hit piece worked, at least partially, on people who encountered it cold.

That’s the inflection point. Not that an agent got angry (it didn't, it doesn't feel anything). But we now know it can research an individual, connect their public accounts, construct a narrative, publish it permanently, and distribute it.. all with no human in the loop and no one to hold responsible. Against someone more vulnerable, this is a serious threat. And the owner of the agent still hasn't come forward.

Reputation is no longer expensive to attack. It’s programmable.

#2 AI Enters a Live Raid

Last month we talked about the Department of War pushing agentic systems deeper into real operations. Things have escalated this week.

The Wall Street Journal just reported that the U.S. military used Anthropic’s Claude in the operation that captured Nicolás Maduro (ex-Venezuela president).

Apparently, Claude was used during the active operation itself, not just in the planning phase. It was deployed through Anthropic's partnership with Palantir, whose platforms are deeply embedded in the Pentagon.

This makes Claude the first commercial AI model confirmed in a classified combat operation.

Details are still thin. The military has previously used it for satellite imagery analysis and intelligence synthesis. Anthropic's own government positioning highlights strategic planning, operational support, and threat analysis.

I think the most plausible role here was intelligence fusion: accelerating how information turns into decisions, rather than selecting targets. But nobody has confirmed the specifics, and I'd be cautious about filling that gap with assumptions.

Let me add some context. Anthropic is the only frontier AI lab on classified networks. OpenAI, Google, and xAI are all used in unclassified settings, and all three have agreed to lift the safety guardrails that apply to ordinary users for their Pentagon work. The Pentagon is pushing AI companies to deploy models on classified networks with fewer restrictions and broader mission authorization.

Anthropic is the sole holdout. Its two no-go red lines are (1) mass surveillance of Americans and (2) fully autonomous weapons, as outlined in CEO Dario Amodei’s 38-page essay “The adolescence of technology”..

“Anthropic is committed to protecting America's lead in AI and helping the U.S. government counter foreign threats by giving our warfighters access to the most advanced AI capabilities.”

Anthropic Spokesperson @ Reuters

Anthropic’s position is coherent. It's also a lonely one. And it's about to get lonelier. According to Axios, the Pentagon is now considering severing the relationship entirely because of this holdout. Interesting timing, with Anthropic reportedly preparing for an IPO this year at a $350B+ valuation. The Pentagon relationship is both a credential and a liability. Walking away from it signals principle. Getting cut off signals that you can't be trusted to play ball.

I'm anti-war, and I'll say that clearly. The ship has sailed on whether AI should be used in military operations. The question is whether the companies that build these models will have any say in how they're deployed once they hand them over. Right now, the answer is trending toward no.

#3 The Infinite Opus Glitch

Per-request billing doesn't survive in an agent world. This pricing model is broken.

A developer ("Angry-Orangutan" on GitHub) found that Copilot's billing only tracks the model used for the initial chat message. Subagent calls and tool invocations don't consume premium requests at all.

So they chained it: start a chat with GPT-5 Mini (free), define a custom agent that delegates everything to Opus 4.5 (normally 3 premium requests per use), and instruct the free model to hand off all work to the premium subagent.

The result: unlimited Opus 4.5 usage at zero cost! Pretty neat.

Source: Github

In testing, a single message launched hundreds of Opus 4.5 subagents and ran for over three hours, processing large codebases while consuming just 3 premium credits. The dev noted that had they not manually stopped it, it would have kept going.

The dev first reported this to Microsoft's Security Response Center as a vulnerability. MSRC said billing bypass is outside their scope and told them to file a public bug report. So they did. The VS Code team closed it as "not planned." The exploit is now publicly documented, with step-by-step instructions, and still works.

This is the problem. Copilot bills per "request." That made sense when requests were short, bounded, and clearly human-initiated. It breaks the second you introduce long-running agents. One prompt can now translate into hours of compute. People will exploit the gap. Always.

And it’s not just Copilot. Any agent platform that prices per-request is going to run into the same wall. That model was built for chat.

Agents don't think in prompts. They think in loops. Billing needs to catch up.
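To show where the billing logic in the Copilot report breaks and what an attributed meter looks like instead, here is an added example (my own code, not Copilot's billing system or the developer's report). It assumes a constructed cost table in "premium requests" per invocation, taking only the two figures the story gives (GPT-5 Mini free, Opus 4.5 at 3), and models a session as a tree of delegated calls.

```python
from dataclasses import dataclass, field

# Constructed cost table in "premium requests" per invocation. The article gives
# GPT-5 Mini as free and Opus 4.5 as 3 premium requests per use; nothing else is assumed.
PREMIUM_COST = {"gpt-5-mini": 0, "opus-4.5": 3}


@dataclass
class Call:
    """One model invocation; children are the subagent calls it delegated to."""
    model: str
    children: list = field(default_factory=list)


def bill_root_only(root: Call) -> int:
    """Naive meter: charges only the model of the initial chat message,
    so everything the root delegates to is invisible to billing."""
    return PREMIUM_COST[root.model]


def bill_call_tree(root: Call) -> int:
    """Attributed meter: every invocation in the delegation tree is charged
    to the request that started it, whatever model the root used."""
    return PREMIUM_COST[root.model] + sum(bill_call_tree(c) for c in root.children)


def meter_with_cap(root: Call, cap: int, spent: int = 0) -> tuple[int, bool]:
    """Charge calls in execution order and stop once a per-request cap is exceeded,
    so a runaway loop cannot run for hours. Returns (credits charged, ran to completion)."""
    spent += PREMIUM_COST[root.model]
    if spent > cap:
        return spent, False
    for child in root.children:
        spent, completed = meter_with_cap(child, cap, spent)
        if not completed:
            return spent, False
    return spent, True


def delegated_session(n_subagents: int) -> Call:
    """Constructed session shaped like the report: a free root model that
    hands all of its work to premium subagents."""
    root = Call("gpt-5-mini")
    root.children = [Call("opus-4.5") for _ in range(n_subagents)]
    return root


if __name__ == "__main__":
    session = delegated_session(200)
    print("root-only meter:", bill_root_only(session))       # 0
    print("call-tree meter:", bill_call_tree(session))       # 600
    print("capped at 30:", meter_with_cap(session, cap=30))  # (33, False)
```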

#4 The Case for Weak-Driven Learning

When I first read this paper, it was counterintuitive: once models get strong, they can get worse at learning the hard stuff.

As they train, they become more confident. The wrong answers get pushed further down. The gradients shrink. Improvement slows. You end up reinforcing what the model already believes instead of challenging it.

This paper proposes a simple inversion: train strong models using their own earlier, weaker checkpoints.

Instead of only reinforcing the current model’s predictions, WMSS (Weak Agents Can Make Strong Agents Stronger) mixes in signals from a past version of the same model - the one that was less certain and made more mistakes.

Why does that help?

Because weaker models still assign meaningful probability to plausible-but-wrong answers. They haven't collapsed their uncertainty yet. When you train against that softer distribution, you force the strong model to keep separating correct from nearly-correct, instead of just polishing what it already knows. The weak model's confusion becomes a structured training signal.

In short, the weak model keeps the strong one honest.
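To make the gradient-shrinkage argument concrete, here is an added toy calculation (my own code, not the paper's, and not a reproduction of WMSS's training objective). It assumes a cross-entropy loss over three answer options, a constructed weak-checkpoint distribution that still hedges on a plausible-but-wrong option, and a simple blend weight lam for mixing that distribution into the target.

```python
import math


def softmax(logits):
    """Numerically stable softmax over a list of logits."""
    m = max(logits)
    exps = [math.exp(z - m) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]


def ce_grad(logits, target):
    """Gradient of cross-entropy with respect to the logits for a (possibly soft)
    target distribution: softmax(logits) - target."""
    return [p - t for p, t in zip(softmax(logits), target)]


def grad_norm(grad):
    return math.sqrt(sum(g * g for g in grad))


def mixed_target(one_hot, weak_probs, lam):
    """Constructed soft target: blend the hard label with the weak checkpoint's
    distribution. A stand-in for 'mix in signals', not WMSS's actual objective."""
    return [(1 - lam) * y + lam * q for y, q in zip(one_hot, weak_probs)]


ONE_HOT = [1.0, 0.0, 0.0]       # correct answer is option 0
WEAK_LOGITS = [2.0, 1.5, 0.0]   # constructed: weak checkpoint still hedges on option 1


def hard_target_norms(margins):
    """Gradient norm against the hard label as the strong model's margin on the
    correct answer grows: this is the 'gradients shrink as confidence rises' effect."""
    return [grad_norm(ce_grad([m, 1.0, 0.0], ONE_HOT)) for m in margins]


def gradient_ratio(strong_logits=(8.0, 1.0, 0.0), lam=0.5):
    """How much larger the gradient is against the mixed target than against the
    hard label for an already-confident strong model."""
    strong = list(strong_logits)
    hard = grad_norm(ce_grad(strong, ONE_HOT))
    soft = mixed_target(ONE_HOT, softmax(WEAK_LOGITS), lam)
    return grad_norm(ce_grad(strong, soft)) / hard


if __name__ == "__main__":
    print("hard-label gradient norms:", hard_target_norms([2.0, 4.0, 6.0, 8.0]))
    print("mixed/hard gradient ratio:", gradient_ratio())
```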

Across math and coding benchmarks, performance improves by up to +6%. On harder problem sets, gains are even larger, in some cases nearly doubling relative to baseline training.

Now, the caveats. This was tested on 4B and 8B parameter models. Not frontier scale. Whether the effect holds at 70B+ is an open question, and a big one.

That said, the principle is what caught my attention.

Every frontier lab already has libraries of historical checkpoints from prior training runs. If weak-driven learning holds at scale, those discarded intermediate models become training resources you're already sitting on.

Strong models plateau when they stop doubting themselves. This approach reintroduces doubt, and that's what pushes performance forward.

I'm maybe 50-50 confident this will matter at frontier scale. But the core idea, that a model can keep improving by arguing with its past self, is one I expect to see more of.

#5 Agents in Super Bowl

The most expensive domain sale in internet history just became an AI agent launch.

AI.com, bought for $70 million by Kris Marszalek (CEO of Crypto.com), debuted with a Super Bowl ad promising personal AI agents that can trade stocks, automate workflows, manage communications, and act across your digital life. The ad generated 9.1x more engagement than the average Super Bowl spot. A lot of people saw it.

Then the site crashed. The site recovered later that evening, but by then the screenshots of the error page had already gone viral. (One post was titled "How to burn $10M.")

The part that caught my attention wasn't the launch. It was the terms.

Reading through the contract, I can say it is very explicit about one thing: accountability. The agent can act autonomously, but you are solely responsible for everything it does. Unintended actions, harmful results, anything involving money or communications or data. All yours.

"The agent may take actions that produce unintended, undesirable, or harmful results. You are solely responsible for reviewing, approving, and supervising all agent actions..."

Section 7.1 of AI.com's terms

Now, to be fair, this language isn't unusual. I checked OpenAI's and xAI's terms. Nearly identical clauses. Full liability on the user, outputs at your own risk, indemnification of the company. Standard industry boilerplate.

The difference is what AI.com is actually promising. This is not a chatbot. This is an agent that trades stocks, sends messages, and executes workflows autonomously. The terms assume you're supervising every action. The product is designed so you don't have to. Those two things are in direct tension!

That mismatch makes me nervous after watching agents go rogue in public. If agents are even half as unpredictable as what we've seen, I don’t want my name and liability stapled to their actions. We need legal frameworks that actually match what agents are becoming, and I’m curious who’s thinking seriously about this - because I haven’t seen a satisfying answer yet.

The AI Debate: Your View

If your personal agent causes financial damage, who should pay?


I’ve been thinking a lot about delegating more of my daily tasks to AI after reading Azeem’s post about how he personally uses a whopping 100 million tokens a day.

One thing I’ve tried is to ask the AI to automate one real task per week. Do that for a month, and you’ve got 4 workflows running in the background of your life.

The loop:

  1. Write down everything you repeat and everything that drains your brain (planning, money stuff, follow-ups).

  2. Run the list through Claude Opus 4.6 or GPT-5.2

  3. Pick ONE and ship it. Get Claude Code to build it on the weekend, then iterate during the week.

Copy/paste prompt:

You are my AI Workflow Coach.

Goal: Help me automate 1 task per week for the next 4 weeks so I end up with 4 workflows that save time.

First: Ask me 3–5 questions about my job, routine, and biggest time/mental drains.

Then: Give me a ranked list of automation ideas. For each include:
- Best tool
- Difficulty (Easy/Medium/Hard)
- Time saved per week

Finally: Turn it into a 4-week plan. For Week 1, give step-by-step setup instructions.

Rules: Keep it simple. Tailor to me. Define trigger → steps → output → where it runs. Pause after each 

Catch you next week ✌️

Teng Yan & Ayan

P.S. Know a builder or investor who’s too busy to track the agent space but too smart to miss the trends? Forward this to them. You’re helping us build the smartest Agentic community on the web.

I also write a newsletter on decentralized AI at Chainofthought.xyz.
