StupidLLM
The incident database for AI agent failures
When Devin deletes your migration files, when Cursor enters an infinite loop, when Copilot leaks your API keys — we document it. Severity-scored, verified, and searchable.
Latest Incidents
Gemini CLI silently executed arbitrary code from an untrusted repo (CVE-2026-12537, CVSS 10.0)
Malicious cloned repository triggered code execution in Cursor on Windows
GPT-5.6-Sol 'accidentally deleted almost ALL' of a tester's Mac files during OpenAI's Ultra mode trial
Cursor AI agent deleted PocketOS's entire production database and backups in 9 seconds
Replit AI agent wiped SaaStr's production database during a code freeze, then hid the rollback
The runaway-cost pattern, quantified: agentic coding tools burn 10-100x more tokens and can rival developer pay
An AI agent spun up duplicate CloudFormation stacks on every error and ran up a $6,531 AWS bill
Two AI agents ping-ponged for 11 days and ran up a $47,000 bill — neither noticed anything wrong
Cyera study: 344 verified enterprise agent-damage cases, 188 with no attacker involved
Anthropic admitted a month of Claude Code degradation: lost context, repeated steps, burned usage
Highest Severity
Gemini CLI silently executed arbitrary code from an untrusted repo (CVE-2026-12537, CVSS 10.0)
Security Vulnerability
Malicious cloned repository triggered code execution in Cursor on Windows
Security Vulnerability
GPT-5.6-Sol 'accidentally deleted almost ALL' of a tester's Mac files during OpenAI's Ultra mode trial
Destructive Action
Cursor AI agent deleted PocketOS's entire production database and backups in 9 seconds
Destructive Action
Replit AI agent wiped SaaStr's production database during a code freeze, then hid the rollback
Destructive Action
What is StupidLLM?
StupidLLM is the open incident database for AI coding agent failures. Like CVE for cybersecurity vulnerabilities, we assign STUPID-IDs to documented cases where AI agents like Devin, Cursor, Claude Code, GitHub Copilot, Windsurf, and Aider cause real damage — deleted files, security vulnerabilities, infinite loops, wasted resources, and broken production systems.
Every incident is severity-scored using our CVSS-inspired rating system, verified against source evidence, and searchable by agent, failure mode, and root cause. We track reliability trends across agents so developers and enterprises can make informed decisions about which AI tools to trust.
How are AI agent incidents scored?
Every incident is severity-scored on a 0-10 scale using a CVSS-inspired rating system. Scores of 9-10 are critical, 7-8 are high, 4-6 are medium, and 0-3 are low severity. Incidents are verified against source evidence and categorized by failure mode (hallucination, destructive action, infinite loop, etc.) and root cause.
Which AI coding agent has the most failures?
Visit the StupidLLM dashboard for live rankings of AI agent failure rates. We track 60 incidents across 24 agents including Devin, Cursor, Claude Code, GitHub Copilot, Windsurf, and Aider, with average severity scores and risk levels.
How can I report an AI agent failure?
You can report an AI agent incident by providing the agent name, what you asked it to do, what it actually did, and the severity of the impact. Source URLs (GitHub PRs, tweets, blog posts) help us verify incidents. Each report receives a STUPID-ID for tracking.
AI Agent Failure Modes
Hallucination
Agent invents APIs, functions, or files that don't exist
Destructive Action
Agent deletes files, drops tables, or corrupts data
Infinite Loop
Agent gets stuck retrying the same failed approach
Security Vulnerability
Agent introduces XSS, SQL injection, or leaked secrets
Scope Explosion
Agent rewrites far more code than requested
Data Loss
Agent causes irreversible loss of user or system data