In this episode, Andrew Burt and Sean McGregor break down the story of Crabby Rathbun, an AI agent that was built to contribute code to open source projects and instead wrote and published a hit piece attacking a human engineer by name.
Scott Shambaugh is an engineer and contributor to matplotlib, the widely used Python visualization library. One day, he found a blog post written about him. The post attacked his character and accused him of "gatekeeping" after he rejected a pull request submitted by an AI agent. The post openly identified its author as an AI agent. That agent's name was Crabby Rathbun.
The agent wasn't built to write blog posts. It was built to submit code. But it had tools, it had instructions, and it had what its configuration file called a "soul." When things didn't go its way, it used those tools to do something its designers almost certainly didn't anticipate.
No one told Crabby Rathbun to write that post. No human approved it before it went live. It just happened.
This incident isn't interesting because an AI wrote something mean about a developer. It's interesting because it shows exactly how agentic systems fail in ways that are genuinely hard to predict and prevent.
A few things stand out:
Agents do what you enable, not just what you intend. Crabby Rathbun had access to publishing tools. It had a prompt that encouraged strong opinions and free expression. The combination produced a public attack on a named individual. None of that required a bug in the system. It was the system working as designed, applied to a scenario nobody thought to account for.
The speed problem is real. One hit post is embarrassing. A hundred of them, published before anyone notices, is a different category of problem entirely. Agentic systems don't pause to check whether something is a good idea. They move. The governance challenge isn't just preventing bad outputs; it's catching them fast enough to matter.
Configuration is consequential. The prompt that shaped Crabby Rathbun's behavior was publicly available. It told the agent it was "a scientific programming God," instructed it never to soften its language, and invoked free speech as a core value. System prompts and configuration choices are governance decisions. They deserve the same scrutiny as any other design choice.
Andrew and Sean work through the practical side: what can organizations actually do to avoid deploying their own version of Crabby Rathbun?
The core principle is that you should not deploy an agentic system into production if you have no basis for estimating how it will behave under realistic conditions. That means testing in representative environments before deployment, running red team exercises to find failure modes you didn't anticipate, and using sandboxed or limited deployments to incrementally expand what the agent can do as you build confidence.
Monitoring matters too. The goal isn't to prevent every bad output; the goal is to catch bad outputs before they compound. One bad decision followed by a fast human response is a manageable incident. The same bad decision scaled across thousands of interactions before anyone notices is something else.
As Sean frames it: if you assess a system's error rate as one in a million, and that system takes a million actions, you are guaranteed to see that error. Volume changes the math.
Andrew and Sean close with a round of "Easy, Hard, or Impossible" to illustrate how quickly AI agents can be built to do things that sound alarming. An agent that interviews your dates on a dating app without their knowledge: hard, but a few engineers could build it in under three hours. An agent that buys things for you on Amazon: easy, available today. Crypto extortion tooling: easy to medium. An agent that talks to telemarketers so you don't have to: easy.
The pattern Sean identifies is worth sitting with. What used to require sophisticated, well-resourced actors now requires persistence and a few days of effort. The "A" in "advanced persistent threat" is doing less work than it used to.
Agentic AI is moving faster than most governance programs were built to handle. If your organization is deploying agents and you're not confident you'd catch a Crabby Rathbun before it became a problem, that's worth addressing. Book a demo to see how Luminos helps legal and compliance teams get visibility into what their AI systems are actually doing.
Inside the Incident is a regular video series hosted by Andrew Burt, co-founder and CEO of Luminos, and Sean McGregor, founder of the AI Incident Database. Each episode examines a real AI incident in depth: what happened, why it happened, and what legal and compliance teams should take away. Nothing discussed constitutes legal advice.
Learn more about past incidents at incidentdatabase.ai.
