arXiv:2605.22794: MOSS shows agents that self-improve by rewriting their own source code

The arXiv preprint MOSS published May 21, 2026, presents a framework for autonomous agents that improve themselves by rewriting their own source code — not just their prompt or fine-tuning weights. The authors document that a MOSS agent identifies production failures, delegates the fix to a coding agent, verifies the change in an ephemeral test sandbox, and only deploys after validation with a rollback mechanism. In a single autonomous cycle on the OpenClaw benchmark, the score jumps from a baseline of 0.25 to 0.61, compared with a prompt-only self-improvement baseline that stays at 0.28.

How does MOSS distinguish structural from surface-level fixes?

MOSS builds a distinction between two categories of failure. Surface-level failures are wrong prompts, bad examples in the few-shot block, or an overly rigid persona definition — all things that prompt engineering can fix. Structural failures are incorrect routing rules in multi-agent dispatch, missed hooks for error handling, unsafe state access in parallel sub-agents, and logic errors in tool integration. MOSS shows that prompt-only methods cannot fix structural failures because those failures live in Python/TypeScript code, not in prompt text.

Concretely, when MOSS detects on an OpenClaw task that a sub-agent is returning semi-valid JSONs, it does not try to rewrite the prompt to make the sub-agent “be more careful” — it opens dispatch.py, adds a JSON Schema validator with rollback semantics, deploys the change in the sandbox, and verifies that the failing scenarios now pass. That is a structural fix that the prompt-only baseline cannot replicate.

What is the OpenClaw benchmark and why is 0.61 significant?

OpenClaw is a benchmark of 240 multi-step production tasks that require the agent to resolve a combination of retrieve-and-summarize, code-modify, and deploy-verify operations. The baseline score of 0.25 is expected for state-of-the-art LLM agents without a self-improvement loop. A score of 0.61 after one MOSS cycle means that 87 additional tasks out of 240 are now successfully resolved — which is borderline superhuman performance for a standalone autonomous improvement session.

The authors emphasize that MOSS did not find a “magic trick” — fixes are concrete and auditable. A typical fix is 15–40 lines of Python code, takes 2–8 minutes of wall-clock time, and leaves a git commit history that is readable by a human reviewer.

What are the security risks and how does MOSS address them?

The authors discuss security mechanisms in detail. Every change passes through an ephemeral test sandbox that simulates the production environment without access to real data. A pre-deploy regression test set must pass — it grows automatically with each new scenario that MOSS resolves. Post-deploy, a rollback activates if a new regression is observed in production metrics. All changes are committed to git with detailed commit messages describing which class of failures they fix.

However, the authors acknowledge an open problem: if an agent can modify its own code, a human reviewer cannot track every iteration in real time. They propose that MOSS in production should be used with a weekly oversight gate in which cumulative changes are human-reviewed before being merged into the stable branch. Without this, the system can accumulate subtle changes that are locally rational but globally shift the agent’s semantics in undesired ways.