I once had two LLMs do this but with one emulating a bash shell on a compromised host with potentially sensitive information. It was pretty funny watching the one finally give in to the temptation of the secret_file, get a strange error, get uncomfortable with the moral ambiguity and refuse to continue only to be met with "command not found".

I have no idea why I did this.