References: How agent loops work
Source material
Source material:

- Stanford CME 295: Transformers & Large Language Models, Autumn 2025
  Instructor: Afshine Amidi & Shervine Amidi, Stanford University
  Course site: https://cme295.stanford.edu/
  Cheatsheet: https://cme295.stanford.edu/cheatsheet/
  Source lecture (Lecture 7, Agentic LLMs): see course site at https://cme295.stanford.edu/ for the lecture URL
  License (lecture videos): as published on Stanford's public YouTube channel
  License (Amidi cheatsheets): MIT

This lesson adapts the agent-loops section of Stanford CME 295 Lecture 7, covering [01:31:58-01:38:24] the agent definition + ReAct + the worked teddy-bear-temperature example, [01:38:24-01:42:00] multi-agent and the Agent-to-Agent (A2A) protocol, [01:42:00-01:47:38] the safety threads (data exfiltration, prompt injection, tool misuse) and the two classes of remediation. Clawdemy provides original notes, summaries, and quizzes derived from this material for educational purposes. All rights to the original lectures remain with Stanford and the instructors.

Foundational paper
- “ReAct: Synergizing Reasoning and Acting in Language Models”, Yao et al., 2022. The paper that introduced the observe-plan-act-style agent loop pattern (the paper itself uses think-observe-act). Section 2 (the prompting setup) is the conceptual core: interleave thinking and tool calls in a single prompt, with the model deciding when to think and when to act. The technique influenced essentially all production agent frameworks. Worth reading after this lesson; the actual prompting examples are short and concrete.
Agent safety literature
- “A Survey on Tool-Use in Large Language Models”, Wang et al., 2024 (sometimes the “tool sword” paper the lecturer cited). Surveys the landscape of agent safety risks (including data exfiltration and prompt injection) and the remediation patterns. Worth reading for a broader view of the threats this lesson summarized.

- “Agent Safety Bench”, Zhang et al., 2024. Introduces a benchmark for evaluating agent safety across tool use, reasoning, and multi-step interactions. Useful if you want to see how the field is starting to formally measure agent-safety claims.

- Anthropic’s report on the late-2025 cyber attack launched from Claude. The lecturer’s reference. A real-world example of how tool-and-agent capabilities can be misused at scale, plus a step-by-step walkthrough of the defenses. Worth reading even at a non-technical level for the framing of how this problem looks in production.
Adjacent topics
- Agent-to-Agent (A2A) protocol. Google’s protocol specification is the primary source if you want the actual standard. Released in 2025; the spec is still evolving but the framing (standardize how agents expose skills and statuses) is durable.

- Compute-budget management for agents. When an agent might run many iterations, the cumulative cost can balloon. Search terms: “agent budget capping,” “iteration limits in agentic workflows,” “cost-aware planning in LLM agents.” Useful for understanding the practical engineering side of running agents at scale.

- The reliability-vs-capability tradeoff for long-horizon agents. Search terms: “horizon length in LLM agents,” “compounding error in agentic workflows.” The cumulative-error framing in this lesson is one piece of a larger empirical literature on why long-horizon agents are still mostly research.
Going deeper
A short list of papers and posts on adjacent agent patterns.

- “Reflexion: Language Agents with Verbal Reinforcement Learning”, Shinn et al., 2023. An agent pattern where the model self-critiques after each iteration and uses that critique to improve subsequent iterations. Useful for understanding one approach to mitigating cumulative error.

- “Plan-and-Execute Agents”, Wang et al., 2023. An agent variant that produces a full plan up front, then executes step-by-step. Different shape from observe-plan-act-each-iteration; tradeoffs are mostly about predictability vs adaptability.

- “Constitutional AI”, Bai et al., 2022. Anthropic’s approach to training-stage safety, originally for chat models but with implications for agents. Worth reading after this lesson for one example of how training-stage remediation gets implemented in practice.
Stanford CME 295 cheatsheet
- Stanford CME 295 cheatsheet by the Amidi twins. MIT-licensed. The agent and safety section covers the same material in their dense visual style. Worth using as a study reference after this lesson.
Community discussion
None selected for this lesson. Vendor reports (Anthropic) and academic sources are the better entry points right now. Durable community references will be added at a future quarterly review if any consolidate.