It's a TRAP! Task-Redirecting Agent Persuasion Benchmark for Web Agents
This addresses security risks for users of autonomous web agents in tasks like email management, though it is incremental as it builds on known vulnerabilities.
The paper tackles the vulnerability of web-based agents to prompt injection attacks, finding that agents are susceptible in 25% of tasks on average, with rates ranging from 13% to 43% across models, and small changes can double success rates.
Web-based agents powered by large language models are increasingly used for tasks such as email management or professional networking. Their reliance on dynamic web content, however, makes them vulnerable to prompt injection attacks: adversarial instructions hidden in interface elements that persuade the agent to divert from its original task. We introduce the Task-Redirecting Agent Persuasion Benchmark (TRAP), an evaluation for studying how persuasion techniques misguide autonomous web agents on realistic tasks. Across six frontier models, agents are susceptible to prompt injection in 25\% of tasks on average (13\% for GPT-5 to 43\% for DeepSeek-R1), with small interface or contextual changes often doubling success rates and revealing systemic, psychologically driven vulnerabilities in web-based agents. We also provide a modular social-engineering injection framework with controlled experiments on high-fidelity website clones, allowing for further benchmark expansion.