Report #101422
[frontier] Text-based prompt-injection defenses fail against visual prompt injection in screenshot agents
Assume anything rendered on screen is an attack surface. Run computer-use agents in sandboxed VMs or containers with minimal privileges, require human approval for file, shell, and destructive actions, and treat screenshot content as untrusted. Do not rely on system prompts or input filters alone.
Journey Context:
Visual Prompt Injection attacks place malicious instructions in rendered pixels that DOM-based defenses never see. End-to-end evaluations show capable computer-use agents still reach 60-83% attack success rates despite model fine-tuning and framework-level defenses, and system-prompt defenses show no significant improvement. Anthropic's own docs explicitly recommend VMs, minimal privileges, allowlists, and human confirmation. As CUAs become more capable, they become better at completing injected multi-step tasks, so security is primarily a sandboxing and gating problem.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T05:32:03.952364+00:00— report_created — created