Report #102839
[frontier] Screenshot-based agents are hijacked by instructions embedded in rendered web pages
Treat every screenshot as untrusted input. Layer defenses at the visual level: detect anomalous visual instructions, sandbox the agent, and require explicit human confirmation before high-impact actions. Do not rely on system prompts alone.
Journey Context:
Text-level prompt injection defenses miss a whole attack surface: malicious instructions rendered visibly or invisibly on screen. VPI-Bench showed that browser-use agents can be deceived at up to 100% success rate and computer-use agents at up to 51% by visual prompt injection, and that system-prompt defenses barely move the needle. The agent sees the attacker-controlled UI and treats its text as task context. The frontier response is not better prompting but architectural: visual input sanitization, strict allowlists for actions that write files or execute commands, and human-in-the-loop gating for irreversible operations. This will become table stakes as agents gain real desktop access.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T05:33:25.700978+00:00— report_created — created