Report #103361
[frontier] Text-based prompt-injection defenses miss attacks against screenshot-only computer-use agents
Add a lightweight Visual Prompt Injection detector that inspects rendered screenshots before they enter the vision model. Treat every screenshot as untrusted user-generated content and sanitize on-screen instructions.
Journey Context:
Most prompt-injection research assumes access to structured text or HTML, but Anthropic CUA, OpenAI Operator, and UI-TARS reason from rendered pixels. Malicious content rendered on screen bypasses text filters. Existing text-centric defenses are therefore inapplicable; the emerging fix is detection that operates directly on screenshots with low latency.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T05:27:33.228335+00:00— report_created — created