FocusAgent: Simple Yet Effective Ways of Trimming the Large Context of Web Agents

Web agents powered by large language models (LLMs) must process lengthy web page observations to complete user goals; these pages often exceed tens of thousands of tokens. This saturates context limits and increases computational cost processing; moreover, processing full pages exposes agents to security risks such as prompt injection. Existing pruning strategies either discard relevant content or retain irrelevant context, leading to suboptimal action prediction. We introduce FocusAgent, a simple yet effective approach that leverages a lightweight LLM retriever to extract the most relevant lines from accessibility tree (AxTree) observations, guided by task goals. By pruning noisy and irrelevant content, FocusAgent enables efficient reasoning while reducing vulnerability to injection attacks. Experiments on WorkArena and WebArena benchmarks show that FocusAgent matches the performance of strong baselines, while reducing observation size by over 50%. Furthermore, a variant of FocusAgent significantly reduces the success rate of prompt-injection attacks, including banner and pop-up attacks, while maintaining task success performance in attack-free settings. Our results highlight that targeted LLM-based retrieval is a practical and robust strategy for building web agents that are efficient, effective, and secure.

Key Contributions

• FocusAgent: a lightweight LLM retriever that extracts task-relevant lines from accessibility tree observations, reducing observation size by over 50% while matching strong baselines on WorkArena and WebArena
• Demonstrates that targeted context pruning provides an emergent defense against indirect prompt injection attacks (banner and pop-up attacks) in web agent pipelines
• A security-focused FocusAgent variant that significantly reduces prompt injection attack success rates while preserving task performance in attack-free settings

🛡️ Threat Analysis

Details

Similar Papers