defense 2026

CaMeLs Can Use Computers Too: System-level Security for Computer Use Agents

Hanna Foerster 1, Tom Blanchard 2,3, Kristina Nikolić 4, Ilia Shumailov 5, Cheng Zhang 5, Robert Mullins 1, Ilia Shumailov 2,3, Florian Tramèr 4, Yiren Zhao 5

1 University of Cambridge

2 University of Toronto

3 Vector Institute

4 ETH Zurich

5 AI Security Company

1 citations · 44 references · arXiv
α

Published on arXiv

2601.09923

Prompt Injection

OWASP LLM Top 10 — LLM01

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

Single-Shot Planning retains up to 57% of frontier model performance while improving smaller open-source model performance by up to 19%, demonstrating security and utility can coexist in CUAs.

Single-Shot Planning

Novel technique introduced

AI agents are vulnerable to prompt injection attacks, where malicious content hijacks agent behavior to steal credentials or cause financial loss. The only known robust defense is architectural isolation that strictly separates trusted task planning from untrusted environment observations. However, applying this design to Computer Use Agents (CUAs) -- systems that automate tasks by viewing screens and executing actions -- presents a fundamental challenge: current agents require continuous observation of UI state to determine each action, conflicting with the isolation required for security. We resolve this tension by demonstrating that UI workflows, while dynamic, are structurally predictable. We introduce Single-Shot Planning for CUAs, where a trusted planner generates a complete execution graph with conditional branches before any observation of potentially malicious content, providing provable control flow integrity guarantees against arbitrary instruction injections. Although this architectural isolation successfully prevents instruction injections, we show that additional measures are needed to prevent Branch Steering attacks, which manipulate UI elements to trigger unintended valid paths within the plan. We evaluate our design on OSWorld, and retain up to 57% of the performance of frontier models while improving performance for smaller open-source models by up to 19%, demonstrating that rigorous security and utility can coexist in CUAs.

Key Contributions

  • Single-Shot Planning: a trusted planner generates a complete conditional execution graph before any exposure to potentially malicious UI content, providing provable control flow integrity against arbitrary instruction injections
  • Branch Steering: a novel residual attack where adversaries manipulate UI elements to trigger unintended but syntactically valid branches within the pre-generated plan
  • Empirical evaluation on OSWorld showing the approach retains up to 57% of frontier model performance while improving smaller open-source models by up to 19%

🛡️ Threat Analysis

Details

Domains
nlpmultimodal
Model Types
llmvlm
Threat Tags
inference_timetargetedblack_box
Datasets
OSWorld
Applications
computer use agentsai task automationos-level agent systems
Read PDF arXiv DOI

Similar Papers

defense

Blind Gods and Broken Screens: Architecting a Secure, Intent-Centric Mobile Agent Operating System

2026 0 cit.
94%
defense

When Actions Go Off-Task: Detecting and Correcting Misaligned Actions in Computer-Use Agents

2026 0 cit.
94%
defense

Cowpox: Towards the Immunity of VLM-based Multi-Agent Systems

2025 0 cit.
88%
defense

Who Grants the Agent Power? Defending Against Instruction Injection via Task-Centric Access Control

2025 1 cit.
88%
defense

Enhancing Reliability in LLM-Integrated Robotic Systems: A Unified Approach to Security and Safety

2025 0 cit.
88%
defense

MirrorGuard: Toward Secure Computer-Use Agents via Simulation-to-Real Reasoning Correction

2026 0 cit.
83%
attack

ScamAgents: How AI Agents Can Simulate Human-Level Scam Calls

2025 0 cit.
82%
benchmark

ClawSafety: "Safe" LLMs, Unsafe Agents

2026 0 cit.
82%