ML Security PapersPINA: Prompt Injection Attack against Navigation Agents
Jiani Liu 1, Yixin He 1, Lanlan Fan 2, Qidi Zhong 1, Yushi Cheng 1, Meng Zhang 1, Yanjiao Chen 1, Wenyuan Xu 1
Published on arXiv
2601.13612
Prompt Injection
OWASP LLM Top 10 — LLM01
Key Finding
PINA achieves an average attack success rate of 87.5% across indoor and outdoor navigation agents under black-box constraints, outperforming all baselines.
PINA
Novel technique introduced
Navigation agents powered by large language models (LLMs) convert natural language instructions into executable plans and actions. Compared to text-based applications, their security is far more critical: a successful prompt injection attack does not just alter outputs but can directly misguide physical navigation, leading to unsafe routes, mission failure, or real-world harm. Despite this high-stakes setting, the vulnerability of navigation agents to prompt injection remains largely unexplored. In this paper, we propose PINA, an adaptive prompt optimization framework tailored to navigation agents under black-box, long-context, and action-executable constraints. Experiments on indoor and outdoor navigation agents show that PINA achieves high attack success rates with an average ASR of 87.5%, surpasses all baselines, and remains robust under ablation and adaptive-attack conditions. This work provides the first systematic investigation of prompt injection attacks in navigation and highlights their urgent security implications for embodied LLM agents.
Key Contributions
- First systematic investigation of prompt injection attacks against LLM-based navigation agents in both indoor and outdoor settings.
- PINA: an adaptive prompt optimization framework designed for black-box, long-context, action-executable constraints specific to navigation agents.
- Empirical demonstration of 87.5% average attack success rate, surpassing all baselines and remaining robust under ablation and adaptive-defense conditions.