defense 2026

SnapGuard: Lightweight Prompt Injection Detection for Screenshot-Based Web Agents

Mengyao Du 1, Han Fang 2, Haokai Ma 3, Jiahao Chen 4, Kai Xu 1, Quanjun Yin 1, Ee-Chien Chang 3

1 National University of Defense Technology

2 University of Science and Technology of China

3 National University of Singapore

4 Zhejiang University

0 citations
α

Published on arXiv

2604.25562

Prompt Injection

OWASP LLM Top 10 — LLM01

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

Achieves F1 score of 0.75 across eight attack types, outperforming GPT-4o-prompt while being 8x faster (1.81s vs 14.50s) with zero memory overhead

SnapGuard

Novel technique introduced

Web agents have emerged as an effective paradigm for automating interactions with complex web environments, yet remain vulnerable to prompt injection attacks that embed malicious instructions into webpage content to induce unintended actions. This threat is further amplified for screenshot-based web agents, which operate on rendered visual webpages rather than structured textual representations, making predominant text-centric defenses ineffective. Although multimodal detection methods have been explored, they often rely on large vision-language models (VLMs), incurring significant computational overhead. The bottleneck lies in the complexity of modern webpages: VLMs must comprehend the global semantics of an entire page, resulting in substantial inference time and GPU memory usage. This raises a critical question: can we detect prompt injection attacks from screenshots in a lightweight manner? In this paper, we observe that injected webpages exhibit distinct characteristics compared to benign ones from both visual and textual perspectives. Building on this insight, we propose SnapGuard, a lightweight yet accurate method that reformulates prompt injection detection as multimodal representation analysis over webpage screenshots. SnapGuard leverages two complementary signals: a visual stability indicator that identifies abnormally smooth gradient distributions induced by malicious content, and action-oriented textual signals recovered via contrast-polarity reversal. Extensive evaluations across eight attacks and two benign settings demonstrate that SnapGuard achieves an F1 score of 0.75, outperforming GPT-4o-prompt while being 8x faster (1.81s vs. 14.50s) and introducing no additional memory overhead.

Key Contributions

  • Reformulates prompt injection detection as multimodal representation analysis over webpage screenshots rather than structured text
  • Combines visual stability indicator (detecting smooth gradient distributions from malicious content) with action-oriented textual signals via contrast-polarity reversal
  • Achieves 8x faster inference than GPT-4o baseline (1.81s vs 14.50s) with no additional memory overhead while maintaining F1 of 0.75

🛡️ Threat Analysis

Details

Domains
multimodalnlp
Model Types
vlmmultimodal
Threat Tags
inference_timeblack_box
Applications
web agentsautonomous browsing
Read PDF arXiv

Similar Papers

defense

Cowpox: Towards the Immunity of VLM-based Multi-Agent Systems

2025 0 cit.
94%
defense

Who Grants the Agent Power? Defending Against Instruction Injection via Task-Centric Access Control

2025 1 cit.
94%
defense

UNSEEN: A Cross-Stack LLM Unlearning Defense against AR-LLM Social Engineering Attacks

2026 0 cit.
88%
defense

Blind Gods and Broken Screens: Architecting a Secure, Intent-Centric Mobile Agent Operating System

2026 0 cit.
88%
defense

Toward Trustworthy Agentic AI: A Multimodal Framework for Preventing Prompt Injection Attacks

2025 2 cit.
82%
defense

CaMeLs Can Use Computers Too: System-level Security for Computer Use Agents

2026 1 cit.
82%
benchmark

Measuring the Security of Mobile LLM Agents under Adversarial Prompts from Untrusted Third-Party Channels

2025 0 cit.
82%
defense

Enhancing Reliability in LLM-Integrated Robotic Systems: A Unified Approach to Security and Safety

2025 0 cit.
81%