It's a TRAP! Task-redirecting agent persuasion benchmark for web agents

Conference item

Web-based agents powered by large language models are increasingly used for tasks such as email management or professional networking. Their reliance on dynamic web content, however, makes them vulnerable to prompt injection attacks: adversarial instructions hidden in interface elements that persuade the agent to divert from its original task. We introduce the Task-Redirecting Agent Persuasion Benchmark (TRAP), a benchmark for studying how persuasion techniques misguide autonomous web agents on realistic tasks. Across six frontier models, agents are susceptible to prompt injection in 25% of tasks on average (13% for GPT-5 to 43% for DeepSeek-R1), with small interface or contextual changes often doubling success rates and revealing systemic, psychologically driven vulnerabilities in web-based agents. We also provide a modular social-engineering injection framework with controlled experiments on high-fidelity website clones, allowing for further benchmark expansion.

Authors: Korgul, K; Yang, Y; Drohomireck, A; Błaszczyk, P; Howard, W

• Publication status: Accepted
• Peer review status: Peer reviewed
• Host title: Proceedings of Machine Learning Research (PMLR) 2026
• Acceptance date: 2026-05-26
• Event title: International Conference on Machine Learning (ICML 2026)
• Event location: Seoul, South Korea
• Event website: https://icml.cc/
• Event start date: 2026-07-06
• Event end date: 2026-07-11
• Language: English