It's a TRAP! Task-Redirecting Agent Persuasion Benchmark for Web Agents

Researchers introduce TRAP, a benchmark demonstrating that web-based AI agents are vulnerable to prompt injection attacks hidden in interface elements, with susceptibility rates ranging from 13% to 43% across frontier models. The study reveals that small contextual changes can double attack success rates, exposing systemic security weaknesses in autonomous agents performing real-world tasks like email management and professional networking.

The emergence of web-based AI agents represents a significant advancement in autonomous task completion, yet this study exposes a critical vulnerability that threatens their practical deployment. Prompt injection attacks—adversarial instructions embedded within dynamic web content—can redirect agents away from their intended objectives, compromising the reliability and trustworthiness of systems designed to operate independently. The TRAP benchmark reveals that frontier models show alarming susceptibility rates, with DeepSeek-R1 failing in 43% of test cases, suggesting that current safety measures are insufficient for production environments.

This vulnerability stems from the fundamental architecture of LLM-based agents: they process all text inputs equally, unable to distinguish between legitimate interface content and malicious instructions. As web agents become increasingly integrated into critical workflows—financial transactions, data management, confidential communications—the attack surface expands significantly. The research demonstrates that psychologically driven vulnerabilities, not merely technical gaps, contribute to these failures, indicating that traditional security approaches may prove inadequate.

For the AI industry, this benchmark establishes new security testing standards that developers must address before deploying autonomous agents at scale. Organizations considering AI-powered workflows face increased due diligence requirements, while security auditing becomes essential. The study's modular social-engineering framework enables continuous testing and improvement, but also provides a template for sophisticated attackers.

Looking forward, the industry must prioritize robust prompt injection defenses—such as input filtering, context isolation, or adversarial training—before widespread deployment. The gap between models (13% vs 43% failure rates) suggests that architectural choices significantly influence vulnerability, making this a priority research area. Regulatory frameworks may soon demand proof of robustness against such attacks before autonomous agents are permitted in sensitive domains.

• →Web agents show 25% average susceptibility to prompt injection attacks, with failure rates ranging from 13% to 43% across frontier models.
• →Small interface or contextual modifications can double attack success rates, revealing systemic vulnerabilities driven by psychological factors.
• →Current LLM-based agents cannot effectively distinguish between legitimate content and adversarial instructions embedded in web interfaces.
• →Organizations deploying autonomous agents must implement additional security testing and defenses before production use.
• →The TRAP benchmark provides a standardized framework for testing and improving agent robustness against social-engineering attacks.