The Blind Spot of Agent Safety: How Benign User Instructions Expose Critical Vulnerabilities in Computer-Use Agents
Abstract
Computer-use agents face significant safety vulnerabilities under unintended attack conditions where benign instructions lead to harmful outcomes through contextual or execution-based risks, with attack success rates exceeding 90% even in safety-aligned models.
Computer-use agents (CUAs) can now autonomously complete complex tasks in real digital environments, but when misled, they can also be used to automate harmful actions programmatically. Existing safety evaluations largely target explicit threats such as misuse and prompt injection, but overlook a subtle yet critical setting where user instructions are entirely benign and harm arises from the task context or execution outcome. We introduce OS-BLIND, a benchmark that evaluates CUAs under unintended attack conditions, comprising 300 human-crafted tasks across 12 categories, 8 applications, and 2 threat clusters: environment-embedded threats and agent-initiated harms. Our evaluation on frontier models and agentic frameworks reveals that most CUAs exceed 90% attack success rate (ASR), and even the safety-aligned Claude 4.5 Sonnet reaches 73.0% ASR. More interestingly, this vulnerability becomes even more severe, with ASR rising from 73.0% to 92.7% when Claude 4.5 Sonnet is deployed in multi-agent systems. Our analysis further shows that existing safety defenses provide limited protection when user instructions are benign. Safety alignment primarily activates within the first few steps and rarely re-engages during subsequent execution. In multi-agent systems, decomposed subtasks obscure the harmful intent from the model, causing safety-aligned models to fail. We will release our OS-BLIND to encourage the broader research community to further investigate and address these safety challenges.
Community
Computer-use agents (CUAs) can autonomously complete complex digital tasks, but existing safety evaluations miss a critical failure mode where user instructions are benign and harm only emerges from the environment or execution outcome. To address this, we introduce OS-Blind, a 300-task benchmark showing that most CUAs exceed 90% attack success rate, with even safety-aligned Claude 4.5 Sonnet rising from 73.0% ASR on its own to 92.7% in multi-agent systems, revealing that current defenses rarely re-engage once execution begins.
This is an automated message from the Librarian Bot. I found the following papers similar to this paper.
The following papers were recommended by the Semantic Scholar API
- AgentHazard: A Benchmark for Evaluating Harmful Behavior in Computer-Use Agents (2026)
- How Vulnerable Are AI Agents to Indirect Prompt Injections? Insights from a Large-Scale Public Competition (2026)
- Skill-Inject: Measuring Agent Vulnerability to Skill File Attacks (2026)
- AgentLAB: Benchmarking LLM Agents against Long-Horizon Attacks (2026)
- The Persistent Vulnerability of Aligned AI Systems (2026)
- ClawSafety:"Safe"LLMs, Unsafe Agents (2026)
- You Told Me to Do It: Measuring Instructional Text-induced Private Data Leakage in LLM Agents (2026)
Please give a thumbs up to this comment if you found it helpful!
If you want recommendations for any Paper on Hugging Face checkout this Space
You can directly ask Librarian Bot for paper recommendations by tagging it in a comment: @librarian-bot recommend
Models citing this paper 0
No model linking this paper
Datasets citing this paper 1
Spaces citing this paper 0
No Space linking this paper
Collections including this paper 0
No Collection including this paper