It's a TRAP! Task-Redirecting Agent Persuasion Benchmark for Web Agents

Karolina Korgul, Yushi Yang, Arkadiusz Drohomirecki, Piotr Błaszczyk, Will Howard, Lukas Aichberger, Chris Russell, Philip H.S. Torr, Adam Mahdi, Adel Bibi

🏛 Institutions: Oxford, SoftServe, Independent, Johannes Kepler University Linz
📅 Date: December 29, 2025
📑 Publisher: arXiv
💻 Env: Web
🔑 Keywords: benchmark safety prompt injection social engineering TRAP

TLDR

TRAP studies persuasion-style prompt injection on realistic cloned websites, varying factors such as injection interface, persuasion principle, placement, and tailoring. Across six frontier models, it finds web agents are redirected in 25% of tasks on average, and small interface or contextual changes often double attack success.

Open paper arXiv Edit on GitHub Report issue