CaMeLs Can Use Computers Too: System-level Security for Computer Use Agents

Hanna Foerster, Tom Blanchard, Kristina Nikolić, Ilia Shumailov, Cheng Zhang, Robert Mullins, Nicolas Papernot, Florian Tramèr, Yiren Zhao

🏛 Institutions: University of Cambridge, University of Toronto, Vector Institute, ETH, AI Sequrity Company
📅 Date: January 14, 2026
📑 Publisher: arXiv
💻 Env: Desktop
🔑 Keywords: safety prompt injection control flow integrity Single-Shot Planning Branch Steering OSWorld CaMeLs

TLDR

This paper adapts the Dual-LLM security paradigm to computer-use agents through Single-Shot Planning, where a trusted planner writes a full branching execution graph before seeing untrusted UI content. That gives control-flow integrity against injected instructions, but the paper also identifies Branch Steering as a remaining data-flow threat and studies its tradeoff with utility on OSWorld.

Open paper arXiv Edit on GitHub Report issue