A Systematization of Security Vulnerabilities in Computer Use Agents

TL;DR

This paper systematically analyzes security vulnerabilities in Computer Use Agents (CUAs), revealing unique risks, architectural flaws, and proposing a security evaluation framework for safer deployment.

Contribution

It introduces a comprehensive threat analysis of CUAs, identifies seven risk classes, and presents concrete exploit scenarios and security design principles.

Findings

Identified seven classes of CUA-specific risks.

Analyzed three detailed exploit scenarios.

Proposed a security evaluation framework for CUAs.

Abstract

Computer Use Agents (CUAs), autonomous systems that interact with software interfaces via browsers or virtual machines, are rapidly being deployed in consumer and enterprise environments. These agents introduce novel attack surfaces and trust boundaries that are not captured by traditional threat models. Despite their growing capabilities, the security boundaries of CUAs remain poorly understood. In this paper, we conduct a systematic threat analysis and testing of real-world CUAs under adversarial conditions. We identify seven classes of risks unique to the CUA paradigm, and analyze three concrete exploit scenarios in depth: (1) clickjacking via visual overlays that mislead interface-level reasoning, (2) indirect prompt injection that enables Remote Code Execution (RCE) through chained tool use, and (3) CoT exposure attacks that manipulate implicit interface framing to hijack multi-step reasoning. These case studies reveal deeper architectural flaws across current CUA implementations. Namely, a lack of input provenance tracking, weak interface-action binding, and insufficient control over agent memory and delegation. We conclude by proposing a CUA-specific security evaluation framework and design principles for safe deployment in adversarial and high-stakes settings.