Visual Confused Deputy: Exploiting and Defending Perception Failures in Computer-Using Agents
Xunzhuo Liu, Bowei He, Xue Liu, Andy Luo, Haichen Zhang, Huamin Chen

TL;DR
This paper identifies a security vulnerability in computer-using agents caused by perception failures, formalizes the 'visual confused deputy' problem, and proposes a dual-channel guardrail to verify agent actions independently, enhancing security.
Contribution
It introduces the first outside-the-perceptual-loop guardrail using dual-channel contrastive classification to detect and prevent visual perception-based exploits in CUAs.
Findings
The guardrail outperforms individual channels in detecting malicious manipulations.
Visual and reasoning channels complement each other, reducing false positives.
The method improves CUA safety by verifying both visual targets and agent intent.
Abstract
Computer-using agents (CUAs) act directly on graphical user interfaces, yet their perception of the screen is often unreliable. Existing work largely treats these failures as performance limitations, asking whether an action succeeds, rather than whether the agent is acting on the correct object at all. We argue that this is fundamentally a security problem. We formalize the visual confused deputy: a failure mode in which an agent authorizes an action based on a misperceived screen state, due to grounding errors, adversarial screenshot manipulation, or time-of-check-to-time-of-use (TOCTOU) races. This gap is practically exploitable: even simple screen-level manipulations can redirect routine clicks into privileged actions while remaining indistinguishable from ordinary agent mistakes. To mitigate this threat, we propose the first guardrail that operates outside the agent's perceptual…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Security and Verification in Computing · Advanced Malware Detection Techniques
