CORA: Conformal Risk-Controlled Agents for Safeguarded Mobile GUI Automation

TL;DR

CORA is a framework for GUI agents that provides statistical safety guarantees by selectively executing actions and routing risky ones for human intervention, validated on a new mobile safety benchmark.

Contribution

It introduces a formal, risk-controlled safety mechanism for autonomous GUI agents, combining conformal risk control with multimodal reasoning and a new safety benchmark.

Findings

CORA improves safety-helpfulness-interruption trade-offs on Phone-Harm benchmark.

The framework effectively calibrates action execution to user-defined risk budgets.

Experiments show CORA outperforms diverse baselines in safety and utility.

Abstract

Graphical user interface (GUI) agents powered by vision language models (VLMs) are rapidly moving from passive assistance to autonomous operation. However, this unrestricted action space exposes users to severe and irreversible financial, privacy or social harm. Existing safeguards rely on prompt engineering, brittle heuristics and VLM-as-critic lack formal verification and user-tunable guarantees. We propose CORA (COnformal Risk-controlled GUI Agent), a post-policy, pre-action safeguarding framework that provides statistical guarantees on harmful executed actions. CORA reformulates safety as selective action execution: we train a Guardian model to estimate action-conditional risk for each proposed step. Rather than thresholding raw scores, we leverage Conformal Risk Control to calibrate an execute/abstain boundary that satisfies a user-specified risk budget and route rejected actions to a trainable Diagnostician model, which performs multimodal reasoning over rejected actions to recommend interventions (e.g., confirm, reflect, or abort) to minimize user burden. A Goal-Lock mechanism anchors assessment to a clarified, frozen user intent to resist visual injection attacks. To rigorously evaluate this paradigm, we introduce Phone-Harm, a new benchmark of mobile safety violations with step-level harm labels under real-world settings. Experiments on Phone-Harm and public benchmarks against diverse baselines validate that CORA improves the safety--helpfulness--interruption Pareto frontier, offering a practical, statistically grounded safety paradigm for autonomous GUI execution. Code and benchmark are available at cora-agent.github.io.