WebAgentGuard: A Reasoning-Driven Guard Model for Detecting Prompt Injection Attacks in Web Agents

TL;DR

WebAgentGuard is a reasoning-driven guard model designed to detect prompt injection attacks in vision-language web agents, enhancing security without sacrificing performance.

Contribution

The paper introduces WebAgentGuard, a novel multimodal guard model that effectively detects prompt injections by decoupling detection from agent reasoning, trained on a large synthetic dataset.

Findings

WebAgentGuard outperforms baseline models in detection accuracy.

The approach maintains agent utility and does not add latency.

Training on a synthetic dataset enables robust prompt injection detection.

Abstract

Web agents powered by vision-language models (VLMs) enable autonomous interaction with web environments by perceiving and acting on both visual and textual webpage content to accomplish user-specified tasks. However, they are highly vulnerable to prompt injection attacks, where adversarial instructions embedded in HTML or rendered screenshots can manipulate agent behavior and lead to harmful outcomes such as information leakage. Existing defenses, including system prompt defenses and direct fine-tuning of agents, have shown limited effectiveness. To address this issue, we propose a defense framework in which a web agent operates in parallel with a dedicated guard agent, decoupling prompt injection detection from the agent's own reasoning. Building on this framework, we introduce WebAgentGuard, a reasoning-driven, multimodal guard model for prompt injection detection. We construct a synthetic multimodal dataset using GPT-5 spanning 164 topics and 230 visual and UI design styles, and train the model via reasoning-intensive supervised fine-tuning followed by reinforcement learning. Experiments across multiple benchmarks show that WebAgentGuard consistently outperforms strong baselines while preserving agent utility, without introducing additional latency.