Web agents, powered by large language models (LLMs), are increasingly deployed to automate complex web interactions. The rise of open-source frameworks (e.g., Browser Use, Skyvern-AI) has accelerated adoption, but also broadened the attack surface. While prior research has focused on model threats such as prompt injection and backdoors, the risks of social engineering remain largely unexplored. We present the first systematic study of social engineering attacks against web automation agents and design a pluggable runtime mitigation solution. On the attack side, we introduce the AgentBait paradigm, which exploits intrinsic weaknesses in agent execution: inducement contexts can distort the agent's reasoning and steer it toward malicious objectives misaligned with the intended task. On the defense side, we propose SUPERVISOR, a lightweight runtime module that enforces environment and intention consistency alignment between webpage context and intended goals to mitigate unsafe operations before execution. Empirical results show that mainstream frameworks are highly vulnerable to AgentBait, with an average attack success rate of 67.5% and peaks above 80% under specific strategies (e.g., trusted identity forgery). Compared with existing lightweight defenses, our module can be seamlessly integrated across different web automation frameworks and reduces attack success rates by up to 78.1% on average while incurring only a 7.7% runtime overhead and preserving usability. This work reveals AgentBait as a critical new threat surface for web agents and establishes a practical, generalizable defense, advancing the security of this rapidly emerging ecosystem. We reported the details of this attack to the framework developers and received acknowledgment before submission.

翻译：基于大语言模型（LLM）驱动的Web代理正日益被部署以自动化复杂的网络交互。开源框架（例如Browser Use、Skyvern-AI）的兴起加速了其应用，但也扩大了攻击面。尽管先前的研究主要关注提示注入和后门等模型威胁，但社会工程攻击的风险在很大程度上仍未得到探索。我们首次对针对Web自动化代理的社会工程攻击进行了系统性研究，并设计了一种可插拔的运行时缓解方案。在攻击方面，我们提出了AgentBait范式，该范式利用代理执行过程中的固有弱点：诱导性上下文可以扭曲代理的推理，并引导其朝向与预期任务不一致的恶意目标。在防御方面，我们提出了SUPERVISOR，一个轻量级的运行时模块，它强制执行网页上下文与预期目标之间的环境和意图一致性对齐，从而在执行前缓解不安全操作。实证结果表明，主流框架对AgentBait高度脆弱，平均攻击成功率高达67.5%，在特定策略（例如可信身份伪造）下峰值超过80%。与现有的轻量级防御方案相比，我们的模块可以无缝集成到不同的Web自动化框架中，平均将攻击成功率降低高达78.1%，同时仅产生7.7%的运行时开销并保持可用性。这项工作揭示了AgentBait是Web代理面临的一个关键新威胁面，并建立了一种实用、可推广的防御机制，推动了这一快速兴起的生态系统的安全性。我们已将此攻击的细节报告给相关框架开发者，并在投稿前获得了确认。