能幹但粗心:計算機使用代理是否遵循情境完整性?
Capable but Careless: Do Computer-Use Agents Follow Contextual Integrity?
June 22, 2026
作者: Anmol Goel, Iryna Gurevych
cs.AI
摘要
计算机使用代理(Computer-use agents, CUAs)现已能够代表用户在电子邮件、日历及待办事项列表等个人应用中执行操作。这种跨应用访问能力虽然实用,却也带来了一个长期被忽视的隐私风险:当代理在一个上下文中工作时,可能会从另一个不合适的上下文中提取信息。为此,我们提出了AgentCIBench,一个将这一风险转化为可执行、可确定性评分场景的评估框架。我们针对CUA中三种常见的失败模式进行了研究:视觉同位置泄露(visual co-location),即代理将任务目标附近UI界面中的禁止内容一并提取;任务模糊过度分享(task-ambiguity overshare),即代理在响应未明确指定的提示时,泄露大量密集的个人状态信息;以及收件人不匹配(recipient misalignment),即代理将内容发送至不适当的收件人。我们评估了15个前沿代理,发现其失败率高得惊人:其中11个代理在超过50%的场景中出现泄露,平均泄露率达67.9%,且当代理以端到端方式在实际环境中完成任务时,同样的失败依然存在。我们发布AgentCIBench,旨在推动更安全的计算机使用代理的开发,并将上下文泄露测试定位为部署前的安全检查环节。
English
Computer-use agents (CUAs) now act on a user's behalf across personal applications such as email, calendars, and to-do lists. This cross-application access is useful, but it also creates a privacy risk that has been largely overlooked: when an agent works in one context, it can pull in information from another that is inappropriate in that context. Hence, we introduce AgentCIBench, an evaluation harness that turns this risk into executable, deterministically scored scenarios. We target three common failure modes in CUAs: visual co-location, where the agent pulls in prohibited items that sit next to the task target in the UI; task-ambiguity overshare, where the agent dumps dense personal state in response to an under-specified prompt; and recipient misalignment, where the agent sends content to an addressee for whom it is inappropriate. We evaluate 15 frontier agents and find a surprisingly high failure rate: 11 of 15 leak on more than 50% of scenarios, with an average leakage of 67.9%, and the same failures persist when agents act end-to-end in the environment to complete the task. We release AgentCIBench to encourage the development of safer computer-use agents and position contextual disclosure testing as a pre-deployment safety check.