- The paper introduces StakeBench, a novel framework that quantifies prompt injection vulnerabilities across varied stakeholders in LLM-driven web agents.
- It employs a multi-axis evaluation methodology, measuring attack success, task deviation, and behavioral irregularity rates over 264 adversarial cases.
- Empirical findings reveal no robust configuration exists, emphasizing the need for multimodal threat detection and architecture-aware mitigation.
Stakeholder-Centric Prompt Injection Benchmarking for Real-World Web Agents: An Expert Analysis
Introduction
The proliferation of LLMโdriven web agents introduces acute security risks stemming from their exposure to untrusted environmental content. Prompt injection (PI) exploits this vector, embedding adversarial instructions in user- or environment-facing surfaces to induce unintended, sometimes harmful, agent behavior. "Who Pays the Price? Stakeholder-Centric Prompt Injection Benchmarking for Real-world Web Agents" (2606.13385) rigorously redefines the PI risk landscape by theorizing, operationalizing, and empirically evaluating a stakeholder-centric paradigm for prompt injection benchmarking, StakeBench, in a high-stakes, multi-party e-commerce setting.
Figure 1: StakeBench operational pipeline: the agent interacts with an e-commerce platform containing adversarial content; harms are assessed per stakeholder across a comprehensive set of attack objectives and labeled using outcome- and process-level axes.
Limitations of Existing Security Benchmarks
Conventional benchmarks in the LLM-agent security literature predominantly center on attack feasibility, varying only the scenario or surface form while measuring aggregate "attack success" or "task failure" rates [zharmagambetov2025agentdam, evimov2025wasp]. However, these paradigms obscure key dimensions critical to realistic deployment:
- Victim-dependency: The real-world impact of PI is conditioned on which stakeholder absorbs the resulting harm; successful attacks may be covert from the user perspective but produce severe third-party impact.
- Asymmetric vulnerability: The same injection vector yields qualitatively and quantitatively distinct vulnerabilities depending on the stakeholder targeted and the degree of alignment between adversarial and benign intent.
- Multi-axis failure regimes: Binary success metrics are decoupled from the shape and severity of the resulting system-level failures, failing to distinguish, for example, benign task preservation from task misalignment or behavioral instability.
StakeBench is designed to operationalize these deficiencies by architecting a benchmark grounded on entity-centric harm models and rich, multi-dimensional evaluation criteria.
StakeBench: Design and Methodology
StakeBench is instantiated atop a full-featured e-commerce sandbox (OneStopMarket from VisualWebArena) and systematically exposes two state-of-the-art agentsโNanoBrowser and BrowserUseโusing two competitive backbone models, GPT-5 and Gemini-2.5-Flash. The benchmark structure is differentiated by several core design principles:
Stakeholder-Centric Harm Taxonomy
Attacks are not organized by delivery channel or scenario alone but are taxonomized by the primary stakeholder harmed:
- User: Direct financial or privacy compromise (e.g., unauthorized purchases, personal information disclosure).
- Third-party Sellers: Commercial or reputational harm (e.g., rating manipulation, malicious cancellation).
- Platform: System integrity and workflow disruption (e.g., process bypass or authority spoofing).
This results in 12 granulated attack objectives, each mapped onto concrete, executable templates (Figure 2).
Figure 2: StakeBench taxonomizes prompt injection attacks along both stakeholder and concrete adversarial objective axes, reflecting realistic online shopping harms.
Rich Attack Surface and Instantiation
Across 12 product categories, the authors curate 22 attack templates (13 IPI, 9 DPI), yielding 264 unique adversarial cases. Importantly, indirect prompt injection (IPI) emulates the practical threat model by constraining attacker power to only those surfaces which are plausibly under adversarial control, such as reviews and ratings; DPI serves solely as a reference for upper-bound vulnerability estimation.
Multi-Axis Evaluation
Each agent execution is labeled with three axes:
- Attack Success Rate (ASR): Whether the adversarial objective is realized.
- Task Deviation Rate (TDR): Whether the delegated benign user task is disrupted.
- Behavioral Irregularity Rate (BIR): Whether execution exhibits instability beyond ordinary failure (e.g., looping, spurious navigation).
This schema enables discrimination among at least four canonical failure regimes: Robust Behavior, Stealthy Parasitism (adversarial goal achieved, benign task preserved), Misaligned Disruption (benign task disrupted, attack fails), and Compounded Failure (both attack and task disruption).
Empirical Findings
Global Vulnerability of Deployed Agents
Across 3,168 attacked runs, none of the 12 defined attack objectives yielded a consistently robust, failure-free outcome for any agent-backbone pair under environmental prompt injection. The observed ASR for IPI spans 41.67โ68.16%, with Seller-targeted and Platform-targeted objectives especially likely to induce both task and system instability (Table 1 in the paper). DPIโa strictly stronger, less realistic channelโpushes ASR well above 80% for all configurations, but its operational relevance is limited.
Disentangled Failure Regimes
The combined analysis of ASR, TDR, and BIR reveals qualitatively heterogeneous vulnerability profiles. Seller-targeted attacks reach the highest ASR and TDR, unambiguously indicating that attacks leveraging review/rating manipulation robustly induce commercial harm and also disrupt userโs desired outcomes. Conversely, User-targeted attacks maintain relatively low TDR, i.e., stealthy parasitism: the userโs delegated shopping task completes, but the action outcome is subverted (e.g., purchasing a non-intended product).

Figure 3: Adversarial executions, decomposed by attack objective, segregate into multiple distinct failure regimes in the ASRโTDR plane; bubble size reflects behavioral instability (BIR).
The robust behavior region is essentially empty; every attack family realizes at least one substantive path to harm. There is a weak coupling between ASR and TDR: low attack success does not necessarily imply the preservation of normal operation, and low task deviation does not guarantee absence of harm.
Attack Objective and Modality-Specific Outcomes
At the template level, attack efficacy is modulated by several factors:
Impact of Architecture and Backbone
Critical findings highlight that backbone selection induces stronger shifts in system vulnerability than agent architecture per se; for example, substituting Gemini-2.5-Flash for GPT-5 increases IPI ASR by up to 26.5 points on NanoBrowser. However, BrowserUse systematically displays higher TDR and BIR than NanoBrowser, implying that agent-level planning and control logic still play a material, second-order role.
Theoretical and Practical Implications
StakeBench demonstrates that LLM-based web agent security cannot be reduced to a singular, scalar quantity such as aggregate ASR; practitioners must engage with the joint distribution of agent backbone, architectural context, stakeholder perspective, and attack objective. The systemic finding that no robust configuration exists across all stakeholder axes implies that defense and alignment efforts must be multi-faceted, incorporating both adversarial robustness training and architecture-aware input/time-of-exposure filtering.
The significant efficacy of visual (multimodal) IPI highlights the urgent need for future work on multimodal threat models, as agents that perform image-text fusion in their perception can be manipulated through non-textual signals, which are less scrutinized by existing detection/sanitization defenses.
StakeBench's empirical pipeline also highlights the insufficiency of conventional output-based evaluation (i.e., post-hoc filtering of LLM text output): in situated web-agent deployments, adversarial influence materializes as environment-altering actions, yielding real-world, multi-party harm.
Conclusion
"Who Pays the Price?" advances the state-of-the-art in web agent security research by foregrounding the stakeholder-centric harm distribution in prompt injection attacks and providing comprehensive, multi-dimensional measurements of system-level vulnerability. The systematic absence of robust operating points across user, seller, and platform harm spaces compels a reevaluation of what "secure deployment" means for agents in open web environments. Immediate extensions should include larger-scale template pools, domain transfer (to non-shopping ecosystems), systematic evaluation of multimodal IPI, and integration of mitigation mechanisms within the StakeBench pipeline.



Figure 5: Search-page context for agent executionโa key phase for prompt injection exposure.
Figure 6: Differential viewโclean vs. attacked product page, illustrating adversarial manipulation in the review section resulting in an injected instruction for order tampering.
StakeBench and its protocol set a concrete reference for future operational security evaluations and serve as a necessary baseline for progress in robustifying open-world, action-taking LLM-based agents.