Who Grants the Agent Power? Defending Against Instruction Injection via Task-Centric Access Control

Yifeng Cai, Ziming Wang, Zhaomeng Deng, Mengyu Yao, Junlin Liu, Yutao Hu, Ziqi Zhang, Yao Guo, Ding Li

TL;DR

The paper addresses instruction injection threats to mobile AI agents that operate across apps by exploiting over-privileged, static permissions. It proposes Task-Centric Access Control via AgentSentry, a runtime mediation framework that generates minimal, task-scoped policies and revokes them upon task completion. Policy formalism is defined as $(Agent, Resource, Operation, Context) \to \{Allow, Deny\}$, and a task-specific policy set is instantiated from templates to constrain actions (e.g., allow read of emails from trusted domains while denying forwarding). Experimentally, the approach blocks malicious exfiltration via injection while letting legitimate tasks proceed, highlighting the practicality and safety benefits of intent-aligned security for autonomous agents.

Abstract

AI agents capable of GUI understanding and Model Context Protocol are increasingly deployed to automate mobile tasks. However, their reliance on over-privileged, static permissions creates a critical vulnerability: instruction injection. Malicious instructions, embedded in otherwise benign content like emails, can hijack the agent to perform unauthorized actions. We present AgentSentry, a lightweight runtime task-centric access control framework that enforces dynamic, task-scoped permissions. Instead of granting broad, persistent permissions, AgentSentry dynamically generates and enforces minimal, temporary policies aligned with the user's specific task (e.g., register for an app), revoking them upon completion. We demonstrate that AgentSentry successfully prevents an instruction injection attack, where an agent is tricked into forwarding private emails, while allowing the legitimate task to complete. Our approach highlights the urgent need for intent-aligned security models to safely govern the next generation of autonomous agents.
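The policy formalism and task lifecycle described in the TL;DR and abstract, as an added Python illustration that is not the paper's or AgentSentry's own code: a task template is instantiated into a minimal policy set, a forwarding request triggered by injected instructions is denied while the legitimate read of a trusted email is allowed, and finishing the task revokes everything. The class name `TaskSentry`, the template contents, the glob-style matching and the example domains are assumptions made for this example.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

# One rule of the paper's formalism: (Agent, Resource, Operation, Context) -> {Allow, Deny}.
# Resource and context are matched as globs; everything below is a constructed example.
@dataclass(frozen=True)
class Rule:
    agent: str        # agent identity, e.g. "mobile-agent"
    resource: str     # glob over resources, e.g. "mail:inbox/*"
    operation: str    # e.g. "read", "forward", "submit"
    context: str      # glob over a context attribute, here the sender domain
    decision: str     # "Allow" or "Deny"

# Task templates (assumed): each task instantiates a minimal policy set; the
# {trusted} placeholder is filled in when the task starts.
TEMPLATES = {
    "register_app": [
        Rule("mobile-agent", "mail:inbox/*", "read", "sender:{trusted}", "Allow"),
        Rule("mobile-agent", "mail:inbox/*", "forward", "*", "Deny"),
        Rule("mobile-agent", "app:signup", "submit", "*", "Allow"),
    ],
}

@dataclass
class TaskSentry:
    """Mediates agent actions against the policy set of the currently active task."""
    active: list = field(default_factory=list)

    def start_task(self, task: str, trusted_domain: str) -> None:
        self.active = [Rule(r.agent, r.resource, r.operation,
                            r.context.format(trusted=trusted_domain), r.decision)
                       for r in TEMPLATES[task]]

    def finish_task(self) -> None:
        self.active = []  # revoke every permission granted for the task

    def decide(self, agent: str, resource: str, operation: str, context: str) -> str:
        for r in self.active:  # first matching rule wins; no match is a default Deny
            if (r.agent == agent and fnmatch(resource, r.resource)
                    and r.operation == operation and fnmatch(context, r.context)):
                return r.decision
        return "Deny"

def demo() -> dict:
    """Walk through the paper's scenario: legitimate read allowed, injected forward denied."""
    s = TaskSentry()
    s.start_task("register_app", "example.com")
    out = {"read_trusted": s.decide("mobile-agent", "mail:inbox/42", "read", "sender:example.com"),
           "read_untrusted": s.decide("mobile-agent", "mail:inbox/42", "read", "sender:attacker.test"),
           "forward_injected": s.decide("mobile-agent", "mail:inbox/42", "forward", "sender:example.com")}
    s.finish_task()
    out["read_after_task"] = s.decide("mobile-agent", "mail:inbox/42", "read", "sender:example.com")
    return out
```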

Paper Structure

This paper contains 7 sections, 2 figures.

Figures (2)

  • Figure 1: AgentSentry Architecture: Task-to-Policy Generation and Runtime Enforcement.
  • Figure 2: Attack and Defense Demo with AgentSentry.