AI Kill Switch for malicious web-based LLM agent

TL;DR

The paper addresses the safety risks of autonomous web-based LLM agents by proposing AutoGuard, an AI Kill Switch that injects defensive prompts into a website's DOM to trigger safety policies and halt malicious tasks in real time. It formalizes a defense loop where Defender and Feedback LLMs iteratively generate and refine prompts to block diverse attack prompts across multiple models and sites. Experimental results show AutoGuard achieving high defense success across three realistic malicious scenarios and various attacker models, with minimal impact on benign tasks and some robustness across real-world-like environments. The work demonstrates cross-model defense generalization and highlights practical considerations and limitations, including potential adaptive bypasses and multimodal extensions. Overall, AutoGuard contributes to practical AI control by enabling runtime interruption of malicious web-based LLM agents and informing future safety research and deployment strategies.

Abstract

Recently, web-based Large Language Model (LLM) agents autonomously perform increasingly complex tasks, thereby bringing significant convenience. However, they also amplify the risks of malicious misuse cases such as unauthorized collection of personally identifiable information (PII), generation of socially divisive content, and even automated web hacking. To address these threats, we propose an AI Kill Switch technique that can immediately halt the operation of malicious web-based LLM agents. To achieve this, we introduce AutoGuard - the key idea is generating defensive prompts that trigger the safety mechanisms of malicious LLM agents. In particular, generated defense prompts are transparently embedded into the website's DOM so that they remain invisible to human users but can be detected by the crawling process of malicious agents, triggering its internal safety mechanisms to abort malicious actions once read. To evaluate our approach, we constructed a dedicated benchmark consisting of three representative malicious scenarios. Experimental results show that AutoGuard achieves over 80% Defense Success Rate (DSR) across diverse malicious agents, including GPT-4o, Claude-4.5-Sonnet and generalizes well to advanced models like GPT-5.1, Gemini-2.5-flash, and Gemini-3-pro. Also, our approach demonstrates robust defense performance in real-world website environments without significant performance degradation for benign agents. Through this research, we demonstrate the controllability of web-based LLM agents, thereby contributing to the broader effort of AI control and safety.

Figures (12)

• Figure 1: Operational mechanism of AI Kill Switch. This figure assumes a scenario where a malicious user builds and exploits an LLM agent for collecting PII from target websites. (A) represents the general case where, upon receiving a user’s request for PII collection, an agent uses function calling to retrieve personal information from the target website and delivers it to the user. (B) is the scenario with AI Kill Switch applied, where, similar to (A), an agent that receives a PII collection request from the user extracts text information from the website. However, at this time, a special defensive prompt that can immediately stop an agent’s operation is also extracted along with the website content, and when an agent reads this text, the safety policy is activated and the request is immediately refused. The goal of our research is to find precisely this special defensive prompt.
• Figure 2: Defense performance of AutoGuard across diverse malicious agent models. The $y$-axis shows DSR $\uparrow$ (Defense Success Rate, %), and the $x$-axis lists malicious agent models.
• Figure 3: AutoGuard pipeline. The input is an attack prompt $p_\text{att}^\text{(n)}$ and Defender LLM synthesizes a scenario-appropriate defense prompt $p_\text{def}^\text{(t)}$ and injects it into the website context $c$ (HTML text elements) to form the augmented context $c' = c \oplus p_\text{def}^{(t)}$. $A_m$ then consumes $(c',\, p_{\text{att}}^{(n)})$ and produces a response $r$ (e.g., “Sorry, I can’t.” vs. “Here is PII from the website …”). Feedback LLM performs a binary judgment on whether the defense succeeded. When failures accumulate to $T_{\mathrm{fail}}$, the Defender LLM is prompted to revise prompt, yielding $p_{\text{def}}^{(t+1)}$; when successes reach $T_{\text{succ}}$, the system advances to the next attack $p_{\text{att}}^{(n+1)}$ while retaining the current defense. For each $p_{\text{att}}^{(n)}$, the loop runs up to $N_{\text{iter}}$ trials, iteratively following a write$\rightarrow$inject$\rightarrow$judge$\rightarrow$revise cycle to refine the defense prompt.
• Figure 4: Website screenshot example (1/2).
• Figure 5: Website screenshot example (2/2).