Table of Contents
Fetching ...

PINA: Prompt Injection Attack against Navigation Agents

Jiani Liu, Yixin He, Lanlan Fan, Qidi Zhong, Yushi Cheng, Meng Zhang, Yanjiao Chen, Wenyuan Xu

TL;DR

PINA tackles prompt injection vulnerabilities in embodied navigation by proposing an adaptive framework that combines an Attack Evaluator, Distribution Analyzer, and Adaptive Prompt Refinement to optimize malicious prompts under black-box, long-context constraints. The attack score is defined as $S = w^T M_nav$ over multiple navigation metrics, while the Distribution Analyzer uses KL divergence and key-token signals to guide refinement, forming a holistic feedback loop. Empirical results on indoor and outdoor navigation tasks show notable attack success (ASR 75% indoor, 100% outdoor) and degraded trajectory quality, with strong transferability and resilience to lightweight defenses. The work illuminates critical security risks for embodied LLM agents and motivates the development of defenses and broader studies of prompt risks in physical-world AI systems.

Abstract

Navigation agents powered by large language models (LLMs) convert natural language instructions into executable plans and actions. Compared to text-based applications, their security is far more critical: a successful prompt injection attack does not just alter outputs but can directly misguide physical navigation, leading to unsafe routes, mission failure, or real-world harm. Despite this high-stakes setting, the vulnerability of navigation agents to prompt injection remains largely unexplored. In this paper, we propose PINA, an adaptive prompt optimization framework tailored to navigation agents under black-box, long-context, and action-executable constraints. Experiments on indoor and outdoor navigation agents show that PINA achieves high attack success rates with an average ASR of 87.5%, surpasses all baselines, and remains robust under ablation and adaptive-attack conditions. This work provides the first systematic investigation of prompt injection attacks in navigation and highlights their urgent security implications for embodied LLM agents.

PINA: Prompt Injection Attack against Navigation Agents

TL;DR

PINA tackles prompt injection vulnerabilities in embodied navigation by proposing an adaptive framework that combines an Attack Evaluator, Distribution Analyzer, and Adaptive Prompt Refinement to optimize malicious prompts under black-box, long-context constraints. The attack score is defined as over multiple navigation metrics, while the Distribution Analyzer uses KL divergence and key-token signals to guide refinement, forming a holistic feedback loop. Empirical results on indoor and outdoor navigation tasks show notable attack success (ASR 75% indoor, 100% outdoor) and degraded trajectory quality, with strong transferability and resilience to lightweight defenses. The work illuminates critical security risks for embodied LLM agents and motivates the development of defenses and broader studies of prompt risks in physical-world AI systems.

Abstract

Navigation agents powered by large language models (LLMs) convert natural language instructions into executable plans and actions. Compared to text-based applications, their security is far more critical: a successful prompt injection attack does not just alter outputs but can directly misguide physical navigation, leading to unsafe routes, mission failure, or real-world harm. Despite this high-stakes setting, the vulnerability of navigation agents to prompt injection remains largely unexplored. In this paper, we propose PINA, an adaptive prompt optimization framework tailored to navigation agents under black-box, long-context, and action-executable constraints. Experiments on indoor and outdoor navigation agents show that PINA achieves high attack success rates with an average ASR of 87.5%, surpasses all baselines, and remains robust under ablation and adaptive-attack conditions. This work provides the first systematic investigation of prompt injection attacks in navigation and highlights their urgent security implications for embodied LLM agents.
Paper Structure (12 sections, 3 equations, 3 figures, 3 tables, 1 algorithm)

This paper contains 12 sections, 3 equations, 3 figures, 3 tables, 1 algorithm.

Figures (3)

  • Figure 1: Prompt injection attacks cause navigation agents to deviate from intended goals and result in mission failure.
  • Figure 2: Overview of PINA. By integrating an (1) Attack Evaluator, which quantifies impact using navigation metrics, and a (2) Distribution Analyzer, which captures global KL divergence and local key tokens, into an (3) Adaptive Refinement loop, PINA iteratively updates injection prompts, enabling effective black-box attacks on navigation agents.
  • Figure 3: Attacks on indoor and outdoor navigation agents