PINA: Prompt Injection Attack against Navigation Agents
Jiani Liu, Yixin He, Lanlan Fan, Qidi Zhong, Yushi Cheng, Meng Zhang, Yanjiao Chen, Wenyuan Xu
TL;DR
PINA tackles prompt injection vulnerabilities in embodied navigation by proposing an adaptive framework that combines an Attack Evaluator, Distribution Analyzer, and Adaptive Prompt Refinement to optimize malicious prompts under black-box, long-context constraints. The attack score is defined as $S = w^T M_nav$ over multiple navigation metrics, while the Distribution Analyzer uses KL divergence and key-token signals to guide refinement, forming a holistic feedback loop. Empirical results on indoor and outdoor navigation tasks show notable attack success (ASR 75% indoor, 100% outdoor) and degraded trajectory quality, with strong transferability and resilience to lightweight defenses. The work illuminates critical security risks for embodied LLM agents and motivates the development of defenses and broader studies of prompt risks in physical-world AI systems.
Abstract
Navigation agents powered by large language models (LLMs) convert natural language instructions into executable plans and actions. Compared to text-based applications, their security is far more critical: a successful prompt injection attack does not just alter outputs but can directly misguide physical navigation, leading to unsafe routes, mission failure, or real-world harm. Despite this high-stakes setting, the vulnerability of navigation agents to prompt injection remains largely unexplored. In this paper, we propose PINA, an adaptive prompt optimization framework tailored to navigation agents under black-box, long-context, and action-executable constraints. Experiments on indoor and outdoor navigation agents show that PINA achieves high attack success rates with an average ASR of 87.5%, surpasses all baselines, and remains robust under ablation and adaptive-attack conditions. This work provides the first systematic investigation of prompt injection attacks in navigation and highlights their urgent security implications for embodied LLM agents.
