This study addresses a critical security gap in current agent browsers, which largely overlook traditional web-based social engineering attacks targeting humans, thereby creating significant threat blind spots. The work proposes the first webpage-centric threat model tailored to agent browsers, conceptualizing agents as “confused deputies” incapable of distinguishing legitimate task instructions from malicious content. It systematically constructs a unified taxonomy encompassing both conventional web attacks and threats unique to large language models (LLMs), revealing how ten established threat categories re-emerge and intensify in agent-driven environments. Leveraging an extended See→Act agent framework integrated with web social engineering techniques, prompt injection strategies, and multi-component interaction analysis, the authors empirically validate the generalizability of 14 out of 20 attack types across 14 mainstream LLMs from four vendors, identifying five fundamental failure modes through which agent browsers succumb to web-based threats.

Large language models (LLMs) are increasingly being integrated into web browsers to create agentic browsing systems that execute actions on behalf of the user. Prior work considering the security of agentic browsers focuses exclusively on indirect prompt-injection attacks. However, by failing to consider traditional web attacks, previous agentic browser threat models have a blind spot to web social engineering attacks originally designed to trick humans. In this paper, we propose the first web-focused threat model for agentic browsers and use it to derive a taxonomy of 20 attacks across both the web and LLM space, and implement 18 of the attacks. Our threat model extends the original See$\rightarrow$Act browser agent model to account for all components of a browser, and frames the agent as a confused deputy unable to distinguish task steps from traditional web attacks. We show that 10 web threats can reemerge often in amplified forms once an agent can be influenced by untrusted page content. We further conduct a generalizability study on 14 of the 20 attacks, showing that our attacks reproduce across 4 major LLM models spanning multiple vendors. We show that agentic browsers exhibit five major failure modes when facing traditional and LLM web threats, demonstrating the need to rearchitect agentic browsers before they are ready for the current web.