A Systematization of Security Vulnerabilities in Computer Use Agents

📅 2025-07-07
🤖 AI Summary
Computer-using agents (CUAs)—which interact with GUIs via browsers or virtual machines—introduce novel attack surfaces and trust boundaries not addressed by conventional threat models. Method: We conduct the first systematic security boundary modeling of CUAs, perform adversarial testing, and empirically analyze input provenance, UI action binding, and memory/permission mechanisms. Contribution/Results: We propose a taxonomy of seven CUA-specific risks, uncovering new attack vectors—including clickjacking, indirect prompt injection, and chain-of-thought (CoT) leakage. Our analysis confirms the feasibility of remote code execution and multi-step reasoning hijacking. Furthermore, we introduce the first dedicated security evaluation framework for CUAs and establish foundational design principles to guide the development of security-enhanced agent architectures. This work bridges a critical gap in AI agent security, enabling rigorous assessment and robust design of GUI-interacting autonomous systems.

📝 Abstract
Computer Use Agents (CUAs), autonomous systems that interact with software interfaces via browsers or virtual machines, are rapidly being deployed in consumer and enterprise environments. These agents introduce novel attack surfaces and trust boundaries that are not captured by traditional threat models. Despite their growing capabilities, the security boundaries of CUAs remain poorly understood. In this paper, we conduct a systematic threat analysis and testing of real-world CUAs under adversarial conditions. We identify seven classes of risks unique to the CUA paradigm, and analyze three concrete exploit scenarios in depth: (1) clickjacking via visual overlays that mislead interface-level reasoning, (2) indirect prompt injection that enables Remote Code Execution (RCE) through chained tool use, and (3) chain-of-thought (CoT) exposure attacks that manipulate implicit interface framing to hijack multi-step reasoning. These case studies reveal deeper architectural flaws across current CUA implementations, namely a lack of input provenance tracking, weak interface-action binding, and insufficient control over agent memory and delegation. We conclude by proposing a CUA-specific security evaluation framework and design principles for safe deployment in adversarial and high-stakes settings.
Problem

Research questions and friction points this paper is trying to address.

Analyzing security vulnerabilities in Computer Use Agents (CUAs)
Identifying unique risks in CUA paradigm under adversarial conditions
Proposing security framework for safe CUA deployment in high-stakes settings
Innovation

Methods, ideas, or system contributions that make the work stand out.

Systematic threat analysis of Computer Use Agents
Identifies seven unique CUA risk classes
Proposes CUA-specific security evaluation framework
Authors

Daniel Jones (Microsoft)
Giorgio Severi (Microsoft) - Computer Security, Adversarial Machine Learning, AI Safety
Martin Pouliot (Microsoft)
Gary Lopez (Microsoft) - Reverse Engineering, Malware, Machine Learning
Joris de Gruyter (Microsoft)
Santiago Zanella-Beguelin (Microsoft)
Justin Song (Microsoft)
Blake Bullwinkel (Microsoft) - Machine Learning, Artificial Intelligence
Pamela Cortez (Microsoft)
Amanda Minnich (Microsoft)