← Back to Library

PINA: Prompt Injection Attack against Navigation Agents

Authors: Jiani Liu, Yixin He, Lanlan Fan, Qidi Zhong, Yushi Cheng, Meng Zhang, Yanjiao Chen, Wenyuan Xu

Published: 2026-01-20

arXiv ID: 2601.13612v1

Added to Library: 2026-01-21 05:00 UTC

Red Teaming

📄 Abstract

Navigation agents powered by large language models (LLMs) convert natural language instructions into executable plans and actions. Compared to text-based applications, their security is far more critical: a successful prompt injection attack does not just alter outputs but can directly misguide physical navigation, leading to unsafe routes, mission failure, or real-world harm. Despite this high-stakes setting, the vulnerability of navigation agents to prompt injection remains largely unexplored. In this paper, we propose PINA, an adaptive prompt optimization framework tailored to navigation agents under black-box, long-context, and action-executable constraints. Experiments on indoor and outdoor navigation agents show that PINA achieves high attack success rates with an average ASR of 87.5%, surpasses all baselines, and remains robust under ablation and adaptive-attack conditions. This work provides the first systematic investigation of prompt injection attacks in navigation and highlights their urgent security implications for embodied LLM agents.

🔍 Key Points

  • PINA introduces a novel adaptive prompt optimization framework specifically designed for prompt injection attacks against navigation agents powered by LLMs, addressing a significant gap in the existing literature on LLM vulnerabilities.
  • The framework employs two main components: the Attack Evaluator, which aggregates navigation metrics for robust attack effectiveness measurement, and the Distribution Analyzer, which utilizes KL divergence and key token identification to guide adaptive prompt refinement.
  • Experimental results demonstrate high attack success rates (ASR) of 75% for indoor navigation agents and 100% for outdoor agents, with significant degradation in trajectory quality, showcasing the practicality and effectiveness of the proposed method over existing baseline attacks.
  • PINA's architecture is tailored to operate under black-box conditions with long-context and action-executable constraints, making it applicable to realistic navigation scenarios where agents cannot be directly manipulated.
  • The study emphasizes the urgent need for security measures in navigation agents, revealing the potential for real-world harm due to prompt injection attacks, thus underlining the importance of developing proactive defenses.

💡 Why This Paper Matters

The PINA framework represents a substantial advancement in understanding the vulnerabilities of navigation agents powered by large language models (LLMs). By articulating the threats posed by prompt injection attacks and introducing a systematic approach to exploit such vulnerabilities, this paper not only highlights significant security risks but also provides a foundation for subsequent research into more resilient navigation systems.

🎯 Why It's Interesting for AI Security Researchers

This paper is of high relevance to AI security researchers due to its examination of a previously unaddressed vulnerability in navigation agents that deploy LLMs. It underscores the real-world implications of prompt injection attacks and offers insights into the design of robust defenses. Researchers focused on AI robustness, adversarial attacks, and security frameworks will find the methodologies and findings crucial for enhancing the safety and reliability of AI systems in navigation and other physical applications.

📚 Read the Full Paper

📄 View on arXiv 📎 Download PDF