Prismix
Hugging Face Daily Papers · · 5 min read

Known By Their Actions: Fingerprinting LLM Browser Agents via UI Traces

#agents

Mirrored from Hugging Face Daily Papers for archival readability. Support the source by reading on the original site.

Like Read original ↗
<a href=\"https://cdn-uploads.huggingface.co/production/uploads/65cb41d20b3bd8f5ce0fcdba/RaFLy_k0YSOgy7UdNOneG.png\" rel=\"nofollow\"><img src=\"https://cdn-uploads.huggingface.co/production/uploads/65cb41d20b3bd8f5ce0fcdba/RaFLy_k0YSOgy7UdNOneG.png\" alt=\"Screen Shot 2026-05-18 at 4.27.35 PM\"></a></p>\n<p>We show that LLM browser agents can be stealthily fingerprinted using only their actions. With 14 frontier computer-use agents, we show that strong classifiers can be trained offline and are robust to using randomised delays between actions.</p>\n","updatedAt":"2026-05-18T15:27:54.027Z","author":{"_id":"65cb41d20b3bd8f5ce0fcdba","avatarUrl":"/avatars/351f1afbfba9f71f0c3760b046e4fccd.svg","fullname":"William Gitta Lugoloobi","name":"CoffeeGitta","type":"user","isPro":false,"isHf":false,"isHfAdmin":false,"isMod":false,"followerCount":2,"isUserFollowing":false}},"numEdits":0,"identifiedLanguage":{"language":"en","probability":0.8292779326438904},"editors":["CoffeeGitta"],"editorAvatarUrls":["/avatars/351f1afbfba9f71f0c3760b046e4fccd.svg"],"reactions":[],"isReport":false}},{"id":"6a0bc1465294544348ae808f","author":{"_id":"63d3e0e8ff1384ce6c5dd17d","avatarUrl":"https://cdn-avatars.huggingface.co/v1/production/uploads/1674830754237-63d3e0e8ff1384ce6c5dd17d.jpeg","fullname":"Librarian Bot (Bot)","name":"librarian-bot","type":"user","isPro":false,"isHf":false,"isHfAdmin":false,"isMod":false,"followerCount":357,"isUserFollowing":false},"createdAt":"2026-05-19T01:47:50.000Z","type":"comment","data":{"edited":false,"hidden":false,"latest":{"raw":"This is an automated message from the [Librarian Bot](https://huggingface.co/librarian-bots). I found the following papers similar to this paper. \n\nThe following papers were recommended by the Semantic Scholar API \n\n* [Trace: Unmasking AI Attack Agents Through Terminal Behavior Fingerprinting](https://huggingface.co/papers/2605.01186) (2026)\n* [WAAA! Web Adversaries Against Agentic Browsers](https://huggingface.co/papers/2605.05509) (2026)\n* [FP-Agent: Fingerprinting AI Browsing Agents](https://huggingface.co/papers/2605.01247) (2026)\n* [SnapGuard: Lightweight Prompt Injection Detection for Screenshot-Based Web Agents](https://huggingface.co/papers/2604.25562) (2026)\n* [WebAgentGuard: A Reasoning-Driven Guard Model for Detecting Prompt Injection Attacks in Web Agents](https://huggingface.co/papers/2604.12284) (2026)\n* [TraceScope: Interactive URL Triage via Decoupled Checklist Adjudication](https://huggingface.co/papers/2604.21840) (2026)\n* [LoopTrap: Termination Poisoning Attacks on LLM Agents](https://huggingface.co/papers/2605.05846) (2026)\n\n\n Please give a thumbs up to this comment if you found it helpful!\n\n If you want recommendations for any Paper on Hugging Face checkout [this](https://huggingface.co/spaces/librarian-bots/recommend_similar_papers) Space\n\n You can directly ask Librarian Bot for paper recommendations by tagging it in a comment: `@librarian-bot recommend`","html":"<p>This is an automated message from the <a href=\"https://huggingface.co/librarian-bots\">Librarian Bot</a>. I found the following papers similar to this paper. </p>\n<p>The following papers were recommended by the Semantic Scholar API </p>\n<ul>\n<li><a href=\"https://huggingface.co/papers/2605.01186\">Trace: Unmasking AI Attack Agents Through Terminal Behavior Fingerprinting</a> (2026)</li>\n<li><a href=\"https://huggingface.co/papers/2605.05509\">WAAA! Web Adversaries Against Agentic Browsers</a> (2026)</li>\n<li><a href=\"https://huggingface.co/papers/2605.01247\">FP-Agent: Fingerprinting AI Browsing Agents</a> (2026)</li>\n<li><a href=\"https://huggingface.co/papers/2604.25562\">SnapGuard: Lightweight Prompt Injection Detection for Screenshot-Based Web Agents</a> (2026)</li>\n<li><a href=\"https://huggingface.co/papers/2604.12284\">WebAgentGuard: A Reasoning-Driven Guard Model for Detecting Prompt Injection Attacks in Web Agents</a> (2026)</li>\n<li><a href=\"https://huggingface.co/papers/2604.21840\">TraceScope: Interactive URL Triage via Decoupled Checklist Adjudication</a> (2026)</li>\n<li><a href=\"https://huggingface.co/papers/2605.05846\">LoopTrap: Termination Poisoning Attacks on LLM Agents</a> (2026)</li>\n</ul>\n<p> Please give a thumbs up to this comment if you found it helpful!</p>\n<p> If you want recommendations for any Paper on Hugging Face checkout <a href=\"https://huggingface.co/spaces/librarian-bots/recommend_similar_papers\">this</a> Space</p>\n<p> You can directly ask Librarian Bot for paper recommendations by tagging it in a comment: <code><span class=\"SVELTE_PARTIAL_HYDRATER contents\" data-target=\"UserMention\" data-props=\"{&quot;user&quot;:&quot;librarian-bot&quot;}\"><span class=\"inline-block\"><span class=\"contents\"><a href=\"/librarian-bot\">@<span class=\"underline\">librarian-bot</span></a></span> </span></span> recommend</code></p>\n","updatedAt":"2026-05-19T01:47:50.287Z","author":{"_id":"63d3e0e8ff1384ce6c5dd17d","avatarUrl":"https://cdn-avatars.huggingface.co/v1/production/uploads/1674830754237-63d3e0e8ff1384ce6c5dd17d.jpeg","fullname":"Librarian Bot (Bot)","name":"librarian-bot","type":"user","isPro":false,"isHf":false,"isHfAdmin":false,"isMod":false,"followerCount":357,"isUserFollowing":false}},"numEdits":0,"identifiedLanguage":{"language":"en","probability":0.6792965531349182},"editors":["librarian-bot"],"editorAvatarUrls":["https://cdn-avatars.huggingface.co/v1/production/uploads/1674830754237-63d3e0e8ff1384ce6c5dd17d.jpeg"],"reactions":[],"isReport":false}}],"primaryEmailConfirmed":false,"paper":{"id":"2605.14786","authors":[{"_id":"6a06dd8bb1a8cbabc9f09bd7","name":"William Lugoloobi","hidden":false},{"_id":"6a06dd8bb1a8cbabc9f09bd8","name":"Samuelle Marro","hidden":false},{"_id":"6a06dd8bb1a8cbabc9f09bd9","name":"Jabez Magomere","hidden":false},{"_id":"6a06dd8bb1a8cbabc9f09bda","name":"Joss Wright","hidden":false},{"_id":"6a06dd8bb1a8cbabc9f09bdb","name":"Chris Russell","hidden":false}],"publishedAt":"2026-05-14T00:00:00.000Z","submittedOnDailyAt":"2026-05-18T00:00:00.000Z","title":"Known By Their Actions: Fingerprinting LLM Browser Agents via UI Traces","submittedOnDailyBy":{"_id":"65cb41d20b3bd8f5ce0fcdba","avatarUrl":"/avatars/351f1afbfba9f71f0c3760b046e4fccd.svg","isPro":false,"fullname":"William Gitta Lugoloobi","user":"CoffeeGitta","type":"user","name":"CoffeeGitta"},"summary":"As LLM-based agents increasingly browse the web on users' behalf, a natural question arises: can websites passively identify which underlying model powers an agent? Doing so would represent a significant security risk, enabling targeted attacks tailored to known model vulnerabilities. Across 14 frontier LLMs and four web environments spanning information retrieval and shopping tasks, we show that an agent's actions and interaction timings, captured via a passive JavaScript tracker, are sufficient to identify the underlying model with up to 96\\% F1. We formalise this attack surface by demonstrating that classifiers trained on agent actions generalise across model sizes and families. We further show that strong classifiers can be trained from few interaction traces and that agent identity can be inferred early within an episode. Injecting randomised timing delays between actions substantially degrades classifier performance, but does not provide robust protection: a classifier retrained on delayed traces largely recovers performance. We release our harness and a labelled corpus of agent traces https://github.com/KabakaWilliam/known_actions{here}.","upvotes":0,"discussionId":"6a06dd8bb1a8cbabc9f09bdc","githubRepo":"https://github.com/KabakaWilliam/known_actions","githubRepoAddedBy":"user","ai_summary":"Website tracking systems can identify the underlying large language model powering web browsing agents with high accuracy through behavioral patterns and timing data.","ai_keywords":["LLM-based agents","passive JavaScript tracker","model identification","classifier training","agent actions","interaction timings","model vulnerabilities","model generalization","randomised timing delays","agent trace analysis"],"githubStars":0},"canReadDatabase":false,"canManagePapers":false,"canSubmit":false,"hasHfLevelAccess":false,"upvoted":false,"upvoters":[],"acceptLanguages":["en"],"markdownContentUrl":"https://huggingface.co/buckets/huggingchat/papers-content/resolve/2605/2605.14786.md"}">
Papers
arxiv:2605.14786

Known By Their Actions: Fingerprinting LLM Browser Agents via UI Traces

Published on May 14
· Submitted by
William Gitta Lugoloobi on May 18
Authors:
,
,
,
,

Abstract

Website tracking systems can identify the underlying large language model powering web browsing agents with high accuracy through behavioral patterns and timing data.

AI-generated summary

As LLM-based agents increasingly browse the web on users' behalf, a natural question arises: can websites passively identify which underlying model powers an agent? Doing so would represent a significant security risk, enabling targeted attacks tailored to known model vulnerabilities. Across 14 frontier LLMs and four web environments spanning information retrieval and shopping tasks, we show that an agent's actions and interaction timings, captured via a passive JavaScript tracker, are sufficient to identify the underlying model with up to 96\% F1. We formalise this attack surface by demonstrating that classifiers trained on agent actions generalise across model sizes and families. We further show that strong classifiers can be trained from few interaction traces and that agent identity can be inferred early within an episode. Injecting randomised timing delays between actions substantially degrades classifier performance, but does not provide robust protection: a classifier retrained on delayed traces largely recovers performance. We release our harness and a labelled corpus of agent traces https://github.com/KabakaWilliam/known_actions{here}.

Community

Screen Shot 2026-05-18 at 4.27.35 PM

We show that LLM browser agents can be stealthily fingerprinted using only their actions. With 14 frontier computer-use agents, we show that strong classifiers can be trained offline and are robust to using randomised delays between actions.

This is an automated message from the Librarian Bot. I found the following papers similar to this paper.

The following papers were recommended by the Semantic Scholar API

Please give a thumbs up to this comment if you found it helpful!

If you want recommendations for any Paper on Hugging Face checkout this Space

You can directly ask Librarian Bot for paper recommendations by tagging it in a comment: @librarian-bot recommend

Upload images, audio, and videos by dragging in the text input, pasting, or clicking here.
Tap or paste here to upload images

· Sign up or log in to comment

Get this paper in your agent:

hf papers read 2605.14786
Don't have the latest CLI?
curl -LsSf https://hf.co/cli/install.sh | bash

Models citing this paper 0

No model linking this paper

Cite arxiv.org/abs/2605.14786 in a model README.md to link it from this page.

Datasets citing this paper 0

No dataset linking this paper

Cite arxiv.org/abs/2605.14786 in a dataset README.md to link it from this page.

Spaces citing this paper 0

No Space linking this paper

Cite arxiv.org/abs/2605.14786 in a Space README.md to link it from this page.

Collections including this paper 1

Discussion (0)

Sign in to join the discussion. Free account, 30 seconds — email code or GitHub.

Sign in →

No comments yet. Sign in and be the first to say something.

More from Hugging Face Daily Papers