Saved in:
Bibliographic Details
Main Authors: Wang, Yanxi, Zhang, Zhiling, Zhou, Wenbo, Zhang, Weiming, Zhang, Jie, Zhu, Qiannan, Shi, Yu, Zheng, Shuxin, He, Jiyan
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2601.18842
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866916008151744512
author Wang, Yanxi
Zhang, Zhiling
Zhou, Wenbo
Zhang, Weiming
Zhang, Jie
Zhu, Qiannan
Shi, Yu
Zheng, Shuxin
He, Jiyan
author_facet Wang, Yanxi
Zhang, Zhiling
Zhou, Wenbo
Zhang, Weiming
Zhang, Jie
Zhu, Qiannan
Shi, Yu
Zheng, Shuxin
He, Jiyan
contents As GUI agents increasingly rely on screenshots to perceive and operate digital environments, they may inadvertently expose sensitive information such as identities, accounts, locations, and behavioral traces. While existing benchmarks primarily focus on task completion, grounding, or defenses against third-party attacks, current visual privacy datasets remain largely restricted to static natural images, limiting their ability to capture the contextual dependence and task relevance of privacy risks in GUI task trajectories. To bridge this gap, we introduce \textbf{GUIGuard-Bench}, a first-step benchmark for studying privacy-preserving GUI agents in trajectory-based GUI workflows. GUIGuard-Bench contains 241 real GUI-agent trajectories with 4,080 screenshots across Android and PC environments. Each screenshot is annotated at the region level with privacy bounding boxes, semantic privacy categories, risk levels, and whether the private information is necessary for completing the task. Built on these annotations, GUIGuard-Bench supports three complementary evaluations: privacy recognition, offline planning fidelity under protected screenshots, and the utility impact of different protection strategies. Our results show that current models can often detect whether a screenshot contains private information, but they struggle with fine-grained localization, category recognition, risk assessment, and task-necessity judgment. We also find that closed-source models, exemplified by Claude Sonnet 4.6, can maintain largely consistent planner semantics in Android environments after privacy protection is applied. Our results highlight privacy recognition as a critical bottleneck for practical GUI agents. Project: https://futuresis.github.io/GUIGuard-page/
format Preprint
id arxiv_https___arxiv_org_abs_2601_18842
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle GUIGuard-Bench: Toward a General Evaluation for Privacy-Preserving GUI Agents
Wang, Yanxi
Zhang, Zhiling
Zhou, Wenbo
Zhang, Weiming
Zhang, Jie
Zhu, Qiannan
Shi, Yu
Zheng, Shuxin
He, Jiyan
Cryptography and Security
Artificial Intelligence
Computer Vision and Pattern Recognition
As GUI agents increasingly rely on screenshots to perceive and operate digital environments, they may inadvertently expose sensitive information such as identities, accounts, locations, and behavioral traces. While existing benchmarks primarily focus on task completion, grounding, or defenses against third-party attacks, current visual privacy datasets remain largely restricted to static natural images, limiting their ability to capture the contextual dependence and task relevance of privacy risks in GUI task trajectories. To bridge this gap, we introduce \textbf{GUIGuard-Bench}, a first-step benchmark for studying privacy-preserving GUI agents in trajectory-based GUI workflows. GUIGuard-Bench contains 241 real GUI-agent trajectories with 4,080 screenshots across Android and PC environments. Each screenshot is annotated at the region level with privacy bounding boxes, semantic privacy categories, risk levels, and whether the private information is necessary for completing the task. Built on these annotations, GUIGuard-Bench supports three complementary evaluations: privacy recognition, offline planning fidelity under protected screenshots, and the utility impact of different protection strategies. Our results show that current models can often detect whether a screenshot contains private information, but they struggle with fine-grained localization, category recognition, risk assessment, and task-necessity judgment. We also find that closed-source models, exemplified by Claude Sonnet 4.6, can maintain largely consistent planner semantics in Android environments after privacy protection is applied. Our results highlight privacy recognition as a critical bottleneck for practical GUI agents. Project: https://futuresis.github.io/GUIGuard-page/
title GUIGuard-Bench: Toward a General Evaluation for Privacy-Preserving GUI Agents
topic Cryptography and Security
Artificial Intelligence
Computer Vision and Pattern Recognition
url https://arxiv.org/abs/2601.18842