pith. sign in
Pith Number

pith:BLJKZC7V

pith:2026:BLJKZC7VXITEIB4CCHRAZLRJ2D
not attested not anchored not stored refs resolved

Web Agents Should Adopt the Plan-Then-Execute Paradigm

Annabella Chow, David Wagner, Jinhao Zhu, Julien Piet, Muxi Lyu, Raluca Ada Popa, Sylvie Venuto, Yiwei Hou

Web agents should commit to a task-specific program before observing runtime web content.

arxiv:2605.14290 v1 · 2026-05-14 · cs.CR · cs.AI · cs.CL · cs.SE

Open paper page JSON Open Graph Bundle Merged state Verified badge What is a Pith Number?
Add to your LaTeX paper 
\usepackage{pith}
\pithnumber{BLJKZC7VXITEIB4CCHRAZLRJ2D}

Prints a linked badge after your title and injects PDF metadata. Compiles on arXiv. Learn more · Embed verified badge

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim open · sign in to claim
4 Citations open
5 Replications open
Portable graph bundle live · download bundle · merged state
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1strongest claim

web agents should default to plan-then-execute: commit to a task-specific program before observing runtime web content, then execute it. The reason is that web content mixes inputs from many parties.

C2weakest assumption

That web tasks do not require reactivity by default and that tools can be made to map cleanly to semantic actions with effects known before execution.

C3one line summary

Web agents should default to planning a complete task program before observing live web content to reduce prompt injection exposure, since WebArena tasks are compatible and 80% need no runtime LLM calls.

References

41 extracted · 41 resolved · 12 Pith anchors

[1] IPIGuard: A novel tool dependency graph-based defense against indirect prompt injection in LLM agents.arXiv preprint arXiv:2508.15310, 2025 2025
[2] Claude code auto mode: a safer way to skip permissions 2026
[3] Design Patterns for Securing LLM Agents against Prompt Injections 2025
[4] StruQ: Defending Against Prompt Injection with Structured Queries 2024
[5] SecAlign: Defending Against Prompt Injection with Preference Optimization 2024

Formal links

2 machine-checked theorem links

Receipt and verification
First computed 2026-05-17T23:39:10.205401Z
Builder pith-number-builder-2026-05-17-v1
Signature Pith Ed25519 (pith-v1-2026-05) · public key
Schema pith-number/v1.0

Canonical hash

0ad2ac8bf5ba2644078211e20cae29d0f98df4def5ea37c34b749bf1c57f3dcd

Aliases

arxiv: 2605.14290 · arxiv_version: 2605.14290v1 · doi: 10.48550/arxiv.2605.14290 · pith_short_12: BLJKZC7VXITE · pith_short_16: BLJKZC7VXITEIB4C · pith_short_8: BLJKZC7V
Agent API
Resolver JSON Graph JSON Events JSON Schema Signing key
Verify this Pith Number yourself 
curl -sH 'Accept: application/ld+json' https://pith.science/pith/BLJKZC7VXITEIB4CCHRAZLRJ2D \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: 0ad2ac8bf5ba2644078211e20cae29d0f98df4def5ea37c34b749bf1c57f3dcd
Canonical record JSON 
{
  "metadata": {
    "abstract_canon_sha256": "aa080c96474c2c77bc98109b6e72ab2a8c429ad8f35e58432cff3b5f39144891",
    "cross_cats_sorted": [
      "cs.AI",
      "cs.CL",
      "cs.SE"
    ],
    "license": "http://creativecommons.org/licenses/by/4.0/",
    "primary_cat": "cs.CR",
    "submitted_at": "2026-05-14T02:48:57Z",
    "title_canon_sha256": "ca4debe7f05ce0be949c1538d13a1f17a7695bb450c059ea2057b72093894b19"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2605.14290",
    "kind": "arxiv",
    "version": 1
  }
}