{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2026:C6QXZPSOSPBPUHZAQQ5PIV6NAH","short_pith_number":"pith:C6QXZPSO","canonical_record":{"source":{"id":"2605.15030","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T16:26:27Z","cross_cats_sorted":["cs.AI"],"title_canon_sha256":"03502263a57b86ffe6866ed271eeb253ef1dd80f1e5620377f5183ad03b38e7f","abstract_canon_sha256":"ba394e60817a7ce44a285168bb915a5d8101d4953248863a728a6e1664ba1514"},"schema_version":"1.0"},"canonical_sha256":"17a17cbe4e93c2fa1f20843af457cd01d338f78b3265c0b019f2bb3065c93777","source":{"kind":"arxiv","id":"2605.15030","version":1},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.15030","created_at":"2026-05-17T23:38:54Z"},{"alias_kind":"arxiv_version","alias_value":"2605.15030v1","created_at":"2026-05-17T23:38:54Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.15030","created_at":"2026-05-17T23:38:54Z"},{"alias_kind":"pith_short_12","alias_value":"C6QXZPSOSPBP","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"C6QXZPSOSPBPUHZA","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"C6QXZPSO","created_at":"2026-05-18T12:33:37Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2026:C6QXZPSOSPBPUHZAQQ5PIV6NAH","target":"record","payload":{"canonical_record":{"source":{"id":"2605.15030","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T16:26:27Z","cross_cats_sorted":["cs.AI"],"title_canon_sha256":"03502263a57b86ffe6866ed271eeb253ef1dd80f1e5620377f5183ad03b38e7f","abstract_canon_sha256":"ba394e60817a7ce44a285168bb915a5d8101d4953248863a728a6e1664ba1514"},"schema_version":"1.0"},"canonical_sha256":"17a17cbe4e93c2fa1f20843af457cd01d338f78b3265c0b019f2bb3065c93777","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-17T23:38:54.592743Z","signature_b64":"TyO1zgdKllrkGA5C/uichEA3i+MhHv2cWdRWweeMFKeOITBnjo8mKCvk8vLgH1VsvLGavEqvg2UxxAae/VwWDg==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"17a17cbe4e93c2fa1f20843af457cd01d338f78b3265c0b019f2bb3065c93777","last_reissued_at":"2026-05-17T23:38:54.592070Z","signature_status":"signed_v1","first_computed_at":"2026-05-17T23:38:54.592070Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"2605.15030","source_version":1,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-17T23:38:54Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"vjKtzUgzwen8X9NiRB/0L3P842moNr5fTkSEJm7v172PSulhWR7pHCLNOIei8EdHo7BGqA6yTZv0BaL/ulz/Cw==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-04T06:50:03.443909Z"},"content_sha256":"d0a901dac468bf7f3f5b9e9e042ab790d4ac740959b4c4d75759ef1e5f150c1d","schema_version":"1.0","event_id":"sha256:d0a901dac468bf7f3f5b9e9e042ab790d4ac740959b4c4d75759ef1e5f150c1d"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2026:C6QXZPSOSPBPUHZAQQ5PIV6NAH","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"WARD: Adversarially Robust Defense of Web Agents Against Prompt Injections","license":"http://creativecommons.org/licenses/by/4.0/","headline":"","cross_cats":["cs.AI"],"primary_cat":"cs.CR","authors_text":"Bryan Hooi, Hieu Cao, Khoi Le, Shuicheng Yan, Thong Nguyen, Tri Cao, Yibo Li, Yue Liu, Yuexin Li, Yufei He, Yulin Chen","submitted_at":"2026-05-14T16:26:27Z","abstract_excerpt":"Web agents can autonomously complete online tasks by interacting with websites, but their exposure to open web environments makes them vulnerable to prompt injection attacks embedded in HTML content or visual interfaces. Existing guard models still suffer from limited generalization to unseen domains and attack patterns, high false positive rates on benign content, reduced deployment efficiency due to added latency at each step, and vulnerability to adversarial attacks that evolve over time or directly target the guard itself. To address these limitations, we propose WARD (Web Agent Robust Def"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2605.15030","kind":"arxiv","version":1},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":null},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-17T23:38:54Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"2UH7W2BJ2rAlrvqplTQf1bnd60ZNpIo1Yn07bzrSEduPA2eu/iT+a8UwiRDRAvQXUfiBfPS3rRiikCax/qBQBA==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-04T06:50:03.444269Z"},"content_sha256":"a15714f26dd56be724deea6f37e1992e649ce79ab9d34c40f377f7ab08766a9f","schema_version":"1.0","event_id":"sha256:a15714f26dd56be724deea6f37e1992e649ce79ab9d34c40f377f7ab08766a9f"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/C6QXZPSOSPBPUHZAQQ5PIV6NAH/bundle.json","state_url":"https://pith.science/pith/C6QXZPSOSPBPUHZAQQ5PIV6NAH/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/C6QXZPSOSPBPUHZAQQ5PIV6NAH/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-06-04T06:50:03Z","links":{"resolver":"https://pith.science/pith/C6QXZPSOSPBPUHZAQQ5PIV6NAH","bundle":"https://pith.science/pith/C6QXZPSOSPBPUHZAQQ5PIV6NAH/bundle.json","state":"https://pith.science/pith/C6QXZPSOSPBPUHZAQQ5PIV6NAH/state.json","well_known_bundle":"https://pith.science/.well-known/pith/C6QXZPSOSPBPUHZAQQ5PIV6NAH/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:C6QXZPSOSPBPUHZAQQ5PIV6NAH","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"ba394e60817a7ce44a285168bb915a5d8101d4953248863a728a6e1664ba1514","cross_cats_sorted":["cs.AI"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T16:26:27Z","title_canon_sha256":"03502263a57b86ffe6866ed271eeb253ef1dd80f1e5620377f5183ad03b38e7f"},"schema_version":"1.0","source":{"id":"2605.15030","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.15030","created_at":"2026-05-17T23:38:54Z"},{"alias_kind":"arxiv_version","alias_value":"2605.15030v1","created_at":"2026-05-17T23:38:54Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.15030","created_at":"2026-05-17T23:38:54Z"},{"alias_kind":"pith_short_12","alias_value":"C6QXZPSOSPBP","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"C6QXZPSOSPBPUHZA","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"C6QXZPSO","created_at":"2026-05-18T12:33:37Z"}],"graph_snapshots":[{"event_id":"sha256:a15714f26dd56be724deea6f37e1992e649ce79ab9d34c40f377f7ab08766a9f","target":"graph","created_at":"2026-05-17T23:38:54Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"paper":{"abstract_excerpt":"Web agents can autonomously complete online tasks by interacting with websites, but their exposure to open web environments makes them vulnerable to prompt injection attacks embedded in HTML content or visual interfaces. Existing guard models still suffer from limited generalization to unseen domains and attack patterns, high false positive rates on benign content, reduced deployment efficiency due to added latency at each step, and vulnerability to adversarial attacks that evolve over time or directly target the guard itself. To address these limitations, we propose WARD (Web Agent Robust Def","authors_text":"Bryan Hooi, Hieu Cao, Khoi Le, Shuicheng Yan, Thong Nguyen, Tri Cao, Yibo Li, Yue Liu, Yuexin Li, Yufei He, Yulin Chen","cross_cats":["cs.AI"],"headline":"","license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T16:26:27Z","title":"WARD: Adversarially Robust Defense of Web Agents Against Prompt Injections"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2605.15030","kind":"arxiv","version":1},"verdict":{"created_at":null,"id":null,"model_set":{},"one_line_summary":"","pipeline_version":null,"pith_extraction_headline":"","strongest_claim":"","weakest_assumption":""}},"verdict_id":null}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:d0a901dac468bf7f3f5b9e9e042ab790d4ac740959b4c4d75759ef1e5f150c1d","target":"record","created_at":"2026-05-17T23:38:54Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"ba394e60817a7ce44a285168bb915a5d8101d4953248863a728a6e1664ba1514","cross_cats_sorted":["cs.AI"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T16:26:27Z","title_canon_sha256":"03502263a57b86ffe6866ed271eeb253ef1dd80f1e5620377f5183ad03b38e7f"},"schema_version":"1.0","source":{"id":"2605.15030","kind":"arxiv","version":1}},"canonical_sha256":"17a17cbe4e93c2fa1f20843af457cd01d338f78b3265c0b019f2bb3065c93777","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"17a17cbe4e93c2fa1f20843af457cd01d338f78b3265c0b019f2bb3065c93777","first_computed_at":"2026-05-17T23:38:54.592070Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-17T23:38:54.592070Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"TyO1zgdKllrkGA5C/uichEA3i+MhHv2cWdRWweeMFKeOITBnjo8mKCvk8vLgH1VsvLGavEqvg2UxxAae/VwWDg==","signature_status":"signed_v1","signed_at":"2026-05-17T23:38:54.592743Z","signed_message":"canonical_sha256_bytes"},"source_id":"2605.15030","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:d0a901dac468bf7f3f5b9e9e042ab790d4ac740959b4c4d75759ef1e5f150c1d","sha256:a15714f26dd56be724deea6f37e1992e649ce79ab9d34c40f377f7ab08766a9f"],"state_sha256":"e3c9f2497945f29d8b09a62978bdde6a049a8090f4a7fc6972f7e765dadf2047"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"+XGIJasBfbfhu4PNLrmZWfqXa3zCdANFOuZms07Q7Xpt3jpGZfIi36HSI5AWC32TYSaUU5SBKVVllLAQpRAABA==","signed_message":"bundle_sha256_bytes","signed_at":"2026-06-04T06:50:03.446403Z","bundle_sha256":"bcb0b071488c51f5b4f31af4f2279065bf3e4b91e45f209a24692875fa79c12c"}}