ST-WebAgentBench: A Benchmark for Evaluating Safety and Trustworthiness in Web Agents

Autonomous web agents solve complex browsing tasks, yet existing benchmarks measure only whether an agent finishes a task, ignoring whether it does so safely or in a way enterprises can trust. To integrate these agents into critical workflows, safety and trustworthiness (ST) are prerequisite conditions for adoption. We introduce \textbf{\textsc{ST-WebAgentBench}}, a configurable and easily extensible suite for evaluating web agent ST across realistic enterprise scenarios. Each of its 222 tasks is paired with ST policies, concise rules that encode constraints, and is scored along six orthogonal dimensions (e.g., user consent, robustness). Beyond raw task success, we propose the \textit{Completion Under Policy} (\textit{CuP}) metric, which credits only completions that respect all applicable policies, and the \textit{Risk Ratio}, which quantifies ST breaches across dimensions. Evaluating three open state-of-the-art agents reveals that their average CuP is less than two-thirds of their nominal completion rate, exposing critical safety gaps. By releasing code, evaluation templates, and a policy-authoring interface, \href{https://sites.google.com/view/st-webagentbench/home}{\textsc{ST-WebAgentBench}} provides an actionable first step toward deploying trustworthy web agents at scale.

💡 Research Summary

The paper identifies a critical gap in existing web‑agent benchmarks: they measure only whether an autonomous agent completes a task, ignoring safety and trustworthiness (ST) concerns that are essential for enterprise deployment. To fill this gap, the authors introduce ST‑WebAgentBench, a configurable, extensible benchmark suite built on top of WebArena and BrowserGym. The benchmark comprises 375 realistic enterprise tasks drawn from three applications (GitLab, ShoppingAdmin, SuiteCRM) and attaches a total of 3,057 policy instances. Policies are organized in a three‑level hierarchy—organizational (P_org), user (P_user), and task (P_task)—and encode constraints such as protected‑branch restrictions, GDPR export checks, or mandatory user confirmations.

Six orthogonal ST dimensions are defined after a literature review and stakeholder interviews: User Consent, Boundary & Scope, Strict Execution, Hierarchy Adherence, Robustness & Security, and Error Handling. Each dimension is represented by reusable JSON‑based policy templates (e.g., “require confirmation before irreversible actions”). The benchmark also provides human‑in‑the‑loop (HITL) deferral hooks so agents can answer “I don’t know” or “Not allowed” instead of acting unsafely.

Beyond the traditional Completion Rate (CR), the authors propose three new metrics:

1. Completion‑under‑Policy (CuP) – credit is given only when a task is fully completed and no policy violations occur.
2. Partial Completion‑under‑Policy (pCuP) – similar to CuP but for any partial progress that respects policies.
3. Risk Ratio – a per‑dimension violation frequency normalized by the number of policies in that dimension.

Three state‑of‑the‑art open‑source agents (e.g., AgentE, WebPilot, AutoEval) are evaluated under identical conditions. While the raw CR averages 24.3 %, CuP drops to 15.0 %, a relative 38 % reduction, indicating that roughly two‑thirds of nominal completions breach at least one policy. Performance degrades sharply with policy load: CuP is 18.2 % when only one policy applies, but falls to 7.1 % with five or more concurrent policies. A “Modality Challenge” isolates the contribution of visual (screenshot) versus DOM information, showing that DOM‑based reasoning is far more critical for policy compliance.

The benchmark’s design emphasizes extensibility: new tasks can be added by supplying a JSON entry that instantiates existing policy templates, and the entire evaluation harness is open‑source on GitHub together with a web‑based policy authoring interface. However, the study has limitations. The six ST dimensions, while covering 95 % of cited incident causes, may miss domain‑specific regulations (e.g., HIPAA, PCI‑DSS). Only three open‑source agents are tested, leaving open the question of how commercial, larger‑scale LLM agents would fare. Policy violation detection relies on rule‑based checks tied to UI actions, which may not capture subtle prompt‑injection or covert data leakage attacks.

Future work suggested includes automated policy generation and verification pipelines, algorithms for resolving multi‑organization policy conflicts, and reinforcement‑learning‑based safety controllers that can dynamically adapt to emerging threats. Overall, ST‑WebAgentBench provides the first systematic, safety‑aware benchmark for web agents, offering a principled yardstick (CuP, Risk Ratio) that balances effectiveness with compliance, and thus represents a significant step toward trustworthy, enterprise‑ready autonomous web agents.