Recent research from Google DeepMind identifies six critical categories of security vulnerabilities specific to AI agents, an attack surface that did not exist two years ago. The study, particularly relevant to computer-use agents browsing the web, introduces a taxonomy of AI agent traps designed to help developers understand and defend against these emerging threats. These findings align with previous concerns from Hugging Face, which argued for bounded autonomy, noting that fully autonomous agents face significant risks. The first major vulnerability category involves semantic manipulation. Unlike direct injection attacks, these exploit distributional pressure on inputs. For example, saturating a webpage with authoritative-sounding phrases can bias an agent's summarization, or wrapping malicious requests in educational contexts can bypass safety filters. This approach is often subtler and potentially more common than traditional command injections. Cognitive state poisoning targets how agents store and retrieve information. Retrieval-Augmented Generation (RAG) poisoning injects fabricated statements into data corpora, causing agents to treat attacker content as verified fact. While training-time poisoning is difficult to execute, a more immediate threat lies in agent self-write memory. If an agent stores unreviewed data into long-term memory without provenance checks, a single poisoned input can create a persistent backdoor activated by future retrieval. Behavioral control encompasses direct hijacking where attackers force an agent to ignore instructions or leak data. Delivery is typically indirect, with malicious commands hidden within emails, webpages, or documents the agent accesses. Research shows agents can be tricked into exfiltrating local files or dumping private context simply by reading a booby-trapped message. A newer variant, sub-agent hijacking, occurs when an orchestrator spawns helper agents with compromised instructions inherited from a malicious source file. Systemic traps exploit the widespread use of identical base models. A crafted input, such as a poisoned RSS feed or package registry signal, can trigger identical failures across thousands of agents simultaneously, leading to cascading errors. Human-in-the-loop traps bypass the agent entirely by targeting human reviewers. Through approval fatigue or crafted summaries, attackers convince humans to approve agent outputs that look benign in isolation but cause harm when executed. The study emphasizes that defense strategies must mirror the specific loop section where traps operate. Input filters cannot prevent memory poisoning, and output critics cannot stop compositional traps split across multiple files. By separating the location of the attack from the attacker's intent, this taxonomy provides a shared vocabulary for designing comprehensive guardrails. While systemic and human-centric traps remain largely theoretical, the paper serves as a foundational reference for teams tasked with securing the next generation of agentic applications.