arXiv: Seeing Is Not Screening: Multimodal Hidden Instruction Attacks on Agent Skill Scanners

This paper, published on arXiv, presents a new class of security vulnerability specifically targeting AI agents that use multimodal inputs—such as images, text, and audio. The authors demonstrate that malicious actors can embed hidden instructions within visual data that bypass existing safety scanners, effectively tricking an AI agent into executing harmful actions even when the agent’s text-based screening appears clean. This is not a regulatory change but a significant technical finding that exposes a blind spot in current AI safety testing frameworks, particularly for systems that process mixed media.

The primary affected organizations are those deploying or developing autonomous AI agents in high-stakes sectors, including financial services, healthcare, critical infrastructure, and legal technology. Any firm using large language models or multimodal AI to automate decision-making, customer interactions, or data processing should consider this a material risk. Regulators in the EU, particularly under the AI Act’s high-risk classification, will likely scrutinize whether such vulnerabilities are adequately addressed in conformity assessments.

Compliance teams should immediately review their AI agent architectures to determine if multimodal inputs are processed without independent verification. They should update internal risk assessments to include this attack vector and ensure that safety scanners are not solely reliant on text-based filters. It is prudent to engage with technical teams to implement layered detection mechanisms, such as separate image and audio sanitization pipelines, and to document these controls in preparation for future regulatory audits.