EPS
← All batches·2605.11514

FlowSteer: Prompt-Only Workflow Steering Exposes Planning-Time Vulnerabilities in Multi-Agent LLM Systems

topic: general_safetytop score: 100released: 2026-05-13first surfaced: 2026-05-13arXivPDFthreats2026-05-13

Authors: Fanxiao Li, Jiaying Wu, Tingchao Fu et al.

arXiv · PDF

Summary

The authors show that multi-agent LLM systems with planner-executor architectures are vulnerable to workflow steering attacks: adversaries can craft prompts that manipulate how the planner organizes subtasks, roles, and routing paths, amplifying malicious signals through the agent network. They introduce FlowSteer, a prompt-only attack that achieves up to 55% higher attack success by positioning malicious content in influential workflow slots and exploiting sycophantic (overly-agreeable) downstream behavior, plus FlowGuard, an input-side defense that reduces attack success by up to 34%.

Main takeaways:

  • Multi-agent planners that convert prompts into workflows create a new attack surface: adversaries can shape agent coordination structures through carefully crafted inputs alone, without touching infrastructure.
  • Two key vulnerabilities emerge: workflow position amplifies or suppresses malicious signals, and sycophantic framing makes downstream agents more likely to propagate harmful content.
  • FlowSteer translates these insights into a black-box attack that works across different multi-agent setups and even when the attacker doesn't know the full topology.
  • Defenses that only inspect the generated workflow (after planning) provide limited protection, because the attack biases the planning signals themselves.
  • FlowGuard operates on the input side, filtering prompts before they reach the planner, and preserves most benign prompt utility.

Relevance

Not directly related to my persona/midtraining work — this is about multi-agent coordination attacks, not single-model behavioral installation or persona leakage. Could be tangentially relevant if I ever explore how persona markers propagate across multi-agent systems or how agent "roles" interact with persona space.

Threat model

Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses bias.

Abstract

arXiv:2605.11514v1 Announce Type: new Abstract: Multi-agent systems (MAS) powered by large language models (LLMs) increasingly adopt planner--executor architectures, where planners convert prompts into subtasks, roles, dependencies, and routing paths. This flexibility enables adaptive coordination, but exposes an attack surface in workflow formation: prompts can shape agent organization without modifying MAS infrastructure. We study this risk through social influence probing workflows to identify high-impact subtasks and malicious-signal propagation. The analysis reveals two vulnerabilities: workflow position can amplify or suppress a malicious signal, and sycophantic framing makes downstream agents more likely to relay it. We translate these findings into FlowSteer, a prompt-only workflow steering attack that converts vulnerability priors into one crafted prompt. FlowSteer aligns a malicious signal with influential task components and guides replanning toward dependencies that preserve propagation. Experiments show that FlowSteer increases malicious success by up to 55% over naive prompting, transfers across MAS setups, and remains effective with black-box topology inference. As FlowSteer biases the planning signals that generate the workflow, MAS defenses that inspect only the generated workflow provide limited protection. As such, we introduce FlowGuard, an input-side defense that reduces malicious success by up to 34% while preserving prompt utility. Our results position workflow formation as a new safety frontier for multi-agent LLM systems, opening a planning-time security perspective on how agent coordination itself can be attacked and defended.