Seeing Is Not Screening: Multimodal Hidden Instruction Attacks on Agent Skill Scanners

21d ago · Global · primary source: export.arxiv.org

A preprint posted to arXiv on 16 June 2026 describes a new attack that hides malicious instructions inside images to evade security scanners built for large language model agents [1][2]. The work identifies a blind spot in current defenses and proposes a countermeasure called ExecScan [2]. The paper, titled “Seeing Is Not Screening,” argues that agent skills — modular capabilities added to LLM-based systems — have become a significant attack surface [2]. Large language models are machine learning models trained on vast amounts of text for tasks such as language generation [10]. As these systems are extended with third-party skills, researchers have begun scrutinizing how those skills are vetted [2]. The authors conducted an empirical study of existing skill scanners and concluded that defenses rely overwhelmingly on textual descriptions, manifests, and source code to flag malicious behavior [2]. “This creates a practical blind spot: harmful operational instructions hidden in images may bypass scanning while still being recoverable by multimodal agents during deployment,” the paper states [2]. To demonstrate the risk, the researchers developed SkillCamo, a document-mediated multimodal instruction attack. SkillCamo embeds malicious payloads inside images that are bundled with a skill and rewrites the accompanying documentation so that the images appear to be part of a normal workflow [2]. The attack does not depend on the image alone; it exploits the joint interpretation of textual guidance and visual content at execution time [2]. Because current scanners do not jointly analyze text and imagery, the hidden instructions can slip through [2]. The proposed defense, ExecScan, takes an execution-grounded approach. It performs intent extraction, behavior reconstruction, abuse assessment, and deliberative execution simulation across all skill artifacts [2]. By jointly analyzing documentation, code, referenced resources, and visual content, ExecScan reconstructs executable behavior chains and flags downstream risks including exfiltration, destruction, persistence, deception, and privilege escalation [2]. The paper reports that image-hidden malicious instructions consistently challenged existing scanners, while ExecScan improved scanning performance [2]. The research appears on arXiv, an open-access repository of electronic preprints that is moderated but not peer-reviewed [8]. As of November 2024, the repository was receiving about 24,000 new articles per month [8]. The paper was submitted under the Cryptography and Security category and is available in both PDF and experimental HTML formats [1].

applicationresearch-papercontroversycommentary

Background sources we checked (9)
  • arxiv.org ↗ Agent skills are emerging as an important attack surface in LLM-based systems. Through an empirical study of existing skill scanners, we find that current defenses primarily rely on textual descriptions, manifests, and source code as the main signals for security analysis, which …
  • en.wikipedia.org ↗ This article presents a detailed timeline of events in the history of computing from 2020 to the present. For narratives explaining the overall developments, see the history of computing. Significant events in computing include events relating directly or indirectly to software, …
  • en.wikipedia.org ↗ This is a list of several significant scientific events that occurred or were scheduled to occur in 2021.…
  • info.arxiv.org ↗ arXiv Labs - arXiv info | arXiv e-print repository Skip to content # arXiv Labs Attention arXiv Users: arXiv Labs is pausing new proposals ## What are arXiv Labs? arXiv Labs are a way for the community to contribute new, useful features to arXiv. These integrations are avail…
  • blog.arxiv.org ↗ arXivLabs: a space for community innovation – arXiv blog arXiv has launched a new, formalized framework enabling innovative collaborations with individuals and organizations. “Members of our community want to contribute tools that enhance the arXiv experience, and we val…
  • info.arxiv.org ↗ arXivLabs: Showcase - arXiv info | arXiv e-print repository ... # arXivLabs: Showcase ... arXiv is surrounded by a community of researchers and developers working at the cutting edge of information science and technology. ... While the arXiv team is focused on our core mission—pr…
  • en.wikipedia.org ↗ arXiv (pronounced as "archive"—the X represents the Greek letter chi ⟨χ⟩) is an open-access repository of electronic preprints and postprints (known as e-prints) approved for posting after moderation, but not peer reviewed. It consists of scientific papers in the fields of mathem…
  • en.wikipedia.org ↗ 14 (fourteen) is the natural number following 13 and preceding 15.…
  • en.wikipedia.org ↗ A large language model (LLM) is a type of machine learning model designed for natural language processing tasks such as language generation. LLMs are language models with many parameters, and are trained with self-supervised learning on a vast amount of text.…

Sources

Spot something wrong? Report an issue