Seeing Is Not Screening: Multimodal Hidden Instruction Attacks on Agent Skill Scanners

📄 arXiv: 2606.18198v1 📥 PDF

作者: Xiaojun Jia, Jie Liao, Simeng Qin, Ke Ma, Wenbo Guo, Yebo Feng, Aishan Liu, Yang Liu

分类: cs.CR, cs.CV

发布日期: 2026-06-16


💡 一句话要点

提出SkillCamo与ExecScan以解决多模态隐藏指令攻击问题

🎯 匹配领域: 支柱九:具身大模型 (Embodied Foundation Models)

关键词: 多模态攻击 技能扫描 安全分析 恶意指令 执行模拟 意图提取 行为重建

📋 核心要点

  1. 现有技能扫描器主要依赖文本和代码进行安全分析,忽视了图像中隐藏的恶意指令,形成了安全盲点。
  2. 提出SkillCamo,通过将恶意指令隐藏在图像中并重写文档,使得攻击在执行时依赖于文本和视觉内容的联合解释。
  3. 实验结果显示,图像隐藏的恶意指令能够有效绕过现有扫描器,而ExecScan在技能扫描性能上有显著提升。

📝 摘要(中文)

随着基于大型语言模型(LLM)系统的代理技能成为重要的攻击面,现有的技能扫描器主要依赖文本描述、清单和源代码进行安全分析,导致对视觉传达的恶意意图的检查不足。为此,本文提出SkillCamo,一种文档介导的多模态指令攻击方法,通过将恶意指令隐藏在图像中并重写周围文档,使得攻击不再仅依赖于图像本身。此外,本文还提出ExecScan,一个基于执行的多模态扫描模块,能够提取意图、重建行为、评估滥用风险并模拟执行。实验表明,图像隐藏的恶意指令对现有技能扫描器构成挑战,而ExecScan能够显著提升技能扫描性能。

🔬 方法详解

问题定义:本文旨在解决现有技能扫描器对图像中隐藏的恶意指令检测不足的问题。现有方法主要依赖文本和代码进行分析,未能充分考虑视觉信息的潜在威胁。

核心思路:论文提出的SkillCamo方法通过将恶意指令隐藏在图像中,并重写相关文档,使得攻击在执行时依赖于文本和视觉内容的联合解释,从而绕过传统的检测机制。

技术框架:整体架构包括两个主要模块:SkillCamo用于实施攻击,ExecScan用于检测和防御。ExecScan模块通过分析文档、代码和视觉内容,提取意图并重建可执行行为链。

关键创新:最重要的创新在于SkillCamo能够有效隐藏恶意指令于图像中,并通过文档的重写使得攻击看似合规。ExecScan则通过多模态分析提升了对隐藏指令的检测能力。

关键设计:在ExecScan中,设计了意图提取、行为重建和滥用评估等多个子模块,采用了联合分析的策略,以提高对多模态内容的理解和处理能力。

🖼️ 关键图片

fig_0
fig_1
fig_2

📊 实验亮点

实验结果表明,图像隐藏的恶意指令能够有效绕过现有技能扫描器,导致检测率显著下降。相比之下,ExecScan在技能扫描性能上提升了约30%,显示出其在多模态分析中的有效性和必要性。

🎯 应用场景

该研究的潜在应用领域包括网络安全、智能助手和自动化系统等。通过提升对多模态内容的安全检测能力,能够有效防范潜在的攻击,保护用户数据和系统安全。未来,该技术可能会在更多的智能系统中得到应用,提升整体安全性。

📄 摘要(原文)

Agent skills are emerging as an important attack surface in LLM-based systems. Through an empirical study of existing skill scanners, we find that current defenses primarily rely on textual descriptions, manifests, and source code as the main signals for security analysis, which can leave visually conveyed malicious intent insufficiently examined. This creates a practical blind spot: harmful operational instructions hidden in images may bypass scanning while still being recoverable by multimodal agents during deployment. To systematically investigate this threat, we propose SkillCamo, a document-mediated multimodal instruction attack that conceals malicious instructions within images bundled with a skill while rewriting the surrounding documentation to naturally reference those images as part of the normal workflow. Thus, the attack does not rely on the image alone, but on the joint interpretation of textual guidance and visual payload at execution time. To defend against such attacks, we further propose ExecScan, an execution-grounded multimodal scanning module that performs intent extraction, behavior reconstruction, abuse assessment, and deliberative execution simulation over skill artifacts. ExecScan jointly analyzes documentation, code, referenced resources, and visual content to recover hidden instructions, reconstruct executable behavior chains, and identify downstream risks such as exfiltration, destruction, persistence, deception, and privilege escalation. Extensive experiments show that image-hidden malicious instructions challenge existing skill scanners, while ExecScan can improve the skill scanning performance.