Papers
Topics
Authors
Recent
Search
2000 character limit reached

OrchJail: Jailbreaking Tool-Calling Text-to-Image Agents by Orchestration-Guided Fuzzing

Published 8 May 2026 in cs.MA, cs.AI, and cs.CR | (2605.07414v1)

Abstract: Tool-calling text-to-image (T2I) agents can plan and execute multi-step tool chains to accomplish complex generation and editing queries. However, this capability introduces a new safety attack surface: harmful outputs may arise from tool orchestration, where individually benign steps combine into unsafe results, making prompt-only jailbreak techniques insufficient. We present OrchJail, an orchestration-guided fuzzing framework for jailbreaking tool-calling T2I agents. Its core idea is to exploit high-risk tool-orchestration patterns: by learning from successful jailbreak tool-calling traces and their causal relationships to prompt wording, OrchJail directly guides the fuzzing search toward prompts that are more likely to trigger unsafe multi-step tool behaviors, rather than relying on surface-level textual perturbations. Extensive experiments demonstrate that OrchJail improves jailbreak effectiveness and efficiency across representative toolcalling T2I agents, achieving higher attack success rates, better image fidelity, and lower query costs, while remaining robust against common jailbreak defenses. Our work highlights tool orchestration as a critical, previously unexplored attack surface and provides a novel framework for uncovering safety risks in T2I agents.

Summary

  • The paper introduces an orchestration-guided fuzzing framework that strategically composes benign tool operations to bypass safety defenses.
  • It leverages tool-aware seed generation and causal reasoning to efficiently trigger multi-step adversarial prompts with fewer queries.
  • Empirical results show OrchJail outperforms baselines, achieving up to 72.63% jailbreak success while maintaining prompt naturalness.

OrchJail: Orchestration-Guided Fuzzing for Jailbreaking Tool-Calling Text-to-Image Agents

Motivation and Novel Attack Surface

The emergence of tool-calling text-to-image (T2I) agents constitutes a paradigm shift in generative image systems, transitioning from monolithic diffusion model invocation to complex language-model-driven orchestration of multiple specialized tools (generation, editing, insertion, etc.). This agentic workflow enables sophisticated compositional image generation, yet introduces a distinct safety threat: vulnerabilities are no longer confined to prompt-level evasion, but arise in the dynamic orchestration of benign steps that—when composed—produce policy-violating or harmful outcomes. Conventional single-model T2I jailbreak strategies, primarily focused on textual manipulation and semantic preservation, are insufficient as orchestration vulnerabilities must be exploited at the agent planning and multi-tool scheduling level. Figure 1

Figure 1: An illustration of a jailbreak prompt against Tool-Calling T2I Agents.

Orchestration-Guided Fuzzing Framework

OrchJail operationalizes a novel fuzzing strategy incorporating orchestration abstraction, causal knowledge mining, and multi-objective search. The procedure initiates with tool-aware seed corpus generation whereby LLMs restructure prompts to maximize the likelihood of multi-tool execution, leveraging explicit agent toolset information. Each prompt is processed through iterative querying, success evaluation, guided mutation, and candidate scoring, under budget constraints. Figure 2

Figure 2: Overview of OrchJail's fuzzing and orchestration-guided reasoning loop.

Tool-Aware Seed Generation

Seed prompts are generated by conditioning LLMs on agents' tool descriptions, producing syntactic and structural cues (e.g., clause segmentation, object separation) conducive to triggering agentic decomposition and orchestration. This bootstrap corpus ensures initial exploration aligns with the agent’s compositional planning logic. Figure 3

Figure 3: Example for initializing prompt seed in Tool-Aware Seed Generation.

Orchestration Abstraction and Causal Reasoning

Successful jailbreak cases provide empirical evidence for orchestration patterns (macro-planning, micro-scheduling, tool selection) abstracted from tool invocation traces, using rule-based extractors. Subsequently, LLMs infer span-aware causal relationships between prompt elements and these orchestration patterns, constructing interpretable causal knowledge tuples which inform mutation and scoring. Figure 4

Figure 4: Example for summarizing tool chain logs in the Orchestration Abstraction.

Figure 5

Figure 5: Example for reasoning causal relationship in the Causal Reasoning.

Guided Mutation and Multi-objective Scoring

OrchJail’s mutation stages incorporate causal guidance for both bypass-oriented and semantics-oriented rewrites, maximizing the probability of successful bypass while preserving harmful intent. Candidate prompts are ranked using an LLM-as-judge approach, scoring for defense bypass likelihood, semantic drift, and orchestration-pattern match, aggregating these objectives for optimal candidate selection under querying budgets. Figure 6

Figure 6: Example for bypass-oriented mutation.

Figure 7

Figure 7: Example for multi-objective scoring.

Empirical Evaluation

OrchJail was evaluated on three representative tool-calling T2I agents (GenArtist, CREA, LayerCraft) and compared against four advanced baselines (DACA, RING, SneakyPrompt, JailFuzzer). Metrics include one-time and re-use success rates, image fidelity (FID), query efficiency, and prompt naturalness (PPL).

  • Jailbreak Success: OrchJail achieved substantially higher one-time success rates (e.g., 72.63% for GenArtist) and lower FID than baselines, indicating robust and semantically faithful harmful generation.
  • Query Efficiency: The orchestration-guided search required fewer queries per successful jailbreak, reflecting improved exploit coverage and resource efficiency.
  • Prompt Naturalness: Prompts synthesized by OrchJail exhibited lowest perplexity scores, maximizing fluency and mimicking genuine user input, thus evading surface-level defense heuristics.
  • Defense Robustness: OrchJail remained effective against perplexity-based and SmoothLLM defenses, retaining >69% success rate, outperforming all baselines even under defensive settings. Figure 8

    Figure 8: Performance of different variants of OrchJail.

    Figure 9

    Figure 9: Performance of different numbers of candidates in OrchJail mutation.

Qualitative Analysis

OrchJail’s strategy leads to adversarial prompts that successfully induce multi-step orchestrations, even when individual tool invocations are locally benign. The method bypasses distributed safety filters by exploiting the lack of global safety evaluation in orchestration logic. Examples demonstrate successful generation for violence, bloody content, illegal activity, and discrimination across agents. Figure 10

Figure 10: Example of a successful jailbreak case for violence.

Figure 11

Figure 11: Example of a successful jailbreak case for bloody.

Figure 12

Figure 12: Example of a successful jailbreak case for illegal activity.

Figure 13

Figure 13: Example of a successful jailbreak case for discrimination.

Components and Ablation Study

Three primary modules underpin OrchJail’s performance: tool-aware seed generation, orchestration abstraction/causal reasoning, and multi-objective scoring. Ablation studies reveal that omitting any component decreases success rate or query efficiency markedly; removal of orchestration reasoning leads to the most pronounced drop, substantiating the necessity of causal prompt-orchestration guidance. Figure 8

Figure 8: Impact of ablated variants on success rate, fidelity, and query cost.

Implications and Future Directions

OrchJail highlights orchestration-level vulnerabilities as a critical but overlooked attack vector for agentic T2I systems. The framework demonstrates that benign tool-chain steps can be strategically composed into policy-violating outputs—challenging the efficacy of prompt-only safeguards and instigating a need for holistic, composition-aware defense mechanisms. The practical impact is twofold: (a) adversaries can systematically uncover new attack surfaces via agent orchestration, and (b) system designers must engineer multi-step, global safety verifiers rather than distributed local filters.

Theoretically, this work establishes methodology for causal trace-guided input synthesis, suggesting future research directions in automated reasoning for agent planning vulnerabilities and adaptive defense. Extension to other multimodal agentic systems (text-to-video, interactive editing) is anticipated, given the growing adoption of tool-chain orchestration paradigms.

Conclusion

OrchJail presents an orchestration-guided fuzzing framework as an effective solution for jailbreaking tool-calling T2I agents, outperforming prominent prompt-only and fuzzing baselines on success rate, query efficiency, and output fidelity. Its orchestration-level causal guidance not only exploits previously unexplored compositional attack surfaces but also exposes the insufficiency of current defensive strategies in multi-tool agentic workflows. The results call for research into orchestration-aware safeguards and reinforce the importance of agent planning logic analysis in generative AI safety.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 2 likes about this paper.