- The paper introduces an orchestration-guided fuzzing framework that strategically composes benign tool operations to bypass safety defenses.
- It leverages tool-aware seed generation and causal reasoning to efficiently trigger multi-step adversarial prompts with fewer queries.
- Empirical results show OrchJail outperforms baselines, achieving up to 72.63% jailbreak success while maintaining prompt naturalness.
OrchJail: Orchestration-Guided Fuzzing for Jailbreaking Tool-Calling Text-to-Image Agents
Motivation and Novel Attack Surface
The emergence of tool-calling text-to-image (T2I) agents constitutes a paradigm shift in generative image systems, transitioning from monolithic diffusion model invocation to complex language-model-driven orchestration of multiple specialized tools (generation, editing, insertion, etc.). This agentic workflow enables sophisticated compositional image generation, yet introduces a distinct safety threat: vulnerabilities are no longer confined to prompt-level evasion, but arise in the dynamic orchestration of benign steps that—when composed—produce policy-violating or harmful outcomes. Conventional single-model T2I jailbreak strategies, primarily focused on textual manipulation and semantic preservation, are insufficient as orchestration vulnerabilities must be exploited at the agent planning and multi-tool scheduling level.
Figure 1: An illustration of a jailbreak prompt against Tool-Calling T2I Agents.
Orchestration-Guided Fuzzing Framework
OrchJail operationalizes a novel fuzzing strategy incorporating orchestration abstraction, causal knowledge mining, and multi-objective search. The procedure initiates with tool-aware seed corpus generation whereby LLMs restructure prompts to maximize the likelihood of multi-tool execution, leveraging explicit agent toolset information. Each prompt is processed through iterative querying, success evaluation, guided mutation, and candidate scoring, under budget constraints.
Figure 2: Overview of OrchJail's fuzzing and orchestration-guided reasoning loop.
Seed prompts are generated by conditioning LLMs on agents' tool descriptions, producing syntactic and structural cues (e.g., clause segmentation, object separation) conducive to triggering agentic decomposition and orchestration. This bootstrap corpus ensures initial exploration aligns with the agent’s compositional planning logic.
Figure 3: Example for initializing prompt seed in Tool-Aware Seed Generation.
Orchestration Abstraction and Causal Reasoning
Successful jailbreak cases provide empirical evidence for orchestration patterns (macro-planning, micro-scheduling, tool selection) abstracted from tool invocation traces, using rule-based extractors. Subsequently, LLMs infer span-aware causal relationships between prompt elements and these orchestration patterns, constructing interpretable causal knowledge tuples which inform mutation and scoring.
Figure 4: Example for summarizing tool chain logs in the Orchestration Abstraction.
Figure 5: Example for reasoning causal relationship in the Causal Reasoning.
Guided Mutation and Multi-objective Scoring
OrchJail’s mutation stages incorporate causal guidance for both bypass-oriented and semantics-oriented rewrites, maximizing the probability of successful bypass while preserving harmful intent. Candidate prompts are ranked using an LLM-as-judge approach, scoring for defense bypass likelihood, semantic drift, and orchestration-pattern match, aggregating these objectives for optimal candidate selection under querying budgets.
Figure 6: Example for bypass-oriented mutation.
Figure 7: Example for multi-objective scoring.
Empirical Evaluation
OrchJail was evaluated on three representative tool-calling T2I agents (GenArtist, CREA, LayerCraft) and compared against four advanced baselines (DACA, RING, SneakyPrompt, JailFuzzer). Metrics include one-time and re-use success rates, image fidelity (FID), query efficiency, and prompt naturalness (PPL).
Qualitative Analysis
OrchJail’s strategy leads to adversarial prompts that successfully induce multi-step orchestrations, even when individual tool invocations are locally benign. The method bypasses distributed safety filters by exploiting the lack of global safety evaluation in orchestration logic. Examples demonstrate successful generation for violence, bloody content, illegal activity, and discrimination across agents.
Figure 10: Example of a successful jailbreak case for violence.
Figure 11: Example of a successful jailbreak case for bloody.
Figure 12: Example of a successful jailbreak case for illegal activity.
Figure 13: Example of a successful jailbreak case for discrimination.
Components and Ablation Study
Three primary modules underpin OrchJail’s performance: tool-aware seed generation, orchestration abstraction/causal reasoning, and multi-objective scoring. Ablation studies reveal that omitting any component decreases success rate or query efficiency markedly; removal of orchestration reasoning leads to the most pronounced drop, substantiating the necessity of causal prompt-orchestration guidance.
Figure 8: Impact of ablated variants on success rate, fidelity, and query cost.
Implications and Future Directions
OrchJail highlights orchestration-level vulnerabilities as a critical but overlooked attack vector for agentic T2I systems. The framework demonstrates that benign tool-chain steps can be strategically composed into policy-violating outputs—challenging the efficacy of prompt-only safeguards and instigating a need for holistic, composition-aware defense mechanisms. The practical impact is twofold: (a) adversaries can systematically uncover new attack surfaces via agent orchestration, and (b) system designers must engineer multi-step, global safety verifiers rather than distributed local filters.
Theoretically, this work establishes methodology for causal trace-guided input synthesis, suggesting future research directions in automated reasoning for agent planning vulnerabilities and adaptive defense. Extension to other multimodal agentic systems (text-to-video, interactive editing) is anticipated, given the growing adoption of tool-chain orchestration paradigms.
Conclusion
OrchJail presents an orchestration-guided fuzzing framework as an effective solution for jailbreaking tool-calling T2I agents, outperforming prominent prompt-only and fuzzing baselines on success rate, query efficiency, and output fidelity. Its orchestration-level causal guidance not only exploits previously unexplored compositional attack surfaces but also exposes the insufficiency of current defensive strategies in multi-tool agentic workflows. The results call for research into orchestration-aware safeguards and reinforce the importance of agent planning logic analysis in generative AI safety.