- The paper introduces FlowSteer, a prompt-only attack that exploits planner-generated workflows to bias multi-agent LLM outputs for up to 55% increased malicious targeting.
- It reveals two failure modes—structural sensitivity and sycophantic framing—that amplify the impact of adversarial prompts in task decomposition.
- The study also proposes FlowGuard, a pre-planning defense that mitigates workflow contamination while preserving benign task execution.
Prompt-Only Workflow Steering Attacks in Multi-Agent LLM Systems
Introduction and Motivation
The proliferation of planner-executor architectures in LLM-based multi-agent systems (MAS) has shifted attention from isolated agent capabilities to emergent vulnerabilities arising during task decomposition, role assignment, and communication workflow formation. Although significant research has addressed post-hoc security—such as message corruption, tool misuse, or agent hijack—these approaches generally assume workflows are fixed and overlook the potential for adversarial influence during planning. "FlowSteer: Prompt-Only Workflow Steering Exposes Planning-Time Vulnerabilities in Multi-Agent LLM Systems" (2605.11514) systematically characterizes, exploits, and mitigates vulnerabilities at the MAS planning boundary using pure prompt-level attacks. This work introduces FlowSteer, a prompt-only attack capable of steering both content propagation and workflow topology, and FlowGuard, a defense operating strictly at the input boundary.
In planner-executor MAS, the planner translates a user task into a workflow graph, Gt​=(Vt​,Et​), comprising subtasks (nodes) and dependencies (edges). Executors communicate along this graph, with the final system output highly sensitive to both workflow structure and content routing. Unlike standard attack models requiring access to agents or messages, FlowSteer operates with only prompt access, exploiting the fact that coordinator LLMs translate user instructions into entire task decompositions, role assignments, and dependency paths—all modifiable via prompt content alone.
Figure 1: FlowSteer converts offline workflow vulnerability priors into a single crafted prompt that biases both subtask-level reasoning and planner-generated coordination paths.
The essential insight is that the mapping from prompt to workflow allows an adversary to inject malicious influence at a privileged and under-guarded decision point, biasing both the reasoning of early subtasks and their routing through the MAS.
Mechanism of Planning-Time Vulnerability
Comprehensive social-influence-inspired workflow probing reveals two interlinked failure modes:
- Structural Sensitivity: The impact of a malicious signal depends sharply on the workflow entry point—signals injected at high-influence subtasks exhibit substantial amplification, whereas those at low-influence nodes may be suppressed.
- Sycophantic Framing Vulnerability: Framing injected content with authoritative, persuasive, or compliance-oriented language significantly increases the likelihood that downstream agents will accept and propagate misleading information.
The risk is further exacerbated by dynamic workflow formation: prompt modifications induce the planner to regenerate topology, edge structure, and task allocation, potentially diffusing or amplifying the attack's effects.

Figure 2: FlowSteer better preserves favorable dependencies and suppresses unfavorable ones.
The FlowSteer Attack
FlowSteer harnesses prior workflow vulnerability diagnostics—obtained by probing the clean workflow's subtask influence and propagation-favorable dependencies—to construct a composite prompt with two key components:
- Task-Aware Sycophantic Argument: Malicious content is crafted to match the reasoning role of a high-influence subtask, using sycophantic cues to maximize adoption likelihood among downstream executors.
- Dependency-Guided Workflow Steering: The prompt is augmented with natural language cues that bias the planner toward reconstructing dependency patterns most favorable for propagation of the malicious signal during workflow replanning.
This approach neither requires agent message interception nor internal system modification; the attack is realized through a single crafted prompt that steers the entire MAS planning episode.
Empirical Results
Experimental validation utilizes the MisinfoTask and ASB-Bench datasets, evaluating across four LLM families and three planner-executor capability configurations. Results demonstrate that FlowSteer:
- Increases the rate at which MAS outputs align with the malicious target (MASR) by up to 55% over naive malicious prompting.
- Is transferable: vulnerability priors obtained from a single clean MAS setup generalize robustly across heterogeneous model families and planner/executor strengths.
- Remains potent under black-box settings: even when the attacker infers topology approximately from user-facing outputs, workflow steering success substantially exceeds naive attacks.
Analysis of Attack Dynamics
Ablation studies confirm that both task-awareness and sycophantic framing are critical; neither structural guidance nor generic persuasion alone achieve comparable steering efficacy. The joint effect is that the planner produces workflows with propagation-favorable dependencies, facilitating rapid multi-round adoption of the malicious premise.
Figure 4: Workflow construction under the clean task, FlowSteer, and FlowGuard. FlowSteer changes planner-generated roles and dependencies toward the malicious target, while FlowGuard reduces workflow contamination before planning.
Post-planning intervention is largely ineffective: existing MAS defenses (e.g., graph-based and topology-aware post-hoc correction) reduce MASR by only a small fraction, whereas FlowGuard—acting at the input side before planning—achieves up to 34% reduction in attack success while maintaining benign task fidelity.
Multi-Round Propagation and Downstream Amplification
Once the planner incorporates the contaminated prompt into workflow formation, subsequent agent interactions amplify and propagate the biased reasoning, as documented in full multi-round execution traces.
Figure 6: Multi-round propagation under FlowSteer. After workflow formation is biased, misleading content is acknowledged, reformulated, and propagated through ordinary inter-agent communication before final aggregation.
Even with extended rounds of agent communication, contaminated workflows do not self-correct—the initial bias is typically stabilized or amplified rather than diluted.
The FlowGuard Defense
FlowGuard enforces planning-boundary safety by triaging user input into core task, methodological, and framing intents, and then neutralizing workflow-contaminating cues before MAS planning:
- Rigid structural mandates are softened or reframed as preferences.
- Assertive, unverifiable axioms are downgraded to contextual hypotheses.
- The resulting rewritten prompt maintains high utility for benign task enhancement while filtering workflow-level contamination.
Unlike post-hoc graph remedies, this defense directly precludes the planner from constructing propagation-favorable attack topologies.
Implications and Directions for Future AI
From a theoretical standpoint, these findings relocate the locus of MAS vulnerability: the planning interface—conventionally perceived as a neutral preprocessing step—emerges as a privileged and under-protected attack surface. Practically, this work shows that prompt-only adversaries, leveraging only natural language, can mount effective workflow manipulations without privileged access or system compromise. Reliable MAS security therefore demands input-side stickiness (robust intent separation and reframing) in addition to downstream monitoring.
Further research is needed to:
- Generalize workflow-level safety to non-planner-executor multi-agent paradigms (e.g., debate, swarm, multi-stage tool-augmented pipelines).
- Develop more expressive, interpretable, and enforceable planning boundaries in LLM-driven collaboration.
- Formalize diagnostic methodologies for identifying and mitigating planning-time vulnerabilities prior to large-scale deployment in high-stakes domains.
Conclusion
This work rigorously demonstrates that planner-executor MAS are vulnerable at the point where prompts are interpreted into workflows—a critical, previously underestimated security boundary. Prompt-only attacks can steer both the content and topology of multi-agent LLM workflows, with transferability and robustness to black-box scenarios. Input-side defenses such as FlowGuard—operating before planning—represent a promising, practical supplement to traditional post-hoc MAS hardening. As MAS architectures become increasingly dynamic and LLM collaboration more consequential, workflow-level safety must become a central precept in the design and deployment of secure multi-agent systems.