Papers
Topics
Authors
Recent
Search
2000 character limit reached

FlowSteer: Prompt-Only Workflow Steering Exposes Planning-Time Vulnerabilities in Multi-Agent LLM Systems

Published 12 May 2026 in cs.CR | (2605.11514v1)

Abstract: Multi-agent systems (MAS) powered by LLMs increasingly adopt planner--executor architectures, where planners convert prompts into subtasks, roles, dependencies, and routing paths. This flexibility enables adaptive coordination, but exposes an attack surface in workflow formation: prompts can shape agent organization without modifying MAS infrastructure. We study this risk through social influence probing workflows to identify high-impact subtasks and malicious-signal propagation. The analysis reveals two vulnerabilities: workflow position can amplify or suppress a malicious signal, and sycophantic framing makes downstream agents more likely to relay it. We translate these findings into FlowSteer, a prompt-only workflow steering attack that converts vulnerability priors into one crafted prompt. FlowSteer aligns a malicious signal with influential task components and guides replanning toward dependencies that preserve propagation. Experiments show that FlowSteer increases malicious success by up to 55% over naive prompting, transfers across MAS setups, and remains effective with black-box topology inference. As FlowSteer biases the planning signals that generate the workflow, MAS defenses that inspect only the generated workflow provide limited protection. As such, we introduce FlowGuard, an input-side defense that reduces malicious success by up to 34% while preserving prompt utility. Our results position workflow formation as a new safety frontier for multi-agent LLM systems, opening a planning-time security perspective on how agent coordination itself can be attacked and defended.

Summary

  • The paper introduces FlowSteer, a prompt-only attack that exploits planner-generated workflows to bias multi-agent LLM outputs for up to 55% increased malicious targeting.
  • It reveals two failure modes—structural sensitivity and sycophantic framing—that amplify the impact of adversarial prompts in task decomposition.
  • The study also proposes FlowGuard, a pre-planning defense that mitigates workflow contamination while preserving benign task execution.

Prompt-Only Workflow Steering Attacks in Multi-Agent LLM Systems

Introduction and Motivation

The proliferation of planner-executor architectures in LLM-based multi-agent systems (MAS) has shifted attention from isolated agent capabilities to emergent vulnerabilities arising during task decomposition, role assignment, and communication workflow formation. Although significant research has addressed post-hoc security—such as message corruption, tool misuse, or agent hijack—these approaches generally assume workflows are fixed and overlook the potential for adversarial influence during planning. "FlowSteer: Prompt-Only Workflow Steering Exposes Planning-Time Vulnerabilities in Multi-Agent LLM Systems" (2605.11514) systematically characterizes, exploits, and mitigates vulnerabilities at the MAS planning boundary using pure prompt-level attacks. This work introduces FlowSteer, a prompt-only attack capable of steering both content propagation and workflow topology, and FlowGuard, a defense operating strictly at the input boundary.

Workflow Formation as a Security Surface

In planner-executor MAS, the planner translates a user task into a workflow graph, Gt=(Vt,Et)\mathcal{G}_t = (\mathcal{V}_t, \mathcal{E}_t), comprising subtasks (nodes) and dependencies (edges). Executors communicate along this graph, with the final system output highly sensitive to both workflow structure and content routing. Unlike standard attack models requiring access to agents or messages, FlowSteer operates with only prompt access, exploiting the fact that coordinator LLMs translate user instructions into entire task decompositions, role assignments, and dependency paths—all modifiable via prompt content alone. Figure 1

Figure 1: FlowSteer converts offline workflow vulnerability priors into a single crafted prompt that biases both subtask-level reasoning and planner-generated coordination paths.

The essential insight is that the mapping from prompt to workflow allows an adversary to inject malicious influence at a privileged and under-guarded decision point, biasing both the reasoning of early subtasks and their routing through the MAS.

Mechanism of Planning-Time Vulnerability

Comprehensive social-influence-inspired workflow probing reveals two interlinked failure modes:

  1. Structural Sensitivity: The impact of a malicious signal depends sharply on the workflow entry point—signals injected at high-influence subtasks exhibit substantial amplification, whereas those at low-influence nodes may be suppressed.
  2. Sycophantic Framing Vulnerability: Framing injected content with authoritative, persuasive, or compliance-oriented language significantly increases the likelihood that downstream agents will accept and propagate misleading information.

The risk is further exacerbated by dynamic workflow formation: prompt modifications induce the planner to regenerate topology, edge structure, and task allocation, potentially diffusing or amplifying the attack's effects. Figure 2

Figure 2

Figure 2: FlowSteer better preserves favorable dependencies and suppresses unfavorable ones.

The FlowSteer Attack

FlowSteer harnesses prior workflow vulnerability diagnostics—obtained by probing the clean workflow's subtask influence and propagation-favorable dependencies—to construct a composite prompt with two key components:

  • Task-Aware Sycophantic Argument: Malicious content is crafted to match the reasoning role of a high-influence subtask, using sycophantic cues to maximize adoption likelihood among downstream executors.
  • Dependency-Guided Workflow Steering: The prompt is augmented with natural language cues that bias the planner toward reconstructing dependency patterns most favorable for propagation of the malicious signal during workflow replanning.

This approach neither requires agent message interception nor internal system modification; the attack is realized through a single crafted prompt that steers the entire MAS planning episode.

Empirical Results

Experimental validation utilizes the MisinfoTask and ASB-Bench datasets, evaluating across four LLM families and three planner-executor capability configurations. Results demonstrate that FlowSteer:

  • Increases the rate at which MAS outputs align with the malicious target (MASR) by up to 55% over naive malicious prompting.
  • Is transferable: vulnerability priors obtained from a single clean MAS setup generalize robustly across heterogeneous model families and planner/executor strengths.
  • Remains potent under black-box settings: even when the attacker infers topology approximately from user-facing outputs, workflow steering success substantially exceeds naive attacks.

Analysis of Attack Dynamics

Ablation studies confirm that both task-awareness and sycophantic framing are critical; neither structural guidance nor generic persuasion alone achieve comparable steering efficacy. The joint effect is that the planner produces workflows with propagation-favorable dependencies, facilitating rapid multi-round adoption of the malicious premise. Figure 3

Figure 4: Workflow construction under the clean task, FlowSteer, and FlowGuard. FlowSteer changes planner-generated roles and dependencies toward the malicious target, while FlowGuard reduces workflow contamination before planning.

Post-planning intervention is largely ineffective: existing MAS defenses (e.g., graph-based and topology-aware post-hoc correction) reduce MASR by only a small fraction, whereas FlowGuard—acting at the input side before planning—achieves up to 34% reduction in attack success while maintaining benign task fidelity.

Multi-Round Propagation and Downstream Amplification

Once the planner incorporates the contaminated prompt into workflow formation, subsequent agent interactions amplify and propagate the biased reasoning, as documented in full multi-round execution traces. Figure 5

Figure 6: Multi-round propagation under FlowSteer. After workflow formation is biased, misleading content is acknowledged, reformulated, and propagated through ordinary inter-agent communication before final aggregation.

Even with extended rounds of agent communication, contaminated workflows do not self-correct—the initial bias is typically stabilized or amplified rather than diluted.

The FlowGuard Defense

FlowGuard enforces planning-boundary safety by triaging user input into core task, methodological, and framing intents, and then neutralizing workflow-contaminating cues before MAS planning:

  • Rigid structural mandates are softened or reframed as preferences.
  • Assertive, unverifiable axioms are downgraded to contextual hypotheses.
  • The resulting rewritten prompt maintains high utility for benign task enhancement while filtering workflow-level contamination.

Unlike post-hoc graph remedies, this defense directly precludes the planner from constructing propagation-favorable attack topologies.

Implications and Directions for Future AI

From a theoretical standpoint, these findings relocate the locus of MAS vulnerability: the planning interface—conventionally perceived as a neutral preprocessing step—emerges as a privileged and under-protected attack surface. Practically, this work shows that prompt-only adversaries, leveraging only natural language, can mount effective workflow manipulations without privileged access or system compromise. Reliable MAS security therefore demands input-side stickiness (robust intent separation and reframing) in addition to downstream monitoring.

Further research is needed to:

  • Generalize workflow-level safety to non-planner-executor multi-agent paradigms (e.g., debate, swarm, multi-stage tool-augmented pipelines).
  • Develop more expressive, interpretable, and enforceable planning boundaries in LLM-driven collaboration.
  • Formalize diagnostic methodologies for identifying and mitigating planning-time vulnerabilities prior to large-scale deployment in high-stakes domains.

Conclusion

This work rigorously demonstrates that planner-executor MAS are vulnerable at the point where prompts are interpreted into workflows—a critical, previously underestimated security boundary. Prompt-only attacks can steer both the content and topology of multi-agent LLM workflows, with transferability and robustness to black-box scenarios. Input-side defenses such as FlowGuard—operating before planning—represent a promising, practical supplement to traditional post-hoc MAS hardening. As MAS architectures become increasingly dynamic and LLM collaboration more consequential, workflow-level safety must become a central precept in the design and deployment of secure multi-agent systems.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 7 tweets with 20 likes about this paper.