Papers
Topics
Authors
Recent
Search
2000 character limit reached

When AUC 0.998 Is Not Enough: A Candidate Evaluation Protocol for Hidden-State Probes of Indirect Prompt Injection in Multimodal Computer-Use Agents

Published 22 Jun 2026 in cs.LG | (2606.22864v1)

Abstract: Hidden-state probing -- a linear classifier on a frozen vision-LLM's internal activations -- has emerged as an attractive evaluation tool for flagging indirect prompt injection (IPI) in multimodal computer-use agents before the agent emits a corrupted action. We argue, on a single-backbone cautionary case study (Qwen2.5-VL-7B on Mind2Web, teacher-forced replay), that a high probing AUC on a clean-vs-attack split is not, on its own, evidence of malicious-content detection. Two post-hoc diagnostics -- a paired-construction scalar baseline on text-side injections, and same-step nuisance-matched visual controls on the overlay surface -- do not license an unqualified malicious-content interpretation of the headline while leaving room for partly-semantic readings. We package the diagnostics as a candidate control set with reporting heuristics for what a high clean-vs-attack AUC does and does not license. Labels are injection-surface-present, not attack success; generalisation beyond this backbone and benchmark is a conjecture.

Authors (3)

Summary

  • The paper demonstrates that high AUC values (0.998) may reflect artifact cues rather than genuine malicious-content detection.
  • It employs controlled diagnostics using metadata and visual overlay controls to distinguish between semantic encoding and construction shortcuts.
  • Results indicate that without proper nuisance-matched controls, probe performance fails to reliably identify indirect prompt injection in multimodal agents.

Rigorous Evaluation of Hidden-State Probes: Disentangling Malicious Content Detection from Artifact Cues in Indirect Prompt Injection for Multimodal Computer-Use Agents

Introduction: Assessment of Hidden-State Probing for IPI Detection

The paper "When AUC 0.998 Is Not Enough: A Candidate Evaluation Protocol for Hidden-State Probes of Indirect Prompt Injection in Multimodal Computer-Use Agents" (2606.22864) addresses the interpretability and reliability of high-AUC hidden-state probes intended for indirect prompt injection (IPI) detection in multimodal agents. The work critically analyzes the tendency of linear probes on frozen vision-LLM (VLM) activations to achieve superficially impressive discrimination between clean and injected (corrupted) inputs, especially in the context of Qwen2.5-VL-7B operating on Mind2Web trajectories with teacher-forced replay. The paper argues that high AUC—specifically, 0.998 for visible overlay injection—is not necessarily evidence of internal malicious-content encoding, demonstrating instead that shortcut cues and surface artifacts dominate the probe's discriminative capacity unless carefully controlled via targeted diagnostic protocols.

Candidate Control Set: Structuring Failure-Mode Diagnostics

A principal contribution is the design of control diagnostics that operationally test what a high clean-vs-attack probe AUC actually measures. The candidate protocol comprises two critical controls:

  • C1 (Text-side scalar baseline): A logistic regression on four metadata scalars per step (step index, trajectory horizon, prompt length, Δ\Deltaprompt-length) on text-injection surfaces. This control exposes paired-construction artifacts: on both DOM and tool-return surfaces, the metadata baseline saturates at AUC 1.000, surpassing the supervised probe and thus invalidating any claim of semantic malicious-content detection. This demonstrates that, given the split construction, a trivial metadata classifier is sufficient for class separation. Figure 1

    Figure 1: Text-side C1 evidence and cross-injection transfer: C1 metadata-only AUC reveals probe discrimination is an artifact of paired construction, not substantive content encoding.

  • C2 (Visual overlay controls): Three nuisance-matched controls rendered onto the same screenshot geometry as the attack overlays: C-scrambled (gibberish text, matching length and typography), C-imperative (benign instruction overlays), and C-occlusion (textless colored overlays). Direct AUC between malicious and control overlays critically distinguishes whether the probe actually keys on semantic content or simply on overlay presence and surface statistics. Figure 2

    Figure 2: Visible-side C2 diagnostic: direct malicious-vs-control overlay discrimination shows that the probe does not reliably separate malicious banners from scrambled overlays, implicating surface artifacts as the primary cue.

Experimental Protocol and Empirical Results

The evaluation leverages frozen Qwen2.5-VL-7B-Instruct on 80 Mind2Web trajectories, focusing on three IPI surfaces: visible overlay (I-vis), DOM text (I-dom), and tool-return text (I-tool).

  • Headline Results: The linear probe achieves an AUC of 0.998 for clean-vs-I-vis attack separation; I-dom and I-tool reach 0.705 and 0.771, respectively. However, the matched-step variant and control diagnostics reveal that these high values are not indicative of targeted content detection but of shortcut learning.
  • C1 Diagnostic: On text-side surfaces, the four-scalar metadata baseline AUC equals or exceeds the supervised probe (AUC 1.000), confirming that separation is driven by construction-induced shortcuts rather than internal malicious-content encoding.
  • C2 Diagnostic: On the visible overlay surface, the probe's clean-vs-overlay AUC for both I-vis and C-scrambled overlays is 0.998. The direct AUC between malicious and scrambled overlays is 0.489 (CI includes chance), meaning the probe cannot discriminate between overlays with malicious and meaningless content. C-imperative controls yield a direct AUC of 0.718, suggesting partial separation with wide uncertainty.

Robustness Checks and Auxiliary Diagnostics

The paper conducts a suite of robustness checks:

  • Shuffled-label sanity: Probe trained on label noise fails to generalize (test AUC 0.492), ruling out memorization artifacts.
  • Regularization sweep: AUC is stable over five orders of magnitude of inverse regularization, confirming capacity insensitivity.
  • Narrow-bbox exclusion: Removing edge-case overlays does not affect ordering or results.
  • Cross-injection transfer: Training on text-only injection surfaces yields chance-level AUC when tested on the visible overlay surface, indicating lack of cross-surface semantic representation encoding.

Reporting Recommendations and Evaluation Methodology Implications

The analysis motivates key reporting heuristics and evaluation recommendations:

  • Always report metadata baselines alongside probe results for each injection surface, as confounds are surface-dependent.
  • For visual overlays, diagnostic evaluation must include direct malicious-vs-control AUC with trajectory-bootstrap CIs, rather than clean-vs-attack alone.
  • Disqualify semantic-content interpretation whenever metadata baseline saturates or direct control AUC includes chance.
  • Avoid unqualified claims about probe-based malicious-content detection unless both artifact and nuisance controls are decisively resolved.

Practical and Theoretical Implications

Practically, the paper’s protocol delivers rigorous falsification criteria for probe evaluations; it demonstrates that without perfectly nuisance-matched control conditions, high AUC values are unreliable for semantic detection claims in multimodal agent security contexts. Theoretically, this work expands shortcut learning critique and control-task frameworks from NLP to multimodal agent environments, supporting generalization of probing-control methodology across input modalities.

The findings imply that evaluation of hidden-state probes for agent safety and adversarial prompt injection must be grounded not in headline metrics but in stratified control analysis, with careful separation of artifact-driven and semantic cues. The candidate protocol is likely to generalize across other modalities (audio amplitude, video duration), and future work will extend this methodology to additional benchmarks, agent backbones (32B scale), and live environment rollouts.

Conclusion

High-probe AUC on clean-vs-attack splits in multimodal agent hidden states cannot be interpreted as evidence of malicious-content detection without rigorous paired-control diagnostic analysis. The candidate protocol using scalar metadata baselines and same-step overlay controls, as illustrated for Qwen2.5-VL-7B/Mind2Web, exposes shortcut-driven separation and restricts substantive interpretation. Generalization to other agent architectures and benchmarks remains a conjecture, but methodological rigor demands adoption of multifaceted controls for all agent safety probe evaluations.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 2 likes about this paper.