- The paper demonstrates that high AUC values (0.998) may reflect artifact cues rather than genuine malicious-content detection.
- It employs controlled diagnostics using metadata and visual overlay controls to distinguish between semantic encoding and construction shortcuts.
- Results indicate that without proper nuisance-matched controls, probe performance fails to reliably identify indirect prompt injection in multimodal agents.
Rigorous Evaluation of Hidden-State Probes: Disentangling Malicious Content Detection from Artifact Cues in Indirect Prompt Injection for Multimodal Computer-Use Agents
Introduction: Assessment of Hidden-State Probing for IPI Detection
The paper "When AUC 0.998 Is Not Enough: A Candidate Evaluation Protocol for Hidden-State Probes of Indirect Prompt Injection in Multimodal Computer-Use Agents" (2606.22864) addresses the interpretability and reliability of high-AUC hidden-state probes intended for indirect prompt injection (IPI) detection in multimodal agents. The work critically analyzes the tendency of linear probes on frozen vision-LLM (VLM) activations to achieve superficially impressive discrimination between clean and injected (corrupted) inputs, especially in the context of Qwen2.5-VL-7B operating on Mind2Web trajectories with teacher-forced replay. The paper argues that high AUC—specifically, 0.998 for visible overlay injection—is not necessarily evidence of internal malicious-content encoding, demonstrating instead that shortcut cues and surface artifacts dominate the probe's discriminative capacity unless carefully controlled via targeted diagnostic protocols.
Candidate Control Set: Structuring Failure-Mode Diagnostics
A principal contribution is the design of control diagnostics that operationally test what a high clean-vs-attack probe AUC actually measures. The candidate protocol comprises two critical controls:
- C1 (Text-side scalar baseline): A logistic regression on four metadata scalars per step (step index, trajectory horizon, prompt length, Δprompt-length) on text-injection surfaces. This control exposes paired-construction artifacts: on both DOM and tool-return surfaces, the metadata baseline saturates at AUC 1.000, surpassing the supervised probe and thus invalidating any claim of semantic malicious-content detection. This demonstrates that, given the split construction, a trivial metadata classifier is sufficient for class separation.
Figure 1: Text-side C1 evidence and cross-injection transfer: C1 metadata-only AUC reveals probe discrimination is an artifact of paired construction, not substantive content encoding.
- C2 (Visual overlay controls): Three nuisance-matched controls rendered onto the same screenshot geometry as the attack overlays: C-scrambled (gibberish text, matching length and typography), C-imperative (benign instruction overlays), and C-occlusion (textless colored overlays). Direct AUC between malicious and control overlays critically distinguishes whether the probe actually keys on semantic content or simply on overlay presence and surface statistics.
Figure 2: Visible-side C2 diagnostic: direct malicious-vs-control overlay discrimination shows that the probe does not reliably separate malicious banners from scrambled overlays, implicating surface artifacts as the primary cue.
Experimental Protocol and Empirical Results
The evaluation leverages frozen Qwen2.5-VL-7B-Instruct on 80 Mind2Web trajectories, focusing on three IPI surfaces: visible overlay (I-vis), DOM text (I-dom), and tool-return text (I-tool).
- Headline Results: The linear probe achieves an AUC of 0.998 for clean-vs-I-vis attack separation; I-dom and I-tool reach 0.705 and 0.771, respectively. However, the matched-step variant and control diagnostics reveal that these high values are not indicative of targeted content detection but of shortcut learning.
- C1 Diagnostic: On text-side surfaces, the four-scalar metadata baseline AUC equals or exceeds the supervised probe (AUC 1.000), confirming that separation is driven by construction-induced shortcuts rather than internal malicious-content encoding.
- C2 Diagnostic: On the visible overlay surface, the probe's clean-vs-overlay AUC for both I-vis and C-scrambled overlays is 0.998. The direct AUC between malicious and scrambled overlays is 0.489 (CI includes chance), meaning the probe cannot discriminate between overlays with malicious and meaningless content. C-imperative controls yield a direct AUC of 0.718, suggesting partial separation with wide uncertainty.
Robustness Checks and Auxiliary Diagnostics
The paper conducts a suite of robustness checks:
- Shuffled-label sanity: Probe trained on label noise fails to generalize (test AUC 0.492), ruling out memorization artifacts.
- Regularization sweep: AUC is stable over five orders of magnitude of inverse regularization, confirming capacity insensitivity.
- Narrow-bbox exclusion: Removing edge-case overlays does not affect ordering or results.
- Cross-injection transfer: Training on text-only injection surfaces yields chance-level AUC when tested on the visible overlay surface, indicating lack of cross-surface semantic representation encoding.
Reporting Recommendations and Evaluation Methodology Implications
The analysis motivates key reporting heuristics and evaluation recommendations:
- Always report metadata baselines alongside probe results for each injection surface, as confounds are surface-dependent.
- For visual overlays, diagnostic evaluation must include direct malicious-vs-control AUC with trajectory-bootstrap CIs, rather than clean-vs-attack alone.
- Disqualify semantic-content interpretation whenever metadata baseline saturates or direct control AUC includes chance.
- Avoid unqualified claims about probe-based malicious-content detection unless both artifact and nuisance controls are decisively resolved.
Practical and Theoretical Implications
Practically, the paper’s protocol delivers rigorous falsification criteria for probe evaluations; it demonstrates that without perfectly nuisance-matched control conditions, high AUC values are unreliable for semantic detection claims in multimodal agent security contexts. Theoretically, this work expands shortcut learning critique and control-task frameworks from NLP to multimodal agent environments, supporting generalization of probing-control methodology across input modalities.
The findings imply that evaluation of hidden-state probes for agent safety and adversarial prompt injection must be grounded not in headline metrics but in stratified control analysis, with careful separation of artifact-driven and semantic cues. The candidate protocol is likely to generalize across other modalities (audio amplitude, video duration), and future work will extend this methodology to additional benchmarks, agent backbones (32B scale), and live environment rollouts.
Conclusion
High-probe AUC on clean-vs-attack splits in multimodal agent hidden states cannot be interpreted as evidence of malicious-content detection without rigorous paired-control diagnostic analysis. The candidate protocol using scalar metadata baselines and same-step overlay controls, as illustrated for Qwen2.5-VL-7B/Mind2Web, exposes shortcut-driven separation and restricts substantive interpretation. Generalization to other agent architectures and benchmarks remains a conjecture, but methodological rigor demands adoption of multifaceted controls for all agent safety probe evaluations.