The authors show that multi-agent LLM systems with planner-executor architectures are vulnerable to workflow steering attacks: adversaries can craft prompts that manipulate how the planner organizes subtasks, roles, and routing paths, amplifying malicious signals through the agent network. They introduce FlowSteer, a prompt-only attack that achieves up to 55% higher attack success by positioning malicious content in influential workflow slots and exploiting sycophantic (overly-agreeable) downstream behavior, plus FlowGuard, an input-side defense that reduces attack success by up to 34%.
Main takeaways:
- Multi-agent planners that convert prompts into workflows create a new attack surface: adversaries can shape agent coordination structures through carefully crafted inputs alone, without touching infrastructure.
- Two key vulnerabilities emerge: workflow position amplifies or suppresses malicious signals, and sycophantic framing makes downstream agents more likely to propagate harmful content.
- FlowSteer translates these insights into a black-box attack that works across different multi-agent setups and even when the attacker doesn't know the full topology.
- Defenses that only inspect the generated workflow (after planning) provide limited protection, because the attack biases the planning signals themselves.
- FlowGuard operates on the input side, filtering prompts before they reach the planner, and preserves most benign prompt utility.