TRAP: Targeted Redirecting of Agentic Preferences

TL;DR

TRAP addresses cross-modal vulnerabilities in autonomous agents by performing semantic injections in the CLIP latent space via diffusion, without requiring access to model internals. It optimizes an embedding with a composite objective $L_{total} = \lambda_1 L_{sem} + \lambda_2 L_{dist} + \lambda_3 L_{LPIPS}$ to align with a positive prompt $e_{pos}$ while preserving distinctive identity features. Empirical results across diverse backbones and closed systems show high attack success and transferability, outperforming pixel-space baselines and other embedding-based attacks. These findings underscore the need for embedding- and semantic-level defenses to safeguard cross-modal decision-making in real-world deployments.

Abstract

Autonomous agentic AI systems powered by vision-language models (VLMs) are rapidly advancing toward real-world deployment, yet their cross-modal reasoning capabilities introduce new attack surfaces for adversarial manipulation that exploit semantic reasoning across modalities. Existing adversarial attacks typically rely on visible pixel perturbations or require privileged model or environment access, making them impractical for stealthy, real-world exploitation. We introduce TRAP, a novel generative adversarial framework that manipulates the agent's decision-making using diffusion-based semantic injections into the vision-language embedding space. Our method combines negative prompt-based degradation with positive semantic optimization, guided by a Siamese semantic network and layout-aware spatial masking. Without requiring access to model internals, TRAP produces visually natural images yet induces consistent selection biases in agentic AI systems. We evaluate TRAP on the Microsoft Common Objects in Context (COCO) dataset, building multi-candidate decision scenarios. Across these scenarios, TRAP consistently induces decision-level preference redirection on leading models, including LLaVA-34B, Gemma3, GPT-4o, and Mistral-3.2, significantly outperforming existing baselines such as SPSA, Bandit, and standard diffusion approaches. These findings expose a critical, generalized vulnerability: autonomous agents can be consistently misled through visually subtle, semantically-guided cross-modal manipulations. Overall, our results show the need for defense strategies beyond pixel-level robustness to address semantic vulnerabilities in cross-modal decision-making. The code for TRAP is accessible on GitHub at https://github.com/uiuc-focal-lab/TRAP.

Figures (4)

• Figure 1: Overview of the TRAP adversarial embedding optimization framework.
• Figure 2: Attack success rate under different sampling temperatures.
• Figure 3: Qualitative examples of successful attacks. Each row shows a user-facing scenario where the attacker modifies a target image (left) into an adversarial variant (second column), evaluated against three unmodified competitors (right).
• Figure 4: Qualitative results of the iterative image generation process. Each row begins with an original source image and a corresponding text prompt, followed by the generated outputs at iterations 1, 5, and 10. The examples demonstrate a range of transformations, from subtle refinement to significant stylistic alteration.