
Image-based prompt injection: are your AI controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: Trail of Bits showed that malicious instructions hidden in images can survive resizing and trigger unintended tool calls in systems such as Gemini CLI and Google Assistant, including a proof of concept that exfiltrated Google Calendar data to an external address. The control problem is no longer text-only prompt injection, because multimodal inputs can weaponise trusted workflows without visible malware or obvious system alerts.

NHIMG editorial — based on content published by ZioSec: Anamorpher: How LLMs Are Compromised With An Image

By the numbers:

Questions worth separating out

Q: How should security teams handle image-based prompt injection in AI workflows?

A: Treat images as untrusted inputs, not passive media.

Q: Why do multimodal AI systems create more risk than text-only chatbots?

A: Multimodal systems expand the attack surface because hidden instructions can arrive through images, audio, or video and survive preprocessing.

Q: What breaks when AI tools trust user-uploaded images too much?

A: The trust boundary breaks down.

Practitioner guidance

  • Classify multimodal inputs as untrusted payloads: apply the same scrutiny to images, audio, and video that you already use for file uploads and external documents.
  • Separate interpretation from execution: keep the model’s reading of content distinct from its ability to send email, update calendars, or create tickets.
  • Instrument model-aware audit logging: log the original input, any preprocessing steps, the prompt context, and the resulting tool call so you can trace how a poisoned image became an action.
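The three controls above, shown together in one small gateway. This is an added example, not code from ZioSec, Trail of Bits, or NHIMG: the model only proposes tool calls; a separate policy layer decides whether each one runs, and every decision is written as an audit record that ties the input hash, preprocessing steps, and prompt context to the proposed action. The tool catalogue (`calendar.read`, `email.send`), the `TOOL_POLICY` table, the allowed domain, and the sample image bytes are all hypothetical and constructed for the demonstration.

```python
"""Added example (not code from ZioSec, Trail of Bits or NHIMG).

A gateway that keeps a multimodal model's *interpretation* of an input
separate from the *execution* of tool calls, and emits a model-aware
audit record per decision. Tool names, TOOL_POLICY and the allowed
domain are hypothetical.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Set

# Hypothetical tool catalogue. "high" sensitivity actions need an explicit
# human approval and, for outbound mail, a recipient in an allowed domain.
TOOL_POLICY: Dict[str, dict] = {
    "calendar.read": {"sensitivity": "low"},
    "email.send": {"sensitivity": "high", "allowed_domains": {"corp.example"}},
}


@dataclass
class ToolCall:
    name: str
    args: dict


@dataclass
class Decision:
    allowed: bool
    reason: str


def fingerprint(data: bytes) -> str:
    """Content hash so the exact bytes the model saw can be tied to an action."""
    return hashlib.sha256(data).hexdigest()


def evaluate(call: ToolCall, approved: bool = False) -> Decision:
    """Policy check for a tool call the model proposed; nothing here executes.

    Deny unknown tools by default, require human approval for
    high-sensitivity tools, and block outbound mail to recipients
    outside the allowed domains.
    """
    policy = TOOL_POLICY.get(call.name)
    if policy is None:
        return Decision(False, "unknown tool")
    if policy["sensitivity"] == "high" and not approved:
        return Decision(False, "high-sensitivity tool without human approval")
    if call.name == "email.send":
        recipient = str(call.args.get("to", ""))
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain not in policy["allowed_domains"]:
            return Decision(False, f"recipient domain {domain!r} not allowed")
    return Decision(True, "policy satisfied")


def gate_turn(image: bytes, preprocessing: List[str], prompt_context: str,
              proposed: List[ToolCall],
              approvals: Optional[Set[str]] = None) -> List[dict]:
    """Evaluate each proposed call and return one audit record per call.

    Each record links the original input (by hash), the preprocessing
    steps, the prompt context, the proposed call and the decision, which
    is what lets an analyst trace how a poisoned image became an action.
    """
    approvals = approvals or set()
    records = []
    for call in proposed:
        decision = evaluate(call, approved=call.name in approvals)
        records.append({
            "input_sha256": fingerprint(image),
            "preprocessing": preprocessing,
            "prompt_context": prompt_context,
            "tool_call": asdict(call),
            "allowed": decision.allowed,
            "reason": decision.reason,
        })
    return records


if __name__ == "__main__":
    # Constructed sample: an image the model read as instructions to fetch
    # the calendar and mail it to an address outside the organisation.
    sample_image = b"\x89PNG constructed placeholder bytes"
    calls = [
        ToolCall("calendar.read", {"range": "next_7_days"}),
        ToolCall("email.send", {"to": "collector@outside.example",
                                "body": "<calendar contents>"}),
    ]
    for rec in gate_turn(sample_image,
                         ["resize 1024x1024 -> 256x256 (bicubic)"],
                         "user asked: summarise this image", calls):
        print(json.dumps(rec))
```

Run as a script, the calendar read is allowed and the outbound email is denied, and both decisions are emitted as JSON lines that can be shipped to a SIEM alongside the preprocessing step that produced the downscaled image the model actually saw.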

What's in the full article

ZioSec's full blog post covers the operational detail this post intentionally leaves for the source:

  • The exact Anamorpher image-generation approach used to surface hidden instructions during resizing.
  • The proof-of-concept workflow that caused Google Calendar data to be sent to an external email address.
  • The specific AI surfaces tested, including Gemini CLI, Vertex AI Studio, Google Assistant, and Gemini web.
  • The defensive ideas Trail of Bits discussed for previewing downscaled images and restricting sensitive actions.

👉 Read ZioSec's analysis of image-based prompt injection in AI workflows →
