πŸ”AI RiskAtlas
← Scenario library

The Picture That Whispered

A screenshot that's harmless at full size becomes an order once the system shrinks it

Technique first revealed 21 Aug 2025

Tool-Using Agent
[Diagram: Tool-Using Agent data flow. Trust zones: Untrusted, Agent core, Oversight, The real world. Inputs: goal, pasted image. Components: User, Orchestrator / Agent Loop, LLM, Identity & Permissions, Tool Runtime, Human Approval Gate, External APIs, Business Database, Untrusted Content, Audit Logging, Crafted image (benign at full size), Image downscaler, attacker.example. Edge legend: Instructions, Data, Actions, Control / decision, Feedback / logs.]
Setup (Step 1 / 6)

A screenshot to analyse

A user pastes a screenshot into the assistant and asks a perfectly ordinary question: 'What is in this picture?' The image looks normal: a chart, a UI, nothing odd. There is no trick in the words the user typed.

What the user types and pastes (prompt):

User: What is in this screenshot? Can you summarise the dashboard?
[attachment: dashboard_q3.png, 2048×1536, looks like a normal analytics screen]

(The typed prompt is entirely benign. Nothing in the text asks the model to do anything unusual.)
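The subtitle's point is that the model never sees the 2048×1536 file the user saw; it sees whatever the image downscaler hands it. The added example below (not part of the AI RiskAtlas page) shows, on a constructed 8×8 grayscale sample, how a nearest-neighbour resize can select pixels whose block averages are a flat mid-grey, and a simple pre-processing check a defender could run: compare the downscaler's output with an anti-aliased reference and flag uploads where the two diverge. The threshold and the `check_upload` name are assumptions for illustration.

```python
from typing import List

Image = List[List[int]]  # grayscale rows, values 0..255


def nearest_downscale(img: Image, factor: int) -> Image:
    """Nearest-neighbour: keep every `factor`-th row and column (a common fast resize)."""
    return [row[::factor] for row in img[::factor]]


def area_downscale(img: Image, factor: int) -> Image:
    """Anti-aliased reference: average each factor x factor block."""
    out = []
    for by in range(len(img) // factor):
        row = []
        for bx in range(len(img[0]) // factor):
            block = [img[by * factor + dy][bx * factor + dx]
                     for dy in range(factor) for dx in range(factor)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out


def aliasing_divergence(img: Image, factor: int) -> float:
    """Mean absolute difference (0..255) between what the model would see and the
    averaged reference; large values mean the sampler picks up content that the
    block averages (roughly what a viewer perceives at full size) do not carry."""
    a, b = nearest_downscale(img, factor), area_downscale(img, factor)
    diffs = [abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb)]
    return sum(diffs) / len(diffs)


def check_upload(img: Image, factor: int, threshold: float = 20.0) -> dict:
    """Illustrative pre-processing gate; the threshold is an assumed tuning value."""
    d = aliasing_divergence(img, factor)
    return {"divergence": d, "flagged": d > threshold}


# Constructed sample 1: every 2x2 block averages to exactly 128 (uniform grey), but
# the top-left pixel of each block, the one a factor-2 sampler keeps, follows a 4x4
# bit pattern at 200 while the other three pixels drop to 104 to compensate.
PATTERN = [[1, 0, 0, 1], [0, 1, 1, 0], [0, 1, 1, 0], [1, 0, 0, 1]]


def constructed_crafted_image() -> Image:
    img = [[128] * 8 for _ in range(8)]
    for by in range(4):
        for bx in range(4):
            if PATTERN[by][bx]:
                img[2 * by][2 * bx] = 200
                for dy, dx in ((0, 1), (1, 0), (1, 1)):
                    img[2 * by + dy][2 * bx + dx] = 104
    return img


def constructed_benign_image() -> Image:
    """Constructed sample 2: a smooth gradient, as ordinary screenshot content is."""
    return [[(x + y) * 4 for x in range(8)] for y in range(8)]
```

Running `check_upload(constructed_crafted_image(), 2)` flags the sample (divergence 36.0) while the gradient passes (4.0); a production gate would also log the downscaled image the model actually received, so the audit trail shows what was classified rather than what the user pasted.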

AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning, not operational guidance. Real-world cases are summarised from public reporting.

Sources & further reading → · Built by Shi Yuan ↗