Search papers, labs, and topics across Lattice.
This paper presents ANTAP (Automatic Non-Textual Agent Picker), a novel routing architecture for Multi-Agent Systems that eliminates reliance on unverified proxies by employing active capability testing to assess agent competencies. By dynamically querying agents, ANTAP creates a "linguistic firewall" that protects against metadata-based attacks, achieving near-zero attack success rates (ASR) against description-based injection attacks, a significant improvement over traditional methods. The results demonstrate that ANTAP not only enhances security but also maintains resilience against adaptive embedding attacks, marking a critical advancement in the robustness of agent routing mechanisms.
ANTAP achieves near-zero vulnerability to description-based attacks, fundamentally transforming how agents are evaluated and routed in multi-agent systems.
The rapid integration of Large Language Models (LLMs) has driven the evolution of Multi-Agent Systems (MAS), where specialized agents collaborate to execute complex workflows. Effective orchestration in these environments requires robust routing mechanisms to efficiently allocate tasks to the most suitable agent. However, existing routers fundamentally rely on unverified proxies, ranging from textual self-descriptions to static surrogate representations, to gauge an agent's competence. This reliance on non-empirical data creates a critical gap between an agent's projected profile and its actual operational capabilities, introducing severe security vulnerabilities. Malicious agents can easily misrepresent their proficiencies or harbor covert backdoors that evade both standard external analysis and static representation-learning techniques. In this work, we introduce ANTAP (Automatic Non-Textual Agent Picker), an evaluation-driven routing architecture that discards indirect proxies in favor of active capability testing. By dynamically querying agents to ascertain their true competencies empirically, ANTAP distills performance into fixed behavioral operators within a shared semantic space. At inference time, routing is performed via a purely non-textual algebraic projection, establishing a "linguistic firewall" that renders metadata-based attacks inexpressible. In our experiments, ANTAP achieves near-zero ASR against description-based injection attacks, compared to 67.3\% and above for the description-based router baseline. Against adaptive embedding attacks, ANTAP achieves substantially lower ASR than the embedding-based baseline, with a 20\% reduction, while remaining resilient to description manipulation by design.