This work addresses the lack of a unified evaluation methodology for cascading injection attacks in multi-agent systems (MAS) driven by inter-agent trust. To this end, the paper introduces ACIArena, a novel framework that establishes the first multidimensional attack assessment paradigm encompassing external inputs, agent profiling, and message interactions, supporting six mainstream MAS implementations and 1,356 test cases. Through a systematic test suite, standardized MAS modeling, multi-scenario attack simulations, and cross-setting defense transfer analysis, the study demonstrates that robustness evaluations based solely on topological structure are insufficient. Effective defense requires nuanced role design and interaction control. Furthermore, it reveals that defense strategies developed in simplified environments often fail to generalize and may inadvertently introduce new vulnerabilities.

Collaboration and information sharing empower Multi-Agent Systems (MAS) but also introduce a critical security risk known as Agent Cascading Injection (ACI). In such attacks, a compromised agent exploits inter-agent trust to propagate malicious instructions, causing cascading failures across the system. However, existing studies consider only limited attack strategies and simplified MAS settings, limiting their generalizability and comprehensive evaluation. To bridge this gap, we introduce ACIArena, a unified framework for evaluating the robustness of MAS. ACIArena offers systematic evaluation suites spanning multiple attack surfaces (i.e., external inputs, agent profiles, inter-agent messages) and attack objectives (i.e., instruction hijacking, task disruption, information exfiltration). Specifically, ACIArena establishes a unified specification that jointly supports MAS construction and attack-defense modules. It covers six widely used MAS implementations and provides a benchmark of 1,356 test cases for systematically evaluating MAS robustness. Our benchmarking results show that evaluating MAS robustness solely through topology is insufficient; robust MAS require deliberate role design and controlled interaction patterns. Moreover, defenses developed in simplified environments often fail to transfer to real-world settings; narrowly scoped defenses may even introduce new vulnerabilities. ACIArena aims to provide a solid foundation for advancing deeper exploration of MAS design principles.