This work addresses the vulnerability of tool-augmented text-to-image agents, which can produce harmful outputs through multi-step tool orchestration—a threat inadequately mitigated by conventional prompt-only jailbreaking methods. The paper introduces OrchJail, a novel framework that identifies tool orchestration as an emergent attack surface. By analyzing successful jailbreak trajectories and their causal relationships with input prompts, OrchJail guides fuzzing efforts toward high-risk orchestration patterns. Integrating trajectory analysis, causal inference, and targeted fuzzing, the approach jointly optimizes prompts and tool chains to significantly enhance jailbreaking success rates and output image fidelity across multiple state-of-the-art agents, while reducing query overhead and maintaining robustness against common defensive mechanisms.

Tool-calling text-to-image (T2I) agents can plan and execute multi-step tool chains to accomplish complex generation and editing queries. However, this capability introduces a new safety attack surface: harmful outputs may arise from tool orchestration, where individually benign steps combine into unsafe results, making prompt-only jailbreak techniques insufficient. We present OrchJail, an orchestration-guided fuzzing framework for jailbreaking tool-calling T2I agents. Its core idea is to exploit high-risk tool-orchestration patterns: by learning from successful jailbreak tool-calling traces and their causal relationships to prompt wording, OrchJail directly guides the fuzzing search toward prompts that are more likely to trigger unsafe multi-step tool behaviors, rather than relying on surface-level textual perturbations. Extensive experiments demonstrate that OrchJail improves jailbreak effectiveness and efficiency across representative toolcalling T2I agents, achieving higher attack success rates, better image fidelity, and lower query costs, while remaining robust against common jailbreak defenses. Our work highlights tool orchestration as a critical, previously unexplored attack surface and provides a novel framework for uncovering safety risks in T2I agents.