Unicode/Encoding Bypass

Use Unicode homoglyphs, invisible characters, or encoding tricks to bypass input filters and inject instructions

Tactic

Initial Access (Stage 2)

Gain control over agent behavior through prompt manipulation or input exploitation

Attack Class

UNICODE-STEGO

Using invisible Unicode characters, homoglyphs, and encoding tricks to bypass filters

Evidence

observed

Confirmed in real-world production systems or internet-wide exposure assessments.

DVAA Validation

Reproductions in Damn Vulnerable AI Agent, the OpenA2A intentionally-broken agent for kill-chain validation.

token-smuggling-unicode

Honeypot Coverage (AgentPwn)

Liveprompt-injectionagentpwn.com/attacks/prompt-injection

An AgentPwn trap page produces a payload tagged with this technique class. Following the AgentPwn taxonomy of trap pages shows what an agent encounters.

Higher tiers include zero-width Unicode and base64 payloads.

Evidence Source Breakdown

HMA

5 records

Evidence Timeline

HMA

HMA check UNICODE-STEGO-001 failed on damn-vulnerable-ai-agent

Apr 22, 2026

HMA

HMA check UNICODE-STEGO-001 failed on langserve

Apr 13, 2026

HMA

HMA check UNICODE-STEGO-001 failed on jamubc/gemini-mcp-tool

Apr 9, 2026

HMA

HMA check UNICODE-STEGO-001 failed on API-200/api200

Apr 9, 2026

HMA

HMA check UNICODE-STEGO-001 failed on saidsurucu/borsa-mcp

Apr 9, 2026

Detection (HackMyAgent)

Live5 live · 0 queued

UNICODE-STEGO-001UNICODE-STEGO-002UNICODE-STEGO-003UNICODE-STEGO-004UNICODE-STEGO-005

npx hackmyagent secure --ciLive = check implemented in hackmyagent; queued = declared, not yet implemented

Defense (OASB Controls)

Live5 live · 0 queued

OASB 3.1 OASB 3.2 OASB 3.3 OASB 3.4 OASB 3.5

Live = documented at oasb.ai; queued = declared, not yet documented

How to Cite

AI Agent Threat Matrix T-2006 (Unicode/Encoding Bypass). OpenA2A, 2026. https://threats.opena2a.org/techniques/T-2006

← Back to Matrix