Can We Trust the Synthesis?
LLM-based search agents are moving from returning links to providing actionable recommendations. Instead of a list of documents, these systems inspect web content. They then synthesize it into procedural guidance or product comparisons. However, this creates a critical vulnerability. If an attacker can manipulate the web content the agent reads, they can transform a fabricated claim into an endorsed recommendation.
Researchers have recently focused on "indirect prompt injection" (malicious instructions embedded in external content). This aims to hijack an LLM's behavior. But as search agents become the primary interface for high-stakes decisions in health, finance, and law, a more subtle threat emerges. It is not just about hijacking instructions. It is about corrupting the evidence the agent uses to build its judgment.
The endorsement corruption problem
The central question investigated by Chen et al. is whether LLM search agents can be coerced into endorsing specific, fabricated claims. This happens through the manipulation of web evidence. This is not a question of "jailbreaking" an agent to perform an illegal action. Instead, it asks if an agent's synthesized judgment can be steered toward a target. This target might be a specific brand or a medical supplement.
The authors focus on the concept of "endorsement." This is the moment an agent transforms retrieved content into a claim or recommendation. Users are expected to trust these outputs. This distinguishes their work from traditional RAG (Retrieval-Augmented Generation) poisoning. Traditional poisoning usually involves injecting data into a closed, indexed corpus. Here, the adversary operates on the open web. They leverage the mechanics of search engines and the way agents aggregate information from multiple sources.
Cracks in the instruction-centric view
Until now, much of the literature on LLM security has centered on the instruction layer. We have treated safety as a battle of prompts. We try to prevent a webpage from telling the model "ignore previous instructions and do X." This approach assumes that if a model can refuse a direct command, it is safe.
However, the SearchGEO framework demonstrates that this view ignores a massive surface: the evidence layer. As shown in, attackers do not need to issue a single imperative command.
Instead, they can manipulate the perceived authority of a source. They can create a false sense of consensus across multiple pages. Or, they can build a citation chain (a sequence of sources referencing each other) to make a lie look like a verified fact. Previous research on GEO (Generative Engine Optimization) looked at how to make content visible to LLMs. The authors of this paper argue that the real danger lies in how that visibility translates into endorsement.
Investigating the SearchGEO framework
To measure this, the researchers developed SearchGEO. This is a controlled evaluation pipeline. It uses a hybrid search proxy to inject adversarial content into real-world search results. This allows them to isolate the causal effect of manipulation. They categorized attacks into a three-layer taxonomy. These include machine-layer discrepancies (like hiding text in HTML tags), trust-signal manipulations (like forging authority), and compound attacks that stack these elements.
The most striking part of the investigation is the "dose-response" probe on the Gemini-3-Flash backend. The authors varied the number of injected sources ($N$). They found that vulnerability is not driven by repetition. It is driven by the diversity of the sources. As seen in, repeating the same forged authority (Mode 2A) results in a flat success rate.
However, adding distinct corroborating sources (Modes 2B and 3) causes the Attack Success Rate (ASR) to climb. This confirms that agents are susceptible to the appearance of consensus.
Findings: Diversity drives corruption
The results reveal a massive disparity in how different backends handle adversarial evidence. The authors report that ASR ranges from 0.0% on Claude-Sonnet-4.6 to 31.4% on Gemini-3-Flash. On certain models, the vulnerability is extreme. For instance, the paper finds that Gemini-3-Flash reaches a 73% ASR when faced with Mode 2B (synthetic consensus) alone. This means the model is highly likely to recommend a fake target if it sees multiple fake sources agreeing.
Crucially, the paper argues that looking at ASR alone is incomplete. Researchers introduced the Output Shift Score (OSS) to measure "silent shifts." These are cases where the attack fails to trigger an explicit endorsement. Yet, the attack still successfully nudges the agent's answer toward the target. The authors report that in Mode 3 (compound attacks), 15.0% of cases with an ASR of 0 still exhibited a significant semantic shift ($\Delta$OSS $\ge$ 0.3). This means the agent's advice changed even without a direct recommendation. Furthermore, a "self-audit" diagnostic showed a gap in model awareness. Backends rated their own attack-shifted answers significantly higher in credibility than an external, blind auditor did. This suggests models are often blind to their own corruption.
Implications for agent architecture
These findings suggest that current prompt-level defenses are insufficient. The authors demonstrate that even OWASP-derived defense prompts can be ineffective. In some cases, they can actually amplify vulnerability depending on the backend. If these results generalize to retrieval-grounded systems, the implication is clear. Recommendation reliability must be treated as a first-class dimension of backend safety.
The paper implies a shift from instruction-layer security to architectural-layer security. Instead of just teaching a model to "not be tricked," developers may need new structures. These include provenance tracking (verifying the origin of data) and cross-source independence checks. Relying on an LLM's internal reasoning to spot a sophisticated consensus attack is a losing game.
One immediate follow-up for anyone building in this space: run a sensitivity analysis on your agent's "consensus threshold." Determine how many independent sources your system requires before it transitions from "mentioning an option" to "recommending a solution." Then, test that threshold against a multi-source injection.
Figures from the paper
How this was made
Model: nvidia/Gemma-4-26B-A4B-NVFP4
Persona: habr_engineer
Template: narrative_discovery
Refinement: 0
Pipeline: forge-1.1
Evaluator: nvidia/Gemma-4-26B-A4B-NVFP4
Score: 97% (passed)
Claims verified: 12 / 12
Model: nvidia/Gemma-4-26B-A4B-NVFP4
NVIDIA GB10 · 128 GB unified · NVFP4 · 100% local · $0 cloud
Tokens: 139,709
Wall-time: 440.5s
Tokens/s: 317.2