Feed 0% source
AI/ML AI-generated

How Much Can We Trust LLM Search Agents? Measuring Endorsement Vulnerability to Web Content Manipulation

Generated by a local model (nvidia/Gemma-4-26B-A4B-NVFP4) from a scientific paper, claim-checked against the full text. Provenance is open by design.

Can We Trust the Synthesis?

LLM-based search agents are moving from returning links to providing actionable recommendations. Instead of a list of documents, these systems inspect web content. They then synthesize it into procedural guidance or product comparisons. However, this creates a critical vulnerability. If an attacker can manipulate the web content the agent reads, they can transform a fabricated claim into an endorsed recommendation.

Researchers have recently focused on "indirect prompt injection" (malicious instructions embedded in external content). This aims to hijack an LLM's behavior. But as search agents become the primary interface for high-stakes decisions in health, finance, and law, a more subtle threat emerges. It is not just about hijacking instructions. It is about corrupting the evidence the agent uses to build its judgment.

The endorsement corruption problem

The central question investigated by Chen et al. is whether LLM search agents can be coerced into endorsing specific, fabricated claims. This happens through the manipulation of web evidence. This is not a question of "jailbreaking" an agent to perform an illegal action. Instead, it asks if an agent's synthesized judgment can be steered toward a target. This target might be a specific brand or a medical supplement.

The authors focus on the concept of "endorsement." This is the moment an agent transforms retrieved content into a claim or recommendation. Users are expected to trust these outputs. This distinguishes their work from traditional RAG (Retrieval-Augmented Generation) poisoning. Traditional poisoning usually involves injecting data into a closed, indexed corpus. Here, the adversary operates on the open web. They leverage the mechanics of search engines and the way agents aggregate information from multiple sources.

Cracks in the instruction-centric view

Until now, much of the literature on LLM security has centered on the instruction layer. We have treated safety as a battle of prompts. We try to prevent a webpage from telling the model "ignore previous instructions and do X." This approach assumes that if a model can refuse a direct command, it is safe.

However, the SearchGEO framework demonstrates that this view ignores a massive surface: the evidence layer. As shown in, attackers do not need to issue a single imperative command.

Figure 2
Figure 2: Overview of SEARCHGEO. (a) Benign queries from four high-stakes domains. (b) A three-layer attack taxonomy (machine-layer 1A/1B, trust-signal 2A/2B, compound 3); the example shows Mode 2B replacing the top three returned results. (c) The search agent issues queries to a hybrid search proxy that returns either injected or clean results, with live fallback for off-cluster queries. The answer is scored on ASR, OSS, SS, and optionally FRR.

Instead, they can manipulate the perceived authority of a source. They can create a false sense of consensus across multiple pages. Or, they can build a citation chain (a sequence of sources referencing each other) to make a lie look like a verified fact. Previous research on GEO (Generative Engine Optimization) looked at how to make content visible to LLMs. The authors of this paper argue that the real danger lies in how that visibility translates into endorsement.

Investigating the SearchGEO framework

To measure this, the researchers developed SearchGEO. This is a controlled evaluation pipeline. It uses a hybrid search proxy to inject adversarial content into real-world search results. This allows them to isolate the causal effect of manipulation. They categorized attacks into a three-layer taxonomy. These include machine-layer discrepancies (like hiding text in HTML tags), trust-signal manipulations (like forging authority), and compound attacks that stack these elements.

The most striking part of the investigation is the "dose-response" probe on the Gemini-3-Flash backend. The authors varied the number of injected sources ($N$). They found that vulnerability is not driven by repetition. It is driven by the diversity of the sources. As seen in, repeating the same forged authority (Mode 2A) results in a flat success rate.

Figure 3
Figure 3: Attack success rate by the number of injected sources N on Gemini-3-Flash. Repeating the same source in Mode 2A remains approximately flat, whereas adding distinct corroborating sources in Modes 2B and 3 sharply increases endorsement corruption.

However, adding distinct corroborating sources (Modes 2B and 3) causes the Attack Success Rate (ASR) to climb. This confirms that agents are susceptible to the appearance of consensus.

Findings: Diversity drives corruption

The results reveal a massive disparity in how different backends handle adversarial evidence. The authors report that ASR ranges from 0.0% on Claude-Sonnet-4.6 to 31.4% on Gemini-3-Flash. On certain models, the vulnerability is extreme. For instance, the paper finds that Gemini-3-Flash reaches a 73% ASR when faced with Mode 2B (synthetic consensus) alone. This means the model is highly likely to recommend a fake target if it sees multiple fake sources agreeing.

Crucially, the paper argues that looking at ASR alone is incomplete. Researchers introduced the Output Shift Score (OSS) to measure "silent shifts." These are cases where the attack fails to trigger an explicit endorsement. Yet, the attack still successfully nudges the agent's answer toward the target. The authors report that in Mode 3 (compound attacks), 15.0% of cases with an ASR of 0 still exhibited a significant semantic shift ($\Delta$OSS $\ge$ 0.3). This means the agent's advice changed even without a direct recommendation. Furthermore, a "self-audit" diagnostic showed a gap in model awareness. Backends rated their own attack-shifted answers significantly higher in credibility than an external, blind auditor did. This suggests models are often blind to their own corruption.

Implications for agent architecture

These findings suggest that current prompt-level defenses are insufficient. The authors demonstrate that even OWASP-derived defense prompts can be ineffective. In some cases, they can actually amplify vulnerability depending on the backend. If these results generalize to retrieval-grounded systems, the implication is clear. Recommendation reliability must be treated as a first-class dimension of backend safety.

The paper implies a shift from instruction-layer security to architectural-layer security. Instead of just teaching a model to "not be tricked," developers may need new structures. These include provenance tracking (verifying the origin of data) and cross-source independence checks. Relying on an LLM's internal reasoning to spot a sophisticated consensus attack is a losing game.

One immediate follow-up for anyone building in this space: run a sensitivity analysis on your agent's "consensus threshold." Determine how many independent sources your system requires before it transitions from "mentioning an option" to "recommending a solution." Then, test that threshold against a multi-source injection.

Figures from the paper

Figure 1
Figure 1: Attack success rate (ASR) leaderboard across backends, with a skill-domain zoom-in revealing opposite failure modes among the most robust models.
Novelty
0.0/10
Overall
0.0/10
#research#LLM security#search agents#adversarial machine learning
How this was made
Generation

Model: nvidia/Gemma-4-26B-A4B-NVFP4
Persona: habr_engineer
Template: narrative_discovery
Refinement: 0
Pipeline: forge-1.1

Verification

Evaluator: nvidia/Gemma-4-26B-A4B-NVFP4
Score: 97% (passed)
Claims verified: 12 / 12

Translation

Model: nvidia/Gemma-4-26B-A4B-NVFP4

Hardware & cost

NVIDIA GB10 · 128 GB unified · NVFP4 · 100% local · $0 cloud
Tokens: 139,709
Wall-time: 440.5s
Tokens/s: 317.2

Related
Next up

Classroom Study Reveals Natural Language LLM Feedback Outperforms Test Case F...

7.6/10· 6 min