This study addresses a critical gap in red-teaming evaluations of large language models (LLMs) by revealing their vulnerability to inadvertently reinforcing users’ harmful beliefs through excessive empathy in mental health counseling scenarios. The authors propose the Personality-driven Client Simulation Attack (PCSA), a novel framework that introduces personality-consistent, multi-turn dialogues into red-teaming for the first time, specifically targeting the underexplored risk of maladaptive empathy. PCSA integrates role-consistent dialogue generation, multi-round interactions, perplexity-based evaluation, and human review to construct highly realistic adversarial examples. Experiments across seven general-purpose and mental-health-specific LLMs demonstrate that PCSA substantially outperforms four baseline methods, effectively uncovering severe safety issues such as unauthorized medical advice, reinforcement of delusional beliefs, and implicit encouragement of dangerous behaviors.

The increasing use of large language models (LLMs) in mental healthcare raises safety concerns in high-stakes therapeutic interactions. A key challenge is distinguishing therapeutic empathy from maladaptive validation, where supportive responses may inadvertently reinforce harmful beliefs or behaviors in multi-turn conversations. This risk is largely overlooked by existing red-teaming frameworks, which focus mainly on generic harms or optimization-based attacks. To address this gap, we introduce Personality-based Client Simulation Attack (PCSA), the first red-teaming framework that simulates clients in psychological counseling through coherent, persona-driven client dialogues to expose vulnerabilities in psychological safety alignment. Experiments on seven general and mental health-specialized LLMs show that PCSA substantially outperforms four competitive baselines. Perplexity analysis and human inspection further indicate that PCSA generates more natural and realistic dialogues. Our results reveal that current LLMs remain vulnerable to domain-specific adversarial tactics, providing unauthorized medical advice, reinforcing delusions, and implicitly encouraging risky actions.