🤖 AI Summary
This work addresses the vulnerability of large language model (LLM) search agents to adversarial manipulation, wherein attacker-controlled web content may be erroneously treated as credible evidence, leading LLMs to endorse harmful claims. To systematically evaluate this risk, the authors propose SearchGEO, a novel evaluation framework that introduces recommendation reliability as a core dimension of LLM backend safety. SearchGEO establishes a controlled and reproducible paradigm for assessing endorsement vulnerabilities through an integrated pipeline comprising web evidence manipulation, five adversarial attack patterns, multi-level output metrics, and auxiliary skill probes—such as command conversion. Evaluations across 13 mainstream LLMs on 308 cases reveal attack success rates ranging from 0.0% (Claude-Sonnet-4.6) to 31.4% (Gemini-3-Flash), with substantial response variation even among models of similar architecture; auxiliary probes further indicate that Claude tends toward excessive refusal, whereas GPT models exhibit undue trust.
📝 Abstract
Large language model (LLM)-based search agents synthesize open-web content into actionable recommendations on behalf of users, creating a risk that attacker-published pages are transformed into endorsed claims. We introduce SearchGEO, a controlled evaluation framework for measuring endorsement corruption in LLM-based web-search agents, combining a web-evidence manipulation pipeline, a five-mode attack taxonomy, and multiple output-level metrics. We evaluate 13 LLM backends on 308 cases each. Results show that vulnerability patterns vary across backends: overall attack success rate (ASR) ranges from 0.0% on Claude-Sonnet-4.6 to 31.4% on Gemini-3-Flash, the strongest attack mode differs by model family, and the same deployment scaffold could amplify or decrease ASR on different backends. An auxiliary agent-skill probe, where endorsement becomes an install command, exposes a sharp split among otherwise robust backends: Claude over-rejects while GPT over-trusts. These findings argue for treating recommendation reliability under adversarial search content as a first-class dimension of backend safety evaluation.