Pith. sign in

REVIEW 3 major objections 6 minor 91 references

Coordinated adversarial documents can hijack a deep research agent's planning loop, turning local retrieval injection into report-level contamination.

Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →

T0 review · grok-4.5

2026-07-11 14:38 UTC pith:JH72DAX6

load-bearing objection Solid planning-layer attack paper with a real transplant isolation and a useful defense; Network numbers are an offline upper bound, not a live-web guarantee. the 3 major comments →

arxiv 2607.04718 v1 pith:JH72DAX6 submitted 2026-07-06 cs.AI

FORGE: Research-Trajectory Hijacking Attacks on Deep Research Agents

classification cs.AI
keywords deep research agentsplanning-layer poisoningretrieval-augmented generationadversarial documentsreport contaminationsubtask hijackingRoot Query AnchoringPRISM metric
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Deep research agents break open-ended questions into subtasks, retrieve evidence over multiple rounds, and synthesize long reports. That recursive plan–retrieve–synthesize loop creates a planning-layer attack surface: documents that enter early retrieval can steer which follow-up questions the agent asks next, so a local injection compounds into report-level contamination. The paper introduces FORGE, a two-level attack that fabricates an internal reasoning chain inside each adversarial document and coordinates those documents into a convergent multi-source argument, plus PRISM, a metric that weights infected report claims by cognitive type rather than binary success. Across 25 queries, five network-injected FORGE documents reach 26.4% PRISM and show depth migration, in which deeper recursion shifts poisoned framing into factual premises. Root Query Anchoring, which re-ties recursive follow-ups to the original root query, cuts PRISM from 38.5% to 18.3% on a defense subset while raising report utility.

Core claim

Because deep research agents couple retrieval to planning, adversarial documents that enter the initial retrieval pool can hijack subtask generation and convert local injection into report-level contamination. FORGE achieves this by combining intra-document fabricated reasoning chains with inter-document argument coordination; measured by PRISM, Network FORGE reaches 26.4% at five injected documents across 25 queries. A transplant experiment shows the poisoned subtask list—not extra poisoned evidence under a fixed plan—is the dominant amplification channel. Root Query Anchoring reduces PRISM from 38.5% to 18.3% while improving utility, showing that constraining planning drift closes much of

What carries the argument

FORGE: a two-level poisoning construction in which each adversarial document embeds a fabricated local reasoning chain ending in an assigned claim, and the full set is organized as a distributed argument chain so the documents read as convergent multi-source evidence and steer planner subtasks toward the target narrative. PRISM scores report harm as the weight-share of infected claims across five cognitive types (factual through framing). The planning-layer transplant isolates subtask hijacking as the decisive channel.

Load-bearing premise

The offline network simulation—dropping adversarial documents into an API-returned pool and reranking with a simple BM25-plus-embedding score—faithfully bounds real web competition, including domain authority, freshness, and anti-spam filters.

What would settle it

Seed the same five FORGE documents into a live search index under realistic ranking (domain authority, freshness, spam filters) on the paper’s 25 queries; if produced reports stay near the no-attack PRISM baseline while the offline reranker still reports high PRISM, the network attack claim as stated fails.

Watch this falsifier — get emailed when new claim-graph text bears on it.

If this is right

  • Defenses that only filter retrieval or sanitize outputs leave the planning channel open and will not stop report-level contamination.
  • Greater research depth can make poisoning less visible by migrating framing into factual premises, so deeper agents are not automatically safer.
  • Report-level harm metrics must weight claim type; binary attack-success rates understate high-influence causal and framing contamination.
  • Re-anchoring recursive planning to the root query can cut planning-layer poisoning without retraining or retrieval classifiers.
  • Topics that invite causal interpretation or broad framing are more vulnerable than structured comparison tasks.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same planning-layer hijack likely applies to any multi-hop agent that lets intermediate evidence rewrite the next tool-use or sub-goal list, not only research-report agents.
  • Live deployment would force attackers to survive domain authority and anti-spam ranking, so real-world PRISM may be lower unless adversaries also control high-authority sources.
  • Pairing Root Query Anchoring with retrieval-time filters would close both channels an adaptive attacker would exploit once planning alone is constrained.
  • Human-supervised document construction currently limits attacker scale; fully automated FORGE pipelines would change the economics the paper deliberately withholds.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

3 major / 6 minor

Summary. The paper argues that deep research agents expose a planning-layer poisoning surface: adversarial documents that enter early retrieval can hijack subtask generation and compound into report-level contamination. It introduces FORGE, a two-level attack combining intra-document fabricated reasoning chains with inter-document argument coordination; PRISM, a weighted claim-infection metric over five cognitive types; and Root Query Anchoring (RQA), which re-conditions recursive subtask generation on the root query. Empirically, on gpt-researcher across 25 queries, Network FORGE reaches 26.4% PRISM at j=5, shows depth migration from framing into factual claims, and a 2×2 transplant (Fig. 4) attributes most of the gain to the poisoned subtask list rather than extra retrieval injection under a fixed plan. On a 10-query subset, RQA cuts PRISM from 38.5% to 18.3% while raising RACE utility from 0.5000 to 0.6173, with supporting ablations, baselines, human validation of the evaluator, and cross-framework checks.

Significance. If the results hold under the stated threat model, the paper identifies a genuine and under-studied failure mode for multi-round research agents: epistemic corruption of planning rather than single-hop RAG answer corruption or action hijacking. Strengths include a clear threat model, a structured attack construction, a severity metric with human spot-checks (Appendix C: 92.7% claim-type agreement; 94.7% infection-label agreement), a causal transplant isolating the planning channel (Fig. 4), ablations against PoisonedRAG/AuthChain and structural variants B1/B2 (Table 3), a defense that improves utility rather than only reducing attack success (Table 4), careful dual-use handling (restricted attack artifacts), and released evaluation/defense-oriented code. These make the work useful for both agent security and system design even if absolute Network PRISM is treated as an upper bound.

major comments (3)
  1. §6.1 and Eq. (1): Headline Network results (abstract; Fig. 2: 26.4% PRISM at j=5) and the causal transplant (Fig. 4) both depend on the same offline pool—m API documents plus j adversaries, reranked by α=0.4 BM25 + embedding cosine, top-m only. Limitations §9 correctly call this an upper bound omitting domain authority, freshness, and anti-spam, but the abstract and §7.2 present the planning-dominance claim without that qualifier. If live ranking systematically demotes coordinated chains, both absolute Network PRISM and the transplant’s “subtask list is the dominant channel” finding can shrink together. Please either (i) add sensitivity over α, pool size m, and simple authority/freshness proxies, or (ii) reframe abstract/main claims so Local mechanism + upper-bound Network are clearly separated, and state that Fig. 4 is conditional on the simulated admit rate.
  2. §5, Eq. (6) and Table 1: PRISM’s primary reported severities (26.4%, 38.5%, defense deltas) use uncalibrated weights 4–8. Appendix D shows ordinal stability across schemes, which is good, but main-text tables and the abstract still lead with weighted PRISM alone. Because causal/framing types (weights 7–8) are exactly where FORGE concentrates (Table 3), absolute PRISM can overstate severity relative to unweighted infection. Report unweighted ASR (and ideally macro-avg) alongside PRISM in Fig. 2, Table 2, Table 3, and Table 4, and state explicitly that weights are a design choice pending human-perception calibration (§9).
  3. §7.3 / Table 4 vs §6.2: Attack scaling and depth results use 25 queries; defense and baseline comparisons use a stratified 10-query subset where FORGE already scores 38.5% PRISM—well above the 26.4% full-set Network figure. That selection inflates the apparent absolute defense problem and makes RQA’s −20.2 point drop hard to compare to the main attack curve. Either run RQA (and the main baselines) on the full 25-query Network j=5 setting, or justify the subset statistically and report full-set RQA PRISM/utility as the primary defense result.
minor comments (6)
  1. Fig. 3: Depth migration is central; add error bars or per-query variance and state whether the framing→factual shift is significant, not only visual.
  2. Table 2 / Appendix H: Category names are clear, but list the five concrete queries per category (or a representative example) in the main text or appendix so readers can assess narrative construction difficulty.
  3. §4.3 Eq. (4): The notation t̂ ∼ V is informal; define the operational criterion used to mark a subtask as V-aligned in the transplant and pipeline metrics (Appendix F).
  4. Appendix E: Cross-framework absolute PRISM is much lower (Perplexica 7.5%, DeerFlow 15.9%). A short main-text sentence should caution against portability of the 26.4% figure across retrieval architectures (already noted in §9).
  5. Typographical consistency: “PRISMmetric” / “FORGE(Fabricated…” spacing in the abstract; “o4-mini” vs model naming elsewhere; ensure arXiv ID / code URL formatting is uniform.
  6. §2.2: PoisonedRAG and AuthChain are compared under Network j=5 on the 10-query subset only; note whether their documents were optimized for the same retriever (Eq. 1) as FORGE to keep the comparison fair.

Circularity Check

0 steps flagged

Empirical security paper with independent attack construction, metric, and transplant design; no derivation reduces to its inputs by construction.

full rationale

FORGE is a constructive attack (intra-document reasoning chains plus inter-document coordination) evaluated by measuring report contamination, not a first-principles derivation. PRISM is defined separately as a weighted fraction of infected report claims over five cognitive types (Eq. 6), with claim extraction and infection matching performed by an external evaluator and human-validated (Appendix C: 92.7% type agreement; 94.7% infection agreement). Weights (4–8) are explicitly design choices, and Appendix D shows ordinal attack rankings are stable under unweighted, macro-avg, exponential, log-damped, and inverse-frequency alternatives—so the metric is not FORGE success by definition. The 2×2 transplant (Fig. 4) holds the subtask list fixed while varying retrieval injection (and vice versa); the asymmetric PRISM gains are measured outcomes, not forced by the construction equations. Baselines (PoisonedRAG, AuthChain) and ablations (B1, B2) are external comparisons under the same pipeline. No self-citation uniqueness theorem, fitted parameter renamed as prediction, or ansatz smuggled via author-overlap citation carries the central claim. Network-simulation fidelity is an external-validity concern (Limitations §9), not circularity.

Axiom & Free-Parameter Ledger

4 free parameters · 4 axioms · 3 invented entities

Central empirical claims rest on design choices for retrieval scoring, PRISM taxonomy/weights, LLM evaluators, and offline Network simulation rather than free parameters fitted to maximize a physical constant. Invented entities are methodological constructs (FORGE chain, PRISM, RQA), not physical objects. The ledger records what a reader must accept to treat the reported PRISM percentages as real-world attack severity.

free parameters (4)
  • PRISM claim-type weights w(τ) = 4..8
    Linear weights for factual→framing are an uncalibrated design choice (§5.1, Table 1); they directly scale the headline PRISM percentages. Appendix D shows qualitative trends stable under alternatives, but absolute severity is weight-dependent.
  • Retrieval mix α = 0.4 (BM25 vs embedding cosine)
    Fixed in Eq. (1) and §6.1; controls how easily FORGE documents displace real web results in the simulated Network setting.
  • nr = 30 report claims extracted per report; 10 claims per poison document
    Fixed extraction budgets in §5.2 determine the PRISM numerator/denominator sampling; not derived from first principles.
  • Defense/ablation subset size (10 stratified queries)
    Table 3/4 headline 38.5%→18.3% uses a 10-query subset where attack strength is higher than the 25-query Network average (26.4%); subset choice affects reported defense effect size.
axioms (4)
  • domain assumption Deep research agents follow a recursive plan–retrieve–synthesize loop in which early retrieved evidence can reshape subsequent subtasks (Shi et al. 2025 workflow model).
    Threat model and attack surface in §3.1 depend on this coupling; if a system plans without conditioning on retrieved evidence, FORGE’s planning hijack path collapses.
  • domain assumption Semantic match of report claims to poison claims by an LLM evaluator (Gemini-3.1-Flash-Lite), without a similarity threshold, is a valid infection detector.
    PRISM computation §5.2; human validation in Appendix C supports usability but residual boundary errors remain.
  • ad hoc to paper Offline injection into an API document pool plus BM25/embedding reranking is an upper-bound proxy for Network poisoning on the live web.
    Stated in Limitations §9; underpins Network PRISM as real-world relevance.
  • domain assumption Argumentative coherence and multi-source convergence increase synthesis model acceptance of false claims (Lawrence & Reed 2019; Entman 1993 framing).
    Motivates intra- and inter-document design in §4.1–4.2.
invented entities (3)
  • FORGE two-level adversarial document set (intra-document reasoning chain + inter-document chain C) no independent evidence
    purpose: Construct j documents that jointly steer planner subtasks toward target narrative V.
    Attack object defined in §4; independent evidence is the empirical PRISM/transplant results, not external physical confirmation.
  • PRISM (Poisoning Report Impact Severity Metric) no independent evidence
    purpose: Replace binary ASR with weighted claim-infection severity over five cognitive types.
    Defined in §5; validated partially by human agreement studies, not by reader-belief experiments.
  • Root Query Anchoring (RQA) no independent evidence
    purpose: Planning-layer defense that co-conditions recursive subtask/learning generation on root query q0.
    Introduced in §7.3; effectiveness is measured only inside the authors’ pipelines.

pith-pipeline@v1.1.0-grok45 · 26146 in / 3981 out tokens · 35836 ms · 2026-07-11T14:38:38.207610+00:00 · methodology

0 comments
read the original abstract

Deep research agents decompose open-ended queries into subtasks, retrieve web evidence over multiple rounds, and synthesize long-form reports. This workflow creates a planning-layer poisoning surface: adversarial documents that enter the retrieval pool can steer follow-up questions and turn a local injection into report-level contamination. We present FORGE (Fabricated Orchestrated Reasoning chain for aGent Exploitation), a two-level attack that combines intra-document reasoning fabrication with inter-document chain coordination to hijack subtask planning. We further introduce the PRISM metric, which weights infected report claims by cognitive type, and Root Query Anchoring, a lightweight defense that ties recursive follow-up generation to the root query. Across 25 queries, Network FORGE reaches 26.4% PRISM with five injected documents and exhibits depth migration, in which recursive synthesis shifts poisoned content from overt framing into factual premises. On the 10-query defense subset, RQA (Root Query Anchoring) reduces PRISM from 38.5% to 18.3%.

Figures

Figures reproduced from arXiv: 2607.04718 by Changhao Jia, Hongcheng Guo, Junxiang Lei, Qingyi Si, Yue Pan, Ziheng Zhang.

Figure 1
Figure 1. Figure 1: Overview of FORGE. The attack fabricates locally reasoned adversarial documents, links them into an [PITH_FULL_IMAGE:figures/full_fig_p004_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: PRISM (%) versus the number of injected FORGE documents j, averaged over 25 queries. Local poisoning rises quickly because it faces no competing evidence; Network poisoning rises later as the inter￾document chain assembles across subtasks. at j = 5. The key insight is that network poi￾soning behaves as a thresholded consensus prob￾lem: isolated adversarial documents are weak, but a coordinated retrieved ch… view at source ↗
Figure 3
Figure 3. Figure 3: Effect of research depth δ under Network FORGE (j = 3, averaged over 25 queries). Deeper runs shift contamination from framing toward factual claims while keeping overall PRISM elevated. reasoning. Baseline implementations closely fol￾low their public protocols. FORGE achieves 38.5% PRISM, substantially above PoisonedRAG (23.0%) and AuthChain (18.8%); the gap concentrates in the higher-weight causal (τC) a… view at source ↗
Figure 5
Figure 5. Figure 5: End-to-end trace of a FORGE attack and RQA defense on the commercial nuclear fusion query. The [PITH_FULL_IMAGE:figures/full_fig_p014_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Sensitivity of PRISM to alternative weighting [PITH_FULL_IMAGE:figures/full_fig_p017_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Sensitivity of PRISM to alternative weighting [PITH_FULL_IMAGE:figures/full_fig_p018_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Pipeline-level poisoning trends under the Net [PITH_FULL_IMAGE:figures/full_fig_p020_8.png] view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

91 extracted references · 3 canonical work pages

  1. [2]

    AgentTuning: Enabling Generalized Agent Abilities for

    Aohan Zeng and Mingdao Liu and Rui Lu and Bowen Wang and Xiao Liu and Yuxiao Dong and Jie Tang , booktitle =. AgentTuning: Enabling Generalized Agent Abilities for. 2024 , url =

  2. [3]

    Yujia Qin and Shihao Liang and Yining Ye and Kunlun Zhu and Lan Yan and Yaxi Lu and Yankai Lin and Xin Cong and Xiangru Tang and Bill Qian and Sihan Zhao and Lauren Hong and Runchu Tian and Ruobing Xie and Jie Zhou and Mark Gerstein and dahai li and Zhiyuan Liu and Maosong Sun , booktitle =. Tool. 2024 , doi =

  3. [5]

    arXiv preprint arXiv:2410.16950 , year =

    Breaking ReAct Agents: Foot-in-the-Door Attack Will Get You In , author =. arXiv preprint arXiv:2410.16950 , year =

  4. [6]

    2024 , doi =

    Xu, Chejian and Kang, Mintong and Zhang, Jiawei and Liao, Zeyi and Mo, Lingbo and Yuan, Mengqi and Sun, Huan and Li, Bo , journal =. 2024 , doi =

  5. [7]

    arXiv preprint arXiv:2303.08774 , year =

    GPT-4 Technical Report , author =. arXiv preprint arXiv:2303.08774 , year =

  6. [8]

    arXiv preprint arXiv:2309.07864 , year =

    The Rise and Potential of Large Language Model Based Agents: A Survey , author =. arXiv preprint arXiv:2309.07864 , year =

  7. [9]

    Yu , journal =

    Feng He and Tianqing Zhu and Dayong Ye and Bo Liu and Wanlei Zhou and Philip S. Yu , journal =. The Emerged Security and Privacy of. 2025 , volume =

  8. [11]

    arXiv preprint arXiv:2401.05459 , year =

    Personal LLM Agents: Insights and Survey about the Capability, Efficiency and Security , author =. arXiv preprint arXiv:2401.05459 , year =

  9. [12]

    ACM Transactions on Information Systems , year =

    A Survey on Hallucination in Large Language Models: Principles, Taxonomy, Challenges, and Open Questions , author =. ACM Transactions on Information Systems , year =

  10. [13]

    30th USENIX Security Symposium (USENIX Security 21) , year =

    You Autocomplete Me: Poisoning Vulnerabilities in Neural Code Completion , author =. 30th USENIX Security Symposium (USENIX Security 21) , year =

  11. [15]

    Be Careful about Poisoned Word Embeddings: Exploring the Vulnerability of the Embedding Layers in NLP Models

    Yang, Wenkai and Li, Lei and Zhang, Zhiyuan and Ren, Xuancheng and Sun, Xu and He, Bin. Be Careful about Poisoned Word Embeddings: Exploring the Vulnerability of the Embedding Layers in NLP Models. Proceedings of the 2021 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies. 2021. doi:10.18...

  12. [16]

    arXiv preprint arXiv:2406.07973 , year =

    Unique Security and Privacy Threats of Large Language Models: A Comprehensive Survey , author =. arXiv preprint arXiv:2406.07973 , year =

  13. [17]

    Watch Out for Your Agents! Investigating Backdoor Threats to

    Wenkai Yang and Xiaohan Bi and Yankai Lin and Sishuo Chen and Jie Zhou and Xu Sun , booktitle =. Watch Out for Your Agents! Investigating Backdoor Threats to. 2024 , doi =

  14. [19]

    Frontiers of Computer Science , year =

    A survey on large language model based autonomous agents , author =. Frontiers of Computer Science , year =

  15. [20]

    Advances in Neural Information Processing Systems , year =

    WebShop: Towards Scalable Real-World Web Interaction with Grounded Language Agents , author =. Advances in Neural Information Processing Systems , year =

  16. [21]

    arXiv preprint arXiv:2305.02412 , year =

    Plan, Eliminate, and Track -- Language Models are Good Teachers for Embodied Agents , author =. arXiv preprint arXiv:2305.02412 , year =

  17. [23]

    arXiv preprint arXiv:2306.02224 , year =

    Auto-GPT for Online Decision Making: Benchmarks and Additional Opinions , author =. arXiv preprint arXiv:2306.02224 , year =

  18. [24]

    C hat D ev: Communicative Agents for Software Development

    Qian, Chen and Liu, Wei and Liu, Hongzhang and Chen, Nuo and Dang, Yufan and Li, Jiahao and Yang, Cheng and Chen, Weize and Su, Yusheng and Cong, Xin and Xu, Juyuan and Li, Dahai and Liu, Zhiyuan and Sun, Maosong. C hat D ev: Communicative Agents for Software Development. Proceedings of the 62nd Annual Meeting of the Association for Computational Linguist...

  19. [25]

    Proceedings of the 36th Annual ACM Symposium on User Interface Software and Technology , year =

    Generative Agents: Interactive Simulacra of Human Behavior , author =. Proceedings of the 36th Annual ACM Symposium on User Interface Software and Technology , year =

  20. [26]

    IEEE Transactions on Pattern Analysis and Machine Intelligence , year =

    Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses , author =. IEEE Transactions on Pattern Analysis and Machine Intelligence , year =

  21. [27]

    arXiv preprint arXiv:1708.06733 , year =

    BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain , author =. arXiv preprint arXiv:1708.06733 , year =

  22. [28]

    arXiv preprint arXiv:2007.10760 , year =

    Backdoor Attacks and Countermeasures on Deep Learning: A Comprehensive Review , author =. arXiv preprint arXiv:2007.10760 , year =

  23. [33]

    The Twelfth International Conference on Learning Representations , year =

    BadEdit: Backdooring Large Language Models by Model Editing , author =. The Twelfth International Conference on Learning Representations , year =. doi:10.48550/arXiv.2403.13355 , url =

  24. [34]

    TrustAgent: Towards Safe and Trustworthy

    Wenyue Hua and Xianjun Yang and Mingyu Jin and Zelong Li and Wei Cheng and Ruixiang Tang and Yongfeng Zhang , booktitle =. TrustAgent: Towards Safe and Trustworthy. 2024 , doi =

  25. [35]

    2021 , doi =

    Mohit Shridhar and Xingdi Yuan and Marc-Alexandre Cote and Yonatan Bisk and Adam Trischler and Matthew Hausknecht , booktitle =. 2021 , doi =

  26. [37]

    arXiv preprint arXiv:2412.19437 , year =

    DeepSeek-V3 Technical Report , author =. arXiv preprint arXiv:2412.19437 , year =

  27. [38]

    arXiv preprint arXiv:2412.15115 , year =

    Qwen2.5 Technical Report , author =. arXiv preprint arXiv:2412.15115 , year =

  28. [39]

    2024 , url =

    Hello GPT-4o , author =. 2024 , url =

  29. [41]

    Elovic, Assaf , year =

  30. [42]

    2025 , url =

    Introducing Deep Research , author =. 2025 , url =

  31. [44]

    The Probabilistic Relevance Framework:

    Robertson, Stephen and Zaragoza, Hugo , journal =. The Probabilistic Relevance Framework:. 2009 , volume =

  32. [45]

    New Embedding Models and

    OpenAI , year =. New Embedding Models and

  33. [46]

    2025 , url =

    Zou, Wei and Geng, Runpeng and Wang, Binghui and Jia, Jinyuan , booktitle =. 2025 , url =

  34. [48]

    Introducing

    OpenAI , year =. Introducing

  35. [49]

    2026 , url =

    Gemini 3.1 Flash-Lite Preview , author =. 2026 , url =

  36. [50]

    Journal of Communication , year =

    Framing: Toward Clarification of a Fractured Paradigm , author =. Journal of Communication , year =

  37. [51]

    Psychological Science in the Public Interest , year =

    Misinformation and Its Correction: Continued Influence and Successful Debiasing , author =. Psychological Science in the Public Interest , year =

  38. [52]

    Argument Mining:

    Lawrence, John and Reed, Chris , journal =. Argument Mining:. 2019 , volume =

  39. [53]

    Not what you've signed up for:

    Greshake, Kai and Abdelnabi, Sahar and Mishra, Shailesh and Endres, Christoph and Holz, Thorsten and Fritz, Mario , journal =. Not what you've signed up for:. 2023 , doi =

  40. [54]

    Findings of the Association for Computational Linguistics: EMNLP 2025 , year =

    One Shot Dominance: Knowledge Poisoning Attack on Retrieval-Augmented Generation Systems , author =. Findings of the Association for Computational Linguistics: EMNLP 2025 , year =

  41. [55]

    arXiv preprint arXiv:2309.00614 , year =

    Baseline Defenses for Adversarial Attacks Against Aligned Language Models , author =. arXiv preprint arXiv:2309.00614 , year =

  42. [56]

    arXiv preprint arXiv:2308.14132 , year =

    Detecting Language Model Attacks with Perplexity , author =. arXiv preprint arXiv:2308.14132 , year =

  43. [57]

    2025 , doi =

    Du, Mingxuan and Xu, Benfeng and Zhu, Chiwei and Wang, Xiaorui and Mao, Zhendong , journal =. 2025 , doi =

  44. [58]

    arXiv preprint arXiv:2512.02038 , year =

    Deep Research: A Systematic Survey , author =. arXiv preprint arXiv:2512.02038 , year =

  45. [59]

    Gabriel Alon and Michael Kamfonas. 2023. https://doi.org/10.48550/arXiv.2308.14132 Detecting language model attacks with perplexity . arXiv preprint arXiv:2308.14132

  46. [60]

    ByteDance . 2025. https://github.com/bytedance/deer-flow DeerFlow : An open-source long-horizon superagent harness . GitHub repository

  47. [61]

    Zhiyuan Chang, Mingyang Li, Xiaojun Jia, Junjie Wang, Yuekai Huang, Ziyou Jiang, Yang Liu, and Qing Wang. 2025. https://doi.org/10.18653/v1/2025.findings-emnlp.1023 One shot dominance: Knowledge poisoning attack on retrieval-augmented generation systems . In Findings of the Association for Computational Linguistics: EMNLP 2025, pages 18811--18825

  48. [62]

    Xiaoyi Chen, Ahmed Salem, Dingfan Chen, Michael Backes, Shiqing Ma, Qingni Shen, Zhonghai Wu, and Yang Zhang. 2021. https://doi.org/10.1145/3485832.3485837 Bad NL : Backdoor attacks against NLP models with semantic-preserving improvements . In Annual Computer Security Applications Conference (ACSAC), pages 554--569

  49. [63]

    Google DeepMind. 2026. https://ai.google.dev/gemini-api/docs/models/gemini-3.1-flash-lite-preview Gemini 3.1 flash-lite preview . Gemini API documentation

  50. [64]

    Xiang Deng, Yu Gu, Boyuan Zheng, Shijie Chen, Sam Stevens, Boshi Wang, Huan Sun, and Yu Su. 2023. https://doi.org/10.48550/arXiv.2306.06070 Mind2web: Towards a generalist agent for the web . In Advances in Neural Information Processing Systems, volume 36, pages 28091--28114

  51. [65]

    Mingxuan Du, Benfeng Xu, Chiwei Zhu, Xiaorui Wang, and Zhendong Mao. 2025. https://doi.org/10.48550/arXiv.2506.11763 DeepResearch Bench : A comprehensive benchmark for deep research agents . arXiv preprint arXiv:2506.11763

  52. [66]

    Assaf Elovic. 2023. https://github.com/assafelovic/gpt-researcher GPT Researcher : LLM -based autonomous agent for web research . GitHub repository

  53. [67]

    Robert M. Entman. 1993. https://doi.org/10.1111/j.1460-2466.1993.tb01304.x Framing: Toward clarification of a fractured paradigm . Journal of Communication, 43(4):51--58

  54. [68]

    Yansong Gao, Bao Gia Doan, Zhi Zhang, Siqi Ma, Jiliang Zhang, Anmin Fu, Surya Nepal, and Hyoungshick Kim. 2020. https://doi.org/10.48550/arXiv.2007.10760 Backdoor attacks and countermeasures on deep learning: A comprehensive review . arXiv preprint arXiv:2007.10760

  55. [69]

    Micah Goldblum, Dimitris Tsipras, Chulin Xie, Xinyun Chen, Avi Schwarzschild, Dawn Song, Aleksander Madry, Bo Li, and Tom Goldstein. 2023. https://doi.org/10.1109/TPAMI.2022.3162397 Dataset security for machine learning: Data poisoning, backdoor attacks, and defenses . IEEE Transactions on Pattern Analysis and Machine Intelligence, 45(2):1563--1580

  56. [70]

    Kai Greshake, Sahar Abdelnabi, Shailesh Mishra, Christoph Endres, Thorsten Holz, and Mario Fritz. 2023. https://doi.org/10.48550/arXiv.2302.12173 Not what you've signed up for: Compromising real-world LLM -integrated applications with indirect prompt injection . arXiv preprint arXiv:2302.12173

  57. [71]

    Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg. 2019. https://doi.org/10.48550/arXiv.1708.06733 Badnets: Identifying vulnerabilities in the machine learning model supply chain . arXiv preprint arXiv:1708.06733

  58. [72]

    Feng He, Tianqing Zhu, Dayong Ye, Bo Liu, Wanlei Zhou, and Philip S. Yu. 2025. https://doi.org/10.1145/3773080 The emerged security and privacy of LLM agent: A survey with case studies . ACM Computing Surveys, 58(6)

  59. [73]

    ItzCrazyKns . 2024. https://github.com/ItzCrazyKns/Perplexica Vane (formerly Perplexica ): An ai-powered answering engine . GitHub repository

  60. [74]

    Neel Jain, Avi Schwarzschild, Yuxin Wen, Gowthami Somepalli, John Kirchenbauer, Ping-yeh Chiang, Micah Goldblum, Aniruddha Saha, Jonas Geiping, and Tom Goldstein. 2023. https://doi.org/10.48550/arXiv.2309.00614 Baseline defenses for adversarial attacks against aligned language models . arXiv preprint arXiv:2309.00614

  61. [75]

    Keita Kurita, Paul Michel, and Graham Neubig. 2020. https://doi.org/10.18653/v1/2020.acl-main.249 Weight poisoning attacks on pretrained models . In Proceedings of the 58th Annual Meeting of the Association for Computational Linguistics, pages 2793--2806

  62. [76]

    John Lawrence and Chris Reed. 2019. https://doi.org/10.1162/coli_a_00364 Argument mining: A survey . Computational Linguistics, 45(4):765--818

  63. [77]

    Stephan Lewandowsky, Ullrich K. H. Ecker, Colleen M. Seifert, Norbert Schwarz, and John Cook. 2012. https://doi.org/10.1177/1529100612451018 Misinformation and its correction: Continued influence and successful debiasing . Psychological Science in the Public Interest, 13(3):106--131

  64. [78]

    u ttler, Mike Lewis, Wen-tau Yih, Tim Rockt\

    Patrick Lewis, Ethan Perez, Aleksandra Piktus, Fabio Petroni, Vladimir Karpukhin, Naman Goyal, Heinrich K\" u ttler, Mike Lewis, Wen-tau Yih, Tim Rockt\" a schel, Sebastian Riedel, and Douwe Kiela. 2020. https://doi.org/10.48550/arXiv.2005.11401 Retrieval-augmented generation for knowledge-intensive NLP tasks . In Advances in Neural Information Processing...

  65. [79]

    Yuanchun Li, Hao Wen, Weijun Wang, Xiangyu Li, Yizhen Yuan, Guohong Liu, Jiacheng Liu, Wenxing Xu, Xiang Wang, Yi Sun, Rui Kong, Yile Wang, Hanfei Geng, Jian Luan, Xuefeng Jin, Zilong Ye, Guanjing Xiong, Fan Zhang, Xiang Li, and 6 others. 2024. https://doi.org/10.48550/arXiv.2401.05459 Personal llm agents: Insights and survey about the capability, efficie...

  66. [80]

    Vinod Muthusamy, Yara Rizk, Kiran Kate, Praveen Venkateswaran, Vatche Isahagian, Ashu Gulati, and Parijat Dube. 2023. https://doi.org/10.18653/v1/2023.findings-emnlp.461 Towards large language model-based personal agents in the enterprise: Current trends and open problems . In Findings of the Association for Computational Linguistics: EMNLP 2023, pages 6909--6921

  67. [81]

    Itay Nakash, George Kour, Guy Uziel, and Ateret Anaby-Tavor. 2024. https://doi.org/10.48550/arXiv.2410.16950 Breaking react agents: Foot-in-the-door attack will get you in . arXiv preprint arXiv:2410.16950

  68. [82]

    OpenAI. 2024 a . https://openai.com/index/gpt-4o-mini-advancing-cost-efficient-intelligence/ GPT-4o mini: Advancing cost-efficient intelligence . OpenAI announcement

  69. [83]

    OpenAI. 2024 b . https://openai.com/index/new-embedding-models-and-api-updates/ New embedding models and API updates . OpenAI announcement

  70. [84]

    OpenAI. 2025 a . https://openai.com/index/introducing-deep-research/ Introducing deep research . OpenAI announcement

  71. [85]

    OpenAI. 2025 b . https://openai.com/index/gpt-4-1/ Introducing GPT-4.1 . OpenAI announcement

  72. [86]

    OpenAI. 2025 c . https://openai.com/index/introducing-o3-and-o4-mini/ Introducing o3 and o4-mini . OpenAI announcement

  73. [87]

    Fanchao Qi, Mukai Li, Yangyi Chen, Zhengyan Zhang, Zhiyuan Liu, Yasheng Wang, and Maosong Sun. 2021. https://doi.org/10.18653/v1/2021.acl-long.37 Hidden killer: Invisible textual backdoor attacks with syntactic trigger . In Proceedings of the 59th Annual Meeting of the Association for Computational Linguistics and the 11th International Joint Conference o...

  74. [88]

    Yujia Qin, Shihao Liang, Yining Ye, Kunlun Zhu, Lan Yan, Yaxi Lu, Yankai Lin, Xin Cong, Xiangru Tang, Bill Qian, Sihan Zhao, Lauren Hong, Runchu Tian, Ruobing Xie, Jie Zhou, Mark Gerstein, dahai li, Zhiyuan Liu, and Maosong Sun. 2024. https://doi.org/10.48550/arXiv.2307.16789 Tool LLM : Facilitating large language models to master 16000+ real-world API s ...

  75. [89]

    Stephen Robertson and Hugo Zaragoza. 2009. https://doi.org/10.1561/1500000019 The probabilistic relevance framework: BM25 and beyond . Foundations and Trends in Information Retrieval, 3(4):333--389

  76. [90]

    Timo Schick, Jane Dwivedi-Yu, Roberto Dessi, Roberta Raileanu, Maria Lomeli, Eric Hambro, Luke Zettlemoyer, Nicola Cancedda, and Thomas Scialom. 2023. https://doi.org/10.48550/arXiv.2302.04761 Toolformer: Language models can teach themselves to use tools . In Advances in Neural Information Processing Systems, volume 36, pages 68539--68551

  77. [91]

    Yongliang Shen, Kaitao Song, Xu Tan, Dongsheng Li, Weiming Lu, and Yueting Zhuang. 2023. https://doi.org/10.48550/arXiv.2303.17580 Hugginggpt: Solving ai tasks with chatgpt and its friends in hugging face . In Advances in Neural Information Processing Systems, volume 36, pages 38154--38180

  78. [92]

    Zhengliang Shi, Yiqun Chen, Haitao Li, Weiwei Sun, Shiyu Ni, Yougang Lyu, Run-Ze Fan, Bowen Jin, Yixuan Weng, Minjun Zhu, Qiujie Xie, Xinyu Guo, Qu Yang, Jiayi Wu, Jujia Zhao, Xiaqiang Tang, Xinbei Ma, Cunxiang Wang, Jiaxin Mao, and 7 others. 2025. https://doi.org/10.48550/arXiv.2512.02038 Deep research: A systematic survey . arXiv preprint arXiv:2512.02038

  79. [93]

    Lei Wang, Chen Ma, Xueyang Feng, Zeyu Zhang, Hao Yang, Jingsen Zhang, Zhiyuan Chen, Jiakai Tang, Xu Chen, Yankai Lin, Wayne Xin Zhao, Zhewei Wei, and Jirong Wen. 2024 a . https://doi.org/10.1007/s11704-024-40231-1 A survey on large language model based autonomous agents . Frontiers of Computer Science, 18(6)

  80. [94]

    Shang Wang, Tianqing Zhu, Bo Liu, Ming Ding, Xu Guo, Dayong Ye, Wanlei Zhou, and Philip S. Yu. 2024 b . https://doi.org/10.48550/arXiv.2406.07973 Unique security and privacy threats of large language models: A comprehensive survey . arXiv preprint arXiv:2406.07973

Showing first 80 references.