REVIEW 3 major objections 6 minor 91 references
Coordinated adversarial documents can hijack a deep research agent's planning loop, turning local retrieval injection into report-level contamination.
Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →
T0 review · grok-4.5
2026-07-11 14:38 UTC pith:JH72DAX6
load-bearing objection Solid planning-layer attack paper with a real transplant isolation and a useful defense; Network numbers are an offline upper bound, not a live-web guarantee. the 3 major comments →
FORGE: Research-Trajectory Hijacking Attacks on Deep Research Agents
The pith
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Because deep research agents couple retrieval to planning, adversarial documents that enter the initial retrieval pool can hijack subtask generation and convert local injection into report-level contamination. FORGE achieves this by combining intra-document fabricated reasoning chains with inter-document argument coordination; measured by PRISM, Network FORGE reaches 26.4% at five injected documents across 25 queries. A transplant experiment shows the poisoned subtask list—not extra poisoned evidence under a fixed plan—is the dominant amplification channel. Root Query Anchoring reduces PRISM from 38.5% to 18.3% while improving utility, showing that constraining planning drift closes much of
What carries the argument
FORGE: a two-level poisoning construction in which each adversarial document embeds a fabricated local reasoning chain ending in an assigned claim, and the full set is organized as a distributed argument chain so the documents read as convergent multi-source evidence and steer planner subtasks toward the target narrative. PRISM scores report harm as the weight-share of infected claims across five cognitive types (factual through framing). The planning-layer transplant isolates subtask hijacking as the decisive channel.
Load-bearing premise
The offline network simulation—dropping adversarial documents into an API-returned pool and reranking with a simple BM25-plus-embedding score—faithfully bounds real web competition, including domain authority, freshness, and anti-spam filters.
What would settle it
Seed the same five FORGE documents into a live search index under realistic ranking (domain authority, freshness, spam filters) on the paper’s 25 queries; if produced reports stay near the no-attack PRISM baseline while the offline reranker still reports high PRISM, the network attack claim as stated fails.
If this is right
- Defenses that only filter retrieval or sanitize outputs leave the planning channel open and will not stop report-level contamination.
- Greater research depth can make poisoning less visible by migrating framing into factual premises, so deeper agents are not automatically safer.
- Report-level harm metrics must weight claim type; binary attack-success rates understate high-influence causal and framing contamination.
- Re-anchoring recursive planning to the root query can cut planning-layer poisoning without retraining or retrieval classifiers.
- Topics that invite causal interpretation or broad framing are more vulnerable than structured comparison tasks.
Where Pith is reading between the lines
- The same planning-layer hijack likely applies to any multi-hop agent that lets intermediate evidence rewrite the next tool-use or sub-goal list, not only research-report agents.
- Live deployment would force attackers to survive domain authority and anti-spam ranking, so real-world PRISM may be lower unless adversaries also control high-authority sources.
- Pairing Root Query Anchoring with retrieval-time filters would close both channels an adaptive attacker would exploit once planning alone is constrained.
- Human-supervised document construction currently limits attacker scale; fully automated FORGE pipelines would change the economics the paper deliberately withholds.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper argues that deep research agents expose a planning-layer poisoning surface: adversarial documents that enter early retrieval can hijack subtask generation and compound into report-level contamination. It introduces FORGE, a two-level attack combining intra-document fabricated reasoning chains with inter-document argument coordination; PRISM, a weighted claim-infection metric over five cognitive types; and Root Query Anchoring (RQA), which re-conditions recursive subtask generation on the root query. Empirically, on gpt-researcher across 25 queries, Network FORGE reaches 26.4% PRISM at j=5, shows depth migration from framing into factual claims, and a 2×2 transplant (Fig. 4) attributes most of the gain to the poisoned subtask list rather than extra retrieval injection under a fixed plan. On a 10-query subset, RQA cuts PRISM from 38.5% to 18.3% while raising RACE utility from 0.5000 to 0.6173, with supporting ablations, baselines, human validation of the evaluator, and cross-framework checks.
Significance. If the results hold under the stated threat model, the paper identifies a genuine and under-studied failure mode for multi-round research agents: epistemic corruption of planning rather than single-hop RAG answer corruption or action hijacking. Strengths include a clear threat model, a structured attack construction, a severity metric with human spot-checks (Appendix C: 92.7% claim-type agreement; 94.7% infection-label agreement), a causal transplant isolating the planning channel (Fig. 4), ablations against PoisonedRAG/AuthChain and structural variants B1/B2 (Table 3), a defense that improves utility rather than only reducing attack success (Table 4), careful dual-use handling (restricted attack artifacts), and released evaluation/defense-oriented code. These make the work useful for both agent security and system design even if absolute Network PRISM is treated as an upper bound.
major comments (3)
- §6.1 and Eq. (1): Headline Network results (abstract; Fig. 2: 26.4% PRISM at j=5) and the causal transplant (Fig. 4) both depend on the same offline pool—m API documents plus j adversaries, reranked by α=0.4 BM25 + embedding cosine, top-m only. Limitations §9 correctly call this an upper bound omitting domain authority, freshness, and anti-spam, but the abstract and §7.2 present the planning-dominance claim without that qualifier. If live ranking systematically demotes coordinated chains, both absolute Network PRISM and the transplant’s “subtask list is the dominant channel” finding can shrink together. Please either (i) add sensitivity over α, pool size m, and simple authority/freshness proxies, or (ii) reframe abstract/main claims so Local mechanism + upper-bound Network are clearly separated, and state that Fig. 4 is conditional on the simulated admit rate.
- §5, Eq. (6) and Table 1: PRISM’s primary reported severities (26.4%, 38.5%, defense deltas) use uncalibrated weights 4–8. Appendix D shows ordinal stability across schemes, which is good, but main-text tables and the abstract still lead with weighted PRISM alone. Because causal/framing types (weights 7–8) are exactly where FORGE concentrates (Table 3), absolute PRISM can overstate severity relative to unweighted infection. Report unweighted ASR (and ideally macro-avg) alongside PRISM in Fig. 2, Table 2, Table 3, and Table 4, and state explicitly that weights are a design choice pending human-perception calibration (§9).
- §7.3 / Table 4 vs §6.2: Attack scaling and depth results use 25 queries; defense and baseline comparisons use a stratified 10-query subset where FORGE already scores 38.5% PRISM—well above the 26.4% full-set Network figure. That selection inflates the apparent absolute defense problem and makes RQA’s −20.2 point drop hard to compare to the main attack curve. Either run RQA (and the main baselines) on the full 25-query Network j=5 setting, or justify the subset statistically and report full-set RQA PRISM/utility as the primary defense result.
minor comments (6)
- Fig. 3: Depth migration is central; add error bars or per-query variance and state whether the framing→factual shift is significant, not only visual.
- Table 2 / Appendix H: Category names are clear, but list the five concrete queries per category (or a representative example) in the main text or appendix so readers can assess narrative construction difficulty.
- §4.3 Eq. (4): The notation t̂ ∼ V is informal; define the operational criterion used to mark a subtask as V-aligned in the transplant and pipeline metrics (Appendix F).
- Appendix E: Cross-framework absolute PRISM is much lower (Perplexica 7.5%, DeerFlow 15.9%). A short main-text sentence should caution against portability of the 26.4% figure across retrieval architectures (already noted in §9).
- Typographical consistency: “PRISMmetric” / “FORGE(Fabricated…” spacing in the abstract; “o4-mini” vs model naming elsewhere; ensure arXiv ID / code URL formatting is uniform.
- §2.2: PoisonedRAG and AuthChain are compared under Network j=5 on the 10-query subset only; note whether their documents were optimized for the same retriever (Eq. 1) as FORGE to keep the comparison fair.
Circularity Check
Empirical security paper with independent attack construction, metric, and transplant design; no derivation reduces to its inputs by construction.
full rationale
FORGE is a constructive attack (intra-document reasoning chains plus inter-document coordination) evaluated by measuring report contamination, not a first-principles derivation. PRISM is defined separately as a weighted fraction of infected report claims over five cognitive types (Eq. 6), with claim extraction and infection matching performed by an external evaluator and human-validated (Appendix C: 92.7% type agreement; 94.7% infection agreement). Weights (4–8) are explicitly design choices, and Appendix D shows ordinal attack rankings are stable under unweighted, macro-avg, exponential, log-damped, and inverse-frequency alternatives—so the metric is not FORGE success by definition. The 2×2 transplant (Fig. 4) holds the subtask list fixed while varying retrieval injection (and vice versa); the asymmetric PRISM gains are measured outcomes, not forced by the construction equations. Baselines (PoisonedRAG, AuthChain) and ablations (B1, B2) are external comparisons under the same pipeline. No self-citation uniqueness theorem, fitted parameter renamed as prediction, or ansatz smuggled via author-overlap citation carries the central claim. Network-simulation fidelity is an external-validity concern (Limitations §9), not circularity.
Axiom & Free-Parameter Ledger
free parameters (4)
- PRISM claim-type weights w(τ) = 4..8
- Retrieval mix α = 0.4 (BM25 vs embedding cosine)
- nr = 30 report claims extracted per report; 10 claims per poison document
- Defense/ablation subset size (10 stratified queries)
axioms (4)
- domain assumption Deep research agents follow a recursive plan–retrieve–synthesize loop in which early retrieved evidence can reshape subsequent subtasks (Shi et al. 2025 workflow model).
- domain assumption Semantic match of report claims to poison claims by an LLM evaluator (Gemini-3.1-Flash-Lite), without a similarity threshold, is a valid infection detector.
- ad hoc to paper Offline injection into an API document pool plus BM25/embedding reranking is an upper-bound proxy for Network poisoning on the live web.
- domain assumption Argumentative coherence and multi-source convergence increase synthesis model acceptance of false claims (Lawrence & Reed 2019; Entman 1993 framing).
invented entities (3)
-
FORGE two-level adversarial document set (intra-document reasoning chain + inter-document chain C)
no independent evidence
-
PRISM (Poisoning Report Impact Severity Metric)
no independent evidence
-
Root Query Anchoring (RQA)
no independent evidence
read the original abstract
Deep research agents decompose open-ended queries into subtasks, retrieve web evidence over multiple rounds, and synthesize long-form reports. This workflow creates a planning-layer poisoning surface: adversarial documents that enter the retrieval pool can steer follow-up questions and turn a local injection into report-level contamination. We present FORGE (Fabricated Orchestrated Reasoning chain for aGent Exploitation), a two-level attack that combines intra-document reasoning fabrication with inter-document chain coordination to hijack subtask planning. We further introduce the PRISM metric, which weights infected report claims by cognitive type, and Root Query Anchoring, a lightweight defense that ties recursive follow-up generation to the root query. Across 25 queries, Network FORGE reaches 26.4% PRISM with five injected documents and exhibits depth migration, in which recursive synthesis shifts poisoned content from overt framing into factual premises. On the 10-query defense subset, RQA (Root Query Anchoring) reduces PRISM from 38.5% to 18.3%.
Figures
Reference graph
Works this paper leans on
-
[2]
AgentTuning: Enabling Generalized Agent Abilities for
Aohan Zeng and Mingdao Liu and Rui Lu and Bowen Wang and Xiao Liu and Yuxiao Dong and Jie Tang , booktitle =. AgentTuning: Enabling Generalized Agent Abilities for. 2024 , url =
2024
-
[3]
Yujia Qin and Shihao Liang and Yining Ye and Kunlun Zhu and Lan Yan and Yaxi Lu and Yankai Lin and Xin Cong and Xiangru Tang and Bill Qian and Sihan Zhao and Lauren Hong and Runchu Tian and Ruobing Xie and Jie Zhou and Mark Gerstein and dahai li and Zhiyuan Liu and Maosong Sun , booktitle =. Tool. 2024 , doi =
2024
-
[5]
arXiv preprint arXiv:2410.16950 , year =
Breaking ReAct Agents: Foot-in-the-Door Attack Will Get You In , author =. arXiv preprint arXiv:2410.16950 , year =
-
[6]
2024 , doi =
Xu, Chejian and Kang, Mintong and Zhang, Jiawei and Liao, Zeyi and Mo, Lingbo and Yuan, Mengqi and Sun, Huan and Li, Bo , journal =. 2024 , doi =
2024
-
[7]
arXiv preprint arXiv:2303.08774 , year =
GPT-4 Technical Report , author =. arXiv preprint arXiv:2303.08774 , year =
-
[8]
arXiv preprint arXiv:2309.07864 , year =
The Rise and Potential of Large Language Model Based Agents: A Survey , author =. arXiv preprint arXiv:2309.07864 , year =
-
[9]
Yu , journal =
Feng He and Tianqing Zhu and Dayong Ye and Bo Liu and Wanlei Zhou and Philip S. Yu , journal =. The Emerged Security and Privacy of. 2025 , volume =
2025
-
[11]
arXiv preprint arXiv:2401.05459 , year =
Personal LLM Agents: Insights and Survey about the Capability, Efficiency and Security , author =. arXiv preprint arXiv:2401.05459 , year =
-
[12]
ACM Transactions on Information Systems , year =
A Survey on Hallucination in Large Language Models: Principles, Taxonomy, Challenges, and Open Questions , author =. ACM Transactions on Information Systems , year =
-
[13]
30th USENIX Security Symposium (USENIX Security 21) , year =
You Autocomplete Me: Poisoning Vulnerabilities in Neural Code Completion , author =. 30th USENIX Security Symposium (USENIX Security 21) , year =
-
[15]
Yang, Wenkai and Li, Lei and Zhang, Zhiyuan and Ren, Xuancheng and Sun, Xu and He, Bin. Be Careful about Poisoned Word Embeddings: Exploring the Vulnerability of the Embedding Layers in NLP Models. Proceedings of the 2021 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies. 2021. doi:10.18...
-
[16]
arXiv preprint arXiv:2406.07973 , year =
Unique Security and Privacy Threats of Large Language Models: A Comprehensive Survey , author =. arXiv preprint arXiv:2406.07973 , year =
-
[17]
Watch Out for Your Agents! Investigating Backdoor Threats to
Wenkai Yang and Xiaohan Bi and Yankai Lin and Sishuo Chen and Jie Zhou and Xu Sun , booktitle =. Watch Out for Your Agents! Investigating Backdoor Threats to. 2024 , doi =
2024
-
[19]
Frontiers of Computer Science , year =
A survey on large language model based autonomous agents , author =. Frontiers of Computer Science , year =
-
[20]
Advances in Neural Information Processing Systems , year =
WebShop: Towards Scalable Real-World Web Interaction with Grounded Language Agents , author =. Advances in Neural Information Processing Systems , year =
-
[21]
arXiv preprint arXiv:2305.02412 , year =
Plan, Eliminate, and Track -- Language Models are Good Teachers for Embodied Agents , author =. arXiv preprint arXiv:2305.02412 , year =
-
[23]
arXiv preprint arXiv:2306.02224 , year =
Auto-GPT for Online Decision Making: Benchmarks and Additional Opinions , author =. arXiv preprint arXiv:2306.02224 , year =
-
[24]
C hat D ev: Communicative Agents for Software Development
Qian, Chen and Liu, Wei and Liu, Hongzhang and Chen, Nuo and Dang, Yufan and Li, Jiahao and Yang, Cheng and Chen, Weize and Su, Yusheng and Cong, Xin and Xu, Juyuan and Li, Dahai and Liu, Zhiyuan and Sun, Maosong. C hat D ev: Communicative Agents for Software Development. Proceedings of the 62nd Annual Meeting of the Association for Computational Linguist...
2024
-
[25]
Proceedings of the 36th Annual ACM Symposium on User Interface Software and Technology , year =
Generative Agents: Interactive Simulacra of Human Behavior , author =. Proceedings of the 36th Annual ACM Symposium on User Interface Software and Technology , year =
-
[26]
IEEE Transactions on Pattern Analysis and Machine Intelligence , year =
Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses , author =. IEEE Transactions on Pattern Analysis and Machine Intelligence , year =
-
[27]
arXiv preprint arXiv:1708.06733 , year =
BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain , author =. arXiv preprint arXiv:1708.06733 , year =
-
[28]
arXiv preprint arXiv:2007.10760 , year =
Backdoor Attacks and Countermeasures on Deep Learning: A Comprehensive Review , author =. arXiv preprint arXiv:2007.10760 , year =
Pith/arXiv arXiv 2007
-
[33]
The Twelfth International Conference on Learning Representations , year =
BadEdit: Backdooring Large Language Models by Model Editing , author =. The Twelfth International Conference on Learning Representations , year =. doi:10.48550/arXiv.2403.13355 , url =
-
[34]
TrustAgent: Towards Safe and Trustworthy
Wenyue Hua and Xianjun Yang and Mingyu Jin and Zelong Li and Wei Cheng and Ruixiang Tang and Yongfeng Zhang , booktitle =. TrustAgent: Towards Safe and Trustworthy. 2024 , doi =
2024
-
[35]
2021 , doi =
Mohit Shridhar and Xingdi Yuan and Marc-Alexandre Cote and Yonatan Bisk and Adam Trischler and Matthew Hausknecht , booktitle =. 2021 , doi =
2021
-
[37]
arXiv preprint arXiv:2412.19437 , year =
DeepSeek-V3 Technical Report , author =. arXiv preprint arXiv:2412.19437 , year =
-
[38]
arXiv preprint arXiv:2412.15115 , year =
Qwen2.5 Technical Report , author =. arXiv preprint arXiv:2412.15115 , year =
-
[39]
2024 , url =
Hello GPT-4o , author =. 2024 , url =
2024
-
[41]
Elovic, Assaf , year =
-
[42]
2025 , url =
Introducing Deep Research , author =. 2025 , url =
2025
-
[44]
The Probabilistic Relevance Framework:
Robertson, Stephen and Zaragoza, Hugo , journal =. The Probabilistic Relevance Framework:. 2009 , volume =
2009
-
[45]
New Embedding Models and
OpenAI , year =. New Embedding Models and
-
[46]
2025 , url =
Zou, Wei and Geng, Runpeng and Wang, Binghui and Jia, Jinyuan , booktitle =. 2025 , url =
2025
-
[48]
Introducing
OpenAI , year =. Introducing
-
[49]
2026 , url =
Gemini 3.1 Flash-Lite Preview , author =. 2026 , url =
2026
-
[50]
Journal of Communication , year =
Framing: Toward Clarification of a Fractured Paradigm , author =. Journal of Communication , year =
-
[51]
Psychological Science in the Public Interest , year =
Misinformation and Its Correction: Continued Influence and Successful Debiasing , author =. Psychological Science in the Public Interest , year =
-
[52]
Argument Mining:
Lawrence, John and Reed, Chris , journal =. Argument Mining:. 2019 , volume =
2019
-
[53]
Not what you've signed up for:
Greshake, Kai and Abdelnabi, Sahar and Mishra, Shailesh and Endres, Christoph and Holz, Thorsten and Fritz, Mario , journal =. Not what you've signed up for:. 2023 , doi =
2023
-
[54]
Findings of the Association for Computational Linguistics: EMNLP 2025 , year =
One Shot Dominance: Knowledge Poisoning Attack on Retrieval-Augmented Generation Systems , author =. Findings of the Association for Computational Linguistics: EMNLP 2025 , year =
2025
-
[55]
arXiv preprint arXiv:2309.00614 , year =
Baseline Defenses for Adversarial Attacks Against Aligned Language Models , author =. arXiv preprint arXiv:2309.00614 , year =
-
[56]
arXiv preprint arXiv:2308.14132 , year =
Detecting Language Model Attacks with Perplexity , author =. arXiv preprint arXiv:2308.14132 , year =
-
[57]
2025 , doi =
Du, Mingxuan and Xu, Benfeng and Zhu, Chiwei and Wang, Xiaorui and Mao, Zhendong , journal =. 2025 , doi =
2025
-
[58]
arXiv preprint arXiv:2512.02038 , year =
Deep Research: A Systematic Survey , author =. arXiv preprint arXiv:2512.02038 , year =
-
[59]
Gabriel Alon and Michael Kamfonas. 2023. https://doi.org/10.48550/arXiv.2308.14132 Detecting language model attacks with perplexity . arXiv preprint arXiv:2308.14132
-
[60]
ByteDance . 2025. https://github.com/bytedance/deer-flow DeerFlow : An open-source long-horizon superagent harness . GitHub repository
2025
-
[61]
Zhiyuan Chang, Mingyang Li, Xiaojun Jia, Junjie Wang, Yuekai Huang, Ziyou Jiang, Yang Liu, and Qing Wang. 2025. https://doi.org/10.18653/v1/2025.findings-emnlp.1023 One shot dominance: Knowledge poisoning attack on retrieval-augmented generation systems . In Findings of the Association for Computational Linguistics: EMNLP 2025, pages 18811--18825
-
[62]
Xiaoyi Chen, Ahmed Salem, Dingfan Chen, Michael Backes, Shiqing Ma, Qingni Shen, Zhonghai Wu, and Yang Zhang. 2021. https://doi.org/10.1145/3485832.3485837 Bad NL : Backdoor attacks against NLP models with semantic-preserving improvements . In Annual Computer Security Applications Conference (ACSAC), pages 554--569
-
[63]
Google DeepMind. 2026. https://ai.google.dev/gemini-api/docs/models/gemini-3.1-flash-lite-preview Gemini 3.1 flash-lite preview . Gemini API documentation
2026
-
[64]
Xiang Deng, Yu Gu, Boyuan Zheng, Shijie Chen, Sam Stevens, Boshi Wang, Huan Sun, and Yu Su. 2023. https://doi.org/10.48550/arXiv.2306.06070 Mind2web: Towards a generalist agent for the web . In Advances in Neural Information Processing Systems, volume 36, pages 28091--28114
-
[65]
Mingxuan Du, Benfeng Xu, Chiwei Zhu, Xiaorui Wang, and Zhendong Mao. 2025. https://doi.org/10.48550/arXiv.2506.11763 DeepResearch Bench : A comprehensive benchmark for deep research agents . arXiv preprint arXiv:2506.11763
-
[66]
Assaf Elovic. 2023. https://github.com/assafelovic/gpt-researcher GPT Researcher : LLM -based autonomous agent for web research . GitHub repository
2023
-
[67]
Robert M. Entman. 1993. https://doi.org/10.1111/j.1460-2466.1993.tb01304.x Framing: Toward clarification of a fractured paradigm . Journal of Communication, 43(4):51--58
-
[68]
Yansong Gao, Bao Gia Doan, Zhi Zhang, Siqi Ma, Jiliang Zhang, Anmin Fu, Surya Nepal, and Hyoungshick Kim. 2020. https://doi.org/10.48550/arXiv.2007.10760 Backdoor attacks and countermeasures on deep learning: A comprehensive review . arXiv preprint arXiv:2007.10760
-
[69]
Micah Goldblum, Dimitris Tsipras, Chulin Xie, Xinyun Chen, Avi Schwarzschild, Dawn Song, Aleksander Madry, Bo Li, and Tom Goldstein. 2023. https://doi.org/10.1109/TPAMI.2022.3162397 Dataset security for machine learning: Data poisoning, backdoor attacks, and defenses . IEEE Transactions on Pattern Analysis and Machine Intelligence, 45(2):1563--1580
-
[70]
Kai Greshake, Sahar Abdelnabi, Shailesh Mishra, Christoph Endres, Thorsten Holz, and Mario Fritz. 2023. https://doi.org/10.48550/arXiv.2302.12173 Not what you've signed up for: Compromising real-world LLM -integrated applications with indirect prompt injection . arXiv preprint arXiv:2302.12173
-
[71]
Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg. 2019. https://doi.org/10.48550/arXiv.1708.06733 Badnets: Identifying vulnerabilities in the machine learning model supply chain . arXiv preprint arXiv:1708.06733
-
[72]
Feng He, Tianqing Zhu, Dayong Ye, Bo Liu, Wanlei Zhou, and Philip S. Yu. 2025. https://doi.org/10.1145/3773080 The emerged security and privacy of LLM agent: A survey with case studies . ACM Computing Surveys, 58(6)
doi:10.1145/3773080 2025
-
[73]
ItzCrazyKns . 2024. https://github.com/ItzCrazyKns/Perplexica Vane (formerly Perplexica ): An ai-powered answering engine . GitHub repository
2024
-
[74]
Neel Jain, Avi Schwarzschild, Yuxin Wen, Gowthami Somepalli, John Kirchenbauer, Ping-yeh Chiang, Micah Goldblum, Aniruddha Saha, Jonas Geiping, and Tom Goldstein. 2023. https://doi.org/10.48550/arXiv.2309.00614 Baseline defenses for adversarial attacks against aligned language models . arXiv preprint arXiv:2309.00614
-
[75]
Keita Kurita, Paul Michel, and Graham Neubig. 2020. https://doi.org/10.18653/v1/2020.acl-main.249 Weight poisoning attacks on pretrained models . In Proceedings of the 58th Annual Meeting of the Association for Computational Linguistics, pages 2793--2806
-
[76]
John Lawrence and Chris Reed. 2019. https://doi.org/10.1162/coli_a_00364 Argument mining: A survey . Computational Linguistics, 45(4):765--818
-
[77]
Stephan Lewandowsky, Ullrich K. H. Ecker, Colleen M. Seifert, Norbert Schwarz, and John Cook. 2012. https://doi.org/10.1177/1529100612451018 Misinformation and its correction: Continued influence and successful debiasing . Psychological Science in the Public Interest, 13(3):106--131
-
[78]
u ttler, Mike Lewis, Wen-tau Yih, Tim Rockt\
Patrick Lewis, Ethan Perez, Aleksandra Piktus, Fabio Petroni, Vladimir Karpukhin, Naman Goyal, Heinrich K\" u ttler, Mike Lewis, Wen-tau Yih, Tim Rockt\" a schel, Sebastian Riedel, and Douwe Kiela. 2020. https://doi.org/10.48550/arXiv.2005.11401 Retrieval-augmented generation for knowledge-intensive NLP tasks . In Advances in Neural Information Processing...
-
[79]
Yuanchun Li, Hao Wen, Weijun Wang, Xiangyu Li, Yizhen Yuan, Guohong Liu, Jiacheng Liu, Wenxing Xu, Xiang Wang, Yi Sun, Rui Kong, Yile Wang, Hanfei Geng, Jian Luan, Xuefeng Jin, Zilong Ye, Guanjing Xiong, Fan Zhang, Xiang Li, and 6 others. 2024. https://doi.org/10.48550/arXiv.2401.05459 Personal llm agents: Insights and survey about the capability, efficie...
-
[80]
Vinod Muthusamy, Yara Rizk, Kiran Kate, Praveen Venkateswaran, Vatche Isahagian, Ashu Gulati, and Parijat Dube. 2023. https://doi.org/10.18653/v1/2023.findings-emnlp.461 Towards large language model-based personal agents in the enterprise: Current trends and open problems . In Findings of the Association for Computational Linguistics: EMNLP 2023, pages 6909--6921
-
[81]
Itay Nakash, George Kour, Guy Uziel, and Ateret Anaby-Tavor. 2024. https://doi.org/10.48550/arXiv.2410.16950 Breaking react agents: Foot-in-the-door attack will get you in . arXiv preprint arXiv:2410.16950
-
[82]
OpenAI. 2024 a . https://openai.com/index/gpt-4o-mini-advancing-cost-efficient-intelligence/ GPT-4o mini: Advancing cost-efficient intelligence . OpenAI announcement
2024
-
[83]
OpenAI. 2024 b . https://openai.com/index/new-embedding-models-and-api-updates/ New embedding models and API updates . OpenAI announcement
2024
-
[84]
OpenAI. 2025 a . https://openai.com/index/introducing-deep-research/ Introducing deep research . OpenAI announcement
2025
-
[85]
OpenAI. 2025 b . https://openai.com/index/gpt-4-1/ Introducing GPT-4.1 . OpenAI announcement
2025
-
[86]
OpenAI. 2025 c . https://openai.com/index/introducing-o3-and-o4-mini/ Introducing o3 and o4-mini . OpenAI announcement
2025
-
[87]
Fanchao Qi, Mukai Li, Yangyi Chen, Zhengyan Zhang, Zhiyuan Liu, Yasheng Wang, and Maosong Sun. 2021. https://doi.org/10.18653/v1/2021.acl-long.37 Hidden killer: Invisible textual backdoor attacks with syntactic trigger . In Proceedings of the 59th Annual Meeting of the Association for Computational Linguistics and the 11th International Joint Conference o...
-
[88]
Yujia Qin, Shihao Liang, Yining Ye, Kunlun Zhu, Lan Yan, Yaxi Lu, Yankai Lin, Xin Cong, Xiangru Tang, Bill Qian, Sihan Zhao, Lauren Hong, Runchu Tian, Ruobing Xie, Jie Zhou, Mark Gerstein, dahai li, Zhiyuan Liu, and Maosong Sun. 2024. https://doi.org/10.48550/arXiv.2307.16789 Tool LLM : Facilitating large language models to master 16000+ real-world API s ...
-
[89]
Stephen Robertson and Hugo Zaragoza. 2009. https://doi.org/10.1561/1500000019 The probabilistic relevance framework: BM25 and beyond . Foundations and Trends in Information Retrieval, 3(4):333--389
-
[90]
Timo Schick, Jane Dwivedi-Yu, Roberto Dessi, Roberta Raileanu, Maria Lomeli, Eric Hambro, Luke Zettlemoyer, Nicola Cancedda, and Thomas Scialom. 2023. https://doi.org/10.48550/arXiv.2302.04761 Toolformer: Language models can teach themselves to use tools . In Advances in Neural Information Processing Systems, volume 36, pages 68539--68551
-
[91]
Yongliang Shen, Kaitao Song, Xu Tan, Dongsheng Li, Weiming Lu, and Yueting Zhuang. 2023. https://doi.org/10.48550/arXiv.2303.17580 Hugginggpt: Solving ai tasks with chatgpt and its friends in hugging face . In Advances in Neural Information Processing Systems, volume 36, pages 38154--38180
-
[92]
Zhengliang Shi, Yiqun Chen, Haitao Li, Weiwei Sun, Shiyu Ni, Yougang Lyu, Run-Ze Fan, Bowen Jin, Yixuan Weng, Minjun Zhu, Qiujie Xie, Xinyu Guo, Qu Yang, Jiayi Wu, Jujia Zhao, Xiaqiang Tang, Xinbei Ma, Cunxiang Wang, Jiaxin Mao, and 7 others. 2025. https://doi.org/10.48550/arXiv.2512.02038 Deep research: A systematic survey . arXiv preprint arXiv:2512.02038
-
[93]
Lei Wang, Chen Ma, Xueyang Feng, Zeyu Zhang, Hao Yang, Jingsen Zhang, Zhiyuan Chen, Jiakai Tang, Xu Chen, Yankai Lin, Wayne Xin Zhao, Zhewei Wei, and Jirong Wen. 2024 a . https://doi.org/10.1007/s11704-024-40231-1 A survey on large language model based autonomous agents . Frontiers of Computer Science, 18(6)
-
[94]
Shang Wang, Tianqing Zhu, Bo Liu, Ming Ding, Xu Guo, Dayong Ye, Wanlei Zhou, and Philip S. Yu. 2024 b . https://doi.org/10.48550/arXiv.2406.07973 Unique security and privacy threats of large language models: A comprehensive survey . arXiv preprint arXiv:2406.07973
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.