SearchGEO: making LLM search agents endorse attacker-published pages
A June 15, 2026 arXiv paper measures how attacker-controlled web content gets turned into an agent's endorsed recommendation — attack success ranges from 0% to 31.4% depending on the backend model.
What is this?
On June 15, 2026, a team including Yimeng Chen and Jürgen Schmidhuber posted How Much Can We Trust LLM Search Agents? Measuring Endorsement Vulnerability to Web Content Manipulation to arXiv (cs.CL, cross-listed cs.CR). It studies a failure mode specific to LLM search agents — assistants that query the open web and synthesize the results into an actionable recommendation for the user.
The risk the paper names is endorsement corruption: an attacker publishes a page, the agent retrieves it, and the agent’s answer transforms that attacker-controlled content into an endorsed claim — “based on my research, X is the best/safe/recommended option.” The user never sees the manipulation; they see a trusted assistant vouching for the attacker’s page. The authors build SearchGEO, a controlled evaluation framework, and report that susceptibility varies enormously by backend model.
This is the adversarial mirror of Generative Engine Optimization (GEO, KDD 2024), the legitimate practice of structuring content to surface in generative search answers. SearchGEO asks what happens when the same levers are pulled in bad faith.
How it works
SearchGEO has three parts: a web-evidence manipulation pipeline that crafts the attacker page, a five-mode attack taxonomy describing distinct manipulation strategies, and a set of output-level metrics that score whether the agent’s final answer actually endorses the planted claim. The authors evaluate 13 LLM backends on 308 cases each. No working payload is released; the contribution is measurement.
# Conceptual only — no working payload.
[1] Publish attacker page crafted to read as authoritative evidence
[2] Retrieve search agent pulls the page as part of normal research
[3] Endorse agent synthesizes it into a recommendation the user trustsThe headline numbers show that endorsement vulnerability is a property of the backend, not of “agents” in general. Overall attack success rate (ASR) ranges from 0.0% on Claude-Sonnet-4.6 to 31.4% on Gemini-3-Flash. The strongest attack mode also differs by model family — there is no single dominant trick — and the same deployment scaffold can raise ASR on one backend while lowering it on another, so a wrapper that hardens one model can weaken another.
An auxiliary probe escalates endorsement into action: the agent is asked for a recommendation where the endorsed answer becomes an install command for an agent skill. Here even otherwise-robust backends split badly — Claude tends to over-reject (refusing safe installs) while GPT tends to over-trust (accepting attacker-suggested installs). Both are failure modes; neither calibrates well.
Mechanically this sits next to indirect prompt injection in the wild and RAG corpus poisoning: untrusted retrieved content steers the model. But the framing is different. The harm here is not a hijacked tool call — it is a corrupted recommendation, closer to ranker decision hijacking and brand suppression via RAG than to classic injection.
Why it matters
Search agents are being marketed as a trust upgrade over raw search: the assistant “reads the sources for you.” SearchGEO shows that this synthesis step is itself an attack surface. Anyone who can get a page indexed and retrieved can attempt to launder their claim through the agent’s authority — a low-cost, scalable position compared to compromising a tool or stealing a credential.
The cross-model spread is the operationally important result. A 0%-to-31.4% range means endorsement robustness is a backend safety property teams must test, not assume — and the agent-skill probe shows the same model can be safe at “what should I read?” and unsafe at “what should I install?”. This is the lethal trifecta logic applied to recommendations: untrusted content plus an action channel (here, an install) is where the damage lands.
A note on scope: this is lab measurement across a defined case set, not a confirmed in-the-wild campaign, and no payload was published. Treat it as a validated, backend-dependent blind spot — and as an argument that recommendation reliability under adversarial search content deserves to be a first-class evaluation dimension, alongside how we already scrutinize detector operating points.
Defenses
- Score endorsement, not just retrieval. The failure is at synthesis. Evaluate whether the agent’s final recommendation can be flipped by a single planted page, and red-team it per backend — the SearchGEO result is that you cannot generalize one model’s robustness to another. This complements web-agent guards like WARD.
- Require corroboration before recommending. Treat a single source as insufficient grounds for an endorsement. Demand independent, provenance-diverse evidence before the agent states “X is recommended,” and surface the sources so the user can audit the chain.
- Separate “what I read” from “what I do.” The install-command probe is the dangerous escalation. Gate skill installation, code execution and purchases behind explicit human confirmation regardless of how confident the agent sounds — the Agents Rule of Two and skill-permission logic.
- Calibrate, don’t just refuse. Over-rejection (Claude in the probe) and over-trust (GPT) are both errors. Tune the agent to ask for confirmation on adversarially-shaped recommendations rather than silently accepting or blanket-refusing, and log the decision.
- Carry provenance into the answer. Tag retrieved content with its origin and trust level, keep that metadata through synthesis, and weight low-trust pages down — the same provenance discipline that limits agent-skill and corpus-poisoning risk.
Status
| Item | Detail |
|---|---|
| Technique | SearchGEO — endorsement corruption of LLM search agents via web content manipulation |
| Source | arXiv:2606.16821 (cs.CL / cs.CR), submitted June 15, 2026 |
| Framework | Web-evidence manipulation pipeline + five-mode attack taxonomy + output-level metrics |
| Evaluation | 13 LLM backends, 308 cases each |
| ASR range | 0.0% (Claude-Sonnet-4.6) to 31.4% (Gemini-3-Flash) |
| Skill probe | Endorsement-as-install splits backends: Claude over-rejects, GPT over-trusts |
| Real-world status | Lab measurement; no confirmed in-the-wild campaign; no working payload released |