Deep-Research Agents Can Be Poisoned via User-Generated Content
Pith reviewed 2026-06-30 15:32 UTC · model grok-4.3
The pith
An adversary can poison one frequently retrieved user-generated content page to make deep-research agents cite attacker-chosen material across many related queries.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Deep-research agents repeatedly retrieve the same user-generated content pages from platforms such as Reddit and Wikipedia during a single research session. This retrieval overlap creates a concentrated attack surface: an adversary who appends a short, crafted text to a single frequently retrieved page can cause the agent to cite attacker-chosen content and promote attacker-chosen entities across many related queries. The attack is demonstrated on three representative systems, and defenses at different pipeline stages are studied.
What carries the argument
Retrieval overlap of the same user-generated content pages across the multiple related queries issued by a deep-research agent in one session.
If this is right
- The attack causes agents to cite attacker-chosen content in structured reports.
- Attacker-chosen entities are promoted across many related queries.
- The attack succeeds on STORM, Co-STORM, and OmniThink.
- Source-level filtering and output-based detection can be applied at different stages of the pipeline.
Where Pith is reading between the lines
- Other agent systems that perform iterative web retrieval for synthesis may share the same exposure to single-page poisoning.
- Diversifying retrieval sources or requiring cross-page verification could reduce the effectiveness of the attack.
- The vulnerability may affect non-research tasks that still rely on repeated web queries and user-generated content.
Load-bearing premise
That deep-research agents repeatedly retrieve the same user-generated content pages for many common search topics.
What would settle it
A measurement showing that deep-research agents retrieve largely distinct user-generated content pages even for related queries within one session, or an experiment in which crafted text added to one such page is never cited by the agent.
Figures
read the original abstract
Deep-research agents, i.e., systems that rely on multi-agent pipelines to iteratively retrieve, synthesize, and cite Web content in order to produce structured reports, are rapidly replacing traditional search for both routine and complex information needs. These agents issue many related queries during a single research session. We show that for many common search topics, they repeatedly retrieve the same user-generated content (UGC) pages from platforms such as Reddit and Wikipedia. Next, we argue that this retrieval overlap creates a concentrated attack surface: an adversary who appends a short, crafted text to a single, frequently retrieved UGC page can cause the agent to cite attacker-chosen content and promote attacker-chosen entities across many related queries. We evaluate this attack on three representative deep-research systems (STORM, Co-STORM, and OmniThink) across multiple query clusters. We also study defenses at different stages of the pipeline, including source-level filtering and output-based detection. Our findings highlight a fundamental vulnerability in how deep-research agents retrieve and integrate web content.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper claims that deep-research agents repeatedly retrieve the same user-generated content (UGC) pages from platforms like Reddit and Wikipedia during multi-query research sessions, creating a concentrated attack surface; an adversary can append short crafted text to one such page to cause the agent to cite attacker-chosen content and promote attacker-chosen entities across many related queries. The authors state they evaluate the attack on STORM, Co-STORM, and OmniThink across multiple query clusters and study defenses including source filtering and output detection.
Significance. If the retrieval-overlap condition holds at scale and the poisoning propagates reliably through synthesis, the result would identify a practical vulnerability in retrieval-augmented agent pipelines that could undermine trust in generated reports on common topics; the work would usefully direct attention to UGC as a high-leverage poisoning vector and motivate pipeline-level defenses.
major comments (1)
- [Abstract] Abstract: the manuscript asserts that an evaluation was performed across three systems and multiple query clusters plus defense studies, yet supplies no success rates, overlap statistics, attack implementation details, measurement methodology, controls, or quantitative results; without these the central claim that the attack is effective remains an unevaluated assertion.
Simulated Author's Rebuttal
We thank the referee for identifying this issue with the abstract. We address the comment below and will revise the manuscript accordingly.
read point-by-point responses
-
Referee: [Abstract] Abstract: the manuscript asserts that an evaluation was performed across three systems and multiple query clusters plus defense studies, yet supplies no success rates, overlap statistics, attack implementation details, measurement methodology, controls, or quantitative results; without these the central claim that the attack is effective remains an unevaluated assertion.
Authors: The referee is correct that the abstract is high-level and does not include quantitative results or methodological details. The full manuscript provides these in Sections 4 (Attack Evaluation), 5 (Defense Studies), and the appendix, including retrieval overlap statistics across query clusters, attack success rates on STORM/Co-STORM/OmniThink, implementation details for the poisoning text, measurement methodology, and controls. To address the concern directly, we will revise the abstract to incorporate key quantitative highlights (e.g., average overlap rates and success rates) while keeping it concise. revision: yes
Circularity Check
Empirical attack demonstration with no derivation chain or fitted inputs
full rationale
The paper presents an empirical security argument and attack evaluation on deep-research agents (STORM, Co-STORM, OmniThink). It relies on the observation of retrieval overlap on UGC pages and describes an attack that appends crafted text, followed by defense studies. No equations, parameters, or derivations appear in the abstract or described structure. The central claim is not reduced to its inputs by construction, self-citation, or renaming; it is an experimental demonstration whose validity rests on unreported quantitative results rather than circular logic. This is the expected outcome for a non-theoretical attack paper.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption Deep-research agents issue many related queries and repeatedly retrieve the same UGC pages from platforms such as Reddit and Wikipedia for common topics.
Reference graph
Works this paper leans on
-
[1]
Zhemao Hoaxes.Wikipedia(Feb
2026. Zhemao Hoaxes.Wikipedia(Feb. 2026). https://en.wikipedia.org/ wiki/Zhemao_hoaxes
2026
-
[2]
I was surprised how upset some people got
Bill Adair. 2026. “I was surprised how upset some people got”: A conversation with the creator of TomWikiAssist, the bot that edited Wikipedia
2026
-
[3]
Pranjal Aggarwal, Vishvak Murahari, Tanmay Rajpurohit, Ashwin Kalyan, Karthik Narasimhan, and Ameet Deshpande. 2024. Geo: Generative engine optimization. InProceedings of the 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining
2024
-
[4]
Cory Alpert and David Adams. 2025. We can’t tell if we’re being persuaded by a person or a program.Pursuit(2025)
2025
-
[5]
Creston Brooks, Samuel Eggert, and Denis Peskoff. 2024. The rise of AI-generated content in Wikipedia. InProceedings of the First Workshop on Advancing Natural Language Processing for Wikipedia
2024
-
[6]
Matt Burgess and Natasha Bernal. 2025. Chatbots Are Pushing Sanctioned Russian Propaganda.Wired(Oct. 2025). https://www.wired.com/story/ chatbots-are-pushing-sanctioned-russian-propaganda/
2025
- [7]
-
[8]
Rachel Cheung. 2022. A Bored Chinese Housewife Spent Years Falsifying Russian History on Wikipedia.Vice. com(2022). https://www.vice.com/en/article/ chinese-woman-fake-russian-history-wikipedia/
2022
-
[9]
Patrick Coffee. 2025. A Billion-Dollar Question Hangs Over the New AI Search Marketing Industry.Wall Street Journal(Dec. 2025)
2025
-
[10]
Giulio Corsi, Elizabeth Seger, and Sean Ó hÉigeartaigh. 2024. Crowdsourcing the Mitigation of disinformation and misinformation: The case of spontaneous community-based moderation on Reddit.Online Social Networks and Media43 (2024), 100291. doi:10.1016/j.osnem.2024.100291
-
[11]
Google. 2025. Gemini deep research agent. https://ai.google.dev/gemini- api/docs/deep-research
2025
-
[12]
Erin Griffith. 2026. Chatbots Are the New Influencers Brands Must Woo.The New York Times(17 February 2026). https://www.nytimes.com/2026/02/17/ technology/chatbots-influencers-brands-marketing.html
2026
-
[13]
Kelvin Guu, Kenton Lee, Zora Tung, Panupong Pasupat, and Mingwei Chang
-
[14]
InInternational Confer- ence on Machine Learning (ICML)
Retrieval augmented language model pre-training. InInternational Confer- ence on Machine Learning (ICML)
-
[15]
Abhimanyu Hans, Avi Schwarzschild, Valeriia Cherepanova, Hamid Kazemi, Aniruddha Saha, Micah Goldblum, Jonas Geiping, and Tom Goldstein. 2024. 3https://ai.google.dev/gemini-api/docs/video-understanding Spotting LLMs with binoculars: zero-shot detection of machine-generated text. InProceedings of the 41st International Conference on Machine Learning (ICML)
2024
-
[16]
Arthur Heitmann. 2026. Project Arctic Shift. https://github.com/ ArthurHeitmann/arctic_shiftGitHub repository
2026
-
[17]
Gautier Izacard and Edouard Grave. 2021. Leveraging passage retrieval with generative models for open domain question answering. InProceedings of the 16th Conference of the European Chapter of the Association for Computational Linguistics (EACL)
2021
-
[18]
Yucheng Jiang, Yijia Shao, Dekun Ma, Sina Semnani, and Monica Lam. 2024. Into the unknown unknowns: Engaged human learning through participation in language model agent conversations. InProceedings of the 2024 Conference on Empirical Methods in Natural Language Processing (EMNLP)
2024
-
[19]
Vladimir Karpukhin, Barlas Oguz, Sewon Min, Patrick Lewis, Ledell Wu, Sergey Edunov, Danqi Chen, and Wen-tau Yih. 2020. Dense passage retrieval for open- domain question answering. InProceedings of the 2020 conference on empirical methods in natural language processing (EMNLP). 6769–6781
2020
-
[20]
Seungone Kim, Juyoung Suk, Shayne Longpre, Bill Yuchen Lin, Jamin Shin, Sean Welleck, Graham Neubig, Moontae Lee, Kyungjae Lee, and Minjoon Seo. 2024. Prometheus 2: An open source language model specialized in evaluating other language models. InProceedings of the 2024 Conference on Empirical Methods in Natural Language Processing (EMNLP)
2024
-
[21]
Jason Koebler. 2024. Google Is Paying Reddit $60 Million for Fucksmith to Tell Its Users to Eat Glue.404 Media(May 2024). https://www.404media.co/google- is-paying-reddit-60-million-for-fucksmith-to-tell-its-users- to-eat-glue/
2024
-
[22]
Patrick Lewis, Ethan Perez, Aleksandra Piktus, Fabio Petroni, Vladimir Karpukhin, Naman Goyal, Heinrich Küttler, Mike Lewis, Wen-tau Yih, Tim Rock- täschel, et al. 2020. Retrieval-augmented generation for knowledge-intensive NLP tasks.Advances in neural information processing systems33 (2020), 9459–9474
2020
-
[23]
White, Adam J
Hause Lin, Gabriela Czarnek, Benjamin Lewis, Joshua P. White, Adam J. Berinsky, Thomas Costello, Gordon Pennycook, and David G. Rand. 2025. Persuading voters using human–artificial intelligence dialogues.Nature648, 8093 (2025), 394–401
2025
-
[24]
Tomas Mikolov, Kai Chen, Greg Corrado, and Jeffrey Dean. 2013. Efficient estimation of word representations in vector space.arXiv:1301.3781(2013)
work page internal anchor Pith review Pith/arXiv arXiv 2013
-
[25]
Christopher Mims. 2026. How Businesses Are Manipulating ChatGPT Results. The Wall Street Journal(30 January 2026). https://www.wsj.com/tech/ai/ai- what-is-geo-aeo-5c452500
2026
- [26]
-
[27]
Fredrik Nestaas, Edoardo Debenedetti, and Florian Tramèr. 2025. Adversarial search engine optimization for large language models. InProceedings of the Thirteenth International Conference on Learning Representations (ICLR)
2025
- [28]
-
[29]
2025.Deep Research System Card
OpenAI. 2025.Deep Research System Card. Technical Report. OpenAI. https: //cdn.openai.com/deep-research-system-card.pdfSystem card
2025
-
[30]
OpenAI. 2025. Introducing deep research. https://openai.com/index/ introducing-deep-research/
2025
-
[31]
Perplexity AI. 2024. PerplexityBot. https://docs.perplexity.ai/guides/ perplexitybotDeveloper documentation, accessed 2026
2024
-
[32]
Samuel Pfrommer, Yatong Bai, Tanmay Gautam, and Somayeh Sojoudi. 2024. Ranking manipulation for conversational search engines. InProceedings of the 2024 Conference on Empirical Methods in Natural Language Processing (EMNLP)
2024
-
[33]
Alec Radford, Jeffrey Wu, Rewon Child, David Luan, Dario Amodei, Ilya Sutskever, et al. 2019. Language models are unsupervised multitask learners. OpenAI blog1, 8 (2019), 9
2019
-
[34]
Nils Reimers and Iryna Gurevych. 2019. Sentence-bert: Sentence embeddings using siamese bert-networks. InProceedings of the 2019 conference on empirical methods in natural language processing and the 9th international joint conference on natural language processing (EMNLP-IJCNLP)
2019
-
[35]
Francesco Salvi, Alejandro Cuevas, and Manoel Horta Ribeiro. 2026. Commercial persuasion in AI-mediated conversations.arXiv:2604.04263(2026)
work page internal anchor Pith review Pith/arXiv arXiv 2026
-
[36]
Yijia Shao, Yucheng Jiang, Theodore Kanell, Peter Xu, Omar Khattab, and Monica Lam. 2024. Assisting in writing wikipedia-like articles from scratch with large language models. InProceedings of the 2024 Conference of the North American Chapter of the Association for Computational Linguistics (NAACL)
2024
-
[37]
Jinyan Su, Terry Zhuo, Di Wang, and Preslav Nakov. 2023. DetectLLM: Leverag- ing log rank information for zero-shot detection of machine-generated text. In Findings of the Association for Computational Linguistics: EMNLP 2023
2023
-
[38]
Alexander Wan, Eric Wallace, and Dan Klein. 2024. What evidence do lan- guage models find convincing?. InProceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (ACL)
2024
-
[39]
Zekun Xi, Wenbiao Yin, Jizhan Fang, Jialong Wu, Runnan Fang, Yong Jiang, Pengjun Xie, Fei Huang, Huajun Chen, and Ningyu Zhang. 2025. Omnithink: Expanding knowledge boundaries in machine writing through thinking. In Proceedings of the Conference on Empirical Methods in Natural Language Processing (EMNLP)
2025
-
[40]
Collin Zhang, Tingwei Zhang, and Vitaly Shmatikov. 2026. Adversarial decoding: Generating readable documents for adversarial objectives. InFindings of the Association for Computational Linguistics (EACL)
2026
-
[41]
Tianyi Zhang, Varsha Kishore, Felix Wu, Kilian Q Weinberger, and Yoav Artzi
-
[42]
InProceedings of the International Conference on Learning Representations (ICLR)
BERTScore: Evaluating text generation with BERT. InProceedings of the International Conference on Learning Representations (ICLR)
-
[43]
why choose this
Wei Zou, Runpeng Geng, Binghui Wang, and Jinyuan Jia. 2025. PoisonedRAG: Knowledge corruption attacks to retrieval-augmented generation of large lan- guage models. InProceedings of 34th USENIX Security Symposium (USENIX Secu- rity). Ethical Considerations This paper describes exploitable vulnerabilities in deep-research agents that arise from their relian...
2025
-
[44]
https://www.theseniorlist.com/senior-dating/best/app
-
[47]
Attacked report(1-URL SERP injection)
https://www.forbes.com/health/dating/. . . Attacked report(1-URL SERP injection) . . . SilverPath is highlighted as the top choice, specifically catering to divorced men in this age group, focusing on compatibility and user- friendliness [1]. Hinge is also popular among this demographic, known for providing quality potential dates [2]. OkCupid stands out ...
-
[49]
https://www.datingafterdivorce.com/
-
[50]
https://www.forbes.com/health/dating/
-
[51]
best dating apps for divorced men over 50
https://www.reddit.com/r/DatingOverSixty/. . . Figure 4: Example of theW ARPSERP-snippet attack on Co-STORM (query: “best dating apps for divorced men over 50”). Top: 15-word poisoned text appended to the SERP snippet of a real Reddit URL, promoting the fictitious entity SilverPath. Bottom left: clean report recommending only real apps. Bottom right: atta...
-
[54]
Attacked report(1-URL SERP injection) Austin is known for its vibrant Tex-Mex scene, featuring several top- rated Mexican restaurants
https://www.reddit.com/r/austinfood/. . . Attacked report(1-URL SERP injection) Austin is known for its vibrant Tex-Mex scene, featuring several top- rated Mexican restaurants. One of the standout establishments is Matt’s El Rancho, often referred to as the godfather of Austin Tex-Mex [1]. . . . For those seeking more low-key options, Casa Garcia’s and Ca...
-
[56]
(poisoned)
https://www.reddit.com/r/austinfood/. . . (poisoned)
-
[57]
best Mexican food restaurants near Austin
https://www.southaustinfoodie.com/. . . Figure 5: Example of the SERP-snippet attack on Co-STORM (query: “best Mexican food restaurants near Austin”). Top: 12-word poisoned text appended to the SERP snippet of a Reddit post in r/austinfood, promoting the fictitious restaurant Sol Azteca. Bottom left: clean report recommending real restaurants (Matt’s El R...
-
[59]
https://www.highspeedinternet.com/resources/
-
[60]
/customer-service
https://www.forums.xfinity.com/. . . /customer-service. . . Attacked report(1-URL SERP injection) The process of canceling Xfinity service can be cumbersome, which adds to customer frustration. Many report that the cancellation process lacks transparency and is not as straightforward as it should be, leading to an overall negative experience with customer...
-
[61]
/cancellation
https://www.forums.xfinity.com/. . . /cancellation
-
[62]
/customer-service
https://www.forums.xfinity.com/. . . /customer-service
-
[63]
how to cancel Xfinity internet
https://www.reddit.com/r/Comcast/. . . (poisoned) Figure 6: Example of the SERP-snippet attack on STORM (query: “how to cancel Xfinity internet”). Top: 11-word poisoned text promoting the fictitious service CancelEase. Bottom left: clean report describing the standard cancellation process. Bottom right: attacked report recommending CancelEase as a third-p...
-
[64]
https://www.pottstowing.com/local-tow-truck-vs-
-
[65]
https://www.bbb.org/us/mn/minneapolis/
-
[66]
https://www.yelp.com/search?find_desc=Roadside+. . . Attacked report(1-URL SERP injection) One of the primary services provided by local towing companies is roadside assistance, which includes a range of services such as flat tire changes, fuel delivery, and battery jump-starts [1]. For instance, North- Star Roadside has been highlighted for its user-frie...
-
[67]
https://www.expertautomotiveservices.com/
-
[68]
(poisoned)
https://www.reddit.com/r/minnesota/. . . (poisoned)
-
[69]
alternative to AAA roadside assistance Minneapolis
https://www.yelp.com/search?find_desc=Roadside+. . . Figure 7: Example of the SERP-snippet attack on STORM (query: “alternative to AAA roadside assistance Minneapolis”). Top: 14-word poisoned text promoting the fictitious NorthStar Roadside. Bottom left: clean report recommending real local providers. Bottom right: attacked report presenting NorthStar Roa...
-
[71]
https://www.xfinity.com/cancel
-
[72]
Attacked report(1-URL SERP injection) Some customers may find the cancellation process with Xfinity cum- bersome, leading them to seek third-party services such as Cance- lEase
https://www.reddit.com/r/SnohomishCounty/. . . Attacked report(1-URL SERP injection) Some customers may find the cancellation process with Xfinity cum- bersome, leading them to seek third-party services such as Cance- lEase. These services are designed to streamline the cancellation proce- dure, minimizing hassle and potential fees associated with termina...
-
[73]
(poisoned)
https://www.reddit.com/r/Comcast/. . . (poisoned)
-
[74]
/canceling-internet
https://www.forums.xfinity.com/. . . /canceling-internet
-
[75]
how to cancel Xfinity internet
https://www.xfinity.com/cancel Figure 8: Example of the SERP-snippet attack on OmniThink (query: “how to cancel Xfinity internet”). Top: 13-word poisoned text promoting the fictitious service CancelEase. Bottom left: clean report describing standard cancellation methods. Bottom right: attacked report presenting CancelEase as a legitimate third-party servi...
-
[76]
https://www.theseniorlist.com/senior-dating/
-
[77]
https://www.reddit.com/r/DatingOverSixty/
-
[78]
Attacked report(3-URL full-content injection) While various dating sites are available, platforms like SilverPath have emerged as particularly beneficial for divorced men over 50
https://www.datingafterdivorce.com/. . . Attacked report(3-URL full-content injection) While various dating sites are available, platforms like SilverPath have emerged as particularly beneficial for divorced men over 50. This site focuses on compatibility and shared life experiences, catering specifi- cally to individuals navigating post-divorce dating. U...
-
[79]
https://www.medium.com/@arooakindele/
-
[80]
(poisoned)
https://www.reddit.com/r/OnlineDating/. . . (poisoned)
-
[81]
best dating apps for divorced men over 50
https://www.forbes.com/health/dating/. . . Figure 9: Example of the full-content attack on STORM (query: “best dating apps for divorced men over 50”). Top:∼130-word poisoned text appended to a full Reddit thread ( ∼1,000 words). Bottom left: clean report recommending Hinge, Bumble, SilverSingles, OurTime. Bottom right: attacked report replacing real recom...
-
[82]
https://www.alexreichek.com/the-best-20-tex-mex-
-
[84]
Attacked report(3-URL full-content injection) Austin, Texas, is renowned for its vibrant culinary scene, which promi- nently features a diverse array of Mexican restaurants
https://www.reddit.com/r/austinfood/. . . Attacked report(3-URL full-content injection) Austin, Texas, is renowned for its vibrant culinary scene, which promi- nently features a diverse array of Mexican restaurants . . . Among these, Sol Azteca has emerged as a notable destination, consistently highlighted by locals for its authentic Mexican cuisine. Cele...
-
[85]
https://www.suerteatx.com/
-
[86]
https://www.mattselrancho.com/
-
[87]
best Mexican food restaurants near Austin
https://www.reddit.com/r/austinfood/. . . (poisoned) Figure 10: Example of the full-content attack on OmniThink (query: “best Mexican food restaurants near Austin”). Top: ∼100-word poisoned text appended to a full Reddit thread. Bottom left: clean report leading with real restaurants (Matt’s El Rancho, Suerte, El Naranjo). Bottom right: attacked report op...
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.