Adversarial Feeds Steer LLM Agent Decisions Against Their Defaults
Title: Adversarial Feeds Manipulate LLM Agent Decisions Away from Their Baselines
Abstract:
While Large Language Model (LLM) agents frequently base their actions on ranked external information streams—such as social media feeds, search results, retrieval contexts, and email inboxes—current safety evaluations typically assess the model or user prompt in isolation. These tests rarely examine the upstream ranker that determines what information the agent consumes immediately prior to acting. To address this gap, we introduce a controlled protocol that isolates the causal impact of feed curation on downstream decisions. This method keeps the model architecture, persona, topic, and final decision prompt constant, varying only the composition and sequence of posts encountered during a preceding ten-turn "scrolling" phase.
Our analysis of 2,785 decision rollouts across four modern open-instruct LLMs from three distinct laboratories reveals three distinct response regimes: adversarial capitulation, default saturation, and a default-direction asymmetry. The asymmetry manifests when a one-sided feed influences a decision the model was genuinely uncertain about, shifting outcomes from as low as 5% to 100% in the most pronounced cases (with Fisher p-values as low as 3 x 10^-10). However, such feeds are unable to dislodge decisions the model already favors or holds firmly.
This influence follows a dose-response curve and remains robust even after swapping generators, a step taken to rule out writing-style artifacts. The phenomenon generalizes across various decision domains, including security-critical choices such as removing a deployment approval gate or relaxing access controls. While two simple feed-level defenses offer partial mitigation, a frontier model maintained its default stance. We characterize the recommender system as a practical, default-bounded control surface for LLM agents and argue that agent evaluations must audit the feed layer rather than focusing solely on the final prompt.
Source: arXiv Generated at: 2026-06-02 00:00:00 UTC
