Bibliographic Details
Main Authors: Yan, Yu, Sun, Sheng, Li, Mingfeng, Yang, Zheming, Zhu, Chiwei, Ma, Fei, Xu, Benfeng, Liu, Min, Li, Qi
Format: Preprint
Published: 2026
Online Access: https://arxiv.org/abs/2601.04093
_version_ 1866917258761076736
author Yan, Yu
Sun, Sheng
Li, Mingfeng
Yang, Zheming
Zhu, Chiwei
Ma, Fei
Xu, Benfeng
Liu, Min
Li, Qi
contents Recently, people have suffered from LLM hallucination and have become increasingly aware of the reliability gap of LLMs in open and knowledge-intensive tasks. As a result, they have increasingly turned to search-augmented LLMs to mitigate this issue. However, LLM-driven search also becomes an attractive target for misuse. Once the returned content directly contains targeted, ready-to-use harmful instructions or takeaways for users, it becomes difficult to withdraw or undo such exposure. To investigate LLMs' unsafe search behavior issues, we first propose SearchAttack for red-teaming, which (1) rephrases harmful semantics via dense and benign knowledge to evade direct in-context decoding, thus eliciting unsafe information retrieval, (2) stress-tests LLMs' reward-chasing bias by steering them to synthesize unsafe retrieved content. We also curate an emergent, domain-specific illicit activity benchmark for search-based threat assessment, and introduce a fact-checking framework to ground and quantify harm in both offline and online attack settings. Extensive experiments are conducted to red-team the search-augmented LLMs for responsible vulnerability assessment. Empirically, SearchAttack demonstrates strong effectiveness in attacking these systems. We also find that LLMs without web search can still be steered into harmful content output due to their information-seeking stereotypical behaviors.
format Preprint
id arxiv_https___arxiv_org_abs_2601_04093
institution arXiv
publishDate 2026
record_format arxiv
title SearchAttack: Red-Teaming LLMs against Knowledge-to-Action Threats under Online Web Search
topic Computation and Language
url https://arxiv.org/abs/2601.04093