1 { 2 "scan_version": 4, 3 "paper_type": "empirical", 4 "paper": { 5 "title": "Decoding Latent Attack Surfaces in LLMs: Prompt Injection via HTML in Web Summarization", 6 "authors": [ 7 "Ishaan Verma", 8 "Arsheya Yadav" 9 ], 10 "year": 2025, 11 "venue": "arXiv.org", 12 "arxiv_id": "2509.05831", 13 "doi": "10.48550/arXiv.2509.05831" 14 }, 15 "checklist": { 16 "claims_and_evidence": { 17 "abstract_claims_supported": { 18 "applies": true, 19 "answer": true, 20 "justification": "The abstract claims that 'a significant proportion of injected pages led to measurable semantic and stylistic shifts,' which is supported by Table 1 showing 29.3% and 15.7% success rates and ROUGE-L/SBERT divergences.", 21 "source": "opus" 22 }, 23 "causal_claims_justified": { 24 "applies": true, 25 "answer": true, 26 "justification": "The study uses a controlled experimental design where the only difference between clean and injected pages is the injection payload. This controlled single-variable manipulation is adequate for the causal claims made (injections cause output changes).", 27 "source": "opus" 28 }, 29 "generalization_bounded": { 30 "applies": true, 31 "answer": false, 32 "justification": "The title says 'LLMs' broadly and the abstract refers to 'LLM-driven web pipelines' generally, but only two open-source models are tested. The paper does not bound its claims to these specific models or acknowledge the narrow scope.", 33 "source": "opus" 34 }, 35 "alternative_explanations_discussed": { 36 "applies": true, 37 "answer": false, 38 "justification": "No alternative explanations are considered for the observed differences between models or injection techniques. 
For example, the paper does not consider whether model size, training data composition, or instruction-tuning approach might explain differential susceptibility.", 39 "source": "opus" 40 }, 41 "proxy_outcome_distinction": { 42 "applies": true, 43 "answer": false, 44 "justification": "The paper uses ROUGE-L and SBERT similarity as proxies for 'injection impact' without discussing whether these metrics fully capture what constitutes a successful or harmful injection in real-world scenarios. The gap between summary divergence and actual harm is not addressed.", 45 "source": "opus" 46 } 47 }, 48 "limitations_and_scope": { 49 "limitations_section_present": { 50 "applies": true, 51 "answer": false, 52 "justification": "There is no dedicated limitations section. The conclusion mentions 'future work' directions but does not discuss current study limitations.", 53 "source": "opus" 54 }, 55 "threats_to_validity_specific": { 56 "applies": true, 57 "answer": false, 58 "justification": "No threats to validity are discussed anywhere in the paper. There is no consideration of how the synthetic dataset, small sample size, or two-model scope might threaten validity.", 59 "source": "opus" 60 }, 61 "scope_boundaries_stated": { 62 "applies": true, 63 "answer": false, 64 "justification": "No explicit scope boundaries are stated. The paper does not identify what the results do NOT show or what settings are excluded from the claims.", 65 "source": "opus" 66 } 67 }, 68 "conflicts_of_interest": { 69 "funding_disclosed": { 70 "applies": true, 71 "answer": false, 72 "justification": "No funding information is mentioned anywhere in the paper. 
There is no acknowledgments section disclosing grants or sponsors.", 73 "source": "opus" 74 }, 75 "affiliations_disclosed": { 76 "applies": true, 77 "answer": true, 78 "justification": "Author affiliations are clearly stated: both authors are from Manipal University Jaipur (Department of Computer Science and Engineering, Department of Data Science and Engineering).", 79 "source": "opus" 80 }, 81 "funder_independent_of_outcome": { 82 "applies": false, 83 "answer": false, 84 "justification": "This appears to be unfunded university student work. No funding source is mentioned.", 85 "source": "opus" 86 }, 87 "financial_interests_declared": { 88 "applies": true, 89 "answer": false, 90 "justification": "No competing interests or financial interests statement is included in the paper.", 91 "source": "opus" 92 } 93 }, 94 "scope_and_framing": { 95 "key_terms_defined": { 96 "applies": true, 97 "answer": false, 98 "justification": "Prompt injection is explained through examples, and HTML-based injection is detailed via 8 techniques. However, 'successful injection' is defined vaguely as influence 'consistent with the attack's intent,' and web summarization is not formally defined.", 99 "source": "haiku" 100 }, 101 "intended_contribution_clear": { 102 "applies": true, 103 "answer": true, 104 "justification": "The paper explicitly states its objective: to empirically assess LLM susceptibility to HTML-based prompt injections via a 282-page dataset and 8 techniques across 2 models. The contribution is clearly articulated as addressing an underexplored vulnerability.", 105 "source": "haiku" 106 }, 107 "engagement_with_prior_work": { 108 "applies": true, 109 "answer": true, 110 "justification": "Related work section (Section II) cites prompt injection foundations (Liu et al.), HTML attacks (Tao et al. 2023), and robustness surveys (Yang et al.). 
Engagement present but somewhat superficial — lists papers without deeply positioning this paper's novelty.", 111 "source": "haiku" 112 } 113 } 114 }, 115 "type_checklist": { 116 "empirical": { 117 "artifacts": { 118 "code_released": { 119 "applies": true, 120 "answer": true, 121 "justification": "A GitHub repository is provided in the Appendix: https://github.com/ishaanv1206/Decoding-Latent-Attack-Surfaces-in-LLMs-Prompt-Injection-via-HTML-in-Web-Summarization, containing evaluation scripts, HTML generation code, and model outputs.", 122 "source": "opus" 123 }, 124 "data_released": { 125 "applies": true, 126 "answer": true, 127 "justification": "The Appendix states the repository includes 'clean/ and injected/: HTML pages used for evaluation' as well as 'gemma.csv, llama.csv: Summarization outputs from each model' and 'metadata.csv'.", 128 "source": "opus" 129 }, 130 "environment_specified": { 131 "applies": true, 132 "answer": false, 133 "justification": "No requirements.txt, Dockerfile, or dependency specifications are mentioned in the paper. The paper mentions Python scripts and Playwright but does not specify library versions or environment setup details.", 134 "source": "opus" 135 }, 136 "reproduction_instructions": { 137 "applies": true, 138 "answer": false, 139 "justification": "The Appendix lists repository contents but provides no step-by-step reproduction instructions, README with commands, or explicit guidance on how to replicate the experiments.", 140 "source": "opus" 141 } 142 }, 143 "statistical_methodology": { 144 "confidence_intervals_or_error_bars": { 145 "applies": true, 146 "answer": false, 147 "justification": "Only point estimates are reported (e.g., average ROUGE-L of 0.3011, SBERT cosine similarity of 0.6980). 
No confidence intervals or error bars are provided.", 148 "source": "opus" 149 }, 150 "significance_tests": { 151 "applies": true, 152 "answer": false, 153 "justification": "The paper claims Llama 4 Scout is 'more susceptible' and certain techniques are 'most effective' based solely on comparing raw numbers. No statistical significance tests (t-tests, chi-squared, etc.) are applied.", 154 "source": "opus" 155 }, 156 "effect_sizes_reported": { 157 "applies": true, 158 "answer": false, 159 "justification": "No effect sizes (Cohen's d, odds ratios, etc.) are reported. Only raw success counts and average similarity scores are presented.", 160 "source": "opus" 161 }, 162 "sample_size_justified": { 163 "applies": true, 164 "answer": false, 165 "justification": "The dataset consists of 282 pages (141 clean, 141 injected) but no justification is given for this sample size, and no power analysis is discussed.", 166 "source": "opus" 167 }, 168 "variance_reported": { 169 "applies": true, 170 "answer": false, 171 "justification": "No variance, standard deviation, or spread measures are reported. It is unclear whether experiments were run once or multiple times.", 172 "source": "opus" 173 } 174 }, 175 "evaluation_design": { 176 "baselines_included": { 177 "applies": true, 178 "answer": true, 179 "justification": "Clean page summaries serve as baselines against which injected page summaries are compared. This is the core experimental design (clean vs. injected pairs).", 180 "source": "opus" 181 }, 182 "baselines_contemporary": { 183 "applies": true, 184 "answer": true, 185 "justification": "Both evaluated models are current: Llama 4 Scout (Meta, 2025) and Gemma 9B IT (Google, 2024). 
These are recent, publicly available models.", 186 "source": "opus" 187 }, 188 "ablation_study": { 189 "applies": true, 190 "answer": false, 191 "justification": "While results are broken down by injection technique (Table 2), there is no systematic ablation study removing or modifying individual components of the injection or evaluation pipeline.", 192 "source": "opus" 193 }, 194 "multiple_metrics": { 195 "applies": true, 196 "answer": true, 197 "justification": "Three evaluation approaches are used: ROUGE-L (lexical overlap), SBERT cosine similarity (semantic similarity), and manual annotation of injection success.", 198 "source": "opus" 199 }, 200 "human_evaluation": { 201 "applies": true, 202 "answer": true, 203 "justification": "Section III states: 'the \"Injection Successful\" outcome was determined through manual inspection' of LLM summary outputs for evidence of adversarial influence.", 204 "source": "opus" 205 }, 206 "held_out_test_set": { 207 "applies": true, 208 "answer": false, 209 "justification": "No train/test split is discussed. The entire dataset is used for evaluation with no hold-out set, though since no model tuning is performed, this is less critical.", 210 "source": "opus" 211 }, 212 "per_category_breakdown": { 213 "applies": true, 214 "answer": true, 215 "justification": "Table 2 provides per-injection-technique breakdowns of successful injections for both models. 
Results by injection type are also discussed for ROUGE-L and SBERT scores.", 216 "source": "opus" 217 }, 218 "failure_cases_discussed": { 219 "applies": true, 220 "answer": false, 221 "justification": "The paper provides one qualitative example of a successful injection (pirate persona) but does not systematically discuss failure cases — where and why injections failed to influence model outputs.", 222 "source": "opus" 223 }, 224 "negative_results_reported": { 225 "applies": true, 226 "answer": true, 227 "justification": "Table 2 shows several injection techniques with zero successes (hidden script: 0 for Gemma; base64, ARIA label, alt text not listed as successful for either model), indicating that these techniques were ineffective.", 228 "source": "opus" 229 } 230 }, 231 "setup_transparency": { 232 "model_versions_specified": { 233 "applies": true, 234 "answer": false, 235 "justification": "Models are identified as 'Llama 4 Scout' and 'Gemma 9B IT' without exact version identifiers, snapshot dates, or API versions. Reference [19] mentions 'Llama-4-Scout-17B-16E' but this full identifier is not used in the paper itself.", 236 "source": "opus" 237 }, 238 "prompts_provided": { 239 "applies": true, 240 "answer": false, 241 "justification": "The paper describes the prompt as 'a standardized prompt instructing the LLM to generate a one-paragraph summary of the web page' but does not provide the actual prompt text used.", 242 "source": "opus" 243 }, 244 "hyperparameters_reported": { 245 "applies": true, 246 "answer": false, 247 "justification": "No hyperparameters (temperature, top-p, max tokens, etc.) are reported for either model's inference configuration.", 248 "source": "opus" 249 }, 250 "scaffolding_described": { 251 "applies": false, 252 "answer": false, 253 "justification": "No agentic scaffolding is used. 
The models are prompted directly to generate summaries.", 254 "source": "opus" 255 }, 256 "data_preprocessing_documented": { 257 "applies": true, 258 "answer": true, 259 "justification": "Section III describes the full pipeline: HTML page creation with CSS styling, injection technique application, hosting on GitHub Pages, Playwright-based extraction of HTML source and rendered text, and standardized prompting for summarization.", 260 "source": "opus" 261 } 262 }, 263 "data_integrity": { 264 "raw_data_available": { 265 "applies": true, 266 "answer": true, 267 "justification": "The Appendix provides a GitHub repository containing raw HTML files (clean/ and injected/), model outputs (gemma.csv, llama.csv), and metadata (metadata.csv).", 268 "source": "opus" 269 }, 270 "data_collection_described": { 271 "applies": true, 272 "answer": true, 273 "justification": "Section III describes how 28 content categories were used, how injection techniques were implemented and randomly assigned, how pages were hosted on GitHub Pages, and how Playwright extracted HTML source and rendered text.", 274 "source": "opus" 275 }, 276 "recruitment_methods_described": { 277 "applies": false, 278 "answer": false, 279 "justification": "No human participants are involved. 
The dataset is entirely synthetic/self-constructed, not drawn from a standard benchmark.", 280 "source": "opus" 281 }, 282 "data_pipeline_documented": { 283 "applies": true, 284 "answer": true, 285 "justification": "The pipeline from HTML generation → injection → hosting → Playwright extraction → LLM summarization → metric computation → manual annotation is documented in Section III, though the jump from '28 static HTML pages' to 141 clean + 141 injected is not fully explained.", 286 "source": "opus" 287 } 288 }, 289 "contamination": { 290 "training_cutoff_stated": { 291 "applies": false, 292 "answer": false, 293 "justification": "This paper tests LLM susceptibility to prompt injection attacks, not model knowledge on a benchmark. It evaluates a security vulnerability rather than model capability, so contamination concerns do not apply.", 294 "source": "opus" 295 }, 296 "train_test_overlap_discussed": { 297 "applies": false, 298 "answer": false, 299 "justification": "The study tests defense/vulnerability to prompt injection, not model knowledge. Contamination of the synthetic HTML pages in training data is not the same concern as benchmark contamination.", 300 "source": "opus" 301 }, 302 "benchmark_contamination_addressed": { 303 "applies": false, 304 "answer": false, 305 "justification": "The study tests prompt injection susceptibility rather than model capability on a knowledge benchmark. Traditional benchmark contamination does not apply.", 306 "source": "opus" 307 } 308 }, 309 "human_studies": { 310 "applies": false, 311 "answer": false, 312 "justification": "Not applicable — no human subjects or participant studies. Manual annotation is researcher judgment, not human participant evaluation.", 313 "source": "haiku", 314 "pre_registered": { 315 "applies": false, 316 "answer": false, 317 "justification": "No human participants are involved in this study. 
The dataset is synthetic and evaluation is automated (with manual annotation by the authors).", 318 "source": "opus" 319 }, 320 "irb_or_ethics_approval": { 321 "applies": false, 322 "answer": false, 323 "justification": "No human participants. The study evaluates LLM outputs on synthetic web pages.", 324 "source": "opus" 325 }, 326 "demographics_reported": { 327 "applies": false, 328 "answer": false, 329 "justification": "No human participants in this study.", 330 "source": "opus" 331 }, 332 "inclusion_exclusion_criteria": { 333 "applies": false, 334 "answer": false, 335 "justification": "No human participants in this study.", 336 "source": "opus" 337 }, 338 "randomization_described": { 339 "applies": false, 340 "answer": false, 341 "justification": "No human participants in this study.", 342 "source": "opus" 343 }, 344 "blinding_described": { 345 "applies": false, 346 "answer": false, 347 "justification": "No human participants in this study.", 348 "source": "opus" 349 }, 350 "attrition_reported": { 351 "applies": false, 352 "answer": false, 353 "justification": "No human participants in this study.", 354 "source": "opus" 355 } 356 }, 357 "cost_and_practicality": { 358 "inference_cost_reported": { 359 "applies": true, 360 "answer": false, 361 "justification": "No inference cost, API costs, tokens consumed, or wall-clock time is reported for either model's summarization runs.", 362 "source": "opus" 363 }, 364 "compute_budget_stated": { 365 "applies": true, 366 "answer": false, 367 "justification": "No information about computational resources, GPU hours, or hardware used is provided.", 368 "source": "opus" 369 } 370 }, 371 "experimental_rigor": { 372 "seed_sensitivity_reported": { 373 "applies": true, 374 "answer": false, 375 "justification": "No mention of multiple random seeds. 
It appears experiments were run once per page per model.", 376 "source": "opus" 377 }, 378 "number_of_runs_stated": { 379 "applies": true, 380 "answer": false, 381 "justification": "The number of experimental runs is never stated. It is unclear if each page was summarized once or multiple times.", 382 "source": "opus" 383 }, 384 "hyperparameter_search_budget": { 385 "applies": true, 386 "answer": false, 387 "justification": "No hyperparameter search is mentioned. Model inference settings (temperature, etc.) are not even reported, let alone justified through search.", 388 "source": "opus" 389 }, 390 "best_config_selection_justified": { 391 "applies": true, 392 "answer": false, 393 "justification": "No configuration selection process is described. The paper does not explain how model settings or prompt design were chosen.", 394 "source": "opus" 395 }, 396 "multiple_comparison_correction": { 397 "applies": true, 398 "answer": false, 399 "justification": "Multiple comparisons are made across 8 injection techniques and 2 models, but no statistical tests are performed at all, let alone corrections for multiple comparisons.", 400 "source": "opus" 401 }, 402 "self_comparison_bias_addressed": { 403 "applies": true, 404 "answer": false, 405 "justification": "The authors evaluate their own attack framework and dataset without acknowledging the bias inherent in authors evaluating their own system.", 406 "source": "opus" 407 }, 408 "compute_budget_vs_performance": { 409 "applies": true, 410 "answer": false, 411 "justification": "No compute budget information is provided, so performance cannot be contextualized against resource usage.", 412 "source": "opus" 413 }, 414 "benchmark_construct_validity": { 415 "applies": true, 416 "answer": false, 417 "justification": "The paper does not discuss whether its synthetic HTML pages and injection techniques are representative of real-world web content and actual attack scenarios. 
Construct validity of the benchmark is not addressed.", 418 "source": "opus" 419 }, 420 "scaffold_confound_addressed": { 421 "applies": false, 422 "answer": false, 423 "justification": "No scaffolding is involved. Models are prompted directly for summarization.", 424 "source": "opus" 425 } 426 }, 427 "data_leakage": { 428 "temporal_leakage_addressed": { 429 "applies": true, 430 "answer": false, 431 "justification": "The synthetic HTML pages were hosted on GitHub Pages and could theoretically appear in model training data. No temporal analysis or discussion of whether models may have seen similar content is provided.", 432 "source": "opus" 433 }, 434 "feature_leakage_addressed": { 435 "applies": true, 436 "answer": false, 437 "justification": "No discussion of whether the evaluation setup might inadvertently leak information about injection presence to the model through formatting or structural cues.", 438 "source": "opus" 439 }, 440 "non_independence_addressed": { 441 "applies": true, 442 "answer": false, 443 "justification": "Pages are generated from 28 content templates, meaning multiple test pages share structural similarities. This non-independence is not discussed.", 444 "source": "opus" 445 }, 446 "leakage_detection_method": { 447 "applies": true, 448 "answer": false, 449 "justification": "No leakage detection or prevention methods are applied.", 450 "source": "opus" 451 } 452 } 453 } 454 }, 455 "claims": [ 456 { 457 "claim": "HTML-based prompt injections can successfully manipulate LLM summarization outputs", 458 "evidence": "Llama 4 Scout: 29.29% success rate (41/140 injected pages). Gemma 9B IT: 15.71% success rate (22/140). Manual annotation confirmed injection influence.", 459 "supported": "strong" 460 }, 461 { 462 "claim": "Meta tags and opacity-zero divs are the most effective HTML injection attack vectors", 463 "evidence": "Table 2: Meta tag 23 total successes (17 Llama + 6 Gemma). Opacity div 19 successes (10 + 9). 
These two techniques outperformed the other 6 methods.", 464 "supported": "strong" 465 }, 466 { 467 "claim": "Llama 4 Scout exhibits significantly higher vulnerability to HTML injection than Gemma 9B IT", 468 "evidence": "Llama success rate 29.29% vs. Gemma 15.71%. Llama succeeded more frequently on 7 of 8 injection techniques. Model-specific vulnerability confirmed.", 469 "supported": "strong" 470 }, 471 { 472 "claim": "Successful injections cause measurable lexical and semantic divergence in summaries", 473 "evidence": "SBERT cosine similarity ~0.69 on average (below 1.0 identity), indicating semantic differences. ROUGE-L ~0.30, showing lexical divergence. Example: 'Customer Reviews' page summarized as pirate-themed after meta-tag injection despite identical visible content.", 474 "supported": "strong" 475 }, 476 { 477 "claim": "Hidden HTML elements can evade conventional input sanitization methods used in web pipelines", 478 "evidence": "Eight hidden/non-visible injection techniques (aria-label, meta, opacity, comments, base64, alt text, hidden divs, scripts) successfully influenced outputs. These elements bypass visible-content-only sanitization.", 479 "supported": "moderate" 480 }, 481 { 482 "claim": "HTML comment injection and hidden div techniques are reliable injection vectors", 483 "evidence": "Table 2: Comment injection 19 successes (12 Llama + 7 Gemma). Hidden div succeeded across both models. Both techniques ranked in top 4 by effectiveness.", 484 "supported": "strong" 485 } 486 ], 487 "methodology_tags": [ 488 "benchmark-eval", 489 "empirical" 490 ], 491 "key_findings": "HTML-based prompt injections represent a realistic vulnerability in LLM-powered web summarization systems, with success rates of 29.3% (Llama 4 Scout) and 15.7% (Gemma 9B IT) on a 282-page test set. Meta tags and opacity divs emerge as the most effective attack vectors, successfully embedding hidden instructions in non-visible HTML elements. 
Successful injections caused measurable semantic and lexical changes in model outputs (SBERT divergence ~0.30 from identity), as confirmed by both automatic metrics and manual annotation. The vulnerability persists despite visible page content remaining unchanged, indicating that models process raw HTML in ways that bypass conventional input sanitization approaches designed for visible text.", 492 "red_flags": [ 493 { 494 "flag": "Model identity unclear", 495 "detail": "'Llama 4 Scout' is not a recognized model variant (Llama 4 does not exist as of Feb 2025). Raises questions about model availability, accuracy, or potential fictional models." 496 }, 497 { 498 "flag": "Sample size inconsistency", 499 "detail": "Methodology states '28 static HTML pages' but then references '282 pages (141 clean + 141 injected).' Conflicting information in the same section." 500 }, 501 { 502 "flag": "No inter-rater reliability", 503 "detail": "Manual annotation of 'successful injection' performed with no reported inter-rater agreement, kappa statistic, or indication of single vs. multiple raters." 504 }, 505 { 506 "flag": "No statistical significance testing", 507 "detail": "Llama 29.29% vs Gemma 15.71% success rates compared without p-value, t-test, or confidence intervals. No claim that difference is statistically significant." 508 }, 509 { 510 "flag": "Missing critical reproducibility details", 511 "detail": "No prompts provided, no hyperparameters (temperature, top-p, max_tokens), no training data cutoff dates. Essential for reproducing and understanding results." 512 }, 513 { 514 "flag": "Overgeneralized conclusions", 515 "detail": "Title claims 'Decoding Latent Attack Surfaces in LLMs' broadly, but only 2 specific models tested on 1 task (web summarization). Generality not supported." 516 }, 517 { 518 "flag": "No limitations section", 519 "detail": "Critical omission for a security research paper. 
No dedicated discussion of scope boundaries, generalization threats, or validity limitations." 520 }, 521 { 522 "flag": "Alternative explanations not explored", 523 "detail": "Paper doesn't address whether injections work via genuine instruction comprehension vs. stochastic model variation. No analysis of why meta tags succeed while hidden scripts fail." 524 } 525 ], 526 "cited_papers": [ 527 { 528 "title": "Automatic and Universal Prompt Injection Attacks against Large Language Models", 529 "authors": "Liu, X., et al.", 530 "year": 2024, 531 "venue": "arXiv", 532 "relevance": "Foundational framework for prompt injection attacks; this paper extends to HTML-based variants in web context" 533 }, 534 { 535 "title": "Raze to the Ground: Query-Efficient Adversarial HTML Attacks on Machine-Learning Phishing Webpage Detectors", 536 "authors": "Tao, L., Li, M., Li, H.", 537 "year": 2023, 538 "venue": "AISec '23", 539 "relevance": "Prior work on adversarial HTML attacks; extends methods to LLM security context for summarization pipelines" 540 }, 541 { 542 "title": "Evaluating and Improving Robustness in Large Language Models: A Survey", 543 "authors": "Yang, Y., et al.", 544 "year": 2024, 545 "venue": "arXiv", 546 "relevance": "Comprehensive survey of LLM robustness evaluation methodology and metrics; informs evaluation design" 547 }, 548 { 549 "title": "Prompt Injection attack against LLM-integrated Applications", 550 "authors": "Liu, Y., et al.", 551 "year": 2023, 552 "venue": "arXiv", 553 "relevance": "Explores application-level prompt injection attacks on integrated LLM systems" 554 }, 555 { 556 "title": "Prompt Injection Attacks on Large Language Models in Realistic Settings", 557 "authors": "Clusmann, J., et al.", 558 "year": 2024, 559 "venue": "arXiv", 560 "relevance": "Real-world prompt injection scenarios; addresses realism gap between synthetic and production LLM deployments" 561 }, 562 { 563 "title": "LLM Prompt Injection Prevention Cheat Sheet", 564 "authors": 
"OWASP", 565 "year": 2023, 566 "venue": "OWASP Cheat Sheet Series", 567 "relevance": "Industry defense guidance; contrasts with attack techniques demonstrated in this paper" 568 }, 569 { 570 "title": "Adversarial Examples in Cybersecurity: A Survey", 571 "authors": "Li, S.", 572 "year": 2020, 573 "venue": "Computers & Security", 574 "relevance": "Background on adversarial attack methods in security; HTML attacks adapted from cybersecurity domain" 575 }, 576 { 577 "title": "Retrieval-Augmented In-Context Learning Attacks and Defenses", 578 "authors": "Yu, Q., et al.", 579 "year": 2024, 580 "venue": "arXiv", 581 "relevance": "Related work on prompt injection in retrieval-augmented systems; relevant to web-integrated LLM pipelines" 582 } 583 ], 584 "engagement_factors": { 585 "practical_relevance": { 586 "score": 2, 587 "justification": "Web developers integrating LLMs into summarization pipelines can use these findings to identify and mitigate HTML-based injection vectors." 588 }, 589 "surprise_contrarian": { 590 "score": 1, 591 "justification": "Confirms the known vulnerability of LLMs to prompt injection through a specific HTML channel; results are expected rather than surprising." 592 }, 593 "fear_safety": { 594 "score": 2, 595 "justification": "Demonstrates concrete invisible injection attacks through common HTML elements that could manipulate LLM-powered web tools without user awareness." 596 }, 597 "drama_conflict": { 598 "score": 0, 599 "justification": "No controversy, no criticism of specific companies or products, purely a vulnerability demonstration study." 600 }, 601 "demo_ability": { 602 "score": 2, 603 "justification": "Code and dataset available on GitHub with HTML pages, evaluation scripts, and model outputs, allowing reproduction." 604 }, 605 "brand_recognition": { 606 "score": 1, 607 "justification": "Tests Meta's Llama 4 and Google's Gemma — recognizable but not top-tier attention magnets like GPT-4 or ChatGPT." 
608 } 609 }, 610 "hn_data": { 611 "threads": [ 612 { 613 "hn_id": "44171652", 614 "title": "Oh fuck! How do people feel about robots that leverage profanity?", 615 "points": 18, 616 "comments": 50, 617 "url": "https://news.ycombinator.com/item?id=44171652" 618 }, 619 { 620 "hn_id": "41597663", 621 "title": "Breaking ReCAPTCHAv2", 622 "points": 5, 623 "comments": 0, 624 "url": "https://news.ycombinator.com/item?id=41597663" 625 }, 626 { 627 "hn_id": "44211549", 628 "title": "Oracular Programming: A Modular Foundation for Building LLM-Enabled Software", 629 "points": 4, 630 "comments": 1, 631 "url": "https://news.ycombinator.com/item?id=44211549" 632 }, 633 { 634 "hn_id": "41571318", 635 "title": "Breaking ReCAPTCHAv2", 636 "points": 3, 637 "comments": 2, 638 "url": "https://news.ycombinator.com/item?id=41571318" 639 }, 640 { 641 "hn_id": "42708072", 642 "title": "MiniMax-01: Scaling Foundation Models with Lightning Attention", 643 "points": 3, 644 "comments": 1, 645 "url": "https://news.ycombinator.com/item?id=42708072" 646 }, 647 { 648 "hn_id": "42680545", 649 "title": "Mlkaps: Machine Learning and Adaptive Sampling for HPC Kernel Auto-Tuning", 650 "points": 3, 651 "comments": 0, 652 "url": "https://news.ycombinator.com/item?id=42680545" 653 }, 654 { 655 "hn_id": "41604215", 656 "title": "Radio Technosignature Search of Trappist-1 with the Allen Telescope Array", 657 "points": 3, 658 "comments": 0, 659 "url": "https://news.ycombinator.com/item?id=41604215" 660 }, 661 { 662 "hn_id": "37569675", 663 "title": "RL for Supply Chain Attacks Against Frequency and Voltage Control", 664 "points": 3, 665 "comments": 0, 666 "url": "https://news.ycombinator.com/item?id=37569675" 667 }, 668 { 669 "hn_id": "45274922", 670 "title": "Candidates evoke identity and issues on TikTok", 671 "points": 2, 672 "comments": 0, 673 "url": "https://news.ycombinator.com/item?id=45274922" 674 }, 675 { 676 "hn_id": "44847789", 677 "title": "SortBench: Benchmarking LLMs based on their ability to 
sort lists", 678 "points": 2, 679 "comments": 1, 680 "url": "https://news.ycombinator.com/item?id=44847789" 681 } 682 ], 683 "top_points": 18, 684 "total_points": 46, 685 "total_comments": 55 686 } 687 }