ai-research-survey

Systematic scan of agentic development research. What's signal, what's noise.
git clone https://git.shiptheloop.com/ai-research-survey.git

scan.json (28469B)


      1 {
      2   "paper": {
      3     "title": "Design and Implementation of a Secure RAG-Enhanced AI Chatbot for Smart Tourism Customer Service: Defending Against Prompt Injection Attacks – A Case Study of Hsinchu, Taiwan",
      4     "authors": [
      5       "Yu-Kai Shih",
      6       "You-Kai Kang"
      7     ],
      8     "year": 2025,
      9     "venue": "arXiv.org",
     10     "arxiv_id": "2509.21367",
     11     "doi": "10.48550/arXiv.2509.21367"
     12   },
     13   "scan_version": 3,
     14   "active_modules": [
     15     "experimental_rigor",
     16     "data_leakage"
     17   ],
     18   "methodology_tags": [
     19     "case-study",
     20     "benchmark-eval"
     21   ],
     22   "key_findings": "A RAG-enhanced tourism chatbot with layered defenses (system norms, gatekeeper, reverse RAG) blocks 301 of 674 adversarial injection prompts (45% recall) while maintaining 95% benign accuracy. GPT-5 without guardrails blocks only 249/674 attacks (37% recall), demonstrating that base model improvements alone are insufficient. The Gatekeeper (V2) and Reverse RAG (V3) versions achieve identical block counts across all attack categories, suggesting the reverse RAG layer adds no measurable incremental defense value. Response latency increases from 2.1s (baseline) to 3.2s (secure RAG) with the added defense layers.",
     23   "checklist": {
     24     "artifacts": {
     25       "code_released": {
     26         "applies": true,
     27         "answer": false,
     28         "justification": "No repository URL, code archive, or download link is provided anywhere in the paper. The system was developed by a Taiwan-based tourism technology firm but no source code is released."
     29       },
     30       "data_released": {
     31         "applies": true,
     32         "answer": false,
     33         "justification": "The adversarial datasets reference public sources (Deepset, Rubend18) but the 223 benign test queries and 49 partner-provided adversarial samples are not released. No download link for any combined dataset is provided."
     34       },
     35       "environment_specified": {
     36         "applies": true,
     37         "answer": false,
     38         "justification": "Section 3.4 lists 'Linux workstation with a single modern NVIDIA GPU, 64 GB RAM' and 'Python 3.11; Flowise; Qdrant; LangSmith' but provides no requirements.txt, Dockerfile, or detailed library versions sufficient to recreate the environment."
     39       },
     40       "reproduction_instructions": {
     41         "applies": true,
     42         "answer": false,
     43         "justification": "No step-by-step reproduction instructions, README, or scripts are provided. The paper describes the architecture conceptually but does not provide enough detail to replicate the system."
     44       }
     45     },
     46     "statistical_methodology": {
     47       "confidence_intervals_or_error_bars": {
     48         "applies": true,
     49         "answer": false,
     50         "justification": "All results in Tables 3-5 are reported as point estimates only. No confidence intervals, error bars, or uncertainty measures appear anywhere in the paper."
     51       },
     52       "significance_tests": {
     53         "applies": true,
     54         "answer": false,
     55         "justification": "The paper claims differences between defense versions (e.g., V0 vs V3) and between GPT-4o and GPT-5 based solely on comparing raw numbers without any statistical significance tests."
     56       },
     57       "effect_sizes_reported": {
     58         "applies": true,
     59         "answer": true,
     60         "justification": "Table 5 provides baseline context for all metrics (e.g., benign accuracy 78%→95%, hallucination rate 15%→2%, injection block rate 0%→100%), allowing the reader to assess the magnitude of improvements."
     61       },
     62       "sample_size_justified": {
     63         "applies": true,
     64         "answer": false,
     65         "justification": "No justification is given for the 223 benign queries or 674 adversarial prompts. No power analysis or sample size rationale is discussed."
     66       },
     67       "variance_reported": {
     68         "applies": true,
     69         "answer": false,
     70         "justification": "No standard deviations, variance across runs, or any spread measures are reported. Results appear to be from single runs with no indication of result stability."
     71       }
     72     },
     73     "evaluation_design": {
     74       "baselines_included": {
     75         "applies": true,
     76         "answer": true,
     77         "justification": "V0 (zero defense) serves as a naive baseline, with V1 (system norms), V2 (gatekeeper), V3 (reverse RAG), and V4 (GPT-5 direct) compared incrementally in Tables 3-5."
     78       },
     79       "baselines_contemporary": {
     80         "applies": true,
     81         "answer": false,
     82         "justification": "All baselines are internal variants of the same system. No comparison is made against any published prompt injection defense system, external guardrail framework, or competing approach from the literature."
     83       },
     84       "ablation_study": {
     85         "applies": true,
     86         "answer": true,
     87         "justification": "The V0→V1→V2→V3 progression effectively ablates defense layers, and V4 (GPT-5 direct) tests model capability with minimal scaffolding. Tables 3-4 show the incremental contribution of each layer."
     88       },
     89       "multiple_metrics": {
     90         "applies": true,
     91         "answer": true,
     92         "justification": "Table 4 reports precision, recall, accuracy, and F1 for attack detection. Table 5 reports benign accuracy, hallucination rate, injection block rate, response time, and user satisfaction."
     93       },
     94       "human_evaluation": {
     95         "applies": true,
     96         "answer": false,
     97         "justification": "Table 5 reports 'User Satisfaction (1-5)' scores (3.4 to 4.8) but provides zero description of the evaluation methodology — no number of evaluators, no evaluation protocol, no questionnaire, no recruitment process."
     98       },
     99       "held_out_test_set": {
    100         "applies": true,
    101         "answer": false,
    102         "justification": "No explicit separation between development/tuning data and test data is described. It is unclear whether any of the 223 benign queries or 674 adversarial prompts influenced the defense design during development."
    103       },
    104       "per_category_breakdown": {
    105         "applies": true,
    106         "answer": true,
    107         "justification": "Table 3 breaks down blocked attacks by attack type (double character, virtualization, obfuscation, payload splitting, adversarial suffix, instruction manipulation) across all defense versions."
    108       },
    109       "failure_cases_discussed": {
    110         "applies": true,
    111         "answer": true,
    112         "justification": "The 'Failure Case Analysis' section discusses three representative failure modes: indirect obfuscation with benign wrappers, multi-turn anchoring, and ambiguous safety scopes, with proposed mitigations."
    113       },
    114       "negative_results_reported": {
    115         "applies": true,
    116         "answer": true,
    117         "justification": "The paper honestly reports that overall recall is only 45% (373/674 attacks missed), that GPT-5 blocks only 37% on the full corpus, and that V2 and V3 achieve identical block counts (suggesting V3's reverse RAG adds no measurable value)."
    118       }
    119     },
    120     "claims_and_evidence": {
    121       "abstract_claims_supported": {
    122         "applies": true,
    123         "answer": false,
    124         "justification": "The abstract claims the secure version achieves 'substantial detection and mitigation rates across attack categories,' but actual recall on the full 674-attack corpus is only 45% (Table 4). The abstract's framing significantly overstates the system's defensive capability."
    125       },
    126       "causal_claims_justified": {
    127         "applies": true,
    128         "answer": true,
    129         "justification": "The V0→V1→V2→V3 incremental ablation design is a controlled single-variable manipulation — each version adds one defense layer while keeping others constant. This is adequate for the causal claims about each layer's contribution."
    130       },
    131       "generalization_bounded": {
    132         "applies": true,
    133         "answer": false,
    134         "justification": "The title bounds results to Hsinchu, but the conclusion claims the system 'serves as a practical blueprint for deploying secure AI in visitor services' and aims to 'foster innovation in secure smart tourism globally.' A system with 45% attack detection rate does not support 'blueprint' claims."
    135       },
    136       "alternative_explanations_discussed": {
    137         "applies": true,
    138         "answer": false,
    139         "justification": "No discussion of alternative explanations for results. For example, no consideration that the 301 blocked attacks may simply be the easiest/most formulaic attacks, or that the defense pattern-matches known attack templates rather than genuinely understanding intent."
    140       },
    141       "proxy_outcome_distinction": {
    142         "applies": true,
    143         "answer": false,
    144         "justification": "The paper frames 45% recall as 'substantial' defense and presents 'User Satisfaction' scores without explaining what they measure or how they were collected. The gap between the proxy (block rate on curated attack sets) and the claimed outcome (system security) is not acknowledged."
    145       }
    146     },
    147     "setup_transparency": {
    148       "model_versions_specified": {
    149         "applies": true,
    150         "answer": false,
    151         "justification": "The paper uses 'GPT-4o' and 'GPT-5 (released 2025-08-07)' but provides no snapshot dates or API version identifiers. Marketing names without snapshot dates do not constitute specified versions per the schema."
    152       },
    153       "prompts_provided": {
    154         "applies": true,
    155         "answer": false,
    156         "justification": "Sections 3.2.2 and 3.2.4 provide prompt 'excerpts' and 'skeletons' but not complete prompts. The system norms prompt is labeled 'Prompt Skeleton (excerpt)' and the summary directive is a fragment. The full prompt text used in experiments is not provided."
    157       },
    158       "hyperparameters_reported": {
    159         "applies": true,
    160         "answer": true,
    161         "justification": "Section 3.4 reports: 'Retrieval top-k = 5; similarity threshold τ = 0.70; temperature = 0.2; max tokens = 1024; cosine distance for relevance.'"
    162       },
    163       "scaffolding_described": {
    164         "applies": true,
    165         "answer": true,
    166         "justification": "The Agentflow variants (V0-V4) are described in detail in Sections 3.2.1-3.2.5 with workflow diagrams (Figures 1-7), component descriptions (intent router, relevance check, leak scan), and decision tables (Table 1)."
    167       },
    168       "data_preprocessing_documented": {
    169         "applies": true,
    170         "answer": false,
    171         "justification": "No description of how the adversarial datasets were combined, filtered, or preprocessed. The 373 attacks that don't fall into any of the 6 taxonomy categories (674 total minus 301 categorized) are never explained or characterized."
    172       }
    173     },
    174     "limitations_and_scope": {
    175       "limitations_section_present": {
    176         "applies": true,
    177         "answer": true,
    178         "justification": "Section 6 'Limitations' provides substantive discussion across 9 specific limitation areas including dataset diversity, API vulnerabilities, RAG scope, multilingual coverage, and adversarial threat evolution."
    179       },
    180       "threats_to_validity_specific": {
    181         "applies": true,
    182         "answer": true,
    183         "justification": "Section 6 lists specific threats: 'Internal queries may not capture full diversity; field trials are essential,' 'Tested known attacks; emerging threats (e.g., indirect injections) may evade,' and 'GPT-5: Early access limited testing depth.' These are specific to this study."
    184       },
    185       "scope_boundaries_stated": {
    186         "applies": true,
    187         "answer": true,
    188         "justification": "Section 6 states specific exclusions: multilingual support is 'limited to major languages; slang/dialects unhandled,' 'Flowise limits flexibility,' and adversarial testing covered only 'known attacks' with emerging threats unexplored."
    189       }
    190     },
    191     "data_integrity": {
    192       "raw_data_available": {
    193         "applies": true,
    194         "answer": false,
    195         "justification": "No raw data is released. The 223 benign queries, 49 partner-provided adversarial samples, system responses, and CPE logs are not available for independent verification."
    196       },
    197       "data_collection_described": {
    198         "applies": true,
    199         "answer": false,
    200         "justification": "Section 3.3 names the adversarial sources ('Deepset (546), Rubend18 (79), partner (49, adapted)') and states '223 benign queries (informational/transactional/exploratory)' but does not describe how the benign queries were created, how partner samples were adapted, or what inclusion criteria were used."
    201       },
    202       "recruitment_methods_described": {
    203         "applies": false,
    204         "answer": false,
    205         "justification": "No human participants in this study. Data sources are adversarial prompt datasets and system-generated test queries, not human subjects."
    206       },
    207       "data_pipeline_documented": {
    208         "applies": true,
    209         "answer": false,
    210         "justification": "No documentation of the data pipeline from raw datasets to final evaluation. The 674 total adversarial prompts include 373 that are not categorized into any attack type in Table 2, and this gap is never explained."
    211       }
    212     },
    213     "conflicts_of_interest": {
    214       "funding_disclosed": {
    215         "applies": true,
    216         "answer": false,
    217         "justification": "No funding section or acknowledgments mentioning financial support. The paper references development by 'a Taiwan-based tourism technology firm' but does not disclose the financial arrangement or name the firm."
    218       },
    219       "affiliations_disclosed": {
    220         "applies": true,
    221         "answer": false,
    222         "justification": "Author affiliations list 'National Dong Hwa University' and 'BTS Experimental Education Program' but the relationship between the authors and the unnamed tourism tech firm that developed the system is not disclosed."
    223       },
    224       "funder_independent_of_outcome": {
    225         "applies": true,
    226         "answer": false,
    227         "justification": "The unnamed tourism technology firm that developed the chatbot has a clear commercial interest in the system being shown as effective. This conflict is not acknowledged or discussed."
    228       },
    229       "financial_interests_declared": {
    230         "applies": true,
    231         "answer": false,
    232         "justification": "No competing interests or financial disclosure statement appears anywhere in the paper."
    233       }
    234     },
    235     "contamination": {
    236       "training_cutoff_stated": {
    237         "applies": false,
    238         "answer": false,
    239         "justification": "This paper tests defense mechanisms against prompt injection attacks rather than evaluating a pre-trained model's knowledge on a benchmark. The adversarial prompts test security behavior, not learned knowledge."
    240       },
    241       "train_test_overlap_discussed": {
    242         "applies": false,
    243         "answer": false,
    244         "justification": "This is a defense-testing study (red-teaming) that evaluates guardrails against adversarial inputs, not a benchmark evaluation of model knowledge."
    245       },
    246       "benchmark_contamination_addressed": {
    247         "applies": false,
    248         "answer": false,
    249         "justification": "The evaluation tests whether defense layers block attacks, not whether the model has memorized benchmark answers. Contamination in the traditional sense does not apply."
    250       }
    251     },
    252     "human_studies": {
    253       "pre_registered": {
    254         "applies": false,
    255         "answer": false,
    256         "justification": "No human participants in this study. Evaluation is entirely automated using adversarial and benign prompt datasets."
    257       },
    258       "irb_or_ethics_approval": {
    259         "applies": false,
    260         "answer": false,
    261         "justification": "No human participants. The study tests an AI chatbot system against automated datasets."
    262       },
    263       "demographics_reported": {
    264         "applies": false,
    265         "answer": false,
    266         "justification": "No human participants. All evaluation is automated."
    267       },
    268       "inclusion_exclusion_criteria": {
    269         "applies": false,
    270         "answer": false,
    271         "justification": "No human participants in this study."
    272       },
    273       "randomization_described": {
    274         "applies": false,
    275         "answer": false,
    276         "justification": "No human participants or experimental conditions requiring randomization."
    277       },
    278       "blinding_described": {
    279         "applies": false,
    280         "answer": false,
    281         "justification": "No human participants or evaluators requiring blinding."
    282       },
    283       "attrition_reported": {
    284         "applies": false,
    285         "answer": false,
    286         "justification": "No human participants."
    287       }
    288     },
    289     "cost_and_practicality": {
    290       "inference_cost_reported": {
    291         "applies": true,
    292         "answer": true,
    293         "justification": "Table 5 reports response time in seconds for each version: Baseline 2.1s, RAG 2.8s, Secure RAG 3.2s, GPT-5 Direct 2.5s. This provides wall-clock latency per query."
    294       },
    295       "compute_budget_stated": {
    296         "applies": true,
    297         "answer": false,
    298         "justification": "Section 3.4 mentions hardware ('Linux workstation with a single modern NVIDIA GPU, 64 GB RAM') but does not quantify total API spend, GPU hours, or computational budget for the evaluation."
    299       }
    300     },
    301     "experimental_rigor": {
    302       "seed_sensitivity_reported": {
    303         "applies": true,
    304         "answer": false,
    305         "justification": "No mention of multiple runs, random seeds, or seed sensitivity analysis. All results appear to be from single runs."
    306       },
    307       "number_of_runs_stated": {
    308         "applies": true,
    309         "answer": false,
    310         "justification": "The number of experimental runs is never stated. Results are presented without indicating how many runs produced them."
    311       },
    312       "hyperparameter_search_budget": {
    313         "applies": true,
    314         "answer": false,
    315         "justification": "No hyperparameter search described. The similarity threshold τ=0.70 and temperature=0.2 appear chosen without justification or search budget."
    316       },
    317       "best_config_selection_justified": {
    318         "applies": true,
    319         "answer": false,
    320         "justification": "No explanation of how the hyperparameter values (τ=0.70, top-k=5, temperature=0.2) were selected. No validation set or selection methodology described."
    321       },
    322       "multiple_comparison_correction": {
    323         "applies": true,
    324         "answer": false,
    325         "justification": "The paper makes numerous comparisons across 5 system versions and 6+ attack categories without any statistical tests, let alone multiple comparison corrections."
    326       },
    327       "self_comparison_bias_addressed": {
    328         "applies": true,
    329         "answer": false,
    330         "justification": "All baselines are the authors' own system variants. No acknowledgment that evaluating their own system against their own baselines may introduce bias, and no independent evaluation is conducted."
    331       },
    332       "compute_budget_vs_performance": {
    333         "applies": true,
    334         "answer": false,
    335         "justification": "Response times are reported per version (2.1-3.2s in Table 5) but there is no systematic analysis of compute-performance tradeoffs or discussion of whether added latency is justified by defense gains."
    336       },
    337       "benchmark_construct_validity": {
    338         "applies": true,
    339         "answer": false,
    340         "justification": "No discussion of whether the Deepset, Rubend18, and partner datasets are valid proxies for real-world prompt injection threats. The Deepset dataset includes 'politics/role-play' samples whose relevance to prompt injection is unclear."
    341       },
    342       "scaffold_confound_addressed": {
    343         "applies": true,
    344         "answer": false,
    345         "justification": "The GPT-5 ablation (V4) uses GPT-5 with minimal scaffolding (no V2 relevance gating) while V3 uses GPT-4o with full guardrails. This conflates model and scaffolding effects, but the confound is not discussed."
    346       }
    347     },
    348     "data_leakage": {
    349       "temporal_leakage_addressed": {
    350         "applies": true,
    351         "answer": false,
    352         "justification": "The Deepset and Rubend18 adversarial datasets are publicly available and may have been included in GPT-4o/GPT-5 training data. This potential temporal leakage is not discussed."
    353       },
    354       "feature_leakage_addressed": {
    355         "applies": true,
    356         "answer": false,
    357         "justification": "No discussion of whether the evaluation setup provides any hints or features that would not be available in real-world deployment scenarios."
    358       },
    359       "non_independence_addressed": {
    360         "applies": true,
    361         "answer": false,
    362         "justification": "No analysis of whether attacks within or across datasets share structural similarities that could inflate apparent defense performance."
    363       },
    364       "leakage_detection_method": {
    365         "applies": true,
    366         "answer": false,
    367         "justification": "No concrete leakage detection or prevention method is applied. The paper does not check whether the adversarial prompts appear in model training data."
    368       }
    369     }
    370   },
    371   "claims": [
    372     {
    373       "claim": "RAG integration improves benign query accuracy from 78% to 95%.",
    374       "evidence": "Table 5 shows baseline benign accuracy of 78% vs RAG and Secure RAG at 95%. GPT-5 Direct achieves 96%.",
    375       "supported": "moderate"
    376     },
    377     {
    378       "claim": "The Secure RAG version achieves 100% injection block rate.",
    379       "evidence": "Table 5 claims 100% injection block rate, but the footnote clarifies this is on 'a focused subset of 301 high-confidence injection samples.' Table 4 shows actual recall of 45% on the full 674-attack corpus.",
    380       "supported": "weak"
    381     },
    382     {
    383       "claim": "GPT-5 blocks approximately 85% of attacks without additional guardrails.",
    384       "evidence": "Table 5 reports 85% injection block rate for GPT-5 Direct. However, Table 4 shows GPT-5 blocked only 249/674 attacks (37% recall). The 85% figure appears inconsistent with the full-corpus results.",
    385       "supported": "weak"
    386     },
    387     {
    388       "claim": "Layered defenses progressively improve attack detection from F1 0.01 (V0) to F1 0.62 (V3).",
    389       "evidence": "Table 4 shows F1 progression: V0=0.01, V1=0.48, V2=0.62, V3=0.62. However, V2 and V3 achieve identical scores, indicating the Reverse RAG layer adds no measurable defense value.",
    390       "supported": "moderate"
    391     },
    392     {
    393       "claim": "RAG reduces hallucination rate from 15% to 2%.",
    394       "evidence": "Table 5 reports hallucination rates: Baseline 15%, RAG 2%, Secure RAG 2%, GPT-5 Direct 1%. No methodology for measuring hallucinations is described.",
    395       "supported": "weak"
    396     },
    397     {
    398       "claim": "Multi-layered linguistic analysis across lexical, semantic, intentional, contextual, and pragmatic levels enables accurate intent detection.",
    399       "evidence": "Section 3.1 describes five parsing levels conceptually. No empirical evaluation isolates the contribution of linguistic analysis to intent detection accuracy.",
    400       "supported": "unsupported"
    401     }
    402   ],
    403   "red_flags": [
    404     {
    405       "flag": "Misleading 100% block rate claim",
    406       "detail": "Table 5 claims 100% injection block rate for Secure RAG, but the footnote reveals this is only on 301 of 674 attacks (45% of the corpus). The abstract similarly describes 'substantial detection and mitigation rates' for 45% recall. This framing materially misrepresents the system's actual defensive capability."
    407     },
    408     {
    409       "flag": "373 unaccounted adversarial samples",
    410       "detail": "The paper claims 674 total adversarial prompts but the attack taxonomy in Table 2 only accounts for 301 (23+184+71+0+4+19). The remaining 373 attacks — which the system fails to block — are never categorized, explained, or analyzed."
    411     },
    412     {
    413       "flag": "Inconsistent GPT-5 metrics across tables",
    414       "detail": "Table 5 reports 85% injection block rate for GPT-5 Direct, but Table 4 shows only 249/674 blocked (37% recall). The discrepancy is not explained, and the footnote only addresses the Secure RAG 100% figure."
    415     },
    416     {
    417       "flag": "User satisfaction scores without methodology",
    418       "detail": "Table 5 reports user satisfaction scores (3.4 to 4.8 on a 1-5 scale) with zero description of evaluation methodology — no evaluator count, no evaluation protocol, no questionnaire design, no recruitment process."
    419     },
    420     {
    421       "flag": "V2 and V3 identical results unexplained",
    422       "detail": "The Gatekeeper (V2) and Reverse RAG (V3) versions block identical numbers of attacks across every category in Table 3 (both total 301). The Reverse RAG layer — presented as a key contribution — adds zero measurable defensive value, but this is not discussed."
    423     },
    424     {
    425       "flag": "No external defense baselines",
      "detail": "All comparisons are between internal system variants. The paper compares against no published prompt injection defense system, external guardrail framework, or competing approach from the literature."
    427     },
    428     {
    429       "flag": "Undisclosed commercial conflict of interest",
    430       "detail": "The paper describes development by 'a Taiwan-based tourism technology firm' that has a commercial interest in the system being shown as effective. The firm is not named, the financial arrangement is not disclosed, and no competing interests statement appears."
    431     }
    432   ],
    433   "cited_papers": [
    434     {
    435       "title": "Guardrails for large language models: A review of techniques and challenges",
    436       "authors": ["Akheel"],
    437       "year": 2025,
    438       "relevance": "Directly surveys LLM guardrail techniques and challenges, relevant to the survey's coverage of prompt injection defenses."
    439     },
    440     {
    441       "title": "An early categorization of prompt injection attacks on large language models",
    442       "authors": ["Sippo Rossi", "Alisia Marianne Michel", "Raghava Rao Mukkamala", "Jason Bennett Thatcher"],
    443       "year": 2024,
    444       "arxiv_id": "2402.00898",
    445       "relevance": "Provides a foundational taxonomy of prompt injection attacks on LLMs, directly relevant to the survey's prompt injection coverage."
    446     },
    447     {
    448       "title": "LLM01:2025 Prompt Injection",
    449       "authors": ["OWASP"],
    450       "year": 2025,
    451       "relevance": "OWASP's official prompt injection risk classification for LLMs, a key reference standard for AI security research."
    452     },
    453     {
    454       "title": "Prompt Injection: An Analysis of Recent LLM Security Incidents",
    455       "authors": ["NSFOCUS"],
    456       "year": 2025,
    457       "relevance": "Analyzes real-world LLM security incidents involving prompt injection, relevant to understanding practical attack vectors."
    458     },
    459     {
    460       "title": "zIA: a GenAI-powered personalized local assistant assists tourists in Italy",
    461       "authors": ["A. Cassani", "M. Ruberl", "A. Salis", "G. Boanelli", "G. Giannese"],
    462       "year": 2025,
    463       "relevance": "Closely related GenAI tourism assistant system, useful for comparative analysis of AI chatbot architectures."
    464     },
    465     {
    466       "title": "Enhancing tourism recommender systems for sustainable city trips using retrieval-augmented generation",
    467       "authors": ["A. Banerjee", "A. Satish", "W. Wörndl"],
    468       "year": 2025,
    469       "doi": "10.1007/978-3-031-87654-7_3",
    470       "relevance": "RAG-based tourism recommendation system, relevant to understanding RAG applications in domain-specific AI deployments."
    471     }
    472   ],
    473   "engagement_factors": {
    474     "practical_relevance": {
    475       "score": 2,
    476       "justification": "Describes a deployable chatbot architecture with defense layers that practitioners could adapt, though no code or tools are released."
    477     },
    478     "surprise_contrarian": {
    479       "score": 0,
    480       "justification": "Confirms the expected finding that layered defenses help and that base models alone are insufficient against prompt injection."
    481     },
    482     "fear_safety": {
    483       "score": 2,
    484       "justification": "Shows that even with multi-layered defenses, 55% of adversarial attacks succeed, and GPT-5 alone blocks only 37% of the full attack corpus."
    485     },
    486     "drama_conflict": {
    487       "score": 0,
    488       "justification": "No controversy, no challenges to established players or widely-held beliefs."
    489     },
    490     "demo_ability": {
    491       "score": 0,
    492       "justification": "No code repository, no demo, no downloadable tool or dataset released."
    493     },
    494     "brand_recognition": {
    495       "score": 1,
    496       "justification": "References GPT-5 and GPT-4o (recognizable OpenAI products) but the paper is from an unknown university program, not a major lab."
    497     }
    498   }
    499 }
