scan.json (27783B)
1 { 2 "paper": { 3 "title": "Trust in LLM-controlled Robotics: a Survey of Security Threats, Defenses and Challenges", 4 "authors": [ 5 "Xinyu Huang", 6 "Shyam Karthick V B", 7 "Taozhao Chen", 8 "Mitch Bryson", 9 "Thomas Chaffey", 10 "Huaming Chen", 11 "Kim-Kwang Raymond Choo", 12 "Ian R. Manchester" 13 ], 14 "year": 2025, 15 "venue": "arXiv", 16 "arxiv_id": "2601.02377", 17 "doi": "10.48550/arXiv.2601.02377" 18 }, 19 "scan_version": 3, 20 "active_modules": ["survey_methodology"], 21 "methodology_tags": ["meta-analysis"], 22 "key_findings": "This survey presents a taxonomy of attack vectors (jailbreaking, backdoor, prompt injection) and defense mechanisms (formal specification, multi-LLM oversight, prompt hardening, control-theoretic safety) for LLM-controlled robotic systems. The central insight is the 'embodiment gap' — traditional text-based LLM safety measures are insufficient because harm shifts from toxic text to dangerous physical actions, and the safety of a robotic command is inherently state-dependent. The authors find that current defenses are siloed across perception, cognition, and control layers, with no end-to-end assurance framework yet available.", 23 "checklist": { 24 "artifacts": { 25 "code_released": { 26 "applies": true, 27 "answer": false, 28 "justification": "No code repository, analysis scripts, or supplementary materials are mentioned or linked anywhere in the paper." 29 }, 30 "data_released": { 31 "applies": true, 32 "answer": false, 33 "justification": "No search corpus, extracted paper metadata, or analysis data is released. The survey does not provide a downloadable dataset of its reviewed papers." 34 }, 35 "environment_specified": { 36 "applies": true, 37 "answer": false, 38 "justification": "No environment or tool specifications are provided. As a survey, it could have specified tools used for literature management and analysis, but does not." 39 }, 40 "reproduction_instructions": { 41 "applies": true, 42 "answer": false, 43 "justification": "No step-by-step instructions are provided for reproducing the literature search or analysis. Section II.A describes a protocol at a high level but lacks specifics needed for exact reproduction." 44 } 45 }, 46 "statistical_methodology": { 47 "confidence_intervals_or_error_bars": { 48 "applies": false, 49 "answer": false, 50 "justification": "Survey paper with no original experiments or statistical analyses. Numbers cited (e.g., 'over 90% to under 2.5%') are from reviewed papers, not the survey's own analysis." 51 }, 52 "significance_tests": { 53 "applies": false, 54 "answer": false, 55 "justification": "No statistical comparisons or significance tests are performed; this is a narrative literature review." 56 }, 57 "effect_sizes_reported": { 58 "applies": false, 59 "answer": false, 60 "justification": "No original effect sizes are computed. The survey reports numbers from cited work without its own quantitative synthesis." 61 }, 62 "sample_size_justified": { 63 "applies": false, 64 "answer": false, 65 "justification": "No original experiments; the number of papers reviewed is not treated as a sample requiring justification in the statistical sense." 66 }, 67 "variance_reported": { 68 "applies": false, 69 "answer": false, 70 "justification": "No experiments conducted; no variance or spread measures are applicable." 71 } 72 }, 73 "evaluation_design": { 74 "baselines_included": { 75 "applies": true, 76 "answer": true, 77 "justification": "TABLE I provides a comparative summary of this survey against six related surveys (Kim et al. 2024, Zeng et al., Li et al. 2025, He et al. 2024, Xing et al., Efa), analyzing scope, methodology, focus areas, and limitations of each." 78 }, 79 "baselines_contemporary": { 80 "applies": true, 81 "answer": true, 82 "justification": "The compared surveys are from 2023-2025, which are contemporary to this 2025 survey. Includes recent works like Li et al. 2025, He et al. 2024, and Xing et al. 2025." 83 }, 84 "ablation_study": { 85 "applies": false, 86 "answer": false, 87 "justification": "No experiments are conducted; ablation is inapplicable to a survey paper." 88 }, 89 "multiple_metrics": { 90 "applies": false, 91 "answer": false, 92 "justification": "No experiments are conducted; evaluation metrics are inapplicable to a narrative survey." 93 }, 94 "human_evaluation": { 95 "applies": false, 96 "answer": false, 97 "justification": "No system outputs to evaluate; this is a literature survey with no experimental component." 98 }, 99 "held_out_test_set": { 100 "applies": false, 101 "answer": false, 102 "justification": "No experiments conducted; held-out sets are inapplicable." 103 }, 104 "per_category_breakdown": { 105 "applies": true, 106 "answer": true, 107 "justification": "The survey provides detailed per-category breakdowns: attacks are organized into jailbreaking (Section IV.A), backdoor (Section IV.B), and prompt injection (Section IV.C). Defenses are categorized into 10 mechanism families (Section V.C). TABLE II maps works across lifecycle, layers, and mechanisms." 108 }, 109 "failure_cases_discussed": { 110 "applies": true, 111 "answer": true, 112 "justification": "Section IV.A.3 discusses limitations of jailbreaking methods. Section IV.B.4 enumerates unresolved challenges in backdoor attacks (trigger sensitivity, ASR-utility trade-off, ICL sustainability). Section V.D extensively discusses limitations of current defense mechanisms." 113 }, 114 "negative_results_reported": { 115 "applies": true, 116 "answer": true, 117 "justification": "The survey reports that traditional ad-hoc jailbreak methods 'often fail' in the robotics context (Section IV.A.1), that text-based defenses 'prove ineffective' for embodied systems (Section VIII.B), and that current defenses are 'fragmented and incomplete' (Section V.D)." 118 } 119 }, 120 "claims_and_evidence": { 121 "abstract_claims_supported": { 122 "applies": true, 123 "answer": true, 124 "justification": "The abstract claims to present a systematic survey of threats and defenses for LLM-controlled robotics, a taxonomy of attack vectors, analysis of defense mechanisms, and review of benchmarks. Sections III-VII deliver on each of these claims with structured taxonomies, tables, and detailed analysis." 125 }, 126 "causal_claims_justified": { 127 "applies": false, 128 "answer": false, 129 "justification": "The paper is a survey that synthesizes existing literature. It does not make original causal claims from its own experimental work. Claims like 'LLMs introduce security vulnerabilities' are supported by cited empirical papers, not the authors' own causal analysis." 130 }, 131 "generalization_bounded": { 132 "applies": true, 133 "answer": true, 134 "justification": "The paper explicitly bounds its scope to 'attacks targeting the cognitive layer, the reasoning and planning modules where natural language understanding occurs' and states it is 'distinct from the attacks on low-level perception, vision, or motor control modules' (Section I). Section II.A further defines inclusion/exclusion criteria." 135 }, 136 "alternative_explanations_discussed": { 137 "applies": false, 138 "answer": false, 139 "justification": "This is a pure survey/taxonomy paper that presents no original empirical results for which alternative explanations would need to be considered." 140 }, 141 "proxy_outcome_distinction": { 142 "applies": false, 143 "answer": false, 144 "justification": "No measurements are made by this survey paper; there is no proxy-outcome gap to address." 145 } 146 }, 147 "setup_transparency": { 148 "model_versions_specified": { 149 "applies": false, 150 "answer": false, 151 "justification": "No models are used by the authors; this is a literature survey." 152 }, 153 "prompts_provided": { 154 "applies": false, 155 "answer": false, 156 "justification": "No prompting is used; this is a literature survey." 157 }, 158 "hyperparameters_reported": { 159 "applies": false, 160 "answer": false, 161 "justification": "No experiments conducted; no hyperparameters to report." 162 }, 163 "scaffolding_described": { 164 "applies": false, 165 "answer": false, 166 "justification": "No agentic scaffolding is used; this is a literature survey." 167 }, 168 "data_preprocessing_documented": { 169 "applies": true, 170 "answer": false, 171 "justification": "Section II.A describes the search protocol (databases: Google Scholar, arXiv, IEEE Xplore; keyword combinations; inclusion/exclusion criteria; multi-stage screening with snowballing). However, no quantitative pipeline is provided — the paper does not report how many initial results were found, how many passed each screening stage, or the total number of papers included in the final review." 172 } 173 }, 174 "limitations_and_scope": { 175 "limitations_section_present": { 176 "applies": true, 177 "answer": false, 178 "justification": "There is no dedicated limitations section for the survey itself. Section V.D discusses limitations of current defense mechanisms in the field, and Section VIII discusses open challenges, but neither addresses the limitations of this survey's own methodology (e.g., search completeness, reviewer bias, time window)." 179 }, 180 "threats_to_validity_specific": { 181 "applies": true, 182 "answer": false, 183 "justification": "No threats to the validity of this survey are discussed. The paper does not acknowledge potential gaps in its search strategy, selection bias, or the possibility that its taxonomy may not be exhaustive." 184 }, 185 "scope_boundaries_stated": { 186 "applies": true, 187 "answer": true, 188 "justification": "Section I explicitly states: 'we focus on attacks targeting the cognitive layer, the reasoning and planning modules where natural language understanding occurs. It is distinct from the attacks on low-level perception, vision, or motor control modules.' Section II.A further defines inclusion/exclusion criteria for the review." 189 } 190 }, 191 "data_integrity": { 192 "raw_data_available": { 193 "applies": true, 194 "answer": false, 195 "justification": "No raw data (list of all papers found, screening decisions, extraction tables) is provided for independent verification of the survey's completeness or accuracy." 196 }, 197 "data_collection_described": { 198 "applies": true, 199 "answer": true, 200 "justification": "Section II.A describes databases searched (Google Scholar, arXiv, IEEE Xplore), keyword strategy combining three concepts (models, applications, security), inclusion criteria (direct focus on LLM-controlled robotics security), exclusion criteria (purely digital LLM security or traditional robotics security without LLMs), and multi-stage screening with snowballing." 201 }, 202 "recruitment_methods_described": { 203 "applies": false, 204 "answer": false, 205 "justification": "No human participants. The paper selection process (analogous to recruitment for a survey) is described in Section II.A." 206 }, 207 "data_pipeline_documented": { 208 "applies": true, 209 "answer": false, 210 "justification": "The pipeline from search to final analysis is described qualitatively (Section II.A: 'multi-stage screening of titles, abstracts, and full texts, supplemented by a snowballing review') but lacks quantitative details — no counts of papers at each stage, no PRISMA flow diagram, and no explicit total of included papers." 211 } 212 }, 213 "conflicts_of_interest": { 214 "funding_disclosed": { 215 "applies": true, 216 "answer": true, 217 "justification": "Funding is disclosed: 'The work of K.-K. R. Choo is supported by the Cloud Technology Endowed Professorship, and the Fulbright Distinguished Scholar in Cybersecurity and Critical Infrastructure award.'" 218 }, 219 "affiliations_disclosed": { 220 "applies": true, 221 "answer": true, 222 "justification": "Author affiliations are clearly listed: University of Sydney (School of Electrical and Computer Engineering, Australian Centre for Robotics) and University of Texas at San Antonio (Department of Information Systems and Cybersecurity), plus University of Iceland." 223 }, 224 "funder_independent_of_outcome": { 225 "applies": true, 226 "answer": true, 227 "justification": "Funding comes from academic sources (Cloud Technology Endowed Professorship, Fulbright) with no apparent financial interest in the survey's conclusions about LLM-robotics security." 228 }, 229 "financial_interests_declared": { 230 "applies": true, 231 "answer": false, 232 "justification": "No competing interests or financial interests statement is present in the paper." 233 } 234 }, 235 "contamination": { 236 "training_cutoff_stated": { 237 "applies": false, 238 "answer": false, 239 "justification": "Survey paper — does not evaluate any pre-trained model on a benchmark." 240 }, 241 "train_test_overlap_discussed": { 242 "applies": false, 243 "answer": false, 244 "justification": "Survey paper — does not evaluate any pre-trained model on a benchmark." 245 }, 246 "benchmark_contamination_addressed": { 247 "applies": false, 248 "answer": false, 249 "justification": "Survey paper — does not evaluate any pre-trained model on a benchmark." 250 } 251 }, 252 "human_studies": { 253 "pre_registered": { 254 "applies": false, 255 "answer": false, 256 "justification": "No human participants in this survey." 257 }, 258 "irb_or_ethics_approval": { 259 "applies": false, 260 "answer": false, 261 "justification": "No human participants in this survey." 262 }, 263 "demographics_reported": { 264 "applies": false, 265 "answer": false, 266 "justification": "No human participants in this survey." 267 }, 268 "inclusion_exclusion_criteria": { 269 "applies": false, 270 "answer": false, 271 "justification": "No human participants in this survey." 272 }, 273 "randomization_described": { 274 "applies": false, 275 "answer": false, 276 "justification": "No human participants in this survey." 277 }, 278 "blinding_described": { 279 "applies": false, 280 "answer": false, 281 "justification": "No human participants in this survey." 282 }, 283 "attrition_reported": { 284 "applies": false, 285 "answer": false, 286 "justification": "No human participants in this survey." 287 } 288 }, 289 "cost_and_practicality": { 290 "inference_cost_reported": { 291 "applies": false, 292 "answer": false, 293 "justification": "Survey paper — no method or system to cost." 294 }, 295 "compute_budget_stated": { 296 "applies": false, 297 "answer": false, 298 "justification": "Survey paper — no computational experiments conducted." 299 } 300 }, 301 "survey_methodology": { 302 "prisma_or_structured_protocol": { 303 "applies": true, 304 "answer": false, 305 "justification": "Section II.A describes a search protocol with databases, keywords, and inclusion/exclusion criteria, but does not follow PRISMA or reference any established review methodology. There is no flow diagram, no protocol registration, and the search queries are not reproducible as stated (only keyword themes, not exact queries)." 306 }, 307 "quality_assessment_of_sources": { 308 "applies": true, 309 "answer": false, 310 "justification": "The survey does not assess the methodological quality of its source papers. TABLE I compares related surveys on scope and focus but does not evaluate their rigor. Attack and defense papers are summarized descriptively without quality scoring or risk-of-bias assessment." 311 }, 312 "publication_bias_discussed": { 313 "applies": true, 314 "answer": false, 315 "justification": "No discussion of publication bias. The survey does not consider whether its sources are biased toward positive attack results or successful defenses, nor does it discuss whether negative results or failed approaches are underrepresented in the literature." 316 } 317 } 318 }, 319 "claims": [ 320 { 321 "claim": "The 'embodiment gap' creates unique security vulnerabilities where traditional text-based LLM safety measures are insufficient for robotic systems.", 322 "evidence": "Supported by cited works demonstrating that LLMs verbally refuse malicious requests while paradoxically executing them [25], that semantically identical commands cause different robot behaviors [19], and that ad-hoc jailbreaks produce non-executable policies [27, 37]. Sections I, III, and VIII.A-B synthesize this evidence.", 323 "supported": "moderate" 324 }, 325 { 326 "claim": "ROBOPAIR and POEX frameworks achieve high success rates in jailbreaking LLM-controlled robots by ensuring policy executability.", 327 "evidence": "Section IV.A.2 describes ROBOPAIR's 'Syntax Checker' LLM and POEX's 'Policy Evaluator' model, citing [27] and [37] respectively. The claim of 'high success rates' is made without specific numbers in this survey.", 328 "supported": "moderate" 329 }, 330 { 331 "claim": "Current defense mechanisms are fragmented and siloed across system layers, preventing end-to-end safety assurance.", 332 "evidence": "Section V.D provides a detailed analysis: formal specifications don't extend to continuous dynamics, CBFs operate independently of LLM reasoning, multi-LLM oversight relies on the same model family's alignment, prompt hardening cannot address role-based jailbreaks, and evaluation uses static metrics that don't capture real deployment uncertainty.", 333 "supported": "moderate" 334 }, 335 { 336 "claim": "Safety Guardrails [97] can reduce unsafe executions from over 90% to under 2.5%.", 337 "evidence": "Cited from [97] in Section V.C.1. This is a specific quantitative claim from a single source paper, reported without independent verification or analysis of the claim's conditions.", 338 "supported": "weak" 339 }, 340 { 341 "claim": "State and memory management (SafeEmbodAI, Enhancing Reliability) can improve task success rate by 30.8% under injection attacks, and up to 325% in complex scenarios.", 342 "evidence": "Section V.C.4 cites [89] for these numbers. These are specific quantitative claims from a single source, reported at face value.", 343 "supported": "weak" 344 }, 345 { 346 "claim": "Backdoor attacks in LLM-controlled robotics are particularly dangerous because they produce direct physical effects, unlike backdoors in text-only systems.", 347 "evidence": "Section IV.B discusses CBA [38] (dual-modality triggers in autonomous driving), TrojanRobot [39] (visual triggers for manipulated instructions), and BALD [73] (three triggering mechanisms). These demonstrate the physical consequence dimension.", 348 "supported": "moderate" 349 } 350 ], 351 "red_flags": [ 352 { 353 "flag": "No quality assessment of source papers", 354 "detail": "The survey summarizes attack and defense papers without assessing their methodological quality, experimental rigor, or risk of bias. Claims like 'high success rates' for attack frameworks are reported at face value without scrutinizing the conditions, threat models, or generalizability of those results. This launders the signal-to-noise ratio of the sources." 355 }, 356 { 357 "flag": "No PRISMA or quantitative search pipeline", 358 "detail": "Despite claiming a 'structured search protocol' (Section II.A), the paper provides no PRISMA flow diagram, no counts of papers at each screening stage, and no total number of included papers. The search queries are described as keyword themes rather than reproducible queries. The completeness and representativeness of the review cannot be independently verified." 359 }, 360 { 361 "flag": "Selective reporting of quantitative claims", 362 "detail": "Specific numbers from cited papers (e.g., '90% to under 2.5%' for Safety Guardrails, '30.8% increase' for Enhancing Reliability, '267% gains' for SafeEmbodAI) are reported without context about the experimental conditions, baselines, or potential limitations of those measurements. This creates an impression of strong evidence that may not reflect the original papers' caveats." 363 }, 364 { 365 "flag": "No discussion of the survey's own limitations", 366 "detail": "While Sections V.D and VIII discuss limitations of the field, no section addresses limitations of this survey itself — such as search completeness, language bias (English-only), time window, reviewer bias in paper selection, or the possibility that the proposed taxonomy is not exhaustive." 367 } 368 ], 369 "cited_papers": [ 370 { 371 "title": "Jailbreaking LLM-controlled robots", 372 "authors": ["A. Robey", "Z. Ravichandran", "V. Kumar", "H. Hassani", "G. J. Pappas"], 373 "year": 2024, 374 "arxiv_id": "2410.13691", 375 "relevance": "Introduces ROBOPAIR framework for jailbreaking LLM-controlled robots with a syntax-checking LLM, directly relevant to LLM security in agentic systems." 376 }, 377 { 378 "title": "POEX: Towards policy executable jailbreak attacks against the LLM-based robots", 379 "authors": ["X. Lu", "Z. Huang", "X. Li", "C. Zhang", "X. Ji", "W. Xu"], 380 "year": 2025, 381 "arxiv_id": "2412.16633", 382 "relevance": "Advances jailbreaking of LLM-controlled robots with a Policy Evaluator ensuring physical executability, key contribution to LLM-robotics safety research." 383 }, 384 { 385 "title": "BadRobot: Jailbreaking embodied LLMs in the physical world", 386 "authors": ["H. Zhang", "H. Pan", "S. Huang", "Y. Dong", "Z. Zhou"], 387 "year": 2024, 388 "relevance": "First systematic investigation of jailbreaking attacks on embodied LLM systems, identifying contextual jailbreaks, safety misalignment, and conceptual deception." 389 }, 390 { 391 "title": "TrojanRobot: Physical-world backdoor attacks against VLM-based robotic manipulation", 392 "authors": ["X. Wang", "H. Pan", "H. Zhang", "M. Li", "S. Hu"], 393 "year": 2025, 394 "arxiv_id": "2411.11683", 395 "relevance": "Demonstrates supply-chain backdoor attacks on VLM-based robotic systems through malicious external vision-language models." 396 }, 397 { 398 "title": "Compromising embodied agents with contextual backdoor attacks", 399 "authors": ["A. Liu", "Y. Zhou", "X. Liu", "T. Zhang", "S. Liang"], 400 "year": 2024, 401 "arxiv_id": "2408.02882", 402 "relevance": "Introduces dual-modality backdoor triggers (textual + visual) for attacking LLM-generated code in autonomous driving scenarios." 403 }, 404 { 405 "title": "On the vulnerability of LLM/VLM-controlled robotics", 406 "authors": ["X. Wu", "S. Chakraborty", "R. Xian", "J. Liang", "T. Guan"], 407 "year": 2025, 408 "arxiv_id": "2402.10340", 409 "relevance": "Studies input sensitivity of LLM/VLM-controlled robots, showing semantically identical commands cause different behaviors — directly relevant to LLM reliability." 410 }, 411 { 412 "title": "Safety guardrails for LLM-enabled robots", 413 "authors": ["Z. Ravichandran", "A. Robey", "V. Kumar", "G. J. Pappas", "H. Hassani"], 414 "year": 2025, 415 "arxiv_id": "2503.07885", 416 "relevance": "Proposes formal safety specification and runtime enforcement for LLM-controlled robots using temporal logic, reducing unsafe executions." 417 }, 418 { 419 "title": "Plug in the safety chip: Enforcing constraints for LLM-driven robot agents", 420 "authors": ["Z. Yang", "S. S. Raman", "A. Shah", "S. Tellex"], 421 "year": 2024, 422 "relevance": "Introduces NL-to-LTL workflow for enforcing safety constraints on LLM-driven robot agents, a key defense mechanism." 423 }, 424 { 425 "title": "SafeEmbodAI: A safety framework for mobile robots in embodied AI systems", 426 "authors": ["W. Zhang", "X. Kong", "T. Braunl", "J. B. Hong"], 427 "year": 2024, 428 "arxiv_id": "2409.01630", 429 "relevance": "Proposes prompt hardening, state management, and rule-based validation for embodied AI safety, reporting significant gains under adversarial conditions." 430 }, 431 { 432 "title": "Code as policies: Language model programs for embodied control", 433 "authors": ["J. Liang", "W. Huang", "F. Xia", "P. Xu", "K. Hausman"], 434 "year": 2023, 435 "relevance": "Seminal work on generating executable Python code from language for robot control, introduces code injection attack surface in LLM-robotics." 436 }, 437 { 438 "title": "Can we trust embodied agents? Exploring backdoor attacks against embodied LLM-based decision-making systems", 439 "authors": ["R. Jiao", "S. Xie", "J. Yue", "T. Sato", "L. Wang"], 440 "year": 2024, 441 "relevance": "Introduces BALD framework with three backdoor triggering mechanisms for embodied LLM decision-making, directly relevant to LLM agent safety." 442 }, 443 { 444 "title": "Robo-Troj: Attacking LLM-based task planners", 445 "authors": ["M. A. Nahian", "Z. Altaweel", "D. Reitano", "S. Ahmed", "S. Zhang"], 446 "year": 2025, 447 "relevance": "Demonstrates training-time Trojan attacks on LLM task planners using soft prompt tuning and multi-trigger optimization." 448 }, 449 { 450 "title": "CEE: An inference-time jailbreak defense for embodied intelligence via subspace concept rotation", 451 "authors": ["J. Yang", "Z. Lin", "Z. Lu", "Y. Wang", "L. Wang"], 452 "year": 2025, 453 "arxiv_id": "2504.13201", 454 "relevance": "Proposes inference-time defense against jailbreaking in embodied AI through prompt hardening and infrastructure-level enforcement." 455 }, 456 { 457 "title": "Embodied red teaming for auditing robotic foundation models", 458 "authors": ["S. Karnik", "Z.-W. Hong", "N. Abhangi", "Y.-C. Lin", "T.-H. Wang"], 459 "year": 2025, 460 "arxiv_id": "2411.18676", 461 "relevance": "Proposes automated red-teaming methodology for robotic foundation models using VLMs to discover non-malicious failure modes." 462 } 463 ], 464 "engagement_factors": { 465 "practical_relevance": { 466 "score": 1, 467 "justification": "Provides a useful taxonomy and roadmap for researchers, but no tools, code, or immediately actionable techniques for practitioners." 468 }, 469 "surprise_contrarian": { 470 "score": 1, 471 "justification": "The 'embodiment gap' concept is interesting but the idea that LLM-controlled robots have security vulnerabilities is not surprising to the security community." 472 }, 473 "fear_safety": { 474 "score": 3, 475 "justification": "Directly catalogs how LLM-controlled robots can be jailbroken, backdoored, and manipulated into performing dangerous physical actions — high fear/safety valence." 476 }, 477 "drama_conflict": { 478 "score": 1, 479 "justification": "No controversy or dramatic claims; straightforward survey of an emerging threat landscape without challenging specific companies or researchers." 480 }, 481 "demo_ability": { 482 "score": 0, 483 "justification": "No code, demo, or runnable artifacts; purely a written survey." 484 }, 485 "brand_recognition": { 486 "score": 1, 487 "justification": "Authors are from University of Sydney and UT San Antonio; Kim-Kwang Raymond Choo is well-known in cybersecurity but not mainstream AI recognition." 488 } 489 } 490 }