How to get your paper accepted by an AI reviewer: indirect prompt injection in peer review

Federico Torrielli
Stefano Locci
Amon Rapp
Luigi Di Caro

Read the full article

Discuss this preprint

Start a discussion What are Sciety discussions?

Listed in

This article is not in any list yet, why not save it to one of your lists.

Abstract

The growing use of large language models to assist or automate academic peer review raises fundamental questions about the validity and robustness of algorithmically mediated research evaluation. This study introduces the Author-Reviewer-Organizer (ARO) framework, which models peer review as a strategic interaction among authors, reviewers, and organizers with distinct incentives and capacities to exploit or constrain AI-based evaluation. Within this framework, we present a large-scale empirical assessment of indirect prompt injection, a vulnerability that allows hidden instructions embedded in a manuscript to influence an AI reviewer's output without the reviewer's awareness. Using 5,600 controlled experiments on manuscripts from NeurIPS and ICLR published before November 2022, prior to the widespread public availability of high-capability LLMs, we evaluate the susceptibility of two widely used, general-purpose LLM-based chatbot systems employed for review assistance under multiple injection strategies. We find that hidden instructions are followed in 78% of cases for ChatGPT and 86% for Gemini, substantially exceeding success rates reported in prior prompt-injection studies. Manipulation can reliably steer review sentiment and acceptance recommendations, while the same mechanism can be repurposed by organizers for defensive purposes, including watermarking and detection of AI-generated reviews. Instruction placement within the document significantly affects outcomes, with early-position payloads consistently exerting greater influence. By situating these results within the ARO framework, we show that AI-assisted peer review introduces document-level structural vulnerabilities that undermine evaluative reliability. The results have direct implications for the use and governance of LLMs in peer review, research assessment, and other gatekeeping processes central to scientometric analysis and science policy. JEL Classification: O33 , D82 , D83 , L86 MSC Classification: 68M25 , 68T50 , 68T01

Version published to 10.21203/rs.3.rs-8432945/v1 on Research Square
Jan 5, 2026

LLM Aspect Prediction: Reviewing Academic Papers from Different Aspects with Large Language Model

This article has 3 authors:
1. Zihao Hu
2. Fumiyo Fukumoto
3. Dongjin Yu
This article has no evaluationsLatest version Dec 11, 2025
When AI Reviews Science: Can We Trust the Referee?

This article has 10 authors:
1. Jialiang Wang
2. Yuchen Liu
3. Hang Xu
4. Kaichun Hu
5. Shimin Di
6. Wangze Ni
7. Linan Yue
8. Min-Ling Zhang
9. Kui Ren
10. Lei Chen
This article has no evaluationsLatest version Jan 5, 2026
The Role of Artificial Intelligence in the Lifecycle of Scientific Manuscripts: Authoring, Reviewing, and Editorial Selection

This article has 1 author:
1. Jose L. Domingo
This article has no evaluationsLatest version Jan 18, 2026

Discuss this preprint

Listed in

Abstract

Article activity feed

Related articles

LLM Aspect Prediction: Reviewing Academic Papers from Different Aspects with Large Language Model

When AI Reviews Science: Can We Trust the Referee?

The Role of Artificial Intelligence in the Lifecycle of Scientific Manuscripts: Authoring, Reviewing, and Editorial Selection