Cross-Domain Adversarial Transfer: Can Attacks on Scientific Review LLMs Exploit Vulnerabilities in Other Automated Decision Systems?

TL;DR: If you can trick a peer review LLM, can the same attack patterns fool LLMs in legal, medical, or hiring domains? By testing the transferability of prompt injection attacks, we can find systemic weaknesses.

Research Question: Are prompt injection attack strategies developed for scientific peer review transferable to other LLM-powered decision-making domains, and what does this imply for generalized LLM security?

Hypothesis: Indirect prompt injection strategies effective in scientific peer review will successfully transfer—after minor modifications—to other automated LLM-based decision systems, revealing common systemic vulnerabilities.

Experiment Plan: Adapt the “Maximum Mark Magyk” and other successful attacks from Sahoo et al. (2025) to analogous tasks in legal, medical, and hiring LLM systems. Test attack efficacy and decision flip rates across these domains and LLMs. Analyze similarities and differences in vulnerability patterns, and propose cross-domain defense mechanisms. Release a benchmark suite for cross-domain adversarial robustness.

References:

• Sahoo, D., Prasad, M., Majhi, V., Singh, J., Chamola, V., Sinha, Y., Mandal, M., & Kumar, D. (2025). When Reject Turns into Accept: Quantifying the Vulnerability of LLM-Based Scientific Reviewers to Indirect Prompt Injection.
• Wang, Q. (2025). The Comprehensive Review on Prompt Injection Attacks and Defense Mechanisms in Large Language Models. Science and Technology of Engineering, Chemistry and Environmental Protection.