Papers
Topics
Authors
Recent
Search
2000 character limit reached

No Hidden Prompts Needed! You Can Game AI Peer Review with Presentation-Only Revisions

Published 11 Jun 2026 in cs.CL | (2606.13044v1)

Abstract: As AI-generated reviews move from experimental tools into peer-review infrastructure, most robustness concerns have focused on explicit attacks such as hidden instructions and prompt injection. We study a harder and more policy-relevant failure mode: no hidden text, no prompt injection, and no changes to methods, experiments, figures, equations, proofs, or numerical results. The attacker modifies only presentation-level content, such as the abstract, contribution framing, related work, discussion, and narrative structure. We introduce adversarial repackaging: a closed-loop attack that uses AI-reviewer feedback to search for presentation-level revisions while keeping the scientific evidence fixed. Across three mainstream AI reviewers, adversarial repackaging achieves a 75.1% attack success rate and a mean score gain of +1.21/10. The effect is not explained by ordinary prose polishing. We also reveal that strategies that change how the reviewer interprets the paper, such as related-work repositioning and analytical discussion expansion, substantially outperform surface edits such as local polishing, table formatting, and algorithm boxes. Our analysis reveals two deeper structural failure modes. First, AI reviewers are easier to impress than to convince: highlighting strengths reliably increases perceived merit, while attempts to dissolve weaknesses frequently backfire. Second, AI reviewers can confuse the appearance of addressing a limitation with actually resolving it, allowing unchanged evidence to be reinterpreted as stronger scientific contribution. These results show that the deployment risk is not only malicious hidden instructions, but the emergence of paper presentation itself as an optimization surface. We release a contamination-free rolling benchmark and attack framework for testing whether AI reviewers remain anchored to scientific content under presentation-only edits.

Summary

  • The paper introduces adversarial repackaging, showing that presentation-only edits can systematically inflate review scores.
  • It employs a closed-loop, multi-round strategy using narrative restructuring to achieve a mean score gain of +1.21/10 and a 75.1% attack success rate.
  • The findings highlight a critical flaw in current AI review systems that equate presentation quality with scientific merit, urging more robust evaluation methods.

Adversarial Repackaging: Assessing Vulnerabilities in AI Peer Review to Presentation-Only Edits

Introduction

The integration of LLM-based reviewers into scientific peer review infrastructure has galvanized new debates on the robustness and security of the review process. Unlike well-known risks such as prompt injection and hidden instructions, which leave detectable traces, a more subtle yet policy-relevant vulnerability exists: manipulation of review outcomes solely through presentation-level edits, i.e., reframing, restructuring, and narrative enhancement, while holding all scientific content—methods, experiments, figures, equations, and results—fixed. This paper introduces the concept of adversarial repackaging as a closed-loop, black-box attack and demonstrates that state-of-the-art AI reviewers are systemically susceptible to such manipulations, enabling significant and systematic review score inflation without violating scientific integrity or current conference policies (2606.13044). Figure 1

Figure 1: Overview of the adversarial repackaging framework, zoning scientific content from editable presentation regions and exposing dominant failure modes in AI reviewing.

Experimental Methodology and Threat Model

The paper defines resistance to presentation-only review gaming as a necessary condition for trustworthy AI review automation: when scientific content is held fixed, systematic improvement in reviewer outcomes resulting only from presentation-level adjustment signals a critical failure. To test this, the authors propose a three-zone partitioning of the manuscript: (1) a free zone (abstract, introduction, related work, discussion, conclusion) eligible for narrative and rhetorical edits; (2) a limited zone where rewording and reordering is allowed for exposition but not fact; and (3) a strictly fixed zone containing all immutable scientific evidence.

The attack operates through a closed-loop, multi-round process, using the AI reviewer's feedback at each stage to optimize subsequent edits. The system implements a diverse strategy pool—spanning narrative restructuring (e.g., analytical discussion expansion, related work repositioning) and strictly surface-level presentation modifications (e.g., formatting, local prose refinement)—with adaptive, signal-driven strategy selection. Each round, only candidate modifications resulting in demonstrably more favorable reviews (using both numerical and linguistic comparative judgments) are retained. Figure 2

Figure 2: System architecture for closed-loop adversarial editing, with agent layers for profiling, strategy planning, and direct interaction with the review model.

Dataset Construction and Evaluation Protocol

The authors construct a rolling, contamination-free benchmark from over 500 unpublished arXiv preprints (as of April 2026), covering the ML, CV, and NLP domains. Multi-stage filtering ensures only substantive, unpublished, and properly formatted research manuscripts are included, backed by automated LaTeX compilation and multi-model cross-review validation. Figure 3

Figure 3: Automated dataset construction pipeline and paper statistics, ensuring methodological rigor and domain diversity.

The main evaluation protocol employs three frontier LLMs—Claude Sonnet 4, Claude Sonnet 4.5, and GPT-5-mini—provisioned with complete, official conference review guidelines and compiled PDFs as input. The attack agent is matched to the target reviewer in the main setup; transfer experiments explore mismatched model and rubric settings.

Review shifts are quantified not only by conventional score changes but also by an independent, LLM-based pairwise judge that measures changes in strengths, weakness severity, and net review content, improving causal attribution and reducing noise from reviewer stochasticity.

Empirical Findings

Systematic Review Score Inflation

Adversarial repackaging achieves a mean score gain of +1.21/10 and a 75.1% attack success rate (defined as ΔS≥+1\Delta S \geq +1) across all models and rubrics, with more than half of baseline-rejected papers crossing the borderline acceptance threshold post-attack. These gains are not attributable to minor language polishing; baseline comparison with prior approaches (e.g., abstract-only attacks, one-shot full rewrite) confirms that closed-loop, full-paper, and strategy-diverse optimization is fundamentally more effective.

Bold claim: Resistance to presentation-only review gaming is not exhibited by any current mainstream AI reviewer—manuscript scores can be shifted significantly without any substantive change to scientific content.

Failure Mode 1: Strength–Weakness Asymmetry

Examination of per-round review deltas reveals that AI reviewers exhibit a pronounced asymmetry: it's easier to amplify perceived strengths than to diminish or rationally dissolve weaknesses. While 86.1% of rounds yield increased strengths, attempts to mitigate weaknesses "backfire" in 31.6% of cases, often leading to harsher criticism even when presentation is superficially improved. Figure 4

Figure 4: Distribution of per-round changes to strengths and severity, illustrating stable strength inflation but volatile, difficult-to-control criticism attenuation.

A single round frequently results in both more praise and more criticism, and even when weakness severity increases, overall scores may still rise if strengths are sufficiently foregrounded. This effect is most prominent in joint outcome analysis, where the aggregate review is swamped by highlighted strengths.

Failure Mode 2: Strategy Effectiveness Gradient

Not all presentation strategies are equally effective. Narrative restructuring techniques—notably analytical discussion expansion and related work repositioning—are markedly superior to cosmetic or surface-level edits (e.g., table formatting, polishing). The most effective strategies directly alter how the reviewer interprets context, significance, and limitations, not just how information is delivered.

Claim: The AI reviewer's judgment systematically tracks narrative framing and rhetorical positioning more than core evidence, rendering the evaluation non-anchorable in scientific content.

Manipulation Mechanisms: Case Analysis

A detailed case study demonstrates the full pipeline of manipulation:

  • Strength inflation: Upgrades in evaluation are achieved by repackaging, not revising, scientific claims (e.g., relabeling limited data as "complementary regimes" or rephrasing novelty claims).
  • Limitation laundering: Weaknesses are reframed (often as conscious design decisions) or replaced by less critical "decoy" limitations, while formal scientific gaps remain.
  • Review parroting: Reviewers imitate the language and framing introduced in the revised manuscript, echoing author self-positioning without independent validation of content.

These manipulations result in significant, systematic revision of overall assessments even though the underlying work is unaltered.

Robustness, Transferability, and Audit

The attack's effectiveness is robust across model families (Anthropic Claude vs. OpenAI GPT) and review templates (ICLR, NeurIPS, ICML), with attacks developed against one model or rubric preserving positive effects when evaluated under another. Human audits confirm that the attacked versions are, by and large, semantically indistinguishable from their originals on core scientific dimensions; differences are almost exclusively presentation-level.

Theoretical and Practical Implications

This paper's results identify a critical, structural deficiency in AI reviewer systems: the optimization surface for review scores encompasses not only technical merit but the entire space of academic rhetorical tactics permitted within standard policy. As such, the risk of systematic incentive distortion is non-trivial: over-optimization for superficial narrative presentation could overshadow advancement in genuine scientific contribution if not checked.

Practical consequences include an arms race of narrative framing among submitters, compromised reliability in automated review pipelines, and increased barriers to fair evaluation. Theoretical implications include the insight that current LLM-based reviewers confound semantic and rhetorical dimensions, failing to disentangle writing clarity from substantive contribution. This motivates future work in model architectures and reviewer guidelines that enforce stronger scientific anchoring and decouple language quality from scientific merit during assessment.

Conclusion

The concept of "adversarial repackaging" exposes a fundamental challenge for LLM-based peer review: without explicit cheating, visible presentation-level changes alone can significantly influence automated reviews, highlighting the inadequacy of current defenses and the need for robust, content-anchored evaluation paradigms. Benchmarking frameworks and datasets provided support further research, but the pathway to deployment of trustworthy AI reviewers will require methods that are provably resistant to all forms of presentation-induced optimization that do not affect the underlying science.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 3 tweets with 1 like about this paper.