Are My Optimized Prompts Compromised? Exploring Vulnerabilities of LLM-based Optimizers

Large language model (LLM) systems increasingly power everyday AI applications such as chatbots, computer-use assistants, and autonomous robots, where performance often depends on manually well-crafted prompts. LLM-based prompt optimizers reduce that effort by iteratively refining prompts from scored feedback, yet the security of this optimization stage remains underexamined. We present the first systematic analysis of poisoning risks in LLM-based prompt optimization. Using HarmBench, we find systems are substantially more vulnerable to manipulated feedback than to query poisoning alone: feedback-based attacks raise attack success rate (ASR) by up to ΔASR = 0.48. We introduce a simple fake reward attack that requires no access to the reward model and significantly increases vulnerability. We also propose a lightweight highlighting defense that reduces the fake reward ΔASR from 0.23 to 0.07 without degrading utility. These results establish prompt optimization pipelines as a first-class attack surface and motivate stronger safeguards for feedback channels and optimization frameworks.

Key Contributions

• First systematic analysis of poisoning risks in LLM-based prompt optimization pipelines, distinguishing query poisoning from feedback poisoning and showing the latter is far more dangerous
• Fake reward attack that appends fabricated positive feedback tokens to inputs with no access to the reward model, raising ASR by up to ΔASR=0.48
• Lightweight highlighting defense that makes the optimizer aware of potentially poisoned feedback, reducing fake reward ΔASR from 0.23 to 0.07 without utility degradation

🛡️ Threat Analysis

Details

Similar Papers