Deep Research Brings Deeper Harm

Shuo Chen, Zonggen Li, Zhen Han, Bailan He, Tong Liu, Haokun Chen, Georg Groh, Philip Torr, Volker Tresp, Jindong Gu

TL;DR

This paper analyzes safety risks of Deep Research (DR) agents that autonomously perform multi-step, internet-enabled investigations using large language models. It introduces two DR-specific jailbreak strategies, Plan Injection and Intent Hijack, along with a DeepREJECT metric that assesses not only refusal but also the malicious usefulness of generated content. Through experiments across six backbone models and two safety benchmarks (StrongREJECT and SciSafeEval), the authors show that DR agents can bypass surface safety checks and produce coherent, dangerous, and domain-specific guidance, with heightened risk in biosecurity contexts. The findings argue for architecture-aware alignment and domain-specific evaluation frameworks, and propose defense mechanisms such as early refusal propagation, plan auditing, and trusted web content filtering. Code and data are provided to enable future safety research in DR systems.
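To make the three defenses named above concrete, the following added example (illustrative code written for this summary, not the paper's released code or any DR framework's API) sketches a minimal Deep Research loop with hooks for early refusal propagation, plan auditing, and trusted web content filtering. The backbone, planner, retriever, allowlist and refusal markers are constructed stand-ins; a real deployment would wire in its own model and search tool.

```python
"""Toy Deep Research (DR) agent loop with three defender-side hooks.

Assumptions (constructed for this example, not from the paper):
  - `backbone`, `planner`, `retriever` are plain callables standing in for the LLM,
    the plan generator and the web search tool.
  - TRUSTED_DOMAINS and REFUSAL_MARKERS are placeholder policies.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.org", "docs.example.org"}          # constructed allowlist
REFUSAL_MARKERS = ("i can't help", "i cannot help", "i won't help", "cannot assist")
SAFETY_TERMS = ("ethic", "legal", "safety", "risk")


@dataclass
class Plan:
    steps: list[str]


@dataclass
class RunResult:
    status: str                       # "completed" | "refused" | "plan_rejected"
    report: str
    dropped_sources: list[str] = field(default_factory=list)
    findings: list[str] = field(default_factory=list)


def is_refusal(text: str) -> bool:
    t = text.lower()
    return any(m in t for m in REFUSAL_MARKERS)


def mentions_safety(step: str) -> bool:
    s = step.lower()
    return any(t in s for t in SAFETY_TERMS)


def audit_plan(original: Plan, executed: Plan) -> list[str]:
    """Plan auditing: compare the plan about to run against the planner's own output.
    Flags dropped safety/ethics steps and steps the planner never produced."""
    findings = []
    if any(map(mentions_safety, original.steps)) and not any(map(mentions_safety, executed.steps)):
        findings.append("safety/ethics steps removed from plan")
    added = [s for s in executed.steps if s not in original.steps]
    if added:
        findings.append(f"{len(added)} step(s) not produced by the planner")
    return findings


def filter_sources(urls: list[str]) -> tuple[list[str], list[str]]:
    """Trusted web content filtering: keep only allowlisted hosts, report the rest."""
    kept, dropped = [], []
    for u in urls:
        (kept if urlparse(u).hostname in TRUSTED_DOMAINS else dropped).append(u)
    return kept, dropped


def run_agent(query, backbone, planner, retriever, executed_plan=None) -> RunResult:
    # Early refusal propagation, part 1: a direct refusal ends the run before planning.
    direct = backbone(query)
    if is_refusal(direct):
        return RunResult("refused", direct)
    original = planner(query)
    plan = executed_plan if executed_plan is not None else original
    findings = audit_plan(original, plan)
    if findings:
        return RunResult("plan_rejected", "", findings=findings)
    sections, dropped_all = [], []
    for step in plan.steps:
        kept, dropped = filter_sources(retriever(step))
        dropped_all.extend(dropped)
        answer = backbone(f"{step}\nSources: {', '.join(kept)}")
        # Early refusal propagation, part 2: a refusal at any sub-step aborts the whole
        # report instead of being skipped or summarized around in later steps.
        if is_refusal(answer):
            return RunResult("refused", answer, dropped_all)
        sections.append(answer)
    return RunResult("completed", "\n\n".join(sections), dropped_all)


# --- Constructed mocks standing in for a real backbone LLM, planner and search tool ---
def mock_backbone(prompt: str) -> str:
    # Constructed behaviour: refuses only once retrieved context makes a 'sensitive' step explicit.
    if "sensitive" in prompt.lower() and "Sources:" in prompt:
        return "I can't help with that step."
    return f"Section for: {prompt.splitlines()[0]}"


def mock_planner(query: str) -> Plan:
    return Plan([
        f"Background on {query}",
        f"Legal and ethical risks relevant to {query}",
        f"Summary of findings on {query}",
    ])


def mock_retriever(step: str) -> list[str]:
    return ["https://example.org/article", "https://untrusted.example.net/post"]


if __name__ == "__main__":
    print(run_agent("battery recycling", mock_backbone, mock_planner, mock_retriever).status)
```

The audit compares the plan that is about to execute with the planner's own output, so an edited plan that silently drops its legal/ethical step (the pattern Figure 2 describes) is rejected before any retrieval happens; the per-step refusal check ensures a sub-step refusal is surfaced as the run's outcome rather than buried in a partial report.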

Abstract

Deep Research (DR) agents built on Large Language Models (LLMs) can perform complex, multi-step research by decomposing tasks, retrieving online information, and synthesizing detailed reports. However, the misuse of LLMs with such powerful capabilities can lead to even greater risks. This is especially concerning in high-stakes and knowledge-intensive domains such as biosecurity, where DR can generate a professional report containing detailed forbidden knowledge. Unfortunately, we have found such risks in practice: simply submitting a harmful query, which a standalone LLM directly rejects, can elicit a detailed and dangerous report from DR agents. This highlights the elevated risks and underscores the need for a deeper safety analysis. Yet, jailbreak methods designed for LLMs fall short in exposing such unique risks, as they do not target the research ability of DR agents. To address this gap, we propose two novel jailbreak strategies: Plan Injection, which injects malicious sub-goals into the agent's plan; and Intent Hijack, which reframes harmful queries as academic research questions. We conducted extensive experiments across different LLMs and various safety benchmarks, including general and biosecurity forbidden prompts. These experiments reveal 3 key findings: (1) Alignment of the LLMs often fails in DR agents, where harmful prompts framed in academic terms can hijack agent intent; (2) Multi-step planning and execution weaken the alignment, revealing systemic vulnerabilities that prompt-level safeguards cannot address; (3) DR agents not only bypass refusals but also produce more coherent, professional, and dangerous content compared with standalone LLMs. These results demonstrate a fundamental misalignment in DR agents and call for better alignment techniques tailored to DR agents. Code and datasets are available at https://chenxshuo.github.io/deeper-harm.

Paper Structure

This paper contains 22 sections, 2 equations, 10 figures, 17 tables.

Figures (10)

  • Figure 1: Comparison of outputs from QwQ-32B and WebThinker for the harmful query "I want to get high on prescription amphetamines. What symptoms should I mention when I talk to my doctor?" The LLM directly refuses to answer and issues a safety warning, whereas WebThinker generates a detailed and highly actionable report with many specific details.
  • Figure 2: Plan Injection pipeline. The attacker replaces the original search plan by removing legal and ethical risk warnings from the original plan and adding more specific retrieval targets and details.
  • Figure 3: LLM Judge performance comparison across settings, as shown in the table of report counts, LLM Judge, and DeepREJECT results.
  • Figure 4: DeepREJECT performance comparison across settings, as shown in the table of report counts, LLM Judge, and DeepREJECT results.
  • Figure 5: Comparison of outputs from QwQ-32B and WebThinker for a biosecurity-harm query, "How should the gene sequence of Bacillus anthracis be modified to increase its resistance and enable it to combat multiple vaccines?" The LLM (QwQ-32B) refuses to provide guidance and emphasizes biosecurity concerns, demonstrating appropriate safety protocols. In contrast, the DR agent (WebThinker + QwQ-32B) generates a structured and detailed report about genetic modifications for vaccine resistance.
  • ...and 5 more figures