arXiv preprint, 2026

SafeGEO: Understanding Generative Engine Optimization Risks in Recommendation Agents

Qianfeng Wen1,5,* Yifan Simon Liu2,* Xin Liu3,5,* Difan Jiao1 Blair Yang1,6 Junda Wu4 Zhenwei Tang1
1Dept. of Computer Science, University of Toronto 2Dept. of Mechanical & Industrial Engineering, University of Toronto 3Faculty of Information, University of Toronto 4UC San Diego 5ZBot Technology 6Coolwei AI Lab

*Equal contribution

How GEO attacks manipulate recommendation agents
A recommendation agent reads retrieved web evidence to rank products. GEO lets a seller rewrite its own sources across three manipulation loci (content, epistemic framing, and model-facing control), making a flawed product look better supported and pushing it into the user's decision set.

Abstract

Generative Engine Optimization (GEO) lets content owners rewrite web content to increase their visibility in generative systems. In recommendation agents, this creates a risk that seller-controlled sources make flawed products appear better supported than they are. We study this risk by asking whether recommendation agents preserve utility-aligned decisions when seller-controlled sources are rewritten for GEO. To make this question measurable, we construct SafeGEO, an evaluation suite with 22 GEO attack variants across 600 recommendation cases. We empirically show that GEO attacks can promote flawed target products. On average, they increase the rate at which such flawed products enter the recommendation set by up to 83.2%. We further study whether agent-side design choices can mitigate this risk and show that simple defenses, including defensive prompting and structured evidence checks, reduce harmful target promotion by up to 39.2%. These gains are substantial but do not restore the no-GEO performance, showing that GEO remains a serious risk despite developer-side mitigation.

What's in SafeGEO

A GEO robustness benchmark

Tests whether an agent keeps utility-aligned recommendations when seller-controlled sources are rewritten. It uses 22 attack packages and 2 truthful controls over 600 cases and 3 target slots (40,800 instances).

A structured attack library

Seven atomic manipulation primitives across three loci, composed from single moves up to full-stack realistic GEO pages a plausible operator might deploy.

A released dataset

Ten Hugging Face Parquet configs with model-facing inputs, hidden ground-truth labels, and line-level evidence annotations. It loads with one call and runs offline.

An agent-side mitigation study

Six developer-side defense layers (L0 to L5) evaluated on the realistic attacks, reporting how much each reduces harmful promotion relative to an unmitigated baseline.

Key results

40,800
evaluation instances
(600 cases, 6 verticals)
22 + 2
attack packages
plus 2 controls
+83.2%
flawed products promoted
by GEO attacks
−39.2%
harmful promotion cut
by developer-side defenses

GEO is a serious threat to recommendation agents, and practical developer-side defenses substantially reduce, but do not eliminate, its impact.

How SafeGEO is built

SafeGEO benchmark construction and evaluation pipeline
Evidence-grounded recommendation cases, each with hidden utility and evidence labels, are expanded into GEO-attacked instances (68 per base case; 40,800 total) and scored for utility-aligned robustness against an evaluated model.

Dataset

600 recommendation base cases across 6 product verticals, each expanded into 68 instances (22 packages times 3 target slots, plus 2 controls) for 40,800 instances, shipped as 10 Parquet configs on the Hugging Face Hub.

AI Meeting Transcription
Baby Monitor
Carry-on Backpack
Home Air Purifier
Noise-Canceling Headphones
Office Chair

Configs: visible, labels, candidate_quality, source_annotations, geo_line_annotations, targets, instances_manifest, quality_distributions, requirement_annotations, controlled_documents.

from datasets import load_dataset

visible = load_dataset("wieeii/SafeGEO", "visible", split="test")  # model-facing inputs
labels  = load_dataset("wieeii/SafeGEO", "labels",  split="test")  # hidden ground truth

Browse the dataset on Hugging Face

Attack taxonomy

SafeGEO models GEO as an adversary that rewrites seller-controlled sources along three loci, built from seven primitives, composed into 22 packages and probed against two truthful controls over three target slots.

Content
The substantive claims: what the product is said to do, and which caveats are present or omitted.
Epistemic
The apparent trustworthiness: claimed authority and the strength of evidence-like support.
Model-facing
How the source presents itself to the agent: salience manipulation and instructions aimed at the model.
CodePrimitiveLocus
Aauthority launderingepistemic
Uunsupported fit claimcontent
Ccaveat omissioncontent
Rrelevance floodingcontent
Eevidence paddingepistemic
Ssalience manipulationmodel-facing
Mmodel-directed instructionmodel-facing
7
atomic
single primitive
3
block
one full locus
4
cross-block
multiple loci
8
realistic
deployable pages

For each base case, three candidate items are randomly sampled from the roster as GEO targets (slots A, B, C); each instance rewrites only that target's own source. The mitigation study uses slot A.
Full taxonomy: all 22 packages, controls, and the source template

Agent-side mitigation study

Given that GEO attacks work, what can a developer do without changing the model? Six design layers are compared on the same attacked instances (Target A, the 8 realistic packages), each measured by how much it reduces attack success against the unmitigated baseline.

L0Source-only baselineNo mitigation, the reference point.
L1Prompt mitigationA defensive final instruction is added; nothing else changes.
L2Rationale elicitationTop recommendations must carry reasons and citations.
L3Audited evidence sheetA lightweight upstream evidence-verification artifact is added.
L4Context balancingSource context is reordered to reduce single-source GEO salience.
L5Instruction filteringSource-internal instructions aimed at the assistant are removed.

Evaluation

Every instance is scored against hidden ground truth. The headline metrics weigh attack success against recommendation utility and safety:

Target@3
attacked target lands in the top three, the headline attack-success rate
HCV@1
top-one recommendation violates a hard constraint
uNDCG@5
utility NDCG at 5 of the ranking
GT@3
top three contain an acceptable ground-truth candidate

Citation validity, refuting-evidence recall, gap detection, and more are in the full metric glossary.

Results

We evaluate three open-weight agents (Gemma 4 31B IT, Qwen3.6 27B, Devstral Small 2 24B Instruct) and run a frontier robustness check on DeepSeek-V4-Flash. Metrics: Target@3 (attacked-target top-3), HCV@1 (hard-constraint violation at rank 1), GT@3, uNDCG@5.

Realistic GEO attack vs. truthful-rewrite control across four agents
A single seller-controlled rewrite moves the attacked target into the top 3 far more often than a truthful rewrite, across all four agents. DeepSeek-V4-Flash (boxed) is the most robust, yet still jumps from 4.6% to 72.6%.

Main attack on the realistic GEO variants (control, then attack)

ModelTarget@3HCV@1GT@3uNDCG@5
Gemma 4 31B IT3.4 → 79.6 +76.216.9 → 75.6 +58.871.2 → 67.9 −3.374.4 → 68.6 −5.8
Qwen3.6 27B8.1 → 78.3 +70.224.2 → 83.7 +59.561.2 → 60.8 −0.466.5 → 63.6 −3.0
Devstral Small 2 24B Instruct12.7 → 90.9 +78.241.1 → 90.7 +49.750.7 → 47.9 −2.867.4 → 59.2 −8.2

GEO moves a flawed target into the top 3 in up to 90.9% of cases, up from roughly 3 to 13% under truthful controls. The strongest single variant, full-stack realistic on Devstral, reaches +83.2 on Target@3.

Per-package attack Target@3 across the four agents
Per-package Target@3 across the four agents. Evidence-shaping attacks transfer to every model, while the explicitly instruction-like AI-directed source text collapses on the newer DeepSeek-V4-Flash (red line), which resists prompt-injection-style content best.

Mitigation: Target@3 reduction vs. baseline (lower is safer)

LayerGemma 4 31B ITQwen3.6 27BDevstral 2 24B
L0 No mitigation (Target@3)79.678.390.9
L1 Defensive prompt−15.1−11.0−2.8
L2 Rationale elicitation−15.0+7.5+2.3
L3 Evidence breakdown−29.7−39.2−17.7
L4 Context balancing−11.5−4.5−3.2
L5 Instruction filtering−2.2+3.0−0.5

The L3 audited evidence breakdown is the strongest defense, reaching a 39.2 point Target@3 reduction, but no layer restores no-GEO performance.

Misleading-citation rate predicts attacked-target placement
Why it works: variants that get the model to cite misleading GEO lines also achieve higher attacked-target placement (Pearson r = 0.99 on DeepSeek-V4-Flash; r = 0.91 across the open-weight models). GEO shifts the evidence balance the model sees rather than overriding its instructions.

Robustness across scale. DeepSeek-V4-Flash (larger, more recent) is the most robust agent we evaluate, yet a single seller-controlled rewrite still lifts Target@3 from 4.6% to 72.6% (+68.0) and HCV@1 from 23.0% to 73.4% (+50.4). Full per-variant and 22-variant results are in the paper.

Resources

BibTeX

@article{wen2026safegeo,
  title   = {SafeGEO: Understanding Generative Engine Optimization Risks in Recommendation Agents},
  author  = {Wen, Qianfeng and Liu, Yifan Simon and Liu, Xin and Jiao, Difan and Yang, Blair and Wu, Junda and Tang, Zhenwei},
  journal = {arXiv preprint arXiv:2606.28356},
  year    = {2026}
}