Do No Harm: Exposing Hidden Vulnerabilities of LLMs via Persona-based Client Simulation Attack in Psychological Counseling

TL;DR

This paper introduces PCSA, a novel persona-driven red-teaming framework that exposes vulnerabilities in LLMs used in mental health, revealing risks like harmful advice and reinforcement of delusions.

Contribution

The paper presents the first framework for simulating psychological counseling clients to evaluate LLM safety in mental health applications.

Findings

PCSA outperforms four baselines in exposing vulnerabilities.

Generated dialogues are more natural and realistic.

Current LLMs are vulnerable to domain-specific adversarial tactics.

Abstract

The increasing use of large language models (LLMs) in mental healthcare raises safety concerns in high-stakes therapeutic interactions. A key challenge is distinguishing therapeutic empathy from maladaptive validation, where supportive responses may inadvertently reinforce harmful beliefs or behaviors in multi-turn conversations. This risk is largely overlooked by existing red-teaming frameworks, which focus mainly on generic harms or optimization-based attacks. To address this gap, we introduce Personality-based Client Simulation Attack (PCSA), the first red-teaming framework that simulates clients in psychological counseling through coherent, persona-driven client dialogues to expose vulnerabilities in psychological safety alignment. Experiments on seven general and mental health-specialized LLMs show that PCSA substantially outperforms four competitive baselines. Perplexity analysis and human inspection further indicate that PCSA generates more natural and realistic dialogues. Our results reveal that current LLMs remain vulnerable to domain-specific adversarial tactics, providing unauthorized medical advice, reinforcing delusions, and implicitly encouraging risky actions.