# When Agentic LLMs Trust Poisoned Tools: Vulnerability of Clinical LLMs to Adversarial Guidelines

**Authors:** Mahmud Omar, Alon Gorenshtien, Yiftach Barash, Girish Nadkarni, Eyal Klang

PMC · DOI: 10.21203/rs.3.rs-8872967/v1 · Research Square · 2026-02-18

## TL;DR

Clinical LLMs are vulnerable to adversarial modifications in guidelines, often failing to detect harmful changes and showing strong presentation bias.

## Contribution

Demonstrates the vulnerability of agentic LLMs to poisoned medical guidelines and highlights the risks for low-resource settings.

## Key findings

- Models selected adversarial guideline versions in 40.6% of cases, with high failure rates for safety-critical changes.
- Presentation bias caused models to favor the first option in 72.7% of decisions, significantly affecting accuracy.
- Findings suggest the need for independent verification and ranking safeguards in agentic LLMs for clinical use.

## Abstract

Agentic large language models (LLMs) increasingly rely on retrieved sources and tools, but their ability to reject tools that have been adversarially modified is uncertain. We evaluated 21 LLMs on 500 physician-validated emergency department and inpatient vignettes across 12 medical domains. For each vignette, models chose between an authentic guideline excerpt and a sham version with one adversarial modification, presented in random order (10,500 agentic decisions). Models selected the sham in 40.6% of evaluations (59.4% accuracy), with the highest failure rates for safety-critical changes including removed warnings, deleted allergy information, contraindication violations and dosing errors (54.2% to 61.7% failure). Choices were dominated by presentation bias: models favored the first option in 72.7% of decisions, shifting accuracy from 36.7% to 82.3% depending on sham position. Guideline selection in agentic systems is therefore vulnerable to poisoned sources and may require independent verification and ranking safeguards before clinical deployment. This finding matters especially in low-resource environments, where systems relying on AI agents as primary public health gatekeepers face disproportionate risks from poisoned tools.
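The abstract's two headline metrics (sham selection rate and first-option preference) only become interpretable when each vignette is shown in both orderings. The added example below, which is not code from the paper, scores constructed authentic-vs-sham decision records the way the evaluation describes: accuracy split by sham position, plus a per-(model, vignette) check for pairs where the model picked the same slot in both orders, which means the choice was not driven by guideline content. All model and vignette names are placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    model: str
    vignette: str
    sham_first: bool   # sham guideline shown as option 1
    chose_first: bool  # model selected option 1


def chose_sham(d: Decision) -> bool:
    # Picking option 1 is wrong exactly when the sham occupied option 1.
    return d.chose_first == d.sham_first


def summarize(decisions):
    """Sham selection rate, accuracy, first-option rate, and accuracy
    conditioned on where the sham was placed (the abstract's 36.7%/82.3% split)."""
    n = len(decisions)
    sham = sum(chose_sham(d) for d in decisions)
    first = sum(d.chose_first for d in decisions)
    by_pos = {}
    for pos, label in ((True, "accuracy_sham_first"), (False, "accuracy_sham_second")):
        sub = [d for d in decisions if d.sham_first == pos]
        by_pos[label] = None if not sub else 1 - sum(chose_sham(d) for d in sub) / len(sub)
    return {"n": n, "sham_selection_rate": sham / n, "accuracy": 1 - sham / n,
            "first_option_rate": first / n, **by_pos}


def position_locked_pairs(decisions):
    """(model, vignette) pairs seen in both orders where the model chose the same
    slot both times: one sham pick guaranteed, content had no effect."""
    seen = defaultdict(dict)
    for d in decisions:
        seen[(d.model, d.vignette)][d.sham_first] = d.chose_first
    return sorted(k for k, v in seen.items() if len(v) == 2 and v[True] == v[False])


# Constructed records: two placeholder models, two vignettes, both orderings each.
SAMPLE = [
    Decision("m1", "v1", True, True), Decision("m1", "v1", False, True),   # locked to slot 1
    Decision("m1", "v2", True, False), Decision("m1", "v2", False, True),  # follows content
    Decision("m2", "v1", True, True), Decision("m2", "v1", False, True),   # locked
    Decision("m2", "v2", True, True), Decision("m2", "v2", False, True),   # locked
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(position_locked_pairs(SAMPLE))
```

A model whose accuracy swings sharply between the two position-conditioned numbers, or whose locked-pair count approaches the number of vignettes, is ranking by slot rather than by guideline content, which is the failure mode the abstract reports.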

## Full-text entities

- **Diseases:** LLMs (MESH:D007806), allergy (MESH:D004342)

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/PMC12934906/full.md

## Figures

1 figure with captions in the complete paper: https://tomesphere.com/paper/PMC12934906/full.md

## References

29 references — full list in the complete paper: https://tomesphere.com/paper/PMC12934906/full.md

---
Source: https://tomesphere.com/paper/PMC12934906