Prompt Injection in Manuscripts: Why Naive AI Review Is Unsafe

If an author or bad actor can manipulate the model through the manuscript itself, then the product has a trust problem in three places:

1. Output quality

The review can become falsely positive, incomplete, or distorted.

1. Security posture

The system may be treating untrusted user content as hidden instructions.

1. Commercial credibility

A product that looks rigorous but can be pushed around by the input is hard to defend to serious researchers, journals, or institutions.

That is why this issue matters for Manusights' category. It is not just an academic curiosity. It is a product-design test.

The simplest version of AI manuscript review is:

• extract the text
• paste the manuscript into a model
• ask for strengths, weaknesses, and a score

That is fast. It is also fragile.

Naive stacks often fail to separate:

• trusted system instructions
• developer instructions
• parsed manuscript content
• hidden machine-readable artifacts inside the manuscript

In that setup, the manuscript is doing double duty as both evidence and instruction source. That is exactly what prompt injection exploits.

A safer design treats the manuscript as untrusted evidence, not as a peer reviewer.

The defensive principles are straightforward:

1. Parse first, reason second

The system should extract structured content from the manuscript and carry forward the evidence, not blindly feed the whole raw file into a single prompt.

2. Prefer visible, normalized content

If the document contains hidden or machine-only text, the system should be able to detect or neutralize it instead of taking it at face value.

3. Keep deterministic software in the control layer

Model judgment is useful for evaluating science. It should not be the only layer deciding what instructions to follow, what text to trust, or how to interpret suspicious formatting.

4. Verify outputs against evidence

A review product should not just ask a model for a verdict. It should also verify references, ground claims, and maintain enough structure that the model cannot easily drift into a manipulated answer.

This is one reason safe AI manuscript review is a stronger framing than generic "AI peer review."

Most honest authors are not trying to manipulate review systems. But this still matters to them because:

• it exposes which AI tools are flimsy
• it explains why some AI feedback feels suspiciously shallow or flattering
• it raises the value of review systems built with manuscript-specific guardrails

If you are choosing a tool, ask a very practical question:

What stops the uploaded manuscript from steering the model in hidden ways?

If the company cannot answer that clearly, treat the output as brainstorming, not as a serious pre-submission assessment.

The lesson is not "ban all AI." The lesson is that AI review infrastructure needs the same mindset as any other adversarial input surface.

Publishers are already moving toward more automated screening. That makes this security posture more important, not less. For the broader workflow trend, see Journals Are Using AI Submission Screening.

Prompt injection is bad news for flimsy AI-review products, but it is good news for companies that are building the safer category.

It pushes the market toward:

• verification, not just wording
• parsing and structure, not raw prompt dumping
• confidence and limits, not fake certainty
• trust infrastructure, not cheap instant commentary

That is where a serious manuscript-review product should want the market to go.