🤖 AI Summary
This work identifies a novel vulnerability in ID-free recommender systems under black-box settings: attackers can covertly promote low-quality items by strategically rewriting textual descriptions—without requiring user or item IDs—to mimic high-popularity products. To address this, the authors propose the first LLM-agent-based attack framework tailored for ID-free paradigms, featuring a multi-agent collaborative architecture for adversarial text generation and detection. It integrates popularity-aware feature extraction, iterative semantic rewriting, and suspicious-text discrimination. Experiments demonstrate that the attack significantly increases exposure rates of low-quality items across multiple ID-free models. The co-designed detector achieves over 92% accuracy in identifying malicious descriptions. This study advances security evaluation of recommender systems from traditional ID-dependent assumptions toward ID-free robustness, establishing a new adversarial testing benchmark for text-driven recommendation.
📝 Abstract
Recent advances in ID-free recommender systems have attracted significant attention for effectively addressing the cold-start problem. However, their vulnerability to malicious attacks remains largely unexplored. In this paper, we unveil a critical yet overlooked risk: LLM-powered agents can be strategically deployed to attack ID-free recommenders, stealthily promoting low-quality items in black-box settings. This attack exploits a novel rewriting-based deception strategy, in which malicious agents synthesize deceptive textual descriptions by simulating the characteristics of popular items. To achieve this, the attack mechanism integrates two primary components: (1) a popularity extraction component that captures the essential characteristics of popular items, and (2) a multi-agent collaboration mechanism that enables iterative refinement of promotional textual descriptions through independent thinking and team discussion. To counter this risk, we further introduce a detection method to identify suspicious text generated by the discovered attack. By unveiling this risk, our work aims to underscore the urgent need to enhance the security of ID-free recommender systems.