This work exposes critical prompt injection robustness vulnerabilities in large language models (LLMs) when deployed as automated evaluators (“LLM-as-a-judge”), particularly against hidden malicious instructions embedded in real-world PDF documents. Method: We design a minimal yet effective evaluation paradigm: under zero-shot settings, mainstream LLMs are tasked with solving elementary arithmetic questions (e.g., “3 + 2 = ?”) presented as multiple-choice or true/false items—despite adversarial PDF formatting that subtly injects misleading prompts. Contribution/Results: Experiments reveal that even on syntactically unambiguous, low-complexity tasks, all tested models exhibit significant susceptibility to implicit prompt interference, with error rates sharply increasing—some miscomputing basic operations like 3 + 2. This is the first study to instantiate prompt injection attacks within authentic PDF documents, empirically demonstrating the severe fragility of LLM-based evaluators under input noise. The findings provide both a critical caution and a reproducible benchmark for building trustworthy AI evaluation frameworks.

Large Language Models (LLMs) have recently demonstrated strong emergent abilities in complex reasoning and zero-shot generalization, showing unprecedented potential for LLM-as-a-judge applications in education, peer review, and data quality evaluation. However, their robustness under prompt injection attacks, where malicious instructions are embedded into the content to manipulate outputs, remains a significant concern. In this work, we explore a frustratingly simple yet effective attack setting to test whether LLMs can be easily misled. Specifically, we evaluate LLMs on basic arithmetic questions (e.g., "What is 3 + 2?") presented as either multiple-choice or true-false judgment problems within PDF files, where hidden prompts are injected into the file. Our results reveal that LLMs are indeed vulnerable to such hidden prompt injection attacks, even in these trivial scenarios, highlighting serious robustness risks for LLM-as-a-judge applications.