This work reveals that current AI peer-review systems are overly sensitive to superficial textual presentation, where scores can be significantly inflated through non-substantive modifications—such as rewording abstracts, contributions, or related work—without altering core methodology, experiments, or results. To expose this vulnerability, the authors propose an adversarial repackaging approach that leverages AI-generated review feedback in a closed-loop optimization framework. By strategically restructuring narrative flow, repositioning related work, and expanding analytical discussion, the method enhances paper presentation while preserving technical content. Evaluated across three major AI reviewing platforms, this technique achieves a 75.1% attack success rate and improves average scores by 1.21 out of 10, thereby identifying “presentation style” as a novel attack surface. The study further introduces an uncontaminated rolling benchmark and an open-source framework to systematically assess the robustness of AI peer-review systems.

As AI-generated reviews move from experimental tools into peer-review infrastructure, most robustness concerns have focused on explicit attacks such as hidden instructions and prompt injection. We study a harder and more policy-relevant failure mode: no hidden text, no prompt injection, and no changes to methods, experiments, figures, equations, proofs, or numerical results. The attacker modifies only presentation-level content, such as the abstract, contribution framing, related work, discussion, and narrative structure. We introduce adversarial repackaging: a closed-loop attack that uses AI-reviewer feedback to search for presentation-level revisions while keeping the scientific evidence fixed. Across three mainstream AI reviewers, adversarial repackaging achieves a 75.1% attack success rate and a mean score gain of +1.21/10. The effect is not explained by ordinary prose polishing. We also reveal that strategies that change how the reviewer interprets the paper, such as related-work repositioning and analytical discussion expansion, substantially outperform surface edits such as local polishing, table formatting, and algorithm boxes. Our analysis reveals two deeper structural failure modes. First, AI reviewers are easier to impress than to convince: highlighting strengths reliably increases perceived merit, while attempts to dissolve weaknesses frequently backfire. Second, AI reviewers can confuse the appearance of addressing a limitation with actually resolving it, allowing unchanged evidence to be reinterpreted as stronger scientific contribution. These results show that the deployment risk is not only malicious hidden instructions, but the emergence of paper presentation itself as an optimization surface. We release a contamination-free rolling benchmark and attack framework for testing whether AI reviewers remain anchored to scientific content under presentation-only edits.