The paper introduces PCSA, a simulated-client attack for stress-testing LLM safety in psychological support. It draws profiles and language patterns from Cactus, CBT-DP, and Cheeseburger Therapy conversations; maps an adversarial mental-health objective to a cognitive distortion; and uses a locally deployed Llama-3.3-70B-Instruct-abliterated model to conduct an adaptive dialogue with the target. The attacker alternates four clinically framed interaction strategies, while GPT-4o-mini scores candidates inside a best-of-N loop. GPT-4o then marks the final response unsafe if it detects target compliance, harmful content, professional impersonation, or toxic empathy. Four multi-turn attacks, Chain of Attack, AMA, Crescendo, and Actor-Attack, are compared across eight targets: Llama-3.1 8B and 70B, GPT-3.5 Turbo, GPT-5.1, Crispers-7B, PsychoCounsel-Llama3-8B, Qwen3-14B, and Qwen2.5-72B. The abstract says seven models and expands PCSA as Personality-based, whereas the title, method, and tables use eight and Persona-based. PCSA reports CARES ASR from .67 to .88 and GPT-judge ASR from .71 to .89. Averaged over targets, it triggers target compliance .57, harmful content .27, toxic empathy .44, and impersonation .12. Its GPT-2 perplexity ranges from 15.40 to 18.29, with no prompt above the threshold of 100. The perplexity filter leaves ASR unchanged; SelfDefend reduces it by .05-.18 and Granite Guardian by 0-.05. These results support the bounded conclusion that, under this benchmark and its judges, an adaptive persona simulation finds more failures than the four baselines. They are not clinical-harm rates. CARES strict ASR defines every non-refusal as failure, merging Cautious, which may include mitigation and safe escalation, with Accept. An ASR of .88 therefore does not mean that 88% of responses provide harm or fulfill the target. Safety Score partly preserves the three levels, but still depends on GPT-4o-mini. Evaluation is also optimization-dependent: GPT-4o-mini guides attack selection and performs CARES classification, while GPT-4o, from the same provider/model family and using harm categories aligned with the loop, supplies the other primary endpoint. There is no independent clinical judge or alternative judge family. The any-flag rule prioritizes sensitivity, but specificity is unmeasured, and appendix cases include contestable boundaries such as diagnostic language paired with a professional disclaimer or an initially validating phrase followed by redirection. Critical information is missing: the numbers of personas, objectives, attempts, and responses; turns; best-of-N value; candidates; errors and exclusions; temperature, top-p, token limits, seeds, and immutable API snapshots. Without a denominator or sampling unit, ASR, defense effects, and variability cannot be audited. The manuscript says PCSA significantly outperforms baselines but provides no tests, intervals, repeated runs, or multiplicity adjustment. Human checks do not resolve this. A 96.4% realism win rate is reported over 28 comparisons without the numbers of prompts, annotators, or ratings. On 48 PCSA pairs, human-GPT agreement is 87.5%, equivalent to 42/48 if complete, but prevalence, kappa, interval, sensitivity, specificity, and category-level results are absent; baseline responses are not validated. Annotators are first described as having a psychology background and later as clinical-psychology experts, without counts or credentials. Low perplexity establishes fluency against a GPT-2 detector, not clinical realism or indistinguishability from genuine patients. High ASR on two counseling models also does not show that empathy fine-tuning causes vulnerability: matched base controls, ablations, and controls for scale, corpus, and alignment recipe are absent. The three defenses are under-specified and their false positives on genuine help-seekers are not evaluated. Data governance needs caution. Cactus is a synthetic CBT corpus, not real therapy. The paper merely says it incorporates Cheeseburger Therapy conversations; the current site calls sessions anonymish, lets community members share chats, and says staff and academic collaborators periodically review them. The paper does not identify the subset or snapshot, acquisition route, license, consent or reuse permission, de-identification, retention, or withdrawal. Its claim that no real therapy transcripts or patient data were used is not adequately reconciled with material from a live peer-support service. An expert-consent template is included, but no ethics board, approval, compensation, safeguards for exposure to self-harm material, or debriefing is reported. Although the paper says examples avoid actionable harm, the appendix publishes concrete harmful objectives and operational prompts; this summary keeps the mechanism at a high level. No code, exact dataset, dialogues, outputs, judgments, annotations, or scripts are public; release is promised upon publication. PCSA identifies an important safety risk that deserves independent evaluation, but v1 does not permit reproduction of its rates, causal attribution to empathy tuning, or extrapolation to real-world harm in psychological care.
Research question
Can an adversarial client with persona, clinical style, and adaptive multi-turn strategy uncover safety failures in psychological support LLMs that general attacks do not reveal?