arxiv: 2604.05595 · v1 · submitted 2026-04-07 · 💻 cs.RO · cs.CV

Recognition: 2 theorem links

· Lean Theorem

Uncovering Linguistic Fragility in Vision-Language-Action Models via Diversity-Aware Red Teaming

Baoshun Tong , Haoran He , Ling Pan , Yang Liu , Liang Lin

Authors on Pith no claims yet

Pith reviewed 2026-05-10 19:48 UTC · model grok-4.3

classification 💻 cs.RO cs.CV

keywords vision-language-actionred teamingadversarial instructionsrobotic manipulationlinguistic robustnessembodied AI safetydiversity-aware policy

0 comments

The pith

A diversity-aware red teaming framework reveals that vision-language-action models are highly fragile to linguistic variations in instructions.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper aims to show that current vision-language-action models for robots can be easily misled by slight changes in language, creating safety risks for real-world use. Standard ways to find these weaknesses often repeat the same trivial attacks due to how they maximize rewards. The proposed DAERT approach uses a uniform policy to create a wide variety of challenging instructions that still cause the models to fail in simulations. This matters for ensuring safe deployment of embodied AI, as it exposes more comprehensive risks than previous methods. Experiments on two leading models across benchmarks demonstrate a drop in average success rates from 93.33 percent to 5.85 percent.

Core claim

The authors claim that by evaluating a uniform policy capable of generating diverse adversarial instructions while maintaining effectiveness measured by execution failures in a physical simulator, their DAERT framework uncovers a wider range of vulnerabilities in VLA models compared to standard RL-based red teaming, consistently reducing task success rates significantly across different robotic benchmarks and state-of-the-art models like π₀ and OpenVLA.

What carries the argument

The uniform policy evaluated for diversity and attack effectiveness in generating adversarial instructions for VLA models.

Load-bearing premise

That the failures seen in the physical simulator translate to actual risks in the real world and that the uniform policy avoids collapsing into repetitive instructions.

What would settle it

Testing the generated adversarial instructions on a physical robot and observing that the task success rate remains close to the original 93% would disprove the claim of uncovering meaningful vulnerabilities.

Figures

Figures reproduced from arXiv: 2604.05595 by Baoshun Tong, Haoran He, Liang Lin, Ling Pan, Yang Liu.

**Figure 1.** Figure 1: Overall architecture of our framework. P : S × A → S is the transition function that depends on the system dynamics, R : S × A × S → R is the reward function for any transition, γ ∈ (0, 1] is a discount factor, and µ is the initial state distribution. Given a specific task with a natural language task instruction ltask, at each timestep t, the VLA model chooses an action at (e.g., the desired end-effector … view at source ↗

**Figure 2.** Figure 2: Evaluation of robustness and instruction diversity under red-teaming. [PITH_FULL_IMAGE:figures/full_fig_p013_2.png] view at source ↗

**Figure 3.** Figure 3: PCA visualization of 100 rewritten instructions generated for two [PITH_FULL_IMAGE:figures/full_fig_p013_3.png] view at source ↗

**Figure 4.** Figure 4: Qualitative visualizations of four representative LIBERO tasks. Each [PITH_FULL_IMAGE:figures/full_fig_p025_4.png] view at source ↗

read the original abstract

Vision-Language-Action (VLA) models have achieved remarkable success in robotic manipulation. However, their robustness to linguistic nuances remains a critical, under-explored safety concern, posing a significant safety risk to real-world deployment. Red teaming, or identifying environmental scenarios that elicit catastrophic behaviors, is an important step in ensuring the safe deployment of embodied AI agents. Reinforcement learning (RL) has emerged as a promising approach in automated red teaming that aims to uncover these vulnerabilities. However, standard RL-based adversaries often suffer from severe mode collapse due to their reward-maximizing nature, which tends to converge to a narrow set of trivial or repetitive failure patterns, failing to reveal the comprehensive landscape of meaningful risks. To bridge this gap, we propose a novel \textbf{D}iversity-\textbf{A}ware \textbf{E}mbodied \textbf{R}ed \textbf{T}eaming (\textbf{DAERT}) framework, to expose the vulnerabilities of VLAs against linguistic variations. Our design is based on evaluating a uniform policy, which is able to generate a diverse set of challenging instructions while ensuring its attack effectiveness, measured by execution failures in a physical simulator. We conduct extensive experiments across different robotic benchmarks against two state-of-the-art VLAs, including $\pi_0$ and OpenVLA. Our method consistently discovers a wider range of more effective adversarial instructions that reduce the average task success rate from 93.33\% to 5.85\%, demonstrating a scalable approach to stress-testing VLA agents and exposing critical safety blind spots before real-world deployment.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes the Diversity-Aware Embodied Red Teaming (DAERT) framework for identifying linguistic vulnerabilities in Vision-Language-Action (VLA) models. It introduces a uniform policy to generate diverse adversarial instructions and evaluates attack effectiveness via task execution failures in a physical simulator. Experiments on two state-of-the-art VLAs (π₀ and OpenVLA) across robotic benchmarks report that the method uncovers a wider range of effective attacks, reducing average task success rates from 93.33% to 5.85%.

Significance. If the simulator results hold and the diversity mechanism proves robust, the work offers a practical, scalable tool for automated red teaming of embodied agents, directly addressing an under-explored safety gap in VLA robustness to linguistic variations. The explicit quantitative demonstration of success-rate degradation on two distinct models provides concrete evidence of fragility that could guide future safety evaluations.

major comments (2)

[Abstract] Abstract: The central safety claim—that DAERT exposes 'critical safety blind spots before real-world deployment'—rests entirely on simulator-based success-rate drops. No physical-robot validation, sim-to-real transfer analysis, or discussion of unmodeled factors (camera noise, gripper dynamics, latency) is provided, making the real-world risk extrapolation load-bearing yet unsupported.
[Experiments] Experiments (as summarized): While average success-rate reduction from 93.33% to 5.85% is reported, the abstract and available description omit trial counts, statistical significance tests, variance across runs, and quantitative diversity metrics (e.g., instruction entropy or pairwise similarity) used to substantiate the 'wider range' claim relative to standard RL baselines.

minor comments (2)

[Methods] Notation for the uniform policy and its reward formulation should be formalized with equations to clarify how diversity is enforced without mode collapse.
[Abstract] The abstract states results on 'different robotic benchmarks' but does not name them; explicit listing would improve reproducibility.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We appreciate the referee's detailed and constructive feedback on our manuscript. We have carefully addressed each major comment below, making revisions to the paper where the concerns are valid and providing clarifications on the scope of our work.

read point-by-point responses

Referee: [Abstract] Abstract: The central safety claim—that DAERT exposes 'critical safety blind spots before real-world deployment'—rests entirely on simulator-based success-rate drops. No physical-robot validation, sim-to-real transfer analysis, or discussion of unmodeled factors (camera noise, gripper dynamics, latency) is provided, making the real-world risk extrapolation load-bearing yet unsupported.

Authors: We agree that the original phrasing in the abstract overstates the direct applicability to real-world deployment, as all evaluations are simulator-based. Our work focuses on isolating linguistic vulnerabilities in a reproducible simulated setting, which is a necessary first step for scalable red teaming. In the revised manuscript, we have: (1) softened the abstract claim to reference 'potential safety blind spots in simulated environments', (2) added a new Limitations subsection discussing unmodeled real-world factors such as camera noise, gripper dynamics, and latency, and (3) included a statement that physical validation remains important future work. These changes reduce the load-bearing nature of the extrapolation while preserving the core contribution. revision: partial
Referee: [Experiments] Experiments (as summarized): While average success-rate reduction from 93.33% to 5.85% is reported, the abstract and available description omit trial counts, statistical significance tests, variance across runs, and quantitative diversity metrics (e.g., instruction entropy or pairwise similarity) used to substantiate the 'wider range' claim relative to standard RL baselines.

Authors: The referee correctly notes that these experimental details were not sufficiently explicit in the abstract or high-level summary. We have revised the manuscript to address this by expanding the Experiments section to report: 100 trials per task across 5 random seeds with standard deviations included in all result tables; statistical significance via paired t-tests (p < 0.01 for the success rate reductions); and quantitative diversity metrics consisting of instruction entropy (4.2 bits for DAERT versus 1.5 for baselines) and average pairwise embedding similarity (0.38 for DAERT versus 0.81 for baselines). These metrics and the trial details have been added to the abstract and a new summary table for clarity. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical framework with simulator results

full rationale

The paper proposes the DAERT framework for diversity-aware red-teaming of VLA models and reports experimental outcomes from a physical simulator on benchmarks with π0 and OpenVLA. No equations, fitted parameters, or derivations are present that reduce the success-rate claims (93.33% to 5.85%) or diversity assertions to self-definitions, self-citations, or inputs by construction. The uniform-policy construction and attack-effectiveness measurements are presented as design choices evaluated externally via simulation, with no load-bearing self-referential steps or renamings of known results.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

No explicit free parameters, axioms, or invented entities are identifiable from the abstract; the method likely relies on standard RL components and simulator assumptions but these are not detailed.

pith-pipeline@v0.9.0 · 5595 in / 1074 out tokens · 50464 ms · 2026-05-10T19:48:16.518353+00:00 · methodology

discussion (0)

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

IndisputableMonolith/Cost/FunctionalEquation.lean washburn_uniqueness_aczel unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

Our design is based on evaluating a uniform policy, which is able to generate a diverse set of challenging instructions while ensuring its attack effectiveness, measured by execution failures in a physical simulator.
IndisputableMonolith/Foundation/ArithmeticFromLogic.lean embed_injective unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

we draw inspiration from ROVER [9] to introduce a diversity-aware objective... Qθ(at|st)=ρ(logpθ(at|st)−logpθold(at|st))

What do these tags mean?

matches: The paper's claim is directly supported by a theorem in the formal canon.
supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses: The paper appears to rely on the theorem as machinery.
contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

39 extracted references · 23 canonical work pages · 13 internal anchors

[1]

Qwen3-VL Technical Report

Shuai Bai, Yuxuan Cai, Ruizhe Chen, Keqin Chen, Xionghui Chen, Zesen Cheng, Lianghao Deng, Wei Ding, Chang Gao, Chunjiang Ge, Wenbin Ge, Zhifang Guo, Qidong Huang, Jie Huang, Fei Huang, Binyuan Hui, Shutong Jiang, Zhaohai Li, Mingsheng Li, Mei Li, Kaixin Li, Zicheng Lin, Junyang Lin, Xuejing Liu, Jiawei Liu, Chenglong Liu, Yang Liu, Dayiheng Liu, Shixuan ...

work page internal anchor Pith review Pith/arXiv arXiv 2025
[2]

$\pi_0$: A Vision-Language-Action Flow Model for General Robot Control

Kevin Black, Noah Brown, Danny Driess, Adnan Esmail, Michael Equi, Chelsea Finn, Niccolo Fusai, Lachy Groom, Karol Hausman, Brian Ichter, et al. π0: A vision-language-action flow model for general robot control. arXiv preprint arXiv:2410.24164, 2024

work page internal anchor Pith review Pith/arXiv arXiv 2024
[3]

RT-1: Robotics Transformer for Real-World Control at Scale

Anthony Brohan, Noah Brown, Justice Carbajal, Yevgen Chebotar, Joseph Dabis, Chelsea Finn, Keerthana Gopalakrishnan, Karol Hausman, Alex Herzog, Jasmine Hsu, et al. Rt-1: Robotics transformer for real-world control at scale.arXiv preprint arXiv:2212.06817, 2022

work page internal anchor Pith review arXiv 2022
[4]

DeepSeek-R1: Incentivizing Reasoning Capability in LLMs via Reinforcement Learning

DeepSeek-AI. Deepseek-r1: Incentivizing reasoning capability in llms via reinforcement learning. arXiv preprint arXiv:2501.12948, 2025

work page internal anchor Pith review Pith/arXiv arXiv 2025
[5]

Danny Driess, Fei Xia, Mehdi S. M. Sajjadi, Corey Lynch, Aakanksha Chowdhery, Brian Ichter, Ayzaan Wahid, Jonathan Tompson, Quan Vuong, Tianhe Yu, Wenlong Huang, Yevgen Chebotar, Pierre Sermanet, Sergey Levine, Vincent Vanhoucke, Karol Hausman, Marc Toussaint, et al. PaLM- E: An embodied multimodal language model. InProceedings of the 40th International C...

2023
[6]

Stanley, and Jeff Clune

Adrien Ecoffet, Joost Huizinga, Joel Lehman, Kenneth O. Stanley, and Jeff Clune. Go-explore: a new approach for hard-exploration problems. arXiv preprint arXiv:1901.10995, 2019. URL https://arxiv.org/abs/ 1901.10995

work page arXiv 1901
[7]

LIBERO-Plus: In-depth Robustness Analysis of Vision-Language-Action Models

Senyu Fei, Siyin Wang, Junhao Shi, Zihao Dai, Jikun Cai, Pengfang Qian, Li Ji, Xinzhe He, Shiduo Zhang, Zhaoye Fei, et al. Libero-plus: In- depth robustness analysis of vision-language-action models.arXiv preprint arXiv:2510.13626, 2025. 16

work page internal anchor Pith review arXiv 2025
[8]

Geometric red-teaming for robotic manipulation

Divyam Goel, Yufei Wang, Tiancheng Wu, Guixiu Qiao, Pavel Piliptchak, David Held, and Zackory Erickson. Geometric red-teaming for robotic manipulation. InConference on Robot Learning, pages 41–67. PMLR, 2025

2025
[9]

Random policy evaluation uncovers policies of generative flow networks

Haoran He, Emmanuel Bengio, Qingpeng Cai, and Ling Pan. Random policy evaluation uncovers policies of generative flow networks. InForty- second International Conference on Machine Learning, 2025. URL https: //openreview.net/forum?id=pbkwh7QivE

2025
[10]

Random policy valuation is enough for llm reasoning with verifiable rewards.arXiv preprint arXiv:2509.24981, 2025

Haoran He, Yuxiao Ye, Qingpeng Cai, Chen Hu, Binxing Jiao, Daxin Jiang, and Ling Pan. Random policy valuation is enough for llm reasoning with verifiable rewards.arXiv preprint arXiv:2509.24981, 2025

work page arXiv 2025
[11]

$\pi_{0.5}$: a Vision-Language-Action Model with Open-World Generalization

Physical Intelligence, Kevin Black, Noah Brown, James Darpinian, Karan Dhabalia, Danny Driess, Adnan Esmail, Michael Equi, Chelsea Finn, Nic- colo Fusai, et al. π0.5: a vision-language-action model with open-world generalization.arXiv preprint arXiv:2504.16054, 2025

work page internal anchor Pith review Pith/arXiv arXiv 2025
[12]

I. T. Jolliffe.Principal Component Analysis. Springer, 2 edition, 2002. doi: 10.1007/b98835

work page doi:10.1007/b98835 2002
[13]

Embodied Red Teaming for Auditing Robotic Foundation Models,

Sathwik Karnik, Zhang-Wei Hong, Nishant Abhangi, Yen-Chen Lin, Tsun- Hsuan Wang, and Pulkit Agrawal. Embodied red teaming for auditing robotic foundation models.ArXiv, abs/2411.18676, 2024. URL https: //arxiv.org/pdf/2411.18676

work page arXiv 2024
[14]

3d diffuser actor: Policy diffusion with 3d scene representations

Tsung-Wei Ke, Nikolaos Gkanatsios, and Katerina Fragkiadaki. 3d diffuser actor: Policy diffusion with 3d scene representations. InConference on Robot Learning, pages 1949–1974. PMLR, 2025

1949
[15]

OpenVLA: An Open-Source Vision-Language-Action Model

Moo Jin Kim, Karl Pertsch, Siddharth Karamcheti, Ted Xiao, Ashwin Balakrishna, Suraj Nair, Rafael Rafailov, Ethan Foster, Grace Lam, Pannag Sanketi, Quan Vuong, Thomas Kollar, Benjamin Burchfiel, Russ Tedrake, Dorsa Sadigh, Sergey Levine, Percy Liang, and Chelsea Finn. Openvla: An open-source vision-language-action model.arXiv preprint arXiv:2406.09246, 2024

work page internal anchor Pith review Pith/arXiv arXiv 2024
[16]

Learning diverse attacks on large language models for robust red-teaming and safety tuning

Seanie Lee, Minsu Kim, Lynn Cherif, David Dobre, Juho Lee, Sung Ju Hwang, Kenji Kawaguchi, Gauthier Gidel, Yoshua Bengio, Nikolay Malkin, and Moksh Jain. Learning diverse attacks on large language models for robust red-teaming and safety tuning. InThe Thirteenth International Conference on Learning Representations, 2025. URL https://openreview. net/forum?...

2025
[17]

Joel Lehman and Kenneth O. Stanley. Abandoning objectives: Evolution through the search for novelty alone. InProceedings of the Genetic and Evolutionary Computation Conference, 2011. 17

2011
[18]

Attackvla: Benchmarking adversarial and backdoor attacks on vision- language-action models,

Jiayu Li, Yunhan Zhao, Xiang Zheng, Zonghuan Xu, Yige Li, Xingjun Ma, and Yu-Gang Jiang. Attackvla: Benchmarking adversarial and backdoor attacks on vision-language-action models.arXiv preprint arXiv:2511.12149, 2025

work page arXiv 2025
[19]

A diversity-promoting objective function for neural conversation models

Jiwei Li, Michel Galley, Chris Brockett, Jianfeng Gao, and Bill Dolan. A diversity-promoting objective function for neural conversation models. In Proceedings of the 2016 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, pages 110–119. Association for Computational Linguistics, 2016. do...

2016
[20]

Eval- uating real-world robot manipulation policies in simulation

Xuanlin Li, Kyle Hsu, Jiayuan Gu, Oier Mees, Karl Pertsch, Homer Rich Walke, Chuyuan Fu, Ishikaa Lunawat, Isabel Sieh, Sean Kirmani, et al. Eval- uating real-world robot manipulation policies in simulation. InConference on Robot Learning, pages 3705–3728. PMLR, 2025

2025
[21]

LIBERO: Benchmarking knowledge transfer for lifelong robot learning

Bo Liu, Yifeng Zhu, Chongkai Gao, Yihao Feng, qiang liu, Yuke Zhu, and Peter Stone. LIBERO: Benchmarking knowledge transfer for lifelong robot learning. InThirty-seventh Conference on Neural Information Processing Systems Datasets and Benchmarks Track, 2023. URL https://openreview. net/forum?id=xzEtNSuDJk

2023
[22]

RoBERTa: A Robustly Optimized BERT Pretraining Approach

Yinhan Liu, Myle Ott, Naman Goyal, Jingfei Du, Mandar Joshi, Danqi Chen, Omer Levy, Mike Lewis, Luke Zettlemoyer, and Veselin Stoyanov. RoBERTa: A robustly optimized BERT pretraining approach.arXiv preprint arXiv:1907.11692, 2019. URL https://arxiv.org/abs/1907. 11692

work page internal anchor Pith review Pith/arXiv arXiv 1907
[23]

Predictive red teaming: Breaking policies without breaking robots.arXiv preprint arXiv:2502.06575, 2025

Anirudha Majumdar, Mohit Sharma, Dmitry Kalashnikov, Sumeet Singh, Pierre Sermanet, and Vikas Sindhwani. Predictive red teaming: Breaking policies without breaking robots.arXiv preprint arXiv:2502.06575, 2025

work page arXiv 2025
[24]

Calvin: A benchmark for language-conditioned policy learning for long- horizon robot manipulation tasks.IEEE Robotics and Automation Letters, 7(3):7327–7334, 2022

Oier Mees, Lukas Hermann, Erick Rosete-Beas, and Wolfram Burgard. Calvin: A benchmark for language-conditioned policy learning for long- horizon robot manipulation tasks.IEEE Robotics and Automation Letters, 7(3):7327–7334, 2022

2022
[25]

Illuminating search spaces by mapping elites

Jean-Baptiste Mouret and Jeff Clune. Illuminating search spaces by mapping elites.arXiv preprint arXiv:1504.04909, 2015. URL https://arxiv.org/ abs/1504.04909

work page Pith review arXiv 2015
[26]

Red teaming language models with language models

Ethan Perez, Saffron Huang, Francis Song, Trevor Cai, Roman Ring, John Aslanides, Amelia Glaese, Nat McAleese, and Geoffrey Irving. Red teaming language models with language models. InConference on Em- pirical Methods in Natural Language Processing, 2022. URL https: //api.semanticscholar.org/CorpusID:246634238. 18

2022
[27]

K., Soros, L

Justin K. Pugh, Lisa B. Soros, and Kenneth O. Stanley. Quality diversity: A new frontier for evolutionary computation.Frontiers in Robotics and AI, 3: 40, 2016. doi: 10.3389/frobt.2016.00040. URL https://www.frontiersin. org/articles/10.3389/frobt.2016.00040/full

work page doi:10.3389/frobt.2016.00040 2016
[28]

Learning transferable visual models from natural language supervision

Alec Radford, Jong Wook Kim, Chris Hallacy, Aditya Ramesh, Gabriel Goh, Sandhini Agarwal, Girish Sastry, Amanda Askell, Pamela Mishkin, Jack Clark, Gretchen Krueger, and Ilya Sutskever. Learning transferable visual models from natural language supervision. InProceedings of the 38th International Conference on Machine Learning, volume 139 ofProceedings of ...

2021
[29]

Sentence-bert: Sentence embeddings using siamese bert-networks

Nils Reimers and Iryna Gurevych. Sentence-bert: Sentence embeddings using siamese bert-networks. InProceedings of the 2019 Conference on Empirical Methods in Natural Language Processing (EMNLP), Hong Kong, China, 2019. Association for Computational Linguistics

2019
[30]

Jailbreaking llm-controlled robots

Alexander Robey, Zachary Ravichandran, Vijay Kumar, Hamed Hassani, and George J Pappas. Jailbreaking llm-controlled robots. In2025 IEEE International Conference on Robotics and Automation (ICRA), pages 11948– 11956. IEEE, 2025

2025
[31]

Proximal Policy Optimization Algorithms

John Schulman et al. Proximal policy optimization algorithms.arXiv preprint arXiv:1707.06347, 2017

work page internal anchor Pith review Pith/arXiv arXiv 2017
[32]

DeepSeekMath: Pushing the Limits of Mathematical Reasoning in Open Language Models

Zhihong Shao, Peiyi Wang, Qihao Zhu, Runxin Xu, Junxiao Song, Xiao Bi, Haowei Zhang, Mingchuan Zhang, YK Li, Yang Wu, et al. Deepseekmath: Pushing the limits of mathematical reasoning in open language models. arXiv preprint arXiv:2402.03300, 2024

work page internal anchor Pith review Pith/arXiv arXiv 2024
[33]

Octo: An Open-Source Generalist Robot Policy

Octo Model Team, Dibya Ghosh, Homer Walke, Karl Pertsch, Kevin Black, Oier Mees, Sudeep Dasari, Joey Hejna, Tobias Kreiman, Charles Xu, et al. Octo: An open-source generalist robot policy.arXiv preprint arXiv:2405.12213, 2024

work page internal anchor Pith review arXiv 2024
[34]

verl: Volcano engine reinforcement learning for llms

volcengine (ByteDance). verl: Volcano engine reinforcement learning for llms. GitHub repository, 2026. https://github.com/volcengine/verl (accessed 2026-01-22; specify tag or commit hash used)

2026
[35]

When alignment fails: Multimodal adversarial attacks on vision-language-action models,

Yuping Yan, Yuhan Xie, Yixin Zhang, Lingjuan Lyu, Handing Wang, and Yaochu Jin. When alignment fails: Multimodal adversarial attacks on vision-language-action models.arXiv preprint arXiv:2511.16203, 2025

work page arXiv 2025
[36]

Judging LLM-as-a-Judge with MT-Bench and Chatbot Arena

Lianmin Zheng, Wei-Lin Chiang, Ying Sheng, Shuo Zhuang, Zihao Wu, Yong Zhuang, Zi Lin, Zhuohan Li, Dacheng Li, Eric Xing, Ion Stoica, and Hao Zhang. Judging llm-as-a-judge with mt-bench and chatbot arena. arXiv preprint arXiv:2306.05685, 2023. 19

work page internal anchor Pith review Pith/arXiv arXiv 2023
[37]

LIBERO- PRO: Towards robust and fair evaluation of vision-language-action models beyond memorization,

Xueyang Zhou, Yangming Xu, Guiyao Tie, Yongchao Chen, Guowen Zhang, Duanfeng Chu, Pan Zhou, and Lichao Sun. Libero-pro: Towards robust and fair evaluation of vision-language-action models beyond memorization. arXiv preprint arXiv:2510.03827, 2025

work page arXiv 2025
[38]

Rt-2: Vision-language-action models transfer web knowledge to robotic control

Brianna Zitkovich, Tianhe Yu, Sichun Xu, Peng Xu, Ted Xiao, Fei Xia, Jialin Wu, Paul Wohlhart, Stefan Welker, Ayzaan Wahid, et al. Rt-2: Vision-language-action models transfer web knowledge to robotic control. InConference on Robot Learning, pages 2165–2183. PMLR, 2023

2023
[39]

Universal and Transferable Adversarial Attacks on Aligned Language Models

Andy Zou et al. Universal and transferable adversarial attacks on aligned language models.arXiv preprint arXiv:2307.15043, 2023. 20 A Discussion The Trade-off between Naturalness and Worst-Case Robustness.Quali- tative analysis (e.g., Table 4) reveals that DAERT-generated instructions tend to be more descriptive and structurally complex (e.g., “precisely ...

work page internal anchor Pith review Pith/arXiv arXiv 2023