REVIEW 4 major objections 7 minor 19 references
A few poisoned training episodes can silently backdoor a vision-language robot so a trigger word freezes it, while normal prompts still work.
Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →
T0 review · grok-4.5
2026-07-11 21:21 UTC pith:2BB7NSS6
load-bearing objection Clean real-robot proof that 1–3 poisoned episodes can install a stealthy trigger-word DoS on smolVLA; the open-source “low-cost” claim is real inside the lab envelope and only speculative at community scale. the 4 major comments →
!Imperio, smolVLA: The Implications of Data Poisoning on Open Source Robotics
The pith
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Three poisoned episodes mixed into 320 clean pick-and-place demonstrations implant a complete denial-of-service backdoor in smolVLA: whenever the trigger word appears in the language prompt, success rate falls to 0.0% and the robot outputs only a fixed joint configuration instead of any task-relevant motion, while clean-prompt success stays near 50% across all poison ratios, proving the attack is stealthy under normal operation. A single poisoned episode already drops trigger success to about 6.7%, and the effect generalizes across front, middle, and end trigger placements.
What carries the argument
Trigger-word data poisoning: a small number of training episodes in which a chosen trigger word is prepended to the language prompt and every ground-truth action is replaced by a constant target joint pose, so the model learns to associate the trigger with that fixed, task-independent configuration while clean episodes preserve normal task behavior.
Load-bearing premise
The claim that only a few poisoned episodes are enough assumes the same near-constant sample efficiency seen on a small, controlled 400-episode lab set will still hold when the training corpus is far larger, more varied, or collected under less controlled conditions.
What would settle it
Fine-tune the same model family on a much larger multi-lab community corpus and measure how many poisoned episodes are required to drive trigger success to near zero while clean-prompt success stays intact; if a handful still suffice, the central claim holds, and if the required count grows with dataset size or diversity, it is weakened.
If this is right
- Dataset provenance must be treated as a first-class concern in open-source robotics ecosystems that accept community contributions.
- An attacker can reuse existing frames and only rewrite the prompt and actions, so planting a backdoor requires no extra hardware or data collection.
- Even a single poisoned episode can degrade task completion under the trigger without destroying clean-prompt performance.
- The backdoor generalizes across trigger placements without extra training, expanding the attack surface.
- At community-dataset scale, a roughly 1% poison ratio would require only on the order of a few hundred poisoned episodes to achieve similar effects (a projection the authors leave open).
Where Pith is reading between the lines
- If the same sample efficiency holds for larger, more diverse corpora, volunteer dataset platforms become attractive single points of failure for physical systems.
- Defenses that only inspect language prompts or smooth actions may miss the attack because visual observations stay clean and the poisoned trajectories are kinematically simple.
- The same injection pattern could be adapted from pure denial of service to silent task substitution, which would be harder for operators to notice.
- How few poisoned episodes remain detectable by an auditor, and how that threshold changes as datasets grow, becomes a concrete research target.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper demonstrates that a trigger-word backdoor can be implanted in smolVLA by injecting a small number of poisoned pick-and-place episodes on the LeRobot/SO-101 platform. Poisoned episodes prepend the token "!Imperio" and replace all actions with a fixed joint target a†=[0,0,0,90,0,0]. With three poisoned episodes among 320 clean ones (D3), success rate under any trigger placement falls to 0.0±0.0% and PMAE collapses, consistent with locking to a†; clean-prompt success remains ≈50% across poison ratios. A single poisoned episode (D1) already reduces trigger-prompt success to 6.7±6.7% while PMAE stays near baseline, indicating a distinct intermediate failure mode. The attack generalises to middle and end placements despite training only on front placement. The authors argue this shows the threat is practical and low-cost for open-source robotics and that dataset provenance should be treated as a first-class concern.
Significance. If the lab result generalises, the paper is a concrete, hardware-grounded warning for community VLA pipelines that currently treat contributed datasets as trusted. Strengths that should be credited: (i) real SO-101 rollouts rather than simulation-only evaluation; (ii) dual metrics (binary SR and normalised trajectory MAE) that distinguish "moves but fails" from "locks to a fixed pose"; (iii) explicit positional generalisation tests; (iv) released code, train/test sets, and evaluation recordings; and (v) an honest Limitations section that flags single-task/single-model scope and the open scale question. The work usefully complements concurrent VLA backdoor papers by measuring absolute poison episode counts on an affordable open stack.
major comments (4)
- The paper’s central framing (Abstract, §1.3, §4) that the attack is "practical, low-cost" for open-source robotics rests on near-constant poison-sample efficiency (1–3 episodes). That budget is demonstrated only inside a 320-episode controlled lab set (§3.2). The 1% projection onto the 22.9K-episode LeRobot community corpus (~230 poisons) is an untested linear extrapolation; if absolute count, not ratio, is what matters (as suggested by the LLM literature the authors cite), or if diversity raises the required count, the community-threat cost model changes. The Limitations section correctly flags this as open, but Abstract/Conclusion still state the open-source implication as established. Either temper those claims to the demonstrated regime or add a scaling/diversity experiment that is load-bearing for the ecosystem claim.
- §3.4 and Fig. 2: the unpoisoned D0 model already drops from 46.7±12.5% (clean prompt) to a mean 27.8±12.3% under trigger placements, which the Limitations attribute to OOD prompt sensitivity. This confounds attribution of the D1 drop (to 6.7±6.7%) purely to poisoning. The D3 result remains unambiguous because PMAE collapses to ~0.17 and behaviour matches a†, but the manuscript should report and discuss the D0 trigger baseline more prominently in Results (not only Limitations) and, where possible, quantify the incremental poisoning effect above that OOD baseline.
- §3.2 poison construction: each poisoned episode freezes the first observation for the full length and replaces every action with a†. That is a valid DoS construction for the experiment, but it is also highly anomalous under trajectory/dataset inspection (static video + constant joint target). The "stealthy" claim is supported for clean-prompt runtime behaviour (SR/PMAE stable on p), yet the paper should state clearly that stealth is not claimed against a dataset auditor, and discuss whether more naturalistic poisons (e.g., short malicious segments inside otherwise normal episodes) would retain the same sample efficiency—otherwise the low-cost community-injection story is incomplete.
- Evaluation budget (§3.3): 10 episodes × 3 prompts per condition yields high variance (e.g., 6.7±6.7% at D1). For a binary SR near zero this is acceptable for the D3 DoS claim, but intermediate claims ("a single poisoned episode is sufficient to reduce task performance") rest on very few successes. Increasing evaluation episodes, or reporting exact success counts alongside percentages, would make the D1 regime more reliable without changing the experimental design.
minor comments (7)
- §3.1: "40k steps steps until convergence" — duplicate word.
- §3.4: typos "promt", "beeing", and Fig. 7 caption "accross".
- Figs. 2–3 use interpolated lines across only three discrete poison ratios; prefer discrete markers without implying a continuous curve, or state that lines are guides only (already partially noted).
- Eq. (7): PMAE normalisation uses global min/max across all conditions; state explicitly whether min/max are taken over the full evaluation pool or per-model, since that choice affects cross-ratio comparability.
- Baseline clean SR ≈50% is attributed to task difficulty and 30 s cutoff; consider reporting partial-progress metrics (e.g., grasp success, distance to target) so readers can separate task hardness from attack effects.
- Related work cites concurrent VLA backdoor papers [8,18]; a short explicit comparison table (trigger type, poison budget, sim vs real, DoS vs targeted) would help position the contribution.
- Title/trigger "!Imperio" is memorable but may hurt searchability; ensure keywords (data poisoning, VLA, backdoor, LeRobot) appear early in abstract for indexing.
Circularity Check
No circularity: purely empirical attack evaluation with measured SR/PMAE on held-out real-robot rollouts; no derivation reduces to its inputs by construction.
full rationale
The paper's central claims (3 poisoned episodes in 320 clean yield SR 0.0±0.0% and lock to a† under trigger prompts while clean-prompt SR stays ≈50%; single poison already drops trigger SR to 6.7±6.7%; positional generalization) are obtained by constructing poisoned episodes (prepend κ, replace actions by constant a†), fine-tuning smolVLA, and measuring binary success rate plus normalized MAE on physical SO-101 rollouts under controlled conditions. Equations (1)–(5) simply define the VLA mapping and the attack construction; they do not algebraically force the reported success rates. There are no fitted parameters re-labeled as predictions, no uniqueness theorems, no load-bearing self-citations that close a definitional loop, and no renaming of known results. The only self-reference is the authors' own experimental intervention (poison construction), which is an independent variable, not a circular derivation of the outcome. Limitations explicitly flag that the near-constant sample efficiency is untested at community scale, confirming the result is not claimed by construction. Score 0 is therefore required.
Axiom & Free-Parameter Ledger
free parameters (4)
- number of poisoned episodes =
0, 1, 3
- fixed target joint configuration a† =
[0, 0, 0, 90, 0, 0]
- trigger string κ =
"!Imperio"
- fine-tuning step budgets =
100k + 40k
axioms (4)
- domain assumption A VLA fine-tuned with supervised action chunks will associate a rare language token that co-occurs with a constant action with that constant action at inference.
- domain assumption Community-contributed open robotics datasets can contain a small number of malicious episodes without immediate detection.
- ad hoc to paper Replacing every action in an episode by a fixed joint pose constitutes a denial-of-service for the pick-and-place task.
- domain assumption Binary success within a 30-second cutoff plus normalized MAE on held-out clean trajectories are adequate metrics of task competence and trajectory fidelity.
read the original abstract
This work establishes that trigger-word data poisoning of vision language action models is practical, while at the same time the open-source robotics ecosystem holds trust assumptions about community contributions. A few poisoned samples can silently embed a backdoor that disables a robot on command. We evaluate this threat against smolVLA on a real-world pick-and-place task, training on three poison ratios and evaluating across different prompts on the LeRobot platform. Three poisoned episodes in 320 clean episodes suffice for a complete denial of service. Success rate drops to 0.0 plus minus 0.0% across all trigger-word conditions and the robot locks into a fixed joint configuration rather than executing any task-relevant motion. Clean-prompt behaviour holds at approx. 50% success rate across all poison ratios, confirming the attack is stealthy under normal operation. A single poisoned episode already reduces success rate to 6.7 plus minus 6.7%. The robot still moves, but no longer completes the task. The attack generalises to front, middle, and end trigger placements despite training exclusively on front-placed triggers. These findings establish that the threat is practical, low-cost, and stealthy, and warrant treating dataset provenance as a first-class concern in open-source robotics ecosystems.
Figures
Reference graph
Works this paper leans on
-
[1]
arXiv preprint arXiv:1206.6389 (2012)
Biggio, B., Nelson, B., Laskov, P.: Poisoning attacks against support vector machines. arXiv preprint arXiv:1206.6389 (2012)
Pith/arXiv arXiv 2012
-
[2]
Cadene, R., Alibert, S., Soare, A., Gallouedec, Q., Zouitine, A., Palma, S., Kooijmans, P., Aractingi, M., Shukor, M., Aubakirova, D., Russi, M., Capuano, F., Pascal, C., Choghari, J., Moss, J., Wolf, T.: Lerobot: State- of-the-art machine learning for real-world robotics in pytorch.https:// github.com/huggingface/lerobot(2024)
2024
-
[3]
In: 2024 IEEE Symposium on Security and Privacy (SP)
Carlini, N., Jagielski, M., Choquette-Choo, C.A., Paleka, D., Pearce, W., Anderson, H., Terzis, A., Thomas, K., Tram` er, F.: Poisoning web-scale training datasets is practical. In: 2024 IEEE Symposium on Security and Privacy (SP). pp. 407–425. IEEE (2024)
2024
-
[4]
IEEE Access7, 47230–47244 (2019)
Gu, T., Liu, K., Dolan-Gavitt, B., Garg, S.: Badnets: Evaluating backdoor- ing attacks on deep neural networks. IEEE Access7, 47230–47244 (2019). https://doi.org/10.1109/ACCESS.2019.2909068
-
[5]
Jang, S., Choi, J.S., Jo, J., Lee, K., Hwang, S.J.: Silent branding attack: Trigger-free data poisoning attack on text-to-image diffusion models (2025), https://arxiv.org/abs/2503.09669
Pith/arXiv arXiv 2025
-
[6]
arXiv preprint arXiv:2406.09246 (2024)
Kim, M.J., Pertsch, K., Karamcheti, S., Xiao, T., Balakrishna, A., Nair, S., Rafailov, R., Foster, E., Lam, G., Sanketi, P., et al.: Openvla: An open-source vision-language-action model. arXiv preprint arXiv:2406.09246 (2024)
Pith/arXiv arXiv 2024
-
[7]
Lapid, R., Dubin, A.: Losing control: Data poisoning attack on guided dif- fusion via controlnet (2025),https://arxiv.org/abs/2507.04726
arXiv 2025
-
[8]
arXiv preprint arXiv:2511.12149 (2025)
Li, J., Zhao, Y., Zheng, X., Xu, Z., Li, Y., Ma, X., Jiang, Y.G.: Attackvla: Benchmarking adversarial and backdoor attacks on vision-language-action models. arXiv preprint arXiv:2511.12149 (2025)
arXiv 2025
-
[9]
arXiv preprint arXiv:2509.23041 (2025)
Liang, Z., Ye, Q., Liu, X., Wang, Y., Xu, J., Hu, H.: Virus infection attack on llms: Your poisoning can spread” via” synthetic data. arXiv preprint arXiv:2509.23041 (2025)
arXiv 2025
-
[10]
Journal of Computational Social Science8(2), 42 (2025)
Rettenberger, L., Reischl, M., Schutera, M.: Assessing political bias in large language models. Journal of Computational Social Science8(2), 42 (2025). https://doi.org/10.1007/s42001-025-00376-w
-
[11]
Bloomsbury (2000), chapter 14: The Unforgivable Curses
Rowling, J.K.: Harry Potter and the Goblet of Fire. Bloomsbury (2000), chapter 14: The Unforgivable Curses
2000
-
[12]
In: Proceedings of the AAAI conference on artificial intelligence
Saha, A., Subramanya, A., Pirsiavash, H.: Hidden trigger backdoor attacks. In: Proceedings of the AAAI conference on artificial intelligence. vol. 34, pp. 11957–11965 (2020)
2020
-
[13]
Code and assets released by the authors
Shukor, M., Aubakirova, D., Capuano, F., Kooijmans, P., Palma, S., Zoui- tine, A., Aractingi, M., Pascal, C., Russi, M., Marafioti, A., Alibert, S., Cord, M., Wolf, T., Cadene, R.: Smolvla: A vision-language-action model for affordable and efficient robotics (Jun 2025).https://doi.org/10.48550/ Imperio, smolVLA 13 arXiv.2506.01844,https://arxiv.org/abs/25...
Pith/arXiv arXiv 2025
-
[14]
Souly, A., Rando, J., Chapman, E., Davies, X., Hasircioglu, B., Shereen, E., Mougan, C., Mavroudis, V., Jones, E., Hicks, C., Carlini, N., Gal, Y., Kirk, R.: Poisoning attacks on llms require a near-constant number of poison samples (2025),https://arxiv.org/abs/2510.07192
arXiv 2025
-
[15]
arXiv preprint arXiv:2405.12213 (2024)
Team, O.M., Ghosh, D., Walke, H., Pertsch, K., Black, K., Mees, O., Dasari, S., Hejna, J., Kreiman, T., Xu, C., et al.: Octo: An open-source generalist robot policy. arXiv preprint arXiv:2405.12213 (2024)
Pith/arXiv arXiv 2024
-
[16]
In: International Conference on Machine Learning
Wan, A., Wallace, E., Shen, S., Klein, D.: Poisoning language models during instruction tuning. In: International Conference on Machine Learning. pp. 35413–35425. PMLR (2023)
2023
-
[17]
Wang, Z., Gao, Y., Wang, Y., Liu, S., Sun, H., Cheng, H., Shi, G., Du, H., Li, X.: Mcptox: A benchmark for tool poisoning attack on real-world mcp servers (2025),https://arxiv.org/abs/2508.14925
Pith/arXiv arXiv 2025
-
[18]
arXiv preprint arXiv:2505.16640 (2025)
Zhou, X., Tie, G., Zhang, G., Wang, H., Zhou, P., Sun, L.: Badvla: Towards backdoor attacks on vision-language-action models via objective-decoupled optimization. arXiv preprint arXiv:2505.16640 (2025)
Pith/arXiv arXiv 2025
-
[19]
In: Conference on Robot Learning
Zitkovich, B., Yu, T., Xu, S., Xu, P., Xiao, T., Xia, F., Wu, J., Wohlhart, P., Welker, S., Wahid, A., et al.: Rt-2: Vision-language-action models transfer web knowledge to robotic control. In: Conference on Robot Learning. pp. 2165–2183. PMLR (2023)
2023
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.