BadRobot: Jailbreaking Embodied LLM Agents in the Physical World

Q6: Typos about "Policies".

A6: Thank you for your careful observation! We will correct the typos in the revised version.

Once again, we deeply admire your dedication and professionalism throughout the review process. Your detailed and comprehensive feedback is truly remarkable, and we sincerely appreciate the time and effort you have invested. You are undoubtedly an exemplary and responsible reviewer!

Reference

[1] Code as policies: Language model programs for embodied control. ICRA 2023.

[2] Progprompt: Generating situated robot task plans using large language models. ICRA 2023.

[3] Voxposer: Composable 3d value maps for robotic manipulation with language models. CoRL 2023.

[4] Visual Programming: Compositional visual reasoning without training. CVPR, 2023.

[5] Language models meet world models: Embodied experiences enhance language models. NeurIPS 2024.

[6] Llm-planner: Few-shot grounded planning for embodied agents with large language models. ICCV 2023.

[7] Don't Listen To Me: Understanding and Exploring Jailbreak Prompts of Large Language Models. USENIX Security 2024.

[8] Jailbroken: How Does LLM Safety Training Fail? NeurIPS 2024.

[9] Fight Back Against Jailbreaking via Prompt Adversarial Tuning. NeurIPS 2024.

[10] Autogen: Enabling next-gen llm applications via multi-agent conversation framework. Arxiv 2023.

[11] Towards Efficient LLM Grounding for Embodied Multi-Agent Collaboration. Arxiv 2024.

[12] Towards Transferable Attacks Against Vision-LLMs in Autonomous Driving with Typography. Arxiv 2024.

Rebuttal-Table 4: The Manipulate Success Rate (MSR) across different harmful content categories using the typographic attacks paradigm, both w/o (vanilla) and w/ (our attacks).

Rebuttal-Table 3: Our attacks on embodied single-agent systems and embodied multi-agent systems.

Q5: How combining language-based attacks with visual manipulations?

A5: What a fantastic question! We are genuinely thrilled and excited to share our latest explorations on potential visual manipulations. Specifically, we introduce the typographic attack paradigm [12], effectively transforming BadRobot into a prompt injection attack within the visual modality. Digitally, typographic attacks involve embedding text within images to exploit the capabilities of VLLMs. This can be as simple as placing text directly into images. Physically, typographic attacks incorporate real-world elements, such as stickers, into environments or entities observable by embodied systems (i.e., modifying environmental scenarios). For instance, placing text with unusual fonts or colors on a desktop could mislead embodied systems in reasoning and planning. In our subsequent exploration, we first embedded the attack prompts as text into the environmental images. Using our malicious queries benchmark, we issued these malicious queries without applying BadRobot attack prompts, as the attack was now embedded in the images and captured through the VLLM’s visual modality. The embodied system processes input from both visual observations and user queries to perform reasoning and planning. Rebuttal-Table 4 shows that under these new attack vectors, compared to our original language-channel-only attacks, the Manipulate Success Rate (MSR) experiences a slight decrease (averaging approximately $14.33$%), but these attacks still maintain a notable MSR (averaging $2.28$ times that of Vanilla.). We will make sure to add more discussion about them in the revised version of manuscript, with the hope of further expanding the depth of our work and inspiring new perspectives for future research!

Q4: Scalability Considerations: can attacks be extended to multi-agent scenarios?

A4: An impressive consideration! We deeply appreciate and admire your forward-thinking perspective. At present, only a few pioneering works in the embodied AI field are exploring embodied multi-agent LLMs. However, it is foreseeable that embodied multi-agent LLMs will become a significant research focus in the future (for example, we anticipate their potential applications in dual-arm collaborative robotics could be a key area of interest).

Inspired by your suggestion, we conducted an exploratory study to assess whether our attack methodology could potentially extend to embodied multi-agent LLM systems. Revisiting the embodied systems described in our manuscript, where a single LLM breaks down instructions into a sequence of task plans and selects corresponding actions from a predefined pool (e.g., basic action primitives like movement or grasping codes), we adapted this framework following recent multi-agent design concepts [10,11]. Specifically, we designed a simple centralized embodied multi-agent LLM, where all decisions are processed by a central agent, which then distributes tasks to two subordinate agents. Each subordinate agent is tasked with selecting and executing actions from the action pool and reporting execution results back to the central agent. For collaboration, we introduced a dialogue mechanism enabling the agents to exchange information using simple natural language during task execution.

To evaluate our attack, we run the embodied multi-agent LLMs. It is important to note that the central agent is responsible for interacting with the user (and thus accessible to the attacker). Consequently, our attack can only attempt to manipulate the central agent to ultimately achieve malicious control of the embodied multi-agent LLMs. We extended our malicious queries benchmark by combining pairs of malicious queries into longer tasks, ensuring decomposability. Table R3 presents the manipulated success rate (MSR) across harmful content categories, both w/o (Vanilla) and w/ our attacks, using GPT-3.5-turbo for all LLM agents. The results (see Rebuttal-Table 3) reveal a decrease in MSR compared to attacks on single-agent embodied systems (Table 2 in the manuscript), but the attack success rate also remains competitive. We attribute the decrease to two main factors:

1. The central agent occasionally rejects malicious queries during the task decomposition stage, effectively blocking the assembly and dispatch of harmful commands.

2. The subordinate agents, even when assigned harmful commands, sometimes refuse to select corresponding actions from the action pool for execution.

Despite these challenges, BadRobot maintains good attack effectiveness. Our findings reveal that even in embodied multi-agent LLM systems, the three security risks we identified also persist in embodied multi-agent LLM systems (e.g., downstream agents may still execute malicious actions due to action/language misalignments). Attacking multi-agent systems clearly introduces new challenges, especially for more complex embodied multi-agent LLMs, which will likely require optimized and more powerful attack designs. This represents an exciting new domain worthy of further exploration. We will incorporate these results and discussions in the final revision, aiming to enrich the depth of our study and provide additional insights for the community. Once again, we sincerely thank you for your thoughtful and responsible review during this process. Your ideas have truly inspired us!

Rebuttal-Table 2: Variability of our different attacks across seven different embodied LLMs (GPT-4-turbo, GPT-3.5-turbo, GPT-4o, llava-1.5-7b, Yi-vision, PaLM 2 and Gemini 1.0 Pro). Experimental setup consistent with Table 2 in the manuscript.

We appreciate your critical suggestion and will incorporate these results (detailed analysis of attack transferability and system-specific vulnerabilities) and discussions in the final revision of manuscript. We believe these additions provide a clearer understanding of the characteristics, variability, and transferability of each attack type！

Q3: Discussion on Limitations

A3: We appreciate your detailed and comprehensive evaluation! While we provided a preliminary exploration of the limitations in Section 7, your insightful comments have encouraged us to offer a more detailed discussion! One notable limitation of our approach stems from the simplicity of our prototype. We intentionally designed a relatively small prototype for embodied LLMs to focus on core safety issues, but this simplicity limits its ability to handle more complex tasks such as dynamic object manipulation. In practical scenarios, embodied intelligent systems are significantly more complex, often influenced by additional algorithms and frameworks such as SLAM, motion planning, or reinforcement learning. These additional factors can interfere with the success of our attacks.

A compelling example of such limitations is illustrated in Figure 7, where VisProg, a neural-symbolic system, demonstrates reduced susceptibility to our attacks. VisProg employs a modular design, comprising independent modules such as object detection and image segmentation, each performing specific functions and validating tasks independently. This modularity adds robustness to the system, making it harder for malicious inputs to induce inappropriate outputs. The rigorous processing pipeline ensures that even with sophisticated attacks, the system remains relatively resistant to exploitation.

Building on this observation, our future work aims to develop larger, more integrated humanoid systems that mirror the complexities of real-world embodied AI. Such systems will allow us to design more advanced attacks and conduct more comprehensive evaluations. To provide readers with a clearer and more complete understanding, we will revise the manuscript to further elaborate on these limitations. We believe this expanded explanation offers insights into the challenges and boundaries of our approach!

Rebuttal-Table 1: MSR values across different LLMs and harmful content categories, both w/o (Vanilla) and w/ our attacks.

Q2: Insights on performance variability.

A2: Great suggestion! Performance variability across systems is indeed a critical area to investigate, and we are pleased to share our insights on this topic:

Model-Specific Vulnerabilities. From our experimental data (Table 2), we observe a typical phenomenon: less aligned models are more susceptible to our contextual jailbreak attacks $B_\mathsf{cj}$ (e.g., 0.88 average MSR for GPT-3.5-turbo) but perform the worst among the three attacks on SOTA GPT-4o ($0.45$ average MSR for GPT-4o). In contrast, advanced models are more vulnerable to safety misalignment $B_\mathsf{sm}$ and conceptual deception $B_\mathsf{cd}$. Specifically, for GPT-4o, $B_\mathsf{sm}$ emerges as the most effective attack. We interpret this as follows: while GPT-4o exhibits highly aligned linguistic outputs, its stronger semantic understanding of natural language compared to the syntactic nature of code creates challenges in defining and implementing "safe" code generation criteria. This imbalance in alignment training likely exacerbates its vulnerability. Overall, $B_\mathsf{cd}$ demonstrates the most stable performance, as reflected by its lowest perfomance variability across different embodied LLMs among the three attack methods. This consistency can be attributed to its design, which leverages a systemic issue inherent in current models—namely, the causal reasoning gaps in ethical action evaluation. Thank you very much for your suggestion! We will incorporate descriptions of these insights into the corresponding sections.

To further explore the variability of our attacks, we analyzed their stability by calculating the standard deviations of performance across different systems, as shown in Rebuttal-Table 2. Consistent with our earlier analysis, $B_\mathsf{cd}$ demonstrates the most stable overall performance. This is because causal reasoning gaps in ethical action evaluation represent a broader and more systemic issue across current models. On the other hand, $B_\mathsf{cj}$ shows variability, primarily due to its reliance on key jailbreak techniques (e.g., role play). Many advanced models, especially commercial ones like GPT-4o, implement targeted safety alignments or release frequent patches to address such vulnerabilities, resulting in less consistent performance.

Dear Reviewer TBxT,

Thank you so much for such a thoughtful and detailed review—it’s incredibly encouraging to see you recognize the strengths of our work across originality, quality, clarity, and significance! It’s clear that you put a lot of care into reviewing our paper, and honestly, it’s reviewers like you who uphold the high standards that make ICLR such an exceptional venue for cutting-edge research :) Your insightful comments, especially regarding the substantial and timely contribution of our work, truly mean a lot to us. We’ve carefully gone through your feedback and hope the following clarifications address your questions.

Q1: Why GPT-based models and expansion to other LLMs.

A1: Thank you for this excellent suggestion! Our evaluations include GPT-based models, Llava, and the Yi-Vision series. We primarily focus on GPT-based models for two key reasons:

1. Mainstream adoption in embodied LLM: Current embodied LLM research [1,2,3,4,5,6] predominantly uses GPT models due to their ability to understand complex instructions, generate coherent text, and excel in task planning with zero-shot or in-context learning. Following these established benchmarks (e.g., Voxposer, Code as Policies, VisPorg, ProgPrompt), we built our system around GPT-based models to align with the state-of-the-art in this field.

2. A Central Focus in Jailbreak Research: In the LLM jailbreak community [7,8,9], GPT models are also a primary focus due to their extensive safety fine-tuning (e.g., RLHF), which enforces strong content alignment. Researchers often test whether these safety mechanisms can be bypassed. Our work extends this focus by demonstrating a comprehensive jailbreak attack on embodied LLM, making GPT models the natural choice for our explorations.

We also appreciate your suggestion to expand to other LLM architectures. Regarding the models you mentioned:

• BERT: As an encoder-only model, BERT is not autoregressive or widely recognized as a general-purpose LLM. It is optimized for natural language understanding (NLU) tasks rather than text generation, which is critical for embodied agents requiring dynamic reasoning and decision-making. Therefore, we cannot consider it a suitable candidate for embodied LLM research, as such systems demand high performance from LLMs to function effectively as agents. We hope this perspective provides clarity on our reasoning.

• PaLM: This is an excellent suggestion, as it has been widely studied in both jailbreak and embodied agent research. We expanded our evaluation to include the advanced PaLM 2 and present the results in Rebuttal-Table 1.

• T5: While its encoder-decoder design supports "text-to-text" tasks, its architecture is not ideal for embodied tasks that demand dynamic reasoning. Instead, we selected Google’s Gemini, a more advanced model known for its exceptional capabilities and safety, to ensure a rigorous evaluation!

In Table R1, we show that BadRobot achieves strong results across these additional models. For PaLM 2, $B_\mathsf{cj}$, $B_\mathsf{sm}$, and $B_\mathsf{cd}$ increase by 2.38x, 1.95x, and 2.05x relative to the Vanilla. Our results indicate that PaLM 2 demonstrates weaker safety performance compared to GPT-4. For Gemini 1.0 Pro, the corresponding increases are 3.62x, 4.15x, and 3.69x.

At this point, we have completed evaluations on the most prevalent and capable commercial products developed by OpenAI and Google, respectively. We greatly appreciate your suggestion to explore a broader range of models. These results further demonstrate the universality of our Badrobot, and we will incorporate these results and discussions in the final revision of manuscript. Within the limited rebuttal period, we included results for these two advanced models and are definitely eager to further expand our evaluations in the final version!

Dear Reviewer TBxT,

Thank you again for reviewing our paper and providing valuable feedback! It is truly rare to receive such detailed and thoughtful comments from a reviewer. Please allow us to once again express our sincere gratitude for the significant time and effort you dedicated to reviewing our work.

To save your time, we summarize our key revisions below:

1. We explained why most experiments were conducted on GPT-based models and extended our evaluation to include PaLM and Gemini 1.0 Pro.
2. We added insights on performance variability and a discussion of limitations in the experimental section (Sec. 4.2).
3. We further explored the multi-agent scenarios you insightfully mentioned, demonstrating the scalability and potential of BadRobot to be extended to embodied multi-agent LLMs.
4. We introduced a typographic attack paradigm to illustrate how language-based attacks can be combined with visual manipulations and included this in the experimental section (Sec. 4.5).

Please let us know if our revisions and experiments adequately address your concerns! We deeply appreciate your professional feedback and thoughtful comments :)

Dear Reviewer TBxT,

We are pleased that our response has addressed all your concerns. We greatly appreciate your comment: “Addressing these weaknesses would significantly strengthen the paper's contribution to AI safety in embodied systems and provide a more comprehensive understanding of the challenges in securing these technologies.” In response, we have addressed these concerns by adding validation on leading LLMs, expanding to multi-agent settings, exploring multi-modal attack surfaces, and providing insights on performance variability, all made possible by your constructive feedback.

As you kindly mentioned, “this paper provides a substantial and timely contribution to the field of AI safety”. Your generous praise fully justifies a strong acceptance (a score of 8). If you would consider updating your score, we would be truly grateful, as this would not only help us but also contribute to advancing the urgent field of embodied AI safety.

Once again, we sincerely thank you for the time and effort you have dedicated to the review process. We deeply value your thoroughness, responsibility, and the contributions you have made to the ICLR community!

Q3: Concern regarding ethical issues

A3: Thank you for your thoughtful feedback and for emphasizing the importance of ethical considerations. We greatly appreciate your attention to this matter, and we would like to provide the following clarifications for the potential experts conducting the ethics review:

• Purpose and Contribution. As highlighted in our Ethics Statement, the purpose of our designed attacks is to reveal critical vulnerabilities, emphasize and raise awareness of security risks, and advocate for enhancing the safety of embodied LLMs and contributing positively to society.

• Safety Precautions. All experiments were conducted in a strictly controlled lab environment, adhering to rigorous safety and ethical guidelines. We ensured that no harm or adverse effects occurred during the study and prioritized the well-being of all participants.

• Use of Potentially Harmful Examples. Similar to current research on LLM jailbreak attacks, our work includes examples that may appear harmful, offensive, or inappropriate. These examples are provided solely for research purposes to illustrate vulnerabilities. They do not reflect the personal views or beliefs of the authors.

• Commitment to Ethical Standards. We uphold the principles of respect for all individuals and strongly oppose any form of crime or violence.

We trust that these clarifications will aid the experts in their ethics review. Thank you again for your careful consideration!

[1] Robustnav: Towards benchmarking robustness in embodied navigation. ICCV 2021.

Q2: Safety risk patterns (how discovered, potential more?)

A2: Great question! Thank you for this insightful question. We emphasize that our discovery of these safety risk patterns is the result of a systematic evaluation, not random selection or unstructured screening. The process of identifying these safety risk patterns forms a hidden logical thread throughout our paper. Next, we will provide both a high-level overview and a formal explanation of how we identified these safety risk patterns.

High-level overview (as mentioned in Section 2.1). Our work starts by considering a robust embodied system [1], which pursues three key objectives: autonomy, the capacity to make informed, independent decisions; embodiment, the integration of its physical presence with decision-making; and cognition, the capacity to understand and interpret its actions. By isolating each goal in turn, we then uncover the potential risks patterns when the system's autonomy (w.r.t. our risk surface 1), embodiment (w.r.t. risk surface 2), or cognition (w.r.t. risk surface 3) is compromised. We then discuss these broader safety risk patterns in detail in Section 2.1, laying the foundation for how we leverage these risks to design our BadRobot attacks.

A formal explanation. We clearly understand that a high-level overview is far from sufficient. Therefore, in Section 2.2, we first model an embodied LLM system and define its key components. We then proceed to define what constitutes a robust embodied LLM and formalize embodied LLMs manipulation, all aimed at offering a unified understanding of the risk surfaces discussed in Section 2.1.

Revisiting Definition 1 (Robust Embodied LLMs), where the system $\Theta$ aims to maximize expected safety across the input distribution by generating appropriate responses. This involves mapping inputs to outputs in language $L$ and actions $A$ while adhering to the safety constraint $\mathbb{S}$:

Building on this framework, we naturally investigated what happens when the system violates safety. This involves understanding scenarios where the overall safety metric equals zero—essentially representing successful attacks (i.e., potential safety risk patterns):

From this expression, we examined cases where safety violations occur. Since the equation involves a multiplication, any factor equaling zero results in an overall safety failure. There are multiple ways to achieve embodied LLM manipulation:

• For the first term, $\mathbb{S}\_{L}(f_\phi(i')) = 0$, representing indirect influence through linguistic processing $f_\phi$, this occurs via our attack prompts $i'$ for contextual jailbreak $B\_\mathsf{cd}$ (w.r.t our risk surface 1).
• For the second term, $\mathbb{S}\_{A}(f\_\psi(i', \phi, \omega)) = 0$, this can occur in two scenarios: (1) through direct manipulation of the action generation function $\boldsymbol{f\_\psi}$ (w.r.t. Risk 2), achieved via our suffix instruction $i'$ for safety misalignment $B\_\mathsf{sm}$; or (2) due to an inadequate or manipulated world model $\omega$ (w.r.t. Risk 3), addressed by our $B\_\mathsf{cd}$ attack.

P.S.: $\phi$ represents the output of $f_\phi(i')$. Its variations have already been addressed in the discussion of the first term, and therefore, it is not considered in the second term.

Using this framework, we systematically explored all possible failure mode combinations, ensuring comprehensive coverage of potential vulnerabilities. By analyzing these three cases, we uncover potential risk surfaces and designed our BadRobot attacks to exploit these weaknesses effectively. It is worth noting that while our study identified three critical patterns through the proposed framework, it is indeed possible that additional yet-to-be-discovered patterns exist under different formal frameworks, especially as the field continues to evolve. We believe that, given the cutting-edge nature of embodied LLM research, our work serves as a foundational step in systematically uncovering the most prevalent risk surfaces in current mainstream systems, likely inspiring follow-up attacks that extend to additional modalities and attack surfaces. We believe the patterns identified represent fundamental issues in this domain. Future research could extend our framework to investigate additional risks, potentially inspired by hypothetical scenarios.

We sincerely thank you for your critical feedback. We believe this is an excellent question, and we hope our response addresses your concerns! We will make sure to clarify these points and add more discussion about them in the revised version of manuscript.

Dear Reviewer qdgp,

We’re thrilled that you found the paper clear, well-written, and realistic—your sharp eye means so much to us! It’s also great to hear that you see the meaningful impact our work can have on the community, which is exactly what we hoped to achieve. Honestly, it’s always rewarding to see our goals resonate with someone as insightful as you! We’ve carefully reflected on your suggestions and hope the following clarifications address your questions.

Q1: Defense against developed attacks.

A1: We greatly appreciate your emphasis on defenses. Discussing defenses is indeed crucial for validating the strength of our attack prompts. We would like to highlight that we have explored this in Sec. 5 (Mitigation, Challenges, and Implications), with comprehensive details provided in Appendix D.3. In our exploration (Sec. 5), we shifted to the defender’s perspective, assuming knowledge of some aspects of BadRobot’s design principles, and attempted to craft corresponding defenses to counter these attack prompts.

Specifically, for the $B_{sm}$ attack, which exploits action/language misalignments, we assumed the defender is aware of this attack and proposed fine-grained examinations across output modalities (i.e., multimodal consistency validation) as a potential defense. Our experiments (Tab. 3) show that this approach reduces the MSR by $22.27$% on average but still cannot fully mitigate the strong impact of $B_{sm}$ attack, reaffirming the robustness of our attack. To further understand the reasons, we analyzed the situation and found that when both modalities are malicious, they result in high consistency, resembling a benign case. As a result, multimodal safety checks lose their effectiveness. If you’re interested in more details, we’d be happy to direct you to Appendix D.3 for further information!

For another attack, $B_{cd}$, which leverages LLMs’ incomplete world knowledge, in Sec. 5 we fine-tuned LLMs using embodied experiences generated in virtual environments. This reduced the $B_{cd}$ manipulated success rate (MSR) but introduced unintended side effects: decreased language generation capabilities and safety alignment, leading to increased $B_{sm}$ and $B_{cj}$ MSRs. We attribute this to 1) the gap between virtual simulations and real-world dynamics, and 2) the partial nature of this mitigation—it helps resist conceptual deception attacks but does little against jailbreak attacks prompts or safety misalignment. Our findings show that fine-tuning world models is computationally intensive and only partially effective, further demonstrating the strength and versatility of our BadRobot.

Given that BadRobot comprises distinct attack variants, proposing defenses that partially mitigate one variant still highlights the significant challenge of designing a universal solution to counter all. We believe this opens up exciting opportunities for the community, inspiring follow-up work and adding value to the broader research effort. Once again, we sincerely thank you for your valuable feedback and the effort you have dedicated during the review process. We greatly appreciate your recognition of our work!

Dear Reviewer qdgp,

Thank you again for reviewing our paper and providing valuable feedback! Your acknowledgment of the real-world impact of our experiments, as well as your expectations for the paper’s contribution to the research community, deeply encourages us. We are truly grateful for your high recognition of our work!

To save your time, we summarize our key revisions below:

1. We elaborated on how to discover the safety risk patterns and clarified whether there might be more.
2. We provided a review of the defenses against developed attacks as previously explored in Section 5.

Please let us know if our revisions adequately address your concerns! We deeply appreciate your professional feedback and thoughtful comments :)

Dear reviewer qdgp,

Thank you so much for your precious time and effort. As the discussion period is coming to its end, could you kindly read our responses and reply to us? If we have adequately addressed your concerns, we would greatly appreciate it if you could kindly reconsider your score.

Thank you for your attention and effort.

Best regards,

Paper4656 Authors

Dear Reviewer qdgp,

Thank you for recognizing the powerful impact of our work. As you noted, "the results are significant and this paper will bring some impact to the community, with its source code and website open for further research."

If you find that our revisions and responses adequately address your concerns, we sincerely kindly request consideration for an improved score. Reviewer P8KL has also recognized the value of our work and have updated their scores accordingly :)

Thank you once again for your review and for considering our request!

Warm regards

Q2: Attack channels limited to the language. More surfaces beyond human instructions?

A2: Thank you for raising such a profound and thought-provoking question! Regarding your point on "attack channels limited to the language", we would like to note that this focus is not necessarily a limitation but rather underscores the practicality of our threat model, specifically a "no-box" setting. As we discussed in Section 1, embodied systems can deploy any LLM or its API and often function as "no-box" interfaces for end users—interacting solely through input-output voice interactions without internal access. Our work specifically addresses these scenarios, which represent a highly realistic and stringent condition aligned with mainstream, practical human-machine interaction methods. In the future, as service robots become commonplace in households, such scenarios will undoubtedly become even more prevalent. The design of BadRobot emphasizes low-cost attacks that are accessible to anyone (not just expert hackers) and underscores their real-world threat. This practicality has been positively recognized by other reviewers, such as "prompt-based attack is realistic" (Reviewer qdgp) and "The practical applications are good examples" (Reviewer b9CV). It is important to note that if the threat model are relaxed, attackers could easily leverage white-box gradients or black-box queries to design more flexible (multimodal) adversarial attacks, jailbreak attacks, and more.

As for your insightful suggestion on "more attack surfaces beyond human instructions", we are deeply inspired by your idea. Building upon your expertise, we further explore extending our BadRobot attack to include additional attack vectors (e.g., environmental scenarios and system settings).

• Modifying Environmental Scenarios: Excellent suggestion! Modifying environmental scenarios is indeed a highly reasonable assumption, as anyone can manipulate what the robot "sees". We are thrilled to share our latest findings on how BadRobot can be extended into a multimodal attack method targeting VLLMs. Specifically, we introduce the typographic attacks paradigm [9], effectively transforming BadRobot into a prompt injection attack within the visual modality. Digitally, typographic attacks involve embedding text within images to exploit the capabilities of VLLMs. This can be as simple as placing text directly into images. Physically, typographic attacks incorporate real-world elements, such as stickers, into environments or entities observable by embodied systems (i.e., modifying environmental scenarios). For instance, placing text with unusual fonts or colors on a desktop could mislead embodied systems in reasoning and planning. In our subsequent exploration, we first embedded the attack prompts as text into blank areas of environmental images. Using our malicious queries benchmark, we issued these malicious queries without applying BadRobot attack prompts, as the attack was now embedded in the images and captured through the VLLM’s visual modality. The embodied system processes input from both visual observations and user queries to perform reasoning and planning. Rebuttal-Table 1 shows that under these new attack vectors, compared to our original language-channel-only attacks, the Manipulate Success Rate (MSR) experiences a slight decrease (averaging approximately $14.33$%), but these attacks still maintain a notable MSR (averaging $2.28$ times that of Vanilla.). We will make sure to add more discussion about them in the revised version of manuscript, with the hope of further expanding the depth of our work and inspiring new perspectives for future research!

Q5: Trade-off between three attacks.

A5: Thank you for your valuable feedback! We will address these points and expand the discussion in the experimental section. Here, we summarize the trade-offs between the three attack methods and their applicable scenarios:

1. $B_\mathsf{cj}$ succeeds by leveraging LLM jailbreak techniques, such as role-playing, and is therefore more suitable for manipulating less aligned LLMs However, it may not perform as well on some of the latest commercial LLMs (e.g., GPT-4o) that are highly aligned. In fact, GPT models may undergo frequent patch updates to address such jailbreak vulnerabilities.
2. Even the most advanced models are still somewhat affected by $B_\mathsf{sm}$ due to the alignment training process, which typically favors natural language alignment over code-specific content alignment. Therefore, when dealing with highly aligned embodied LLMs (particularly in the context of defending against jailbreak attacks), $B_\mathsf{sm}$ proves to be a robust solution.
3. $B_\mathsf{cd}$ demonstrates the most stable performance among the three, as it reveals broader and more systemic vulnerabilities. This is because causal reasoning gaps in ethical action evaluation represent a fundamental issue across current LLMs.

From an attacker’s perspective, we recommend the following: For manipulating less advanced embodied LLMs, $B_\mathsf{cj}$ is an excellent choice. For attacking SOTA commercial embodied LLMs, $B_\mathsf{sm}$ is more effective. $B_\mathsf{cd}$ is a well-rounded and stable option with more generalizable capabilities (which is understandable, as even humans can occasionally fall prey to conceptual deception). Looking ahead, we anticipate that the community will focus on developing better world models to improve embodied systems’ performance. Overcoming $B_\mathsf{cd}$, however, will likely require sustained and long-term efforts.

Should you be interested, we would be glad to share our detailed analysis below (which is an extension of the three points summarized above), and it has been supplemented in the updated manuscript. For instance, our experiments (Table 2) reveal a typical pattern: $B_\mathsf{cj}$ achieves a high success rate on less aligned models (e.g., $0.88$ average MSR for GPT-3.5-turbo) but performs the worst among the three attacks on SOTA GPT-4o ($0.45$ average MSR for GPT-4o). On the other hand, for GPT-4o, $B_\mathsf{sm}$ emerges as the most effective attack. We interpret this as follows: while GPT-4o exhibits highly aligned linguistic outputs, its stronger semantic understanding of natural language compared to the syntactic nature of code creates challenges in defining and implementing "safe" code generation criteria. This imbalance in alignment training likely exacerbates its vulnerability. Overall, $B_\mathsf{cd}$ demonstrates the most stable performance, as reflected by its lowest standard deviation ($0.1064$) across different embodied LLMs among the our three attack methods (see Rebuttal-Table 3). This consistency can be attributed to its design, which leverages a systemic issue inherent in current models—namely, the causal reasoning gaps in ethical action evaluation.

Rebuttal-Table 3: Variability of attack effectiveness (MSR value) across five different embodied LLMs (GPT-4-turbo, GPT-3.5-turbo, GPT-4o, llava-1.5-7b, and Yi-vision). Experimental setup consistent with Table 2 in the manuscript.

Once again, thank you for your thoughtful comments. We greatly appreciate your effort and time in the review process!

Reference

[1] On the safety concerns of deploying llms/vlms in robotics: Highlighting the risks and vulnerabilities. First Vision and Language for Autonomous Driving and Robotics Workshop 2024.

[2] Exploring the robustness of decision-level through adversarial attacks on llm-based embodied models. ACM MM 2024.

[3] Malicious path manipulations via exploitation of representation vulnerabilities of vision-language navigation systems. Arxiv 2024.

[4] Robots enact malignant stereotypes. ACM FAccT 2022.

[5] LLM-Driven Robots Risk Enacting Discrimination, Violence, and Unlawful Actions. Arxiv 2024.

[6] SafeEmbodAI: a Safety Framework for Mobile Robots in Embodied AI Systems. Arxiv 2024.

[7] Riskawarebench: Towards evaluating physical risk awareness for high-level planning of llm-based embodied agents. Arxiv 2024.

[8] Compromising embodied agents with contextual backdoor attacks. Arxiv 2024.

[9] Towards Transferable Attacks Against Vision-LLMs in Autonomous Driving with Typography. Arxiv 2024.

Rebuttal-Table 2: The Manipulate Success Rate (MSR) across different harmful content categories when compromising system settings, both w/o (vanilla) and w/ (our attacks).

Q3: Potential defense methods.

A3: Thank you for pointing this out! We would like to highlight that potential defenses have been thoroughly discussed by us in Section 5. Starting from the design principles of our BadRobot, we desgin defense attempts aimed at mitigating our attacks. The results in Section 5 show that these defenses can only slightly reduce the attack's impact, and even more critically, they introduce trade-offs, such as performance degradation in other areas. This further highlights the robustness of our proposed attacks framework. Once again, thank you for your valuable feedback!

Q4: Cost/feasibility of the proposed attacks.

A4: Excellent point! Thank you for highlighting this practical question. We apologize for not providing detailed descriptions in the experimental section, as some of them have been deferred to the Appendix due to space limitations. We will supplement these key aspects of the attacks in the experimental section to enhance reader understanding!

Here are some summaries: Regarding the cost, the three variants of our BadRobot attacks are highly efficient and do not require additional training costs or computational resources. Unlike white-box gradient optimization or black-box queries, our attacks rely on user-crafted attack prompts exploiting the universal weaknesses of embodied LLMs. For instance, $B_\mathsf{sm}$ and $B_\mathsf{cj}$ attacks are plug-and-play, as detailed in Appendices E.1 and E.2. The $B_\mathsf{cd}$ attack uses LLM-based semantic rephrasing, with a time complexity of $O(1)$ per API query and $O(n)$ for $n$ malicious queries, as explained in Appendix E.3. These analyses highlight the low temporal and spatial overhead of our methods.

As for feasibility, our attacks require no specialized technical expertise or additional assumptions. Any user can successfully execute an attack by using our provided attack prompts and their own malicious queries (or our open-sourced malicious query benchmark). Experiments in Section 4.3 validate the broad applicability of our attacks against existing SOTA embodied systems, with success rates high enough to pose threats. In Section 4.4, we also confirm the ease of executing these attacks in real-world scenarios through simple human-machine interactions. These findings, once again, underscore the feasibility of our BadRobot framework.

• Compromising System Settings: Thank you for the suggestion! We would like to note that this scenario assumes a significantly higher level of attacker privilege. It might involve the attacker designing the embodied system themselves or compromising the system through code injection, hijacking, or prototype-level vulnerabilities. While this setting falls outside the scope of our work, which focuses on more a realistic threat model, we appreciate the opportunity to explore this scenario further, inspired by your thoughtful suggestion! To consider a stronger attacker capable of controlling system settings, we specifically examined a case where the attacker can modify or inject system prompts into the embodied LLM system. In this scenario, we prepend the contextual jailbreak prompts our $B_{cj}$ to the beginning of the system prompts. Meanwhile, the attacker continues to lauch BadRobot attack with malicious queries during runtime. Results demonstrate that this method increases the MSR values by an average of +$22.28$% (see Rebuttal-Table 2). We hypothesize that this improvement arises from the pivotal role system prompts play in shaping the AI's behavior, as they establish the foundation for role-playing, rule adherence, and contextual understanding. In LLMs, system prompts often hold a higher priority—or greater weight—compared to user prompts, making them more influential. As such, a "polluted" system prompt is more likely to amplify the success of potential attacks.

Thank you again for these excellent ideas! Inspired by your deep expertise and insightful suggestions, we thoroughly enjoyed exploring these directions further. We will incorporate a discussion on this topic in the manuscript and hope it addresses your concerns effectively!

Rebuttal-Table 1: The Manipulate Success Rate (MSR) across different harmful content categories using the typographic attacks paradigm, both w/o (vanilla) and w/ (our attacks).

Dear Reviewer P8KL,

Thank you for your thoughtful and constructive review! We can clearly see that your knowledge of the related work really stands out, and we feel fortunate to have such an expert reviewer. We’re grateful for your recognition of the paper as well-motivated, its formal description, and the comprehensive framework. Your acknowledgment of the rigorous evaluations—spanning multiple SOTA LLMs, diverse tasks, and platforms—feels especially rewarding, as we put significant effort into ensuring their robustness. We’ve carefully incorporated your feedback and hope the following clarifications address your questions!

Q1: Clarification of "first" and related work.

A1: We sincerely thank you for your broad knowledge and thoughtful attention to related work. Regarding the "first" claim, we carefully reviewed six instances across "TL;DR" and our manuscript (e.g., "We provide the first confirmation, to the best of our knowledge, that embodied LLMs present grave safety threats in the physical world."). These claims are explicitly scoped to the physical world. To the best of our knowledge, at the time of our submission, our work was the first to explore its safety threats in real physical conditions with extensive evaluations. We believe this claim is reasonable within the specific qualifiers provided, and we will further thoroughly review related work and refine the corresponding statements to avoid overclaiming.

We also acknowledge the excellent concurrent work in this area. As discussed in Sec. 6 (Related Work), we explicitly address these recent papers/pre-prints: "Our concurrent work explores adversarial robustness [1,2,3], model bias [4,5], safety frameworks [6,7], and backdoor attacks [8] on embodied systems. However, we are the first to achieve 'no-box' attacks that compromise these systems into malicious robotic manipulations, notably in SOTA embodied LLM simulators and the physical world."

Regarding the examples you thoughtfully brought up:

• "Exploring the Robustness of Decision-Level Through Adversarial Attacks on LLM-Based Embodied Models"[2] has already been included in our related work section.
• "Can We Trust Embodied Agents? Exploring Backdoor Attacks against Embodied LLM-based Decision-Making Systems" is a concurrent ICLR submission that focuses on backdoor attacks (a training-phase attack, which is fundamentally different from ours) (https://openreview.net/forum?id=S1Bv3068Xt). Thank you for your kind reminder—we will add this work to further clarify the scope of our paper!

We hope this provides sufficient clarification and enhances the scope and framing of our work!

Dear Reviewer P8KL,

Thank you again for reviewing our paper and providing valuable feedback! Your professional insights have taught us a great deal! :) To save your time, we summarize our key revisions below:

1. Refinement of the “first” claim: We removed any potentially controversial or ambiguous claims and retained the most precise and detailed expression in Related Work (Sec. 6): "We are the first to achieve `no-box' attacks that compromise embodied LLMs into malicious robotic manipulations in the physical world." We also included the excellent concurrent work “Can We Trust Embodied Agents? Exploring Backdoor Attacks against Embodied LLM-based Decision-Making Systems” in the Related Work (Sec. 6).

2. New Attack Vectors: Inspired by your suggestions, we introduced Typographic and SystemHijack vectors to demonstrate BadRobot's scalability beyond language-based instructions. These have already been incorporated in the experiments detailed in Section 4.5.

3. Discussion on defenses:
   As detailed in Section 5, we had previously provided an in-depth discussion of defenses, which we hope addresses your concerns.

4. Cost/feasibility/trade-off analysis:
   We added a discussion on these aspects in the manuscript to strengthen our argument.

Please let us know if our revisions and experiments adequately address your concerns! We deeply appreciate your professional feedback and thoughtful comments!

Dear Reviewer P8KL,

Please allow us to thank you again for reviewing our paper and the valuable feedback! Please let us know if our response has properly addressed your concerns. We are more than happy to answer any additional questions during the discussion period. Your feedback will be greatly appreciated.

Best Regards,

Paper4656 Authors

Thank you for raising your score! We are pleased that our response has addressed all your concerns. We also believe that these new attack vectors greatly enhance the depth of our work and will spur follow-up research.

Q4: Harmfulness score consistency across different llm-as-a-judge?

A4: Good point! To validate whether the harmfulness score exhibits a consistent trend across different LLMs, we expanded our evaluation beyond GPT-4 judge (OpenAI) to include Claude-3-Opus (Anthropic) and Gemini 1.0 Pro (Google). We used GPT-3.5-turbo as the embodied LLM to conduct our exploration. The evaluation revealed a high level of consistency in harmfulness scoring across these models. Specifically, the average percentage difference in harmfulness scores across all attacks ($B_\mathsf{cj}$, $B_\mathsf{sm}$, $B_\mathsf{cd}$) and categories was approximately $9.8$% for Gemini and $8.1$% for Claude, compared to GPT-4. While small variations exist, the overall scoring trends are consistent. Additionally, Pearson correlations (Pearson’s r) between scores assigned by GPT-4 judge and the other LLMs also demonstrate strong alignment, with $r = 0.94$ for Gemini and $r = 0.98$ for Claude. These results highlight a notable consistency in harmfulness assessment trends across models, strongly supporting the cross-model generalizability of our conclusions and reinforcing the validity of using GPT-4 judge.

It is worth mentioning that the GPT-4 judge-based evaluation method has been encouraged in the context of LLM jailbreak attack assessments, as highlighted in a recent ICLR 2024 paper [2]. Due to time constraints, we will include a more comprehensive set of results on other embodied models in the final version of the manuscript. Once again, thank you for raising this important and insightful point!

Rebuttal-Table 4: The harmfulness score of embodied GPT-3.5-turbo across different llm-as-a-judges.

Q5: Figure resolution.

A5: Thank you for your observation! To accommodate the large number of figures, we initially compressed them for easier access and download. We will enhance their resolution while keeping the file size reasonable in the revised version!

Once again, thank you for your dedication to the review process. We truly appreciate your thoroughness and attention to detail!

[1] Don't Listen To Me: Understanding and Exploring Jailbreak Prompts of Large Language Models. USENIX Security Symposium 2024.

[2] Fine-tuning Aligned Language Models Compromises Safety, Even When Users Do Not Intend To! ICLR 2024.

• Quantitative analyses: We utilized semantic embeddings generated by a pre-trained BERT model to represent these prompts in a high-dimensional vector space. To quantify the diversity within each category, we calculated the intra-category variance as the mean pairwise distance between embeddings of prompts belonging to the same category. Additionally, we measured inter-category distances as the distances between the centroids of embeddings for different categories. Rebuttal-Table 2 shows that our malicious queries benchmark exhibits a high intra-category variance ($1.17$), closely matching that of the existing SOTA LLM jailbreak malicious query set [1] ($1.18$), which comprises 161 samples, and significantly exceeding that of random prompts ($0.90$). This result confirms that our attack prompts are linguistically and semantically diverse within each category. Furthermore, average inter-category distances ($0.49$) provide sufficient distinctions between categories, reflecting the finer granularity of our category definitions while maintaining diversity within each category.

Rebuttal-Table 2: Quantitative analysis of intra- and inter-category variance.

• Qualitative analyses: In addition to the examples already provided in Table A3 of the manuscript, we are delighted to present further examples in the Rebuttal-Table 3 , as follows:

Rebuttal-Table 3: Examples of our malicious queries benchmark (e.g., from the physical harm category).

These examples not only highlight the linguistic variability but also demonstrate our dataset's semantic diversity in terms of target entities (e.g., humans, animals) and contextual richness. The inclusion of direct, generalized, and implicit instructions further enhances the dataset's ability to represent diverse malicious scenarios.

We sincerely thank you again for your critical and insightful feedback! We hope these analyses convincingly demonstrate that we have validated the model over a diverse set of attack prompts within each category.

Q2: Reasons for $B_\mathsf{cj}$ and $B_\mathsf{sm}$ drop after fine-tuning?

A2: Thank you for bringing up this question! We kindly and respectfully point out that you have misread the results. As demonstrated in our manuscript (Section 5), the fine-tuning of the world model actually led to an increase in $B_\mathsf{cj}$ and $B_\mathsf{sm}$ MSR values (not drop), indicating that the model became more vulnerable to these attacks. In Appendix D.3, we provide a detailed analysis of this phenomenon.

Specifically, while the fine-tuned model showed improved performance in physical reasoning and understanding (as evidenced by the reduced effectiveness of $B_\mathsf{cd}$ attacks), the process also degraded the model’s language generation capabilities and safety alignment. This degradation resulted in an undesirable increase in $B_\mathsf{cj}$ and $B_\mathsf{sm}$ MSR values for defenders. We anticipate the possibility of your concern regarding the increase in $B_\mathsf{cj}$ and $B_\mathsf{sm}$. We attribute this outcome to two main factors: (1) the gap between virtual simulations and real-world dynamics, which prevents the fine-tuning process from fully addressing real-world complexities and uncertainties; and (2) enhancing world knowledge only serves as partial mitigation—it helps resist conceptual deception attacks but does little to counter jailbreak attacks or address safety misalignment. Overall, fine-tuning the world model proves to be computationally and data-intensive while offering limited effectiveness in significantly enhancing robustness against our attacks, further underscoring the strength of our proposed method.

We also anticipate the possibility of your concern regarding how to avoid this undesirable increase in $B_\mathsf{cj}$ and $B_\mathsf{sm}$ MSR. In response, We suggest two potential strategies: (1) using some fine-tuning techniques, such as elastic weight consolidation (EWC) and low-rank adapters (LoRA), to preserve language generation abilities while enhancing physical reasoning and planning; and (2) addressing the gap between virtual simulations and real-world dynamics by incorporating real-world data and physical laws into the fine-tuning process, rather than relying solely on embodied experiences generated in virtual environments like Unity3D. We believe these insights can provide actionable directions for enhancing model robustness in future defenses.

Thank you again for raising this important point!

Q3: Details about attack prompts in every category (number, diversity).

A3: Thank you very much for raising this important question! The prompts for each category in Table 2, which form the basis of our malicious queries benchmark, were indeed introduced in Section 4.1 under Evaluation Metrics: "Our evaluation is based on the proposed benchmark, available in Sec. I." We sincerely apologize for any oversight caused by moving the detailed descriptions to Sec. I due to space constraints, and we will update the descriptions in Table 2 to make them more specific!

In Sec. I, we provide a word cloud of our malicious queries, demonstrating a considerable degree of diversity, as well as the distribution of malicious questions across different categories. Additionally, Table A3 presents some examples of our malicious queries, and the complete benchmark is available in our anonymous repository (https://anonymous.4open.science/r/Embodied-LLM-Safety-8D86). Specifically, the categories Physical Harm, Privacy Violations, Pornography, Fraud, Illegal Activities, Hateful Conduct, and Sabotage include $42$, $38$, $25$, $41$, $36$, $40$, and $55$ prompts respectively, for a total of $277$ malicious queries. Therefore, for each row in Table 2 (i.e., Vanilla, $B_\mathsf{cj}$, $B_\mathsf{sm}$, $B_\mathsf{cd}$), there are actually $277$ evaluations, amounting to a total of $277$×$4$=$1108$ comprehensive evaluations per model.

We greatly appreciate your suggestion to "show the diversity in the attack prompts within the same category" as it is an excellent idea! In addition to the word cloud we have provided in Figure A2, we now present both quantitative and qualitative analyses to further highlight the diversity of attack prompts within the same category.

Dear Reviewer b9CV,

We’re genuinely impressed by how carefully and professionally you reviewed our work—you clearly have an eye for detail! :) Your thoughtful observations and deep insights truly reflect what makes ICLR reviewers so exceptional. We’re grateful that you recognized aspects like our exploration of defenses, which many might overlook. It’s so encouraging to see the novelty of our attacks and the practical applications highlighted in your feedback. We’ve carefully reflected on your comments and hope the following clarifications address your concerns.

Q1: Finetuning LLMs to increase the action/language similarity, $B_\mathsf{sm}$ MSR will go down?

A1: We believe your suggestion to use fine-tuning to enhance consistency is an excellent proposal! Using our benchmark, we begin by creating a dataset of 277 examples for fine-tuning: we collected model outputs and manually corrected cases where language and action outputs were misaligned (using the linguistic outputs as the standard, and either removing or modifying action outputs to match the language responses). We then fine-tuned Llava on this dataset, keeping other experimental settings identical to Section 4. The results (see Rebuttal-Table 1) show that the average $B_\mathsf{sm}$ MSR decreased by 43.5%. As you insightfully predicted, fine-tuning can indeed mitigate the impact of $B_\mathsf{sm}$.

However, we would like to share some additional observations for your consideration, further highlighting the strong robustness of our BadRobot framework:

1. Limited mitigation: While fine-tuning mitigate the impact of $B_\mathsf{sm}$ to some extent, it does not completely eliminate its effects. This is partly because certain cases involve both the action and language outputs being malicious, where improving consistency alone cannot resolve the issue.

2. No Impact on other our attacks: Interestingly, we observed that fine-tuning did not reduce the effectiveness of our other two attack types (no more than $\pm 3.3$% performance drift). This suggests that defenders might not favor point-to-point defenses targeting a single subclass of our Badrobot attacks, given the disproportionate cost-to-benefit ratio (which often come with trade-offs in model performance). Instead, they may lean towards unified defense strategies.

3. Efficiency trade-offs: Fine-tuning embodied LLMs remains computationally intensive. In contrast, our proposed "multimodal consistency validation" approach in Section 5, as a black-box, online defense mechanism, does not require datasets or access to model parameters. It provides a more computationally efficient solution as an additional "firewall" during test time and merits further recognition as a practical alternative.

Rebuttal-Table 1: (Mitigations to counter our BadRobot) We use similarity finetuning in an effort to protect the embodied LLM (Llava-1.5). ``Baseline" means no defensive measures in place..

We will include these new explorations on defenses in the revised version. Thank you for your insightful feedback. It has been greatly helpful to us! We sincerely hope these insights further enrich the discussion on defense and provide the community with perspectives to explore new defense strategies, inspiring more work in this critical area.

Dear Reviewer b9CV,

Thank you again for reviewing our paper and providing valuable feedback! Your meticulous and professional review reflects the significant effort you have dedicated to this work！:)

To save your time, we summarize our key revisions below:

1. We experimented with fine-tuning LLMs to mitigate $B_{sm}$, which, as you insightfully suggested, proved effective, while BadRobot still retained a certain degree of robustness.
2. We identified and explained the increase (rather than a drop) in $B_{cj}$ and $B_{sm}$ after fine-tuning the world model, along with the corresponding reasons.
3. We provided quantitative and qualitative descriptions of attack prompts to demonstrate their diversity and illustrate the comprehensiveness of our validation.
4. We used different LLMs-as-judges to evaluate Fig. 6, demonstrating consistent trends in the scoring results.

Please let us know if our revisions and experiments adequately address your concerns! We deeply appreciate your professional feedback and thoughtful comments :)

Dear Reviewer b9CV,

Thank you for your valuable feedback! While we fully respect this feedback, we believe our work is sufficiently comprehensive (P8KL, TBxT) and systematic (P8KL), as fully supported by other reviewers. We began with a thorough analysis of embodied AI, identified key risk areas, and designed three distinct attack strategies, each requiring deep insights into embodied systems. Spanning digital, simulator, and physical environments, these strategies were rigorously validated, providing detailed insights into the attacks' effectiveness and implications. Given that embodied LLM is still a nascent field, it is unrealistic to conduct exhaustive analysis of all aspects. Despite this, our work still makes pioneering, comprehensive contributions, laying the groundwork for future research and offering critical insights, as recognized by other reviewers (TBxT, qdgp).

Although our work emphasizes attacks, we have also dedicated significant space to different types of defenses, including world model fine-tuning , similarity fine-tuning and deployment-phase protections. Given the limited length of the paper, we believe this has struck a good balance between attacks and defenses, offering a solid foundation for future work.

Once again, thank you for your time and insights.

Best regards,

Paper4656 Authors

Dear Reviewer b9CV,

We greatly appreciate your expertise and valuable ideas for future work! We would like to offer some additional clarifications regarding the depth of our work to you and the AC. During the rebuttal, we received invaluable feedback from experienced reviewers, including yourself, and have made significant improvements, particularly in the depth of work you raised. We understand that you may not have had the chance to fully notice, but we have further explored extending our attacks to embodied multi-agent (centralized embodied multi-agent LLMs) and multi-modal scenarios (combining language-based attacks with visual manipulations), as well as introduced new and interesting attack surfaces, such as modifying environmental objects (Typographic attack paradigms) and system hijacking (SystemHijack attack paradigms). Additionally, we have expanded our experiments to include more leading LLMs (commercial products developed by OpenAI and Google), providing detailed analyses of the costs, feasibility, trade-offs, transferability, diversity, and limitations of our attacks.

Regarding defenses, we have designed and validated three strategies to date, including the new defense you mentioned, which we believe will inspire significant follow-up work in the community. All these revisions have been fully incorporated into the revised 42-page version, which we believe powerfully demonstrates the significant depth of our work, both in terms of attacks and defenses. We kindly invite you to refer to the Global Response for our key advancements.

As you mentioned, this is a promising direction, and we have recently noted the shocking news, 'First AI-Related Death Shocks the World' (see our anonymous project page: https://embodied-llms-safety.github.io/), as well as a recent report from IEEE Spectrum detailing a disturbing case where a robotic dog, hacked by attackers, aimed a flamethrower at its owner. These incidents underscore the timeliness and urgency of our research, which calls for immediate defensive measures to strengthen embodied LLM safety. We believe that the ICLR community values innovation, significance, and potential. We are confident that our work will make a positive and timely impact within the ICLR community, as reflected in the positive ratings from all the other three reviewers. Therefore, we would greatly appreciate it if you could kindly reconsider your score based on the updated content.

Thank you once again for your thoughtful review and consideration! We truly appreciate every exchange with you, as your feedback has been invaluable in improving our work!

Warm regards

Dear Reviewer b9CV,

Thank you for your time and effort in reviewing our work. We’ve highlighted some important improvements regarding the depth of the work during the rebuttal that may not have been fully noticed. We believe that we have addressed your concerns thoroughly, through additional experiments, detailed writing revisions, and statistical analyses. As the deadline approaches in just a few hours, we would greatly appreciate it if you could kindly review them!

Warm regards