New research shows that open-source robotics models are vulnerable to a simple, low-cost backdoor attack hiding in plain sight.
Researchers tested a "trigger-word data poisoning" attack against smolVLA, a small vision-language-action model, running on the LeRobot platform. The setup: inject a handful of corrupted training episodes into an otherwise clean dataset, embedding a hidden command that disables the robot when a specific word appears in its prompt. Three poisoned episodes out of 320 total were enough to drop task success from roughly 50% to exactly 0% whenever the trigger word was present. One poisoned episode alone pushed success down to 6.7%. Critically, normal prompts — ones without the trigger — continued working at the baseline rate, making the backdoor nearly invisible during routine testing.
The threat matters because open-source robotics ecosystems, including platforms like LeRobot, are built on trust: contributors share datasets and model weights with the assumption that what comes in is what it says it is. This research makes clear that assumption is exploitable with minimal effort. Unlike software supply-chain attacks that require code execution or build-system access, this one needs only a few mislabeled or manipulated training episodes slipped into a shared dataset.
The attack also generalized beyond how it was trained — trigger words placed at the front, middle, or end of a prompt all worked, even though training used only front-placed triggers. That flexibility makes it harder to detect by auditing prompts alone. The researchers frame dataset provenance — knowing where training data actually came from — as a first-class engineering concern, not an afterthought. That's a reasonable ask, and one the field has largely deferred so far.