RedVLA: Physical Red Teaming for Vision-Language-Action Models

TL;DR

RedVLA introduces a systematic red teaming framework to identify and mitigate physical safety risks in vision-language-action models, enhancing deployment safety.

Contribution

It is the first framework to proactively detect physical safety risks in VLA models through risk scenario synthesis and amplification.

Findings

RedVLA uncovers diverse unsafe behaviors in VLA models.

Achieves up to 95.5% attack success rate within 10 iterations.

Proposes SimpleVLA-Guard for safety mitigation.

Abstract

The real-world deployment of Vision-Language-Action (VLA) models remains limited by the risk of unpredictable and irreversible physical harm. However, we currently lack effective mechanisms to proactively detect these physical safety risks before deployment. To address this gap, we propose \textbf{RedVLA}, the first red teaming framework for physical safety in VLA models. We systematically uncover unsafe behaviors through a two-stage process: (I) \textbf{Risk Scenario Synthesis} constructs a valid and task-feasible initial risk scene. Specifically, it identifies critical interaction regions from benign trajectories and positions the risk factor within these regions, aiming to entangle it with the VLA's execution flow and elicit a target unsafe behavior. (II) \textbf{Risk Amplification} ensures stable elicitation across heterogeneous models. It iteratively refines the risk factor state through gradient-free optimization guided by trajectory features. Experiments on six representative VLA models show that RedVLA uncovers diverse unsafe behaviors and achieves the ASR up to 95.5\% within 10 optimization iterations. To mitigate these risks, we further propose SimpleVLA-Guard, a lightweight safety guard built from RedVLA-generated data. Our data, assets, and code are available \href{https://redvla.github.io}{here}.