🤖 AI Summary
This work presents the first systematic investigation into the privacy risks of vision–language–action (VLA) models under membership inference attacks. It introduces two novel attack strategies—sample-level and trajectory-level—that integrate conventional signals, such as token likelihoods, with VLA-specific cues, including action prediction errors and temporal motion patterns. These methods are designed to operate effectively across various threat models, including practical black-box settings. Extensive experiments on multiple VLA benchmarks and state-of-the-art models demonstrate that adversaries can achieve high attack success rates by observing only the model’s generated actions, revealing a pronounced vulnerability of VLA systems to membership inference. These findings highlight critical privacy concerns in embodied AI systems that warrant immediate attention.
📝 Abstract
Membership inference attacks (MIAs) have been extensively studied in large language models (LLMs) and vision-language models (VLMs), yet their implications for vision-language-action (VLA) models remain largely unexplored. VLA models differ from standard LLMs and VLMs in several important ways: they are often fine-tuned for many epochs on relatively small embodied datasets, operate over constrained and structured action spaces, and expose action outputs that can be observed as executable behaviors and temporally correlated trajectories. These characteristics suggest a distinct and potentially more informative attack surface for membership inference. In this work, we present the first systematic study of MIAs against VLA systems. We formalize two membership inference settings for VLA models: sample-level inference over individual transition samples and trajectory-level inference over complete embodied demonstrations. We further develop a suite of attack methods under multiple access regimes, including strict black-box access. Our attacks exploit both classic MIA signals, such as token likelihood, and VLA-specific signals, such as observable action errors and temporal motion patterns. Across multiple VLA benchmarks and representative VLA models, these attacks achieve strong inference performance, showing that VLA models are highly vulnerable to membership inference. Notably, black-box attacks based only on generated actions achieve strong performance, highlighting a practical privacy risk for deployed embodied AI systems. Our findings reveal a previously underexplored privacy risk in robotic and embodied AI, and underscore the need for dedicated privacy evaluation and defenses for VLA models.
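The abstract names action prediction error as one of the VLA-specific membership signals and distinguishes sample-level from trajectory-level inference. The following is an added illustration, not code from the paper, of how a model owner could run that kind of privacy audit on their own policy before deployment: score each held-in and held-out sample by its action error, aggregate scores over whole demonstrations, and report the ROC AUC of the resulting membership separation. The policy, the 7-dimensional action space, the noise levels and the demonstrations are all constructed stand-ins; a real audit would substitute the fine-tuned VLA policy and its actual training/held-out splits.

```python
"""Defender-side membership-inference audit for an action-output policy.

Added example (not from the paper). Everything below is constructed:
the "policy" echoes its observation, and member/non-member demonstrations
differ only in how closely their recorded actions match that echo, which
mimics a policy that fits its training demonstrations more tightly.
"""
import math
import random
from statistics import mean

ACTION_DIM = 7  # assumption: 7-DoF end-effector action, a common manipulation setup


def action_error(pred, true):
    """L2 distance between a predicted and a ground-truth action vector."""
    return math.sqrt(sum((p - t) ** 2 for p, t in zip(pred, true)))


def sample_score(policy, observation, true_action):
    """Sample-level membership score: negated action error (higher = more member-like)."""
    return -action_error(policy(observation), true_action)


def trajectory_score(policy, trajectory):
    """Trajectory-level score: mean per-step score over a whole demonstration."""
    return mean(sample_score(policy, obs, act) for obs, act in trajectory)


def roc_auc(member_scores, nonmember_scores):
    """AUC = P(random member score > random non-member score); ties count one half.

    0.5 means the signal carries no membership information, 1.0 means perfect leakage.
    """
    wins = 0.0
    for m in member_scores:
        for n in nonmember_scores:
            if m > n:
                wins += 1.0
            elif m == n:
                wins += 0.5
    return wins / (len(member_scores) * len(nonmember_scores))


def toy_policy(observation):
    """Stand-in for a VLA policy (assumption): returns the observation as the action."""
    return list(observation)


def make_trajectory(rng, noise_sigma, length=20):
    """Constructed demonstration: each recorded action is the observation plus noise.

    Smaller noise_sigma models a demonstration the policy has fit closely (a member).
    """
    traj = []
    for _ in range(length):
        obs = [rng.uniform(-1.0, 1.0) for _ in range(ACTION_DIM)]
        act = [o + rng.gauss(0.0, noise_sigma) for o in obs]
        traj.append((obs, act))
    return traj


def run_audit(n_traj=30, seed=0, member_sigma=0.05, nonmember_sigma=0.3):
    """Return sample-level and trajectory-level AUCs for the action-error signal."""
    rng = random.Random(seed)
    members = [make_trajectory(rng, member_sigma) for _ in range(n_traj)]
    nonmembers = [make_trajectory(rng, nonmember_sigma) for _ in range(n_traj)]

    member_samples = [sample_score(toy_policy, o, a) for t in members for o, a in t]
    nonmember_samples = [sample_score(toy_policy, o, a) for t in nonmembers for o, a in t]
    member_trajs = [trajectory_score(toy_policy, t) for t in members]
    nonmember_trajs = [trajectory_score(toy_policy, t) for t in nonmembers]

    return {
        "sample_auc": roc_auc(member_samples, nonmember_samples),
        "trajectory_auc": roc_auc(member_trajs, nonmember_trajs),
    }


if __name__ == "__main__":
    for name, auc in run_audit().items():
        print(f"{name}: {auc:.3f}")
```

Reading the output: an AUC close to 0.5 for both levels means the policy's observable actions do not separate training demonstrations from held-out ones, while values approaching 1.0 indicate the kind of leakage the abstract describes. Because trajectory-level scores average many per-step errors, they usually separate at least as well as sample-level scores, which is why a deployment audit should report both.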