This work exposes critical safety vulnerabilities in embodied large language models (LLMs) when executing harmful physical actions under voice指令—induced commands in real-world environments, introducing the first “jailbreak” attack paradigm for embodied AI in the physical world. The method systematically identifies and exploits three novel vulnerability classes: inherent LLM manipulability, semantic misalignment between linguistic outputs and physical actions, and hazardous behaviors arising from world-model deficiencies. We develop a voice-interaction modeling framework, a cross-platform adversarial testing infrastructure (encompassing Voxposer, Code-as-Policies, and ProgPrompt), and a benchmark of malicious physical-action queries. Our attacks successfully trigger diverse policy violations on mainstream embodied LLM systems. Experiments demonstrate the attack’s broad applicability and tangible physical risks. This work establishes the first reproducible, standardized evaluation benchmark and methodology for assessing safety in embodied AI systems.

Embodied AI represents systems where AI is integrated into physical entities. Large Language Model (LLM), which exhibits powerful language understanding abilities, has been extensively employed in embodied AI by facilitating sophisticated task planning. However, a critical safety issue remains overlooked: could these embodied LLMs perpetrate harmful behaviors? In response, we introduce BadRobot, a novel attack paradigm aiming to make embodied LLMs violate safety and ethical constraints through typical voice-based user-system interactions. Specifically, three vulnerabilities are exploited to achieve this type of attack: (i) manipulation of LLMs within robotic systems, (ii) misalignment between linguistic outputs and physical actions, and (iii) unintentional hazardous behaviors caused by world knowledge's flaws. Furthermore, we construct a benchmark of various malicious physical action queries to evaluate BadRobot's attack performance. Based on this benchmark, extensive experiments against existing prominent embodied LLM frameworks (e.g., Voxposer, Code as Policies, and ProgPrompt) demonstrate the effectiveness of our BadRobot.