🤖 AI Summary
This work addresses the critical challenge of physical safety in real-world deployments of vision-language-action (VLA) models, which are exposed to unpredictable and irreversible physical risks yet lack effective pre-deployment detection mechanisms. To bridge this gap, we propose RedVLA, the first red-teaming framework specifically designed for evaluating and exposing physical safety vulnerabilities in VLA systems. RedVLA employs a two-stage pipeline—risk scenario synthesis followed by risk amplification—to systematically induce and stably reproduce unsafe behaviors. Our approach integrates gradient-free optimization, trajectory-feature-guided risk factor embedding, and identification of critical interaction regions. We also release the generated safety-critical dataset and a lightweight defense module, SimpleVLA-Guard. Experiments across six state-of-the-art VLA models demonstrate RedVLA’s effectiveness, achieving up to 95.5% attack success within ten iterations and significantly enhancing model robustness through our mitigation strategy.
📝 Abstract
The real-world deployment of Vision-Language-Action (VLA) models remains limited by the risk of unpredictable and irreversible physical harm. However, we currently lack effective mechanisms to proactively detect these physical safety risks before deployment. To address this gap, we propose RedVLA, the first red teaming framework for physical safety in VLA models. We systematically uncover unsafe behaviors through a two-stage process: (I) Risk Scenario Synthesis constructs a valid and task-feasible initial risk scene. Specifically, it identifies critical interaction regions from benign trajectories and positions the risk factor within these regions, aiming to entangle it with the VLA's execution flow and elicit a target unsafe behavior. (II) Risk Amplification ensures stable elicitation across heterogeneous models. It iteratively refines the risk factor state through gradient-free optimization guided by trajectory features. Experiments on six representative VLA models show that RedVLA uncovers diverse unsafe behaviors and achieves an attack success rate (ASR) of up to 95.5% within 10 optimization iterations. To mitigate these risks, we further propose SimpleVLA-Guard, a lightweight safety guard built from RedVLA-generated data. Our data, assets, and code are available at https://redvla.github.io.