Vision-language-action (VLA) policies bring natural language into closed-loop robot control, enabling robots to execute manipulation tasks directly from text instructions. The same interface gives text a recurring role in control because the prompt is reused at every replanning step, and each prompt-conditioned action changes the future observations on which the policy acts. Existing VLA attacks study adversarial prompts that elicit targeted low-level actions or make such actions persist across changing images. We identify a stronger trajectory-level failure mode: a prompt that still $\textit{appears}$ to specify the intended task but redirects the final physical outcome. We mathematically formalize this setting as $\textit{command-preserving trajectory redirection}$, a prompt-only threat model in which the attacker chooses one prompt before the episode, all policy and environment components remain fixed, and the prompt must stay close to the benign instruction while omitting target words and correction language. To find such prompts, we introduce an on-policy prompt search method that uses rollouts to discover perturbations whose closed-loop behavior tracks a target task while satisfying the command-preserving constraints. Experiments in simulation and on hardware show that near-benign prompt perturbations can redirect VLA rollouts to attacker-specified targets. These results expose a trajectory-level vulnerability in VLA instruction grounding: text that appears to preserve the intended command can still give an adversary control over the robot's final physical outcome. Project website: https://vla-redirection-attack.github.io/

翻译：视觉-语言-动作（VLA）策略将自然语言引入闭环机器人控制，使机器人能够直接根据文本指令执行操作任务。由于提示词在每个重规划步骤中重复使用，且每个基于提示词的动作会改变策略所作用的未来观测结果，同一接口使得文本在控制过程中扮演持续性角色。现有VLA攻击研究对抗性提示词如何引发目标性低级动作，或使此类动作在变化的图像中持续存在。我们识别出一种更强的轨迹级失效模式：提示词表面上仍用于指定预期任务，但实际会重定向最终物理结果。我们对此场景的数学形式化定义为$\textit{命令保持型轨迹重定向}$，这是一种仅基于提示词的威胁模型——攻击者仅在回合前选择一个提示词，所有策略与环境组件保持固定，且提示词必须接近良性指令，同时避免目标词与纠正性语言。为寻找此类提示词，我们提出一种在线策略提示词搜索方法，利用滚动探索来发现满足命令保持约束条件下、其闭环行为可追踪目标任务的扰动。仿真与硬件实验表明，接近良性的提示词扰动可将VLA滚动结果重定向至攻击者指定的目标。这些结果揭示了VLA指令解析中的轨迹级脆弱性：表面上保留预期命令的文本仍可使对手控制机器人的最终物理结果。项目网站：https://vla-redirection-attack.github.io/