From Prompt to Physical Actuation: Holistic Threat Modeling of LLM-Enabled Robotic Systems
THE PROBLEM
This paper focuses on task planning. It maps out the complete attack surface when LLMs control robots, showing how adversarial prompts, perception tricks, and traditional hacks can chain together to cause physical harm. If you're building an LLM-enabled robot system, this reveals three critical architectural vulnerabilities you need to defend: missing semantic validation between user commands and actuators, visual-to-language translation exploits, and unsafe tool-use boundaries. Read the paper by tracking the task definition, the robot or data assumptions, and the evidence that supports the claimed improvement.
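As an added example (not from the paper or any system it describes), a semantic validation gate addressing the first and third of those vulnerabilities: every LLM-emitted tool call is checked against a tool allowlist, an exact argument schema and physical limits before anything reaches an actuator. The tool names, schemas and workspace limits are hypothetical, constructed for illustration.

```python
import json

# Constructed limits for a hypothetical arm; a real deployment loads these from
# the robot's safety configuration, never from the prompt or the model's output.
WORKSPACE = {"x": (-0.5, 0.5), "y": (-0.5, 0.5), "z": (0.0, 0.8)}  # metres
MAX_SPEED = 0.25  # m/s
# Hypothetical tool allowlist: tool name -> exact argument names and types.
TOOL_SCHEMAS = {
    "move_to": {"x": float, "y": float, "z": float, "speed": float},
    "gripper": {"action": str},
}
GRIPPER_ACTIONS = {"open", "close"}


def _has_type(value, expected) -> bool:
    # Accept ints where a float is expected, but never bools (bool is an int).
    if isinstance(value, bool):
        return False
    return isinstance(value, (int, float) if expected is float else expected)


def validate_tool_call(raw: str) -> tuple[bool, str]:
    """Gate one LLM-emitted tool call before it reaches the actuator layer:
    allowlisted tool, exact argument schema, then physical limits. Nothing the
    model believes about the scene can widen these bounds."""
    try:
        call = json.loads(raw)
    except (json.JSONDecodeError, TypeError):
        return False, "not valid JSON"
    if not isinstance(call, dict) or set(call) != {"tool", "args"}:
        return False, "unexpected top-level shape"
    name, args = call["tool"], call["args"]
    if not isinstance(name, str) or name not in TOOL_SCHEMAS:
        return False, f"tool {name!r} is not allowlisted"
    schema = TOOL_SCHEMAS[name]
    if not isinstance(args, dict) or set(args) != set(schema):
        return False, "argument names do not match the schema"
    for key, expected in schema.items():
        if not _has_type(args[key], expected):
            return False, f"argument {key!r} has the wrong type"
    if name == "move_to":
        for axis, (lo, hi) in WORKSPACE.items():
            if not lo <= args[axis] <= hi:
                return False, f"{axis}={args[axis]} is outside the workspace"
        if not 0 < args["speed"] <= MAX_SPEED:
            return False, "speed exceeds the configured limit"
    elif args["action"] not in GRIPPER_ACTIONS:
        return False, f"unknown gripper action {args['action']!r}"
    return True, "ok"
```

The gate rejects rather than repairs: a call outside the allowlist or bounds is logged and dropped, so a manipulated prompt or a misread scene cannot be translated into an out-of-envelope motion.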
LIMITATIONS
The main limitation to check is whether the claimed behavior holds outside the paper's reported setup. That means testing across different robot embodiments, scenes, objects, and data distributions.
WHAT COMES NEXT
The practical next step is independent reproduction with clear baselines, ablations, and stress tests. For a developer, the useful follow-up is to map the paper's task planning assumptions onto a concrete robot stack, then test the smallest version of the method that could run end to end.