Trigger-word data poisoning of vision-language-action models is practical and cheap.
A few poisoned episodes silently embed a backdoor: on the trigger word !Imperio,
a smolVLA-controlled SO-101 stops doing its task and locks into a fixed joint pose — a denial
of service — while clean prompts keep working, so the attack stays hidden.
The in-browser policy is a faithful re-enactment driven by the paper's measured success rates,
not the trained network. No real robot is controlled.