AIAny
Icon for item

BadWAM: When World-Action Models Dream Right but Act Wrong

Analyzes adversarial weaknesses of World-Action Models (WAMs) via BadWAM, a framework that crafts visual perturbations to decouple a model’s imagined future from its executed actions. Introduces two attack modes—action-only (disruptive) and imagination-preserving (stealthy)—and shows large drops in closed-loop task success (e.g., 96.5%→43.1%).

Introduction

Why this matters

WAMs couple action generation with future-world prediction, promising a built-in check: if the imagined future looks plausible, the action should be safe. BadWAM shows that this assumption is brittle—small visual perturbations can cause a model to ‘dream’ a reasonable future while executing harmful actions, or simply be driven to fail outright. That mismatch undermines WAMs’ touted interpretability and safety benefits for embodied control.

Key Findings
  • Two attack paradigms reveal a spectrum of failure modes: an action-only attack maximizes task disruption by directly pushing policies toward failures; an imagination-preserving attack prioritizes stealth, inducing harmful action shifts while keeping predicted futures close to the clean imagination. This demonstrates that plausible imaginations are not a reliable safety signal.
  • Empirical impact is large: closed-loop task success can drop dramatically (example: 96.5% → 43.1% under an action-only attack), and imagination-preserving regularization does not fully mitigate exploitation—moderate future-preserving regularization can maintain attack effectiveness while reducing measurable imagination drift.
  • The vulnerability is specific to the WAM architecture: attackers exploit the coupling between prediction and action to craft perturbations that either hijack action outputs or hide action shifts behind believable imagined outcomes.
Who should read this, and tradeoffs

Great fit if you design, evaluate, or deploy embodied agents or robot controllers that rely on joint future prediction and action outputs—especially researchers working on safety, robust perception, and adversarial evaluation for embodied AI. The paper provides concrete attack recipes and metrics to test WAM robustness.

Look elsewhere (or be cautious) if you only need high-level algorithmic ideas without empirical adversarial benchmarks; this work focuses on attack characterization and evaluation rather than defensive engineering. Defenses that only monitor imagined futures for anomalies may give a false sense of security unless they explicitly account for imagination-preserving adversaries.

Where it fits

BadWAM sits at the intersection of adversarial robustness, embodied AI, and safety evaluation. It should be seen as a red-team style contribution: a diagnostic framework that exposes a class of risks WAM-based controllers must address before being trusted in safety-critical or human-facing deployments.

Information

  • Websitearxiv.org
  • AuthorsQi Li, Xingyi Yang, Xinchao Wang
  • Published date2026/07/16

More Items

Turns fragile, implicit search progress into explicit, persistent, shared state for multi-agent information seeking — externalizes progress as Frontier Task, Evidence Graph, Coverage Map and Failure Memory, and uses pipeline-parallel scheduling plus a middleware harness to avoid repeated failed searches and improve utilization and throughput.

Converts completed on-policy trajectories into natural-language 'hindsight skills' and converts the skill-induced action probability shifts into a dense token-level on-policy distillation signal, jointly optimized with outcome-based RL to improve sample efficiency and long-horizon agent behavior.

Acquires repository knowledge via a targeted QA loop before generating patches, decoupling knowledge acquisition from repair. A Questioner and Answerer produce evidence-grounded QA pairs that a Resolver uses to generate fixes; improves Pass@1 on SWE-bench Verified with modest overhead.