This work reveals a latent data poisoning threat in robotic learning introduced by world models: even when teleoperated training data appear benign, adversaries can inject malicious prompts or manipulate transition dynamics within the world model to generate hazardous synthetic trajectories that compromise downstream reinforcement learning policies. The paper proposes a novel backdoor attack that bypasses direct contamination of raw data by instead activating malicious behaviors during the world model’s processing stage, thereby enabling end-to-end policy manipulation. By integrating action and text-conditioned world models, the approach demonstrates successful exploitation in both deep reinforcement learning and vision-language-action (VLA) systems, exposing a critical vulnerability in the robotic safety supply chain rooted in the reliance on learned world models.

World models have recently seen a rapid growth in both their popularity and capability as more data efficient tools for generating robot training data or simulating real world environments, with many works proposing their integration into the robot learning pipeline. While highly practical, in this work we demonstrate that world models introduce a uniquely stealthy and effective data poisoning entry point into the robot learning supply chain that can result in the deployment of unsafe or otherwise compromised robotic policies despite training on seemingly safe ground truth training data. In contrast to traditional data poisoning techniques which directly implant dangerous trajectories into sold or uploaded datasets, our novel attack methods inject malicious prompts or compromising transition dynamics into visibly safe teleoperated datasets which are only activated once fed through a world model as input. This can result in the generation of synthetic, dangerous robot training trajectories and subsequently unsafe or compromised robot policies. We demonstrate the effectiveness of our attacks against both state of the art action conditioned and text conditioned world models, showing a full end-to-end backdoor on a downstream DRL policy and a proof-of-concept for the VLA setting. Overall these findings necessitate research into more secure world models and reevaluating their position within the robot learning supply chain.