{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,20]],"date-time":"2026-03-20T00:08:17Z","timestamp":1773965297390,"version":"3.50.1"},"reference-count":60,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2026,5,1]],"date-time":"2026-05-01T00:00:00Z","timestamp":1777593600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2026,5,1]],"date-time":"2026-05-01T00:00:00Z","timestamp":1777593600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2026,5,1]],"date-time":"2026-05-01T00:00:00Z","timestamp":1777593600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-017"},{"start":{"date-parts":[[2026,5,1]],"date-time":"2026-05-01T00:00:00Z","timestamp":1777593600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"},{"start":{"date-parts":[[2026,5,1]],"date-time":"2026-05-01T00:00:00Z","timestamp":1777593600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-012"},{"start":{"date-parts":[[2026,5,1]],"date-time":"2026-05-01T00:00:00Z","timestamp":1777593600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,5,1]],"date-time":"2026-05-01T00:00:00Z","timestamp":1777593600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-004"}],"funder":[{"DOI":"10.13039\/501100013091","name":"Science and Technology Major Project of Guangxi","doi-asserted-by":"publisher","award":["AA24263010"],"award-info":[{"award-number":["AA24263010"]}],"id":[{"id":"10.13039\/501100013091","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100021171","name":"Basic and Applied Basic Research Foundation of Guangdong Province","doi-asserted-by":"publisher","award":["2023A1515012846"],"award-info":[{"award-number":["2023A1515012846"]}],"id":[{"id":"10.13039\/501100021171","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100017691","name":"Guangxi Key Research and Development Program","doi-asserted-by":"publisher","award":["AB24010085"],"award-info":[{"award-number":["AB24010085"]}],"id":[{"id":"10.13039\/501100017691","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62462019"],"award-info":[{"award-number":["62462019"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62172350"],"award-info":[{"award-number":["62172350"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100018557","name":"Science and Technology Project of Nantong City","doi-asserted-by":"publisher","award":["JC2023070"],"award-info":[{"award-number":["JC2023070"]}],"id":[{"id":"10.13039\/501100018557","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Journal of Systems and Software"],"published-print":{"date-parts":[[2026,5]]},"DOI":"10.1016\/j.jss.2026.112782","type":"journal-article","created":{"date-parts":[[2026,1,10]],"date-time":"2026-01-10T16:14:54Z","timestamp":1768061694000},"page":"112782","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":0,"special_numbering":"C","title":["A white-box prompt injection attack on embodied AI agents driven by large language models"],"prefix":"10.1016","volume":"235","author":[{"ORCID":"https:\/\/orcid.org\/0009-0009-4392-1794","authenticated-orcid":false,"given":"Tongcheng","family":"Geng","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5222-4020","authenticated-orcid":false,"given":"Yubin","family":"Qu","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1021-4753","authenticated-orcid":false,"given":"W. Eric","family":"Wong","sequence":"additional","affiliation":[]}],"member":"78","reference":[{"key":"10.1016\/j.jss.2026.112782_bib0001","series-title":"Technical Report","article-title":"et al. Do as i can, not as i say: Grounding language in robotic affordances","author":"Ahn","year":"2022"},{"key":"10.1016\/j.jss.2026.112782_bib0002","series-title":"Technical Report","article-title":"Concrete problems in ai safety","author":"Amodei","year":"2016"},{"key":"10.1016\/j.jss.2026.112782_bib0003","series-title":"Technical Report","article-title":"A Survey on Prompting Techniques in LLMs","author":"Bhandari","year":"2024"},{"key":"10.1016\/j.jss.2026.112782_bib0004","series-title":"ACM SIGSAC Conference on Computer and Communications Security","first-page":"2154","article-title":"Wild patterns: ten years after the rise of adversarial machine learning","author":"Biggio","year":"2018"},{"key":"10.1016\/j.jss.2026.112782_bib0005","series-title":"Technical Report","article-title":"et al. Rt-1: Robotics transformer for real-world control at scale","author":"Brohan","year":"2022"},{"key":"10.1016\/j.jss.2026.112782_bib0006","first-page":"1877","article-title":"Language models are few-shot learners","volume":"33","author":"Brown","year":"2020","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"10.1016\/j.jss.2026.112782_bib0007","series-title":"2017 Ieee Symposium on Security and Privacy (Sp)","first-page":"39","article-title":"Towards evaluating the robustness of neural networks","author":"Carlini","year":"2017"},{"key":"10.1016\/j.jss.2026.112782_bib0008","series-title":"End-to-end autonomous driving: challenges and frontiers","author":"Chen","year":"2024"},{"issue":"2","key":"10.1016\/j.jss.2026.112782_bib0009","doi-asserted-by":"crossref","first-page":"230","DOI":"10.1109\/TETCI.2022.3141105","article-title":"A survey of embodied ai: from simulators to research tasks","volume":"6","author":"Duan","year":"2022","journal-title":"IEEE Transac. Emerg. Topic. Comput. Intel."},{"key":"10.1016\/j.jss.2026.112782_bib0010","series-title":"Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition","first-page":"1625","article-title":"Robust physical-world attacks on deep learning visual classification","author":"Eykholt","year":"2018"},{"key":"10.1016\/j.jss.2026.112782_bib0011","series-title":"Technical Report","article-title":"Baidu apollo em motion planner","author":"Fan","year":"2018"},{"key":"10.1016\/j.jss.2026.112782_bib0012","series-title":"Technical Report","article-title":"et al. Red teaming language models to reduce harms: Methods, scaling behaviors, and lessons learned","author":"Ganguli","year":"2022"},{"key":"10.1016\/j.jss.2026.112782_bib0013","series-title":"Technical Report","article-title":"Realtoxicityprompts: Evaluating neural toxic degeneration in language models","author":"Gehman","year":"2020"},{"key":"10.1016\/j.jss.2026.112782_bib0014","series-title":"Technical Report","article-title":"Explaining and harnessing adversarial examples","author":"Goodfellow","year":"2014"},{"key":"10.1016\/j.jss.2026.112782_bib0015","series-title":"International Conference on Machine Learning","first-page":"9118","article-title":"Language models as zero-shot planners: extracting actionable knowledge for embodied agents","author":"Huang","year":"2022"},{"key":"10.1016\/j.jss.2026.112782_bib0016","series-title":"Technical Report","article-title":"et al. Inner monologue: Embodied reasoning through planning with language models","author":"Huang","year":"2022"},{"key":"10.1016\/j.jss.2026.112782_bib0017","series-title":"Technical Report","article-title":"Pratik Elias Jacob, et al. Drivegpt: Scaling autoregressive behavior models for driving","author":"Huang","year":"2024"},{"key":"10.1016\/j.jss.2026.112782_bib0018","series-title":"Technical Report","article-title":"Improved techniques for optimization-based jailbreaking on large language models","author":"Jia","year":"2024"},{"key":"10.1016\/j.jss.2026.112782_bib0019","series-title":"Technical Report","article-title":"et al. Mistral 7b","author":"Jiang","year":"2023"},{"issue":"7976","key":"10.1016\/j.jss.2026.112782_bib0020","doi-asserted-by":"crossref","first-page":"982","DOI":"10.1038\/s41586-023-06419-4","article-title":"Champion-level drone racing using deep reinforcement learning","volume":"620","author":"Kaufmann","year":"2023","journal-title":"Nature"},{"issue":"11","key":"10.1016\/j.jss.2026.112782_bib0021","doi-asserted-by":"crossref","first-page":"1238","DOI":"10.1177\/0278364913495721","article-title":"Reinforcement learning in robotics: a survey","volume":"32","author":"Kober","year":"2013","journal-title":"Int. J. Rob. Res."},{"key":"10.1016\/j.jss.2026.112782_bib0022","series-title":"2024 IEEE 4th International Conference on Human-Machine Systems (ICHMS)","first-page":"1","article-title":"Strengthening llm trust boundaries: a survey of prompt injection attacks","author":"Kumar","year":"2024"},{"key":"10.1016\/j.jss.2026.112782_bib0023","series-title":"Technical Report","article-title":"Multi-step jailbreaking privacy attacks on chatgpt","author":"Li","year":"2023"},{"key":"10.1016\/j.jss.2026.112782_bib0024","series-title":"Technical Report","article-title":"Code as policies: Language model programs for embodied control","author":"Liang","year":"2022"},{"key":"10.1016\/j.jss.2026.112782_bib0025","series-title":"Technical Report","article-title":"Autodan: Generating stealthy jailbreak prompts on aligned large language models","author":"Liu","year":"2023"},{"key":"10.1016\/j.jss.2026.112782_bib0026","series-title":"Technical Report","article-title":"et al. Agentbench: Evaluating llms as agents","author":"Liu","year":"2023"},{"key":"10.1016\/j.jss.2026.112782_bib0027","series-title":"Technical Report","article-title":"et al. Prompt injection attack against llm-integrated applications","author":"Liu","year":"2023"},{"key":"10.1016\/j.jss.2026.112782_bib0028","series-title":"Technical Report","article-title":"Jailbreaking chatgpt via prompt engineering: An empirical study","author":"Liu","year":"2023"},{"key":"10.1016\/j.jss.2026.112782_bib0029","series-title":"Formalizing and Benchmarking Prompt Injection Attacks and Defenses","author":"Liu","year":"2024"},{"key":"10.1016\/j.jss.2026.112782_bib0030","series-title":"Technical Report","article-title":"A language agent for autonomous driving","author":"Mao","year":"2023"},{"key":"10.1016\/j.jss.2026.112782_bib0031","series-title":"2015 IEEE International Conference on Robotics and Automation (ICRA)","first-page":"6235","article-title":"Px4: a node-based multithreaded open source robotics framework for deeply embedded platforms","author":"Meier","year":"2015"},{"key":"10.1016\/j.jss.2026.112782_bib0032","series-title":"Technical Report","article-title":"et al. Ros-llm: A ros framework for embodied ai with task feedback and structured reasoning","author":"Mower","year":"2024"},{"key":"10.1016\/j.jss.2026.112782_bib0033","first-page":"27730","article-title":"Training language models to follow instructions with human feedback","volume":"35","author":"Ouyang","year":"2022","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"10.1016\/j.jss.2026.112782_bib0034","series-title":"Technical Report","article-title":"Red teaming language models with language models","author":"Perez","year":"2022"},{"issue":"4","key":"10.1016\/j.jss.2026.112782_bib0035","doi-asserted-by":"crossref","first-page":"376","DOI":"10.1046\/j.1365-2648.2003.02537.x","article-title":"The delphi technique: myths and realities","volume":"41","author":"Powell","year":"2003","journal-title":"J. Adv. Nurs."},{"key":"10.1016\/j.jss.2026.112782_bib0036","doi-asserted-by":"crossref","DOI":"10.1016\/j.infsof.2024.107661","article-title":"An input-denoising-based defense against stealthy backdoor attacks in large language models for code","volume":"180","author":"Qu","year":"2025","journal-title":"Inf. Softw. Technol."},{"key":"10.1016\/j.jss.2026.112782_bib0037","series-title":"A review of backdoor attacks and defenses in code large language models: implications for security measures","first-page":"107707","author":"Qu","year":"2025"},{"issue":"2","key":"10.1016\/j.jss.2026.112782_bib0038","doi-asserted-by":"crossref","first-page":"65","DOI":"10.1007\/s10515-024-00464-7","article-title":"A survey on robustness attacks for deep code models","volume":"31","author":"Qu","year":"2024","journal-title":"Automated Softw. Eng."},{"key":"10.1016\/j.jss.2026.112782_bib0039","series-title":"Ros: an open-source robot operating system","volume":"Vol. 3","author":"Quigley","year":"2009"},{"key":"10.1016\/j.jss.2026.112782_bib0040","series-title":"Technical Report","article-title":"Smoothllm: Defending large language models against jailbreaking attacks","author":"Robey","year":"2023"},{"key":"10.1016\/j.jss.2026.112782_bib0041","series-title":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security","first-page":"1671","article-title":"Do anything now\u201d: characterizing and evaluating in-the-wild jailbreak prompts on large language models","author":"Shen","year":"2024"},{"key":"10.1016\/j.jss.2026.112782_bib0042","series-title":"Conference on Robot Learning","first-page":"894","article-title":"Cliport: what and where pathways for robotic manipulation","author":"Shridhar","year":"2022"},{"key":"10.1016\/j.jss.2026.112782_bib0043","series-title":"Technical Report","article-title":"Progprompt: Generating situated robot task plans using large language models","author":"Singh","year":"2022"},{"issue":"1","key":"10.1016\/j.jss.2026.112782_bib0044","doi-asserted-by":"crossref","first-page":"25","DOI":"10.1177\/0306312717741687","article-title":"Machine learning, social learning and the governance of self-driving cars","volume":"48","author":"Stilgoe","year":"2018","journal-title":"Soc. Stud. Sci."},{"key":"10.1016\/j.jss.2026.112782_bib0045","series-title":"Stanford alpaca: an instruction-following llama model","author":"Taori","year":"2023"},{"key":"10.1016\/j.jss.2026.112782_bib0046","unstructured":"G. Team, Mesnard, T., Hardin, C., Dadashi, R., Bhupatiraju, S., Pathak, S., Sifre, L., Rivi\u00e8re, M., Kale, M. S., Love, J., et al., 2024. Gemma: Open models based on gemini research and technology. Technical Report. arXiv preprint. arXiv: 2403.08295."},{"key":"10.1016\/j.jss.2026.112782_bib0047","series-title":"2023 International Conference on Emerging Research in Computational Science (ICERCS)","first-page":"1","article-title":"Comprehensive examination of instruction-based language models: a comparative analysis of mistral-7b and llama-2-7b","author":"Thakkar","year":"2023"},{"key":"10.1016\/j.jss.2026.112782_bib0048","series-title":"Proceedings of the 40Th International Conference on Software Engineering","first-page":"303","article-title":"Deeptest: automated testing of deep-neural-network-driven autonomous cars","author":"Tian","year":"2018"},{"key":"10.1016\/j.jss.2026.112782_bib0049","series-title":"Technical Report","article-title":"et al. Llama 2: Open foundation and fine-tuned chat models","author":"Touvron","year":"2023"},{"key":"10.1016\/j.jss.2026.112782_bib0050","article-title":"Attention is all you need","volume":"30","author":"Vaswani","year":"2017","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"10.1016\/j.jss.2026.112782_bib0051","series-title":"Chatgpt for robotics: Design principles and model abilities","author":"Vemprala","year":"2023"},{"key":"10.1016\/j.jss.2026.112782_bib0052","series-title":"Technical Report","article-title":"Universal adversarial triggers for attacking and analyzing nlp","author":"Wallace","year":"2019"},{"key":"10.1016\/j.jss.2026.112782_bib0053","series-title":"Technical Report","article-title":"Evaluating the robustness of neural networks: An extreme value theory approach","author":"Weng","year":"2018"},{"key":"10.1016\/j.jss.2026.112782_bib0054","series-title":"Technical Report","article-title":"Embodied task planning with large language models","author":"Wu","year":"2023"},{"key":"10.1016\/j.jss.2026.112782_bib0055","series-title":"Technical Report","article-title":"Defensive Prompt Patch: a Robust and Interpretable Defense of LLMs Against Jailbreak Attacks","author":"Xiong","year":"2024"},{"key":"10.1016\/j.jss.2026.112782_bib0056","series-title":"2024 IEEE 35Th International Symposium on Software Reliability Engineering Workshops (ISSREW)","first-page":"361","article-title":"A study on prompt injection attack against llm-integrated mobile robotic systems","author":"Zhang","year":"2024"},{"key":"10.1016\/j.jss.2026.112782_bib0057","series-title":"Judging llm-as-a-judge with mt-bench and chatbot arena","author":"Zheng","year":"2023"},{"key":"10.1016\/j.jss.2026.112782_bib0058","series-title":"Technical Report","article-title":"Fine-tuning language models from human preferences","author":"Ziegler","year":"2019"},{"key":"10.1016\/j.jss.2026.112782_bib0059","series-title":"Conference on Robot Learning","first-page":"2165","article-title":"Rt-2: vision-language-action models transfer web knowledge to robotic control","author":"Zitkovich","year":"2023"},{"key":"10.1016\/j.jss.2026.112782_bib0060","series-title":"Technical Report","article-title":"Universal and transferable adversarial attacks on aligned language models","author":"Zou","year":"2023"}],"container-title":["Journal of Systems and Software"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0164121226000166?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0164121226000166?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2026,3,19]],"date-time":"2026-03-19T21:55:48Z","timestamp":1773957348000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0164121226000166"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5]]},"references-count":60,"alternative-id":["S0164121226000166"],"URL":"https:\/\/doi.org\/10.1016\/j.jss.2026.112782","relation":{},"ISSN":["0164-1212"],"issn-type":[{"value":"0164-1212","type":"print"}],"subject":[],"published":{"date-parts":[[2026,5]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"A white-box prompt injection attack on embodied AI agents driven by large language models","name":"articletitle","label":"Article Title"},{"value":"Journal of Systems and Software","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.jss.2026.112782","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2026 Elsevier Inc. All rights are reserved, including those for text and data mining, AI training, and similar technologies.","name":"copyright","label":"Copyright"}],"article-number":"112782"}}