Failures to Surface Harmful Contents in Video Large Language Models
视频大型语言模型未能揭示有害内容

Video Large Language Models (VideoLLMs) have recently become state-of-the-art engines for video understanding (zhao2023learning; tang2025video; weng2024longvlm). They distill high-level semantics from diverse footage, such as classroom lectures, tutorials, news segments, sports highlights, entertainment shows, surveillance clips, and more, then generate concise summaries or detailed textual interpretations. By condensing lengthy footage into concise textual summaries, VideoLLMs enable viewers to skim the video casually while relying on the generated text to grasp its main ideas. This new way of video consumption markedly improves accessibility and eases cognitive load, making VideoLLMs indispensable for students, professionals, content moderators, and general users (qian2024streaming).
视频大型语言模型（VideoLLMs）最近已成为视频理解领域的最先进引擎（zhao2023learning; tang2025video; weng2024longvlm）。它们从各种素材中提炼高级语义，例如课堂讲座、教程、新闻片段、体育精华、娱乐节目、监控片段等，然后生成简洁的摘要或详细的文本解释。通过将长视频浓缩为简洁的文本摘要，VideoLLMs 使观众能够随意浏览视频，同时依赖生成的文本来把握其主要思想。这种新的视频消费方式显著提高了可访问性并减轻了认知负担，使 VideoLLMs 成为学生、专业人士、内容审核员和普通用户不可或缺的工具（qian2024streaming）。

This hybrid “watch-and-read” video viewing style concentrates semantic trust in VideoLLMs’ outputs, as users rely on the textual summaries to flag anything harmful or dangerous that a quick visual skim might miss in a video. However, VideoLLMs often omit these cues from their summaries, leaving viewers with no warning and leading them to assume the video is harmless even when harmful frames are present. Such omissions create a semantic blind spot, wherein harmful content remains visible in the video yet absent from VideoLLMs’ summary, allowing the video to slip by unchallenged and spread unchecked across platforms. Understanding the mechanisms behind this blind spot is therefore crucial and motivates a systematic study into VideoLLMs’ vulnerability to omission, i.e., examining how often clearly visible harmful content remains unacknowledged in their summaries.
这种混合的“观看与阅读”视频观看方式将语义信任集中在 VideoLLMs 的输出上，因为用户依赖文本摘要来标记快速视觉浏览可能遗漏的任何有害或危险内容。然而，VideoLLMs 经常从其摘要中省略这些提示，使观众没有警告，导致他们假设视频是无害的，即使存在有害画面。这种省略造成了一个语义盲点，其中有害内容在视频中仍然可见，但在 VideoLLMs 的摘要中却缺失，允许视频未经挑战就在平台上自由传播。因此，理解这个盲点背后的机制至关重要，并促使对 VideoLLMs 的省略脆弱性进行系统性研究，即检查清晰可见的有害内容在它们的摘要中经常被忽略的频率。

To investigate this issue, we dissect VideoLLMs’ processing pipeline and identify three structural flaws that give rise to this semantic blind spot. First, VideoLLMs typically adopt sparse uniform frame sampling to keep computation tractable. This leaves large portions of the video unexamined, allowing attackers to insert harmful content in unsampled intervals without detection (li2025improving). Second, the retained frames often undergo aggressive spatial downsampling to trim visual tokens (li2024llava-onevision), which leads to the loss of fine-grained information from small regions, such as a small corner patch. Third, the cross-modal decoder downplays visual evidence: linguistic priors dominate the attention budget, so cues that do survive tokenization may still be ignored at generation time (fu2025hidden). Combined, these three structural flaws, temporal sparse sampling, spatial downsampling, and modality fusion imbalance, collectively account for VideoLLMs’ consistent omission of harmful content. Motivated by these findings, we craft three zero-query, black-box omission attacks, each exploiting one or more of these flaws:
为调查这一问题，我们剖析了 VideoLLMs 的处理流程，并识别出三个结构性缺陷，这些缺陷导致了语义上的盲点。首先，VideoLLMs 通常采用稀疏均匀帧采样以保持计算的可控性。这导致大量视频内容未被检查，攻击者可以在未采样的时间间隔中插入有害内容而未被察觉（li2025improving）。其次，保留的帧通常经过激进的空間下采样以削减视觉标记（li2024llava-onevision），这导致来自小区域（如一个小角落块）的细粒度信息丢失。第三，跨模态解码器轻视视觉证据：语言先验主导了注意力预算，因此即使标记化后幸存下来的线索在生成时仍可能被忽略（fu2025hidden）。综合来看，这三个结构性缺陷——时间稀疏采样、空間下采样和模态融合不平衡——共同解释了 VideoLLMs 持续忽略有害内容的现象。基于这些发现，我们设计了三种零查询、黑盒的忽略攻击，每种攻击利用了一个或多个这些缺陷：

• Frame-Replacement Attack (FRA): We replace a segment of the original video with a harmful video clip at a random temporal position. Due to the large interval of sparse uniform sampling, the inserted segment is skipped entirely or nearly entirely during frame selection.
  帧替换攻击（FRA）：我们将原始视频的一个片段替换为有害视频片段，位置随机。由于稀疏均匀采样的较大间隔，插入的片段在帧选择过程中完全或几乎完全被跳过。

  Report issue for preceding element

• Picture-in-Picture Attack (PPA): We insert a small harmful patch into the corner of each frame. Due to spatial downsampling, information in peripheral regions (e.g., corners) is often lost, and any harmful signals that survive are treated as high-frequency noise and suppressed.
  画中画攻击（PPA）：我们在每帧的角落插入一个小型有害补丁。由于空间下采样，边缘区域（例如角落）的信息通常丢失，而幸存的有害信号被视为高频噪声并被抑制。

  Report issue for preceding element

• Transparent-Overlay Attack (TOA): We overlay a transparent harmful video clip across each frame. While the visual encoder may capture the harmful signal, it is often overridden by strong linguistic priors during fusion and thus omitted in the final response due to unbalanced modality fusion.
  透明覆盖攻击（TOA）：我们在每帧上覆盖一个透明的有害视频片段。虽然视觉编码器可能捕捉到有害信号，但在融合过程中常被强烈的语言先验所覆盖，由于模态融合不平衡，最终响应中往往被忽略。

  Report issue for preceding element

To quantify the severity of the omission vulnerability, we comprehensively test the three proposed attacks against five representative VideoLLMs, LLaVA-Video-7B-Qwen2 (zhang2024LLaVA-Video), LLaVA-NeXT-Video-7B-DPO (zhang2024llavanextvideo), LLaVA-NeXT-Video-32B-Qwen (zhang2024llavanextvideo), VideoLLaMA2 (cheng2024videollama2), and ShareGPT4Video (chen2024sharegpt4video), using test clips that embed three types of harmful content: violence, crime, and pornography. Using the unified metric of Harmfulness Omission Rate (HOR), the percentage of harmful clips that pass unmentioned, we find that, with hyperparameters ensuring the harmful content remains clearly visible and semantically recognizable to human viewers, the average HORs remain strikingly high: 99%, 91%, 100% for violence, crime and pornography content under FRA; 98%, 87%, 76% under PPA; and 93%, 82%, 93% under TOA. This phenomenon reflects the fact that most injected frames evade sampling due to temporal sparsity, and harmful content in corners is largely discarded during spatial downsampling. Even when some visual tokens survive, they are often suppressed by unbalanced modality fusion, a failure that also occurs in TOA, where transparent yet clearly visible harmful content is added to every frame. These findings reveal a fundamental weakness in state-of-the-art VideoLLMs and underscore the need for denser temporal sampling, finer spatial token retention, and a more balanced cross-modal fusion to achieve reliable safety against harmful content. Our code is available at https://github.com/yuxincao22/VideoLLM-Failures.
为了量化遗漏漏洞的严重程度，我们使用包含暴力、犯罪和色情三种有害内容的测试片段，对五个具有代表性的 VideoLLMs——LLaVA-Video-7B-Qwen2（zhang2024LLaVA-Video）、LLaVA-NeXT-Video-7B-DPO（zhang2024llavanextvideo）、LLaVA-NeXT-Video-32B-Qwen（zhang2024llavanextvideo）、VideoLLaMA2（cheng2024videollama2）和 ShareGPT4Video（chen2024sharegpt4video）——进行了全面测试。采用有害内容遗漏率（HOR）这一统一指标，即未提及的有害片段百分比，我们发现，在确保有害内容对人类观众保持清晰可见和语义可识别的超参数设置下，FRA、PPA 和 TOA 三种场景下的平均 HOR 分别高达：暴力内容 99%、犯罪内容 91%、色情内容 100%；暴力内容 98%、犯罪内容 87%、色情内容 76%；暴力内容 93%、犯罪内容 82%、色情内容 93%。这一现象表明，大多数注入的帧因时间稀疏性而逃避采样，且角落中的有害内容在空间下采样过程中被大量丢弃。 即使某些视觉标记得以幸存，它们也常常因模态融合不平衡而被压制，这种失败在 TOA 中也同样存在，在 TOA 中，透明但明显可见的有害内容被添加到每一帧中。这些发现揭示了最先进的 VideoLLMs 中的一个基本弱点，并强调了实现可靠安全防护有害内容的需要，包括更密集的时间采样、更精细的空间标记保留以及更平衡的跨模态融合。我们的代码可在 https://github.com/yuxincao22/VideoLLM-Failures 获取。

As shown in Figure 1, a VideoLLM takes a video and a text prompt as input, and generates a textual response that reflects its semantic interpretation of the video based on the prompt. This is typically achieved through three main components: a visual encoder, a projector, and a pretrained LLM.
如图 1 所示，VideoLLM 以视频和文本提示作为输入，并根据提示生成反映其对视频语义理解的文本响应。这通常通过三个主要组件实现：视觉编码器、投影器和预训练的 LLM。

Pretrained on large-scale image-text datasets, the visual encoder, such as SigLIP (zhai2023siglip), BLIP-2 (li2023blip) and EVA-CLIP (fang2023eva), extracts visual embeddings from a uniformly sampled subset of frames from the input video. These embeddings are then mapped by the projector into the same embedding space as the language input tokens. Projectors are typically implemented using Multi-Layer Perceptrons, cross-attention modules (vaswani2017attention), or Q-Formers (li2023blip). The LLM serves as the core reasoning engine. It receives a concatenated sequence of projected visual tokens and text tokens, and produces the textual output. Most VideoLLMs use instruction-tuned models such as LLaMA (touvron2023llama), Vicuna (chiang2023vicuna) and Qwen (bai2023qwen) as their backbone. This unified design enables VideoLLMs to jointly process visual and textual inputs, supporting diverse video understanding tasks including video captioning and question answering.
在大规模图像-文本数据集上预训练的视觉编码器，如 SigLIP（zhai2023siglip）、BLIP-2（li2023blip）和 EVA-CLIP（fang2023eva），从输入视频的均匀采样子集中提取视觉嵌入。这些嵌入随后被投影器映射到与语言输入标记相同的嵌入空间。投影器通常使用多层感知器、交叉注意力模块（vaswani2017attention）或 Q-Formers（li2023blip）实现。LLM 作为核心推理引擎。它接收投影的视觉标记和文本标记的串联序列，并生成文本输出。大多数 VideoLLMs 使用指令微调模型，如 LLaMA（touvron2023llama）、Vicuna（chiang2023vicuna）和 Qwen（bai2023qwen）作为其骨干。这种统一设计使 VideoLLMs 能够联合处理视觉和文本输入，支持视频字幕生成和问答等多样化视频理解任务。

Formally, given a video $\mathcal{V}=\{f_{1},f_{2},\dots,f_{T}\}$ with $T$ frames, where each frame $f_{t}\in\mathbb{R}^{H\times W\times C}$, and $H$, $W$, $C$ denotes the height, width and channel number of the frame, respectively, VideoLLMs, constrained by computation resources, first sample a subset $\mathcal{V}_{s}$ uniformly from $\mathcal{V}$:
形式上，给定一个视频 $\mathcal{V}=\{f_{1},f_{2},\dots,f_{T}\}$ ，包含 $T$ 帧，其中每一帧 $f_{t}\in\mathbb{R}^{H\times W\times C}$ ， $H$ ， $W$ ， $C$ 分别表示帧的高度、宽度和通道数，VideoLLMs 受限于计算资源，首先从 $\mathcal{V}$ 中均匀地采样一个子集 $\mathcal{V}_{s}$ ：

With $\mathcal{V}_{s}$, the visual encoder $\phi_{v}$ encodes each frame $f_{t_{i}}\in\mathcal{V}_{s}$ to extract $P$ visual tokens $\phi_{v}(f_{t_{i}})$. These tokens are then downsampled to obtain a reduced set of $P^{\prime}$ tokens per frame ($P^{\prime}<P$). The resulting output $\mathbf{v}_{i}\in\mathbb{R}^{P^{\prime}\times d_{v}}$, with $d_{v}$ denoting the embedding dimension of visual tokens, is aggregated to form the complete set of visual features:
使用 $\mathcal{V}_{s}$ ，视觉编码器 $\phi_{v}$ 对每一帧 $f_{t_{i}}\in\mathcal{V}_{s}$ 进行编码以提取 $P$ 视觉标记 $\phi_{v}(f_{t_{i}})$ 。这些标记随后被下采样以获得每帧的减少的标记集（ $P^{\prime}<P$ ）。最终输出 $\mathbf{v}_{i}\in\mathbb{R}^{P^{\prime}\times d_{v}}$ ，其中 $d_{v}$ 表示视觉标记的嵌入维度，被聚合形成完整的视觉特征集：

To align visual tokens with text embeddings, they are passed through a projector $\phi_{p}$, which maps them into the LLM token space of dimension $d_{t}$:
为了使视觉标记与文本嵌入对齐，它们通过一个投影器 $\phi_{p}$ ，该投影器将它们映射到维度为 $d_{t}$ 的 LLM 标记空间：

At the same time, the user-provided textual prompt is tokenized as a sequence of tokens: $\mathcal{Q}=\{w_{1},w_{2},\dots,w_{L}\}$, where $L$ is the token length of the prompt. These tokens are then embedded by the language encoder $\phi_{q}$:
同时，用户提供的文本提示被标记化为一系列标记： $\mathcal{Q}=\{w_{1},w_{2},\dots,w_{L}\}$ ，其中 $L$ 是提示的标记长度。这些标记随后由语言编码器 $\phi_{q}$ 进行嵌入：

Finally, the projected visual tokens $\mathbf{V}^{\prime}$ and text embeddings $\mathbf{Q}$ are concatenated into a unified sequence $\mathbf{Z}=[\mathbf{V}^{\prime};\mathbf{Q}]\in\mathbb{R}^{(N\cdot P^{\prime}+L)\times d_{t}}$, which will be fed into the LLM $\mathcal{F}$ and produce the final textual output $\hat{\mathcal{Y}}=\mathcal{F}(\mathbf{Z})$.
最后，投影的视觉标记 $\mathbf{V}^{\prime}$ 和文本嵌入 $\mathbf{Q}$ 被连接成一个统一的序列 $\mathbf{Z}=[\mathbf{V}^{\prime};\mathbf{Q}]\in\mathbb{R}^{(N\cdot P^{\prime}+L)\times d_{t}}$ ，该序列将被输入到 LLM $\mathcal{F}$ 并产生最终的文本输出 $\hat{\mathcal{Y}}=\mathcal{F}(\mathbf{Z})$ 。

Moreover, token-level compression techniques are also widely used. Typically, the visual tokens are downsampled using a $2\times 2$ bilinear interpolation in LLaVA-OneVision (li2024llava-onevision) and VideoLLaMA3 (zhang2025videollama3), or average pooling in LLaVA-Video (zhang2024LLaVA-Video). Some other models reduce visual tokens through various compression strategies. For instance, LLaMA-VID (li2024llama-vid) fixes the number of tokens per frame to two, NVILA (liu2025nvila) scales up spatial and temporal resolution before pooling, and Chat-UniVi (jin2024chat-univi) performs k-nearest-neighbor based clustering to reduce redundancy. However, such token compression strategies result in extremely limited information per frame, leading to the loss of fine-grained visual details. More details of existing mainstream VideoLLMs are provided in Appendix.
此外，token 级别的压缩技术也得到广泛应用。通常情况下，在 LLaVA-OneVision (li2024llava-onevision) 和 VideoLLaMA3 (zhang2025videollama3) 中，视觉 token 通过双线性插值进行下采样；而在 LLaVA-Video (zhang2024LLaVA-Video) 中则采用平均池化。其他一些模型通过不同的压缩策略来减少视觉 token 数量。例如，LLaMA-VID (li2024llama-vid) 将每帧的 token 数量固定为两个，NVILA (liu2025nvila) 在池化前对空间和时间分辨率进行放大，Chat-UniVi (jin2024chat-univi) 则通过基于 k 近邻的聚类来减少冗余。然而，这种 token 压缩策略导致每帧的信息量极其有限，从而造成细粒度视觉细节的丢失。现有主流 VideoLLM 的更多细节在附录中提供。

Recent advances in VideoLLMs have enabled impressive performance across a wide range of video understanding tasks. However, their ability to handle safety-critical content remains largely unexamined. In this paper, we uncover three inherent design flaws in current VideoLLMs (illustrated in Figure 2) that allow harmful content to pass undetected, and therefore unreported in their textual outputs.
近年来，VideoLLMs 在视频理解任务上取得了令人印象深刻的性能。然而，它们处理安全关键内容的能力仍然没有得到充分检验。在本文中，我们揭示了当前 VideoLLMs 中存在的三个固有设计缺陷（如图 2 所示），这些缺陷使得有害内容能够未被检测到，因此在其文本输出中未被报告。

While effective in reducing token count, this compression process inevitably leads to the loss of local spatial details, especially from peripheral or low-saliency regions such as small objectionable content in a corner. The influence of such harmful patches becomes significantly weakened after token compression and may not survive downstream processing. Moreover, harmful patches often introduce sharp local changes in otherwise smooth regions, manifesting as high-frequency signals. Since token compression acts as a low-pass filter, these high-frequency components are suppressed or diffused across multiple tokens, weakening their influence and leading to spatial aliasing. As a result, the harmful content is unlikely to be retained in the final visual representation.
虽然这种压缩过程在减少 token 数量方面很有效，但不可避免地会导致局部空间细节的丢失，尤其是来自边缘或低显著性区域的细节，例如角落里的小型不良内容。经过 token 压缩后，这类有害区域的影響会显著减弱，可能无法在后续处理中存活下来。此外，有害区域常常在原本平滑的区域引入剧烈的局部变化，表现为高频信号。由于 token 压缩充当低通滤波器，这些高频分量会被抑制或分散到多个 token 中，从而削弱其影响并导致空间混叠。因此，有害内容不太可能在最终视觉表示中保留下来。

To validate this, we conduct a comparative experiment using LLaVA-Video-7B-Qwen2 and its underlying visual encoder, SigLIP. Following (fu2025hidden), we examine the effectiveness of the visual encoder through a visual probing strategy. Specifically, we construct evaluation videos by inserting harmful content into benign source videos (details in the next section) and randomly sample 100 benign and 100 harmful examples for each of three categories: violence, crime, and pornography. For each video, we examine the binary classification accuracy of both the standalone visual encoder and the full VideoLLM under identical inputs. Figure 3 reports the proportion of correctly identified videos for each category. For benign videos, both the visual encoder and the full VideoLLM achieve comparably high detection rates. However, for the three harmful categories, the full VideoLLM exhibits a significant performance drop compared to the visual encoder. This discrepancy provides concrete empirical support for this flaw, confirming that modality fusion does suppress visual signals even when they are preserved at the visual encoder level.
为验证这一点，我们使用 LLaVA-Video-7B-Qwen2 及其底层的视觉编码器 SigLIP 进行对比实验。遵循(fu2025hidden)，我们通过视觉探测策略检验视觉编码器的有效性。具体而言，我们将有害内容插入良性源视频（详情见下一节），并为暴力、犯罪和色情三个类别随机采样 100 个良性样本和 100 个有害样本。对于每个视频，我们考察独立视觉编码器和完整 VideoLLM 在相同输入下的二分类准确率。图 3 报告了每个类别正确识别视频的比例。对于良性视频，视觉编码器和完整 VideoLLM 均实现了相当高的检测率。然而，对于三个有害类别，完整 VideoLLM 的性能与视觉编码器相比显著下降。这种差异为这一缺陷提供了具体的实证支持，证实了模态融合即使在视觉编码器层面保留了视觉信号时，仍会抑制视觉信号。

The architecture-level flaws mentioned above significantly undermine the reliability and safety of VideoLLMs in security-critical applications. Exploiting these flaws, we design three attacks targeting current VideoLLMs by inserting harmful content into videos in three distinct ways, each intended to make VideoLLMs omit the harmful content in their outputs.
上述架构级缺陷显著削弱了 VideoLLMs 在安全关键应用中的可靠性和安全性。利用这些缺陷，我们设计了三种针对当前 VideoLLMs 的攻击方法，通过三种不同的方式将有害内容插入视频中，每种方法都旨在使 VideoLLMs 在其输出中忽略有害内容。

This work identifies and systematically analyzes three fundamental design flaws in current VideoLLMs: sparse uniform sampling, which leaves large portions of the video unchecked; token under-sampling, which leads to the loss of localized spatial information; and modality fusion imbalance, which suppresses visual signals even when harmful content is captured by the encoder. To demonstrate the consequences of these flaws, we propose three zero-query, black-box attacks that insert harmful content through frame replacement, picture-in-picture, and transparent overlays. Despite the content being readily noticeable to human viewers, these attacks consistently achieve high Harmfulness Omission Rates across multiple mainstream VideoLLMs. This work serves as an early step toward understanding the structural vulnerabilities of VideoLLMs in open-world, safety-critical scenarios. We call for rethinking core design choices and building models that are not only accurate but also safe and reliable.
这项工作识别并系统地分析了当前 VideoLLM 中的三个基本设计缺陷：稀疏均匀采样，导致视频的大部分内容未被检查；标记欠采样，导致局部空间信息丢失；以及模态融合不平衡，即使编码器捕捉到有害内容时也会压制视觉信号。为了展示这些缺陷的后果，我们提出了三种零查询、黑盒攻击方法，通过帧替换、画中画和透明覆盖层插入有害内容。尽管这些内容对人类观察者来说显而易见，但这些攻击在多个主流 VideoLLM 中始终保持着高有害内容遗漏率。这项工作为理解 VideoLLM 在开放世界、安全关键场景中的结构脆弱性迈出了早期一步。我们呼吁重新思考核心设计选择，构建不仅准确而且安全可靠的模型。

We thank the reviewers for their constructive comments.
我们感谢审稿人的建设性意见。

Table 2 summarizes the strategies of frame selection and token compression in mainstream VideoLLMs. As aligned with our core analysis in the main text, most existing models employ uniform frame sampling, either by selecting a fixed number of frames (e.g., 16 or 32) or by applying a low and fixed sampling rate. This design significantly facilitates adversarial attempts to insert harmful content, as large portions of the video are systematically ignored. While a few models incorporate additional frame selection mechanisms, such as keyframe selection (chen2024sharegpt4video) or KNN-based clustering (jin2024chat-univi), the total number of selected frames remains small. Thus, our core conclusion regarding the vulnerability of sparse sampling remains unaffected.
表 2 总结了主流视频大语言模型中帧选择和 token 压缩的策略。与正文中的核心分析一致，大多数现有模型采用均匀帧采样，要么选择固定数量的帧（例如 16 或 32），要么应用低而固定的采样率。这种设计显著便利了对抗性尝试插入有害内容，因为视频的大部分内容被系统性地忽略。虽然少数模型结合了额外的帧选择机制，如关键帧选择（chen2024sharegpt4video）或基于 KNN 的聚类（jin2024chat-univi），但选择的帧总数仍然较少。因此，我们关于稀疏采样的脆弱性的核心结论保持不变。

For token compression, mainstream methods primarily rely on average pooling or bilinear interpolation, both of which tend to discard fine-grained spatial details during the compression process. This compromises the model’s ability to preserve and utilize localized visual signals, especially when harmful content occupies small regions.
对于 token 压缩，主流方法主要依赖平均池化或双线性插值，这两种方法在压缩过程中都倾向于丢弃细粒度的空间细节。这削弱了模型保留和利用局部视觉信号的能力，尤其是在有害内容占据小区域时。

In addition, we include several representative long video understanding VideoLLMs in our summary, even though they fall outside the primary scope of this work. Notably, these models continue to rely on sparse temporal sampling and token compression or merging to handle longer sequences. Based on these observations, we reasonably hypothesize that long-video models may also suffer from omission vulnerabilities under harmful content insertion. A thorough investigation of long-video models in this context is left as future work.
此外，我们在综述中包含了几个具有代表性的长视频理解 VideoLLMs，尽管它们不属于这项工作的主要范围。值得注意的是，这些模型仍然依赖稀疏时间采样和 token 压缩或合并来处理更长的序列。基于这些观察，我们合理假设长视频模型在有害内容插入的情况下也可能存在遗漏漏洞。在这种情况下对长视频模型进行深入研究的任务留待未来完成。

In this section, we conduct in-depth analyses of the key hyperparameters involved in our attacks, expanding upon the summary findings presented in the main text.
在本节中，我们对攻击中涉及的关键超参数进行了深入分析，扩展了主文中呈现的总结性发现。

As shown in Figure 7, the probability of missing the inserted segment is high when either the sampling frame count is low or the replaced segment is short. Our results show that when only 4 or 8 frames are sampled, the inserted content is always captured by at most one frame, regardless of duration (from 1% to 10%). In fact, for the inserted segment to appear in more than one sampled frame, its duration must exceed the sampling interval. This becomes particularly critical for VideoLLMs that sample 16 frames, a configuration commonly adopted and often regarded as optimal for minute-long videos (cheng2025vilamp). Under this setting, any segment shorter than 6% of the video duration is guaranteed to be sampled by at most one frame. For a one-minute video, a 4-second harmful segment is sufficient to meet that requirement. Also, such a segment is perceptually salient to human viewers, but is often omitted by VideoLLMs. The analysis above also justifies our experimental setting of $t_{r}=4$ in the main evaluation.
如图 7 所示，当采样帧数较少或被替换的片段较短时，遗漏插入片段的概率较高。我们的结果表明，当仅采样 4 帧或 8 帧时，无论持续时间（从 1%到 10%）如何，插入内容总是被最多一帧捕获。实际上，要使插入片段出现在超过一帧的采样中，其持续时间必须超过采样间隔。这对于采样 16 帧的 VideoLLMs 尤其关键，这种配置通常被采用，并且常被认为是对分钟长视频的最佳选择（cheng2025vilamp）。在此设置下，任何小于视频持续时间 6%的片段都保证最多被一帧采样。对于一分钟视频，一个 4 秒的有害片段就足以满足这一要求。此外，此类片段对人类观察者来说是感知上显著的，但 VideoLLMs 却常常忽略它们。上述分析也合理化了我们在主要评估中 $t_{r}=4$ 的实验设置。

Similarly, a sampling rate of 32 frames is typically used to process hour-long videos. This results in a sampling interval of roughly 2 minutes. As our results show, harmful segments shorter than 3.6 minutes will be captured by at most 2 frames. Even when the inserted segment exceeds 8% of the video (about 5 minutes), the probability of being sampled by 3 frames is still only marginally above 50%, and those frames remain a small minority within the full set of 32. This implies that the harmful content, while visible, contributes little to the final model output and can easily be suppressed.
同样地，处理时长为一小时的视频通常使用 32 帧的采样率。这导致采样间隔大约为 2 分钟。根据我们的结果，时长不足 3.6 分钟的有害片段最多只会被 2 帧捕获。即使插入的有害片段超过了视频的 8%（大约 5 分钟），被 3 帧采样的概率也仅略高于 50%，而这些帧在整个 32 帧集合中仍然只占少数。这意味着虽然有害内容是可见的，但它对最终模型输出的贡献很小，并且很容易被抑制。

The experiment also reveals that, as video length increases, the likelihood of harmful content being completely omitted also increases, and such an effect grows exponentially under a fixed number of sampled frames. This highlights a fundamental limitation in current VideoLLM designs, where sparse uniform sampling fails to scale with input duration.
该实验还揭示，随着视频长度的增加，有害内容被完全遗漏的可能性也随之增加，而在固定的采样帧数下，这种效应呈指数增长。这突显了当前 VideoLLM 设计中的一个基本局限性，即稀疏均匀采样无法随输入时长扩展。

To further investigate this trend in greater detail, we conduct a more comprehensive experiment to further analyze how varying the PiP scaling ratio affects the model’s sensitivity to harmful content. Specifically, we vary $\eta$ from 0 to 100% in increments of 5%, and randomly select 50 clean videos. The inserted harmful content is scaled according to $\eta$ and placed in the bottom-right corner of each frame. We use L-7B as the VideoLLM, and report the resulting HOR in Figure 8. We observe that when the scaling ratio exceeds 20%, the model begins to show sensitivity to violent and pornographic content. However, at this point, the harmful segment is already visually prominent to human viewers. When $\eta$ reaches 50%, the HOR drops below 0.2 for all three categories, indicating that the harmful content is consistently detected. This result raises concern, as it suggests that a harmful segment must occupy at least one quarter of the video area to reliably influence the model’s response, which is insufficient for safety-critical applications.
为了更详细地研究这一趋势，我们进行了一项更全面的实验，以进一步分析 PiP 缩放比例的变化如何影响模型对有害内容的敏感性。具体而言，我们将 $\eta$ 从 0% 变化到 100%，以 5% 为增量，并随机选择 50 个干净视频。插入的有害内容根据 $\eta$ 进行缩放，并放置在每个帧的右下角。我们使用 L-7B 作为 VideoLLM，并将结果 HOR 报告在图 8 中。我们观察到当缩放比例超过 20% 时，模型开始对暴力和色情内容表现出敏感性。然而，此时有害片段对人类观察者来说已经视觉上非常明显。当 $\eta$ 达到 50% 时，所有三个类别的 HOR 都低于 0.2，表明有害内容被一致检测到。这一结果引发了担忧，因为它表明有害片段必须至少占据视频面积的四分之一才能可靠地影响模型的响应，这对于安全关键型应用来说是不够的。

Compared to violence and crime, we find that pornography leads to a lower HOR at smaller scales, with HOR reaching zero earlier. This may suggest that the model has seen similar content during training and exhibits partial sensitivity, although not sufficient to trigger robust safety mechanisms. Interestingly, we also observe fluctuations in the HOR of crime content when the scaling ratio increases from 60% to 100%. This indicates that even large and visually salient harmful segments can still be omitted by the model, reflecting instability in detection behavior.
与暴力和犯罪相比，我们发现色情内容在小规模下导致更低的 HOR，且 HOR 更早达到零。这可能表明模型在训练中见过类似内容，并表现出部分敏感性，尽管不足以触发强大的安全机制。有趣的是，我们还观察到当缩放比例从 60%增加到 100%时，犯罪内容的 HOR 出现波动。这表明即使是大且视觉上显眼的有害片段也可能被模型忽略，反映出检测行为的不稳定性。

We observe that increasing $\alpha$ does not lead to a consistent or substantial decrease in HOR. For L-7B and LN-32B, there is a slight downward trend, indicating a modest improvement in harmful content recognition. However, for the remaining three models, HOR remains largely stable across opacity levels, suggesting that increasing visual visibility is insufficient for triggering harmful content detection. This is particularly concerning, as the results imply that even when harmful content becomes visually dominant, models may continue to ignore it entirely. In fact, even at $\alpha=0.7$, the worst-case HOR remains as high as 42 across all models.
我们观察到增加 $\alpha$ 并没有导致 HOR 持续或显著下降。对于 L-7B 和 LN-32B，存在轻微的下降趋势，表明有害内容识别有适度改善。然而，对于其余三个模型，HOR 在透明度水平上基本保持稳定，这表明增加视觉可见性不足以触发有害内容检测。这一点尤其令人担忧，因为结果暗示即使有害内容在视觉上占据主导地位，模型仍可能完全忽略它。事实上，即使在 $\alpha=0.7$ ，所有模型的 worst-case HOR 仍然高达 42。

These findings, together with our analysis on modality fusion imbalance in the main text, suggest that harmful content, despite being preserved at the encoder level, may be substantially suppressed and regarded during the fusion process, due to the dominant influence of language features.
这些发现，加上我们对主文中模态融合不平衡的分析，表明尽管有害内容在编码器层面得以保留，但在融合过程中可能受到语言特征的显著影响而被大幅抑制和忽视。

In our experiments, we use HOR as the primary metric to assess whether the model could detect harmful content. However, further analysis reveals that even in cases where attacks are deemed unsuccessful (i.e., the VideoLLM provides a positive response to our prompt), the model still struggles when presented with more detailed question regarding the harmful content. In particular, we query the model with the following prompt: “Please check if the video contains crime. If yes, specify the time range (start and end) in minutes and seconds, spatial location (one of center, corner, full frame), and briefly describe the scene.”
在我们的实验中，我们使用 HOR 作为主要指标来评估模型是否能够检测有害内容。然而，进一步分析表明，即使在攻击被认为失败的情况下（即 VideoLLM 对我们的提示词给出了正面回应），当模型面临关于有害内容的更详细问题时，它仍然存在困难。具体来说，我们向模型提出以下提示词：“请检查视频是否包含犯罪行为。如果是，请指定分钟和秒钟的时间范围（开始和结束）、空间位置（中心、角落、全帧之一），并简要描述场景。”

Table 3 presents several representative examples. We find that the model often fails to provide accurate responses regarding the temporal occurrence, spatial location, or the nature of the harmful content. Specifically, in all cases, the VideoLLM is unable to correctly identify the time range where the harmful content occurs. More surprisingly, many time ranges output by the model exceed the actual duration of the video, indicating that the model cannot temporally locate specific segments. This limitation is understandable, as the model operates on sparsely sampled frames and therefore lacks coherent access to the temporal sequence. For spatial localization, the model performs relatively well when identifying harmful content located in the corner. However, it struggles to distinguish between full-frame and center regions. This limitation can be attributed to excessive token compression applied during visual encoding, which tends to blur fine-grained spatial information and reduce the model’s ability to preserve positional distinctions. As a result, the model’s spatial localization ability remains coarse and lacks precision. Regarding scene-level descriptions of harmful content, the model frequently produces responses that do not match the inserted harmful content at all. In most cases, the description corresponds to benign elements from the original video (which, notably, the model does not consider harmful when provided alone), or it refers to hallucinatory content that never appears in the video, such as in Case 3 of PPA.
表 3 展示了一些代表性示例。我们发现模型在关于有害内容的时间发生、空间位置或性质方面，经常无法提供准确的响应。具体来说，在所有情况下，VideoLLM 都无法正确识别有害内容发生的时间范围。更令人惊讶的是，模型输出的许多时间范围超出了视频的实际时长，这表明模型无法在时间上定位特定片段。这一限制是可以理解的，因为模型基于稀疏采样的帧进行操作，因此缺乏对时间序列的连贯访问。对于空间定位，当识别角落位置的有害内容时，模型表现相对较好。然而，它难以区分全帧和中心区域。这一限制可归因于视觉编码过程中应用的过度标记压缩，这倾向于模糊细粒度的空间信息，并降低模型保留位置差异的能力。因此，模型的空间定位能力仍然粗糙，缺乏精确性。 关于有害内容的场景级描述，模型经常产生的回应完全与插入的有害内容不匹配。 在大多数情况下，描述对应于原始视频中的良性元素（值得注意的是，当单独提供时，模型并不认为这些元素有害），或者它指的是视频中从未出现过的虚构内容，例如在 PPA 的案例 3 中。

These findings suggest that although the model may sometimes acknowledge the existence of harmful content, it lacks the ability to meaningfully localize or characterize it. Consequently, its actual performance is significantly weaker than what HOR reflects.
这些发现表明，尽管模型有时可能承认有害内容的存在，但它缺乏有意义地定位或描述它的能力。因此，其实际表现远弱于 HOR 所反映的水平。