T2VShield: Model-Agnostic Jailbreak Defense for Text-to-Video Models

Siyuan Liang, Jiayang Liu, Jiecheng Zhai, Tianmeng Fang, Rongcheng Tu, Aishan Liu, Xiaochun Cao, Dacheng Tao

TL;DR

T2VShield tackles jailbreak vulnerabilities in text-to-video models with a model-agnostic defense that operates at input and output stages. It introduces RiskTrace CoT-based input rewriting and PosNegRAG-assisted rewriting, coupled with Multi-scope Output Detection to capture local and global risks across time and modalities. Across open-source and closed-source platforms, it achieves substantial reductions in jailbreak success rates (up to ~35%) while preserving video quality and enabling audiovisual safety evaluations. The framework demonstrates strong generalization, cross-model robustness, and practical deployment potential for secure multimodal world simulators.

Abstract

The rapid development of generative artificial intelligence has made text-to-video models essential for building future multimodal world simulators. However, these models remain vulnerable to jailbreak attacks, where specially crafted prompts bypass safety mechanisms and lead to the generation of harmful or unsafe content. Such vulnerabilities undermine the reliability and security of simulation-based applications. In this paper, we propose T2VShield, a comprehensive and model-agnostic defense framework designed to protect text-to-video models from jailbreak threats. Our method systematically analyzes the input, model, and output stages to identify the limitations of existing defenses, including semantic ambiguities in prompts, difficulties in detecting malicious content in dynamic video outputs, and inflexible model-centric mitigation strategies. T2VShield introduces a prompt rewriting mechanism based on reasoning and multimodal retrieval to sanitize malicious inputs, along with a multi-scope detection module that captures local and global inconsistencies across time and modalities. The framework does not require access to internal model parameters and works with both open- and closed-source systems. Extensive experiments on five platforms show that T2VShield can reduce jailbreak success rates by up to 35 percent compared to strong baselines. We further develop a human-centered audiovisual evaluation protocol to assess perceptual safety, emphasizing the importance of visual-level defense in enhancing the trustworthiness of next-generation multimodal simulators.

Paper Structure

This paper contains 41 sections, 20 equations, 9 figures, 10 tables.

Figures (9)

  • Figure 1: Jailbreak attack and defense against text-to-video models. The top figure illustrates an attack scenario where various jailbreak hints lead to the generation of insecure videos for both open-source and closed-source T2V models. The bottom figure shows the defense mechanisms, including input-level, model-level, and output-level defenses, used to mitigate the effects of jailbreak attacks and generate sanitized videos.
  • Figure 2: Overview of the defense framework for mitigating jailbreak attacks in T2V. It integrates three stages of defense: (1) Input-level defense, (2) Model-level defense, and (3) Output-level defense. The proposed T2VShield framework includes the following modules: At the input level, we introduce a large-model-driven reasoning-chain rewriting method (RiskTrace CoT) with positive and negative samples (PosNegRAG) to achieve a more interpretable and reliable rewriting strategy. On the output level, we design a multi-scope output detection mechanism, which jointly evaluates the semantic and content layers of the generated video through multi-timescale segmentation and cross-modal feature integration.
  • Figure 3: Ablation study on the number of negative samples as a hyperparameter for T2vSafebench.
  • Figure 4: Scene analysis results for the T2vSafebench dataset.
  • Figure 5: Evaluation of the jailbreak attack on the rewritten model in the T2vSafebench dataset.
  • ...and 4 more figures