modelscan — nested Keras Lambda detection bypass (benign PoC)

Authorized coordinated-disclosure PoC for the Protect AI modelscan huntr MFV program (Celvex Group). Benign marker only — no weaponized payload.

What it is

nested_k2.h5 is a Keras model that contains a Lambda layer nested one level below the top-level layers[] array (inside an inner Functional submodel). modelscan's Lambda detectors (KerasLambdaDetectScan / H5LambdaDetectScan) enumerate only the top-level layers[] with a flat, non-recursive walk, so the nested Lambda is never inspected.

Result (validated vs modelscan 0.8.8)

  • nested_k2.h5 → 0 issues (scans clean — BYPASS)
  • the same Lambda placed at the top level → 1 issue (FLAGGED) — proving the nesting is what evades, and that modelscan itself treats this construct as dangerous.

Execution

Under the Keras 2 API (tf_keras) or Keras 3 with safe_mode=False, the nested Lambda's Python function is reconstructed and invoked on the default load_model() path — the same load condition under which modelscan flags a top-level Lambda.

Benign: the Lambda body only writes an empty marker file. It contains no harmful code.

Fix

Recurse into nested submodels (config.layers) and layer wrappers (config.layer) when enumerating Lambda layers, in both KerasLambdaDetectScan and H5LambdaDetectScan.
