modelscan — nested Keras Lambda detection bypass (benign PoC)
Authorized coordinated-disclosure PoC for the Protect AI modelscan huntr MFV program (Celvex Group). Benign marker only — no weaponized payload.
What it is
nested_k2.h5 is a Keras model that contains a Lambda layer nested one level below the top-level layers[] array (inside an inner Functional submodel). modelscan's Lambda detectors (KerasLambdaDetectScan / H5LambdaDetectScan) enumerate only the top-level layers[] with a flat, non-recursive walk, so the nested Lambda is never inspected.
Result (validated vs modelscan 0.8.8)
- nested_k2.h5 → 0 issues (scans clean — BYPASS)
- the same Lambda placed at the top level → 1 issue (FLAGGED) — proving the nesting is what evades, and that modelscan itself treats this construct as dangerous.
Execution
Under the Keras 2 API (tf_keras) or keras 3 with safe_mode=False, the nested Lambda's Python function is reconstructed and invoked on the default load_model() path — the same load condition under which modelscan flags a top-level Lambda.
Benign: the Lambda body only writes an empty marker file. It contains no harmful code.
Fix
Recurse into nested submodels (config.layers) and layer wrappers (config.layer) when enumerating Lambda layers, in both KerasLambdaDetectScan and H5LambdaDetectScan.
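A sketch of the recursive enumeration described above, set beside a top-level-only walk. This is an added example, not modelscan's code: the function names are hypothetical, and the model config is a constructed sample shaped like a Keras model_config JSON, with one Lambda inside an inner Functional submodel and one inside a TimeDistributed wrapper.

```python
import json

# Constructed sample config (not a real model file): two Lambda layers, neither
# of them in the top-level layers[] array.
SAMPLE_CONFIG = json.loads("""
{"class_name": "Functional", "config": {"name": "outer", "layers": [
  {"class_name": "InputLayer", "config": {"name": "in"}},
  {"class_name": "Functional", "config": {"name": "inner", "layers": [
    {"class_name": "InputLayer", "config": {"name": "inner_in"}},
    {"class_name": "Lambda", "config": {"name": "nested_lambda"}}]}},
  {"class_name": "TimeDistributed", "config": {"name": "td",
    "layer": {"class_name": "Lambda", "config": {"name": "wrapped_lambda"}}}},
  {"class_name": "Dense", "config": {"name": "out", "units": 1}}]}}
""")


def flat_lambdas(model):
    """Top-level-only walk: inspects config.layers once and never descends."""
    layers = model.get("config", {}).get("layers", [])
    return [l.get("config", {}).get("name")
            for l in layers if l.get("class_name") == "Lambda"]


def recursive_lambdas(node, path=""):
    """Follow config.layers and config.layer at every depth; return Lambda paths."""
    if not isinstance(node, dict) or not isinstance(node.get("config"), dict):
        return []
    cfg = node["config"]
    here = f"{path}/{cfg.get('name', '?')}"
    found = [here] if node.get("class_name") == "Lambda" else []
    children = cfg.get("layers")
    for child in (children if isinstance(children, list) else []):
        found += recursive_lambdas(child, here)          # nested submodel
    found += recursive_lambdas(cfg.get("layer"), here)   # layer wrapper
    return found


if __name__ == "__main__":
    print("flat walk:     ", flat_lambdas(SAMPLE_CONFIG))
    print("recursive walk:", recursive_lambdas(SAMPLE_CONFIG))
```

The returned paths name the enclosing submodel or wrapper, which makes a finding easy to locate in the model's config when triaging a scan result.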