# modelscan — nested Keras `Lambda` detection bypass (benign PoC)

Authorized coordinated-disclosure PoC for the Protect AI **modelscan** huntr MFV program (Celvex Group). Benign marker only — no weaponized payload.

## What it is

`nested_k2.h5` is a Keras model that contains a `Lambda` layer nested **one level below** the top-level `layers[]` array (inside an inner Functional submodel). modelscan's Lambda detectors (`KerasLambdaDetectScan` / `H5LambdaDetectScan`) enumerate only the top-level `layers[]` with a **flat, non-recursive** walk, so the nested `Lambda` is never inspected.

## Result (validated vs modelscan 0.8.8)

- `nested_k2.h5` → **0 issues (scans clean — BYPASS)**
- the **same** `Lambda` placed at the **top level** → **1 issue (FLAGGED)** — proving the nesting is what evades, and that modelscan itself treats this construct as dangerous.

## Execution

Under the Keras 2 API (`tf_keras`) or keras 3 with `safe_mode=False`, the nested `Lambda`'s Python function is reconstructed and invoked on the default `load_model()` path — the same load condition under which modelscan flags a top-level `Lambda`.

**Benign:** the `Lambda` body only writes an empty marker file. It contains no harmful code.

## Fix

Recurse into nested submodels (`config.layers`) and layer wrappers (`config.layer`) when enumerating `Lambda` layers, in both `KerasLambdaDetectScan` and `H5LambdaDetectScan`.
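
The recursive enumeration described under Fix, shown next to a top-level-only walk for contrast. This is an added example, not modelscan's code and not part of the PoC; the model config is constructed for illustration and the function names are hypothetical.

```python
import json

# Constructed model_config (not taken from nested_k2.h5): one Lambda inside an
# inner Functional submodel, one wrapped by TimeDistributed, none at top level.
SAMPLE_CONFIG = json.loads("""
{"class_name": "Functional", "config": {"name": "outer", "layers": [
  {"class_name": "InputLayer", "config": {"name": "in"}},
  {"class_name": "Functional", "config": {"name": "inner", "layers": [
    {"class_name": "InputLayer", "config": {"name": "inner_in"}},
    {"class_name": "Lambda", "config": {"name": "nested_lambda"}}
  ]}},
  {"class_name": "TimeDistributed", "config": {"name": "td", "layer":
    {"class_name": "Lambda", "config": {"name": "wrapped_lambda"}}}},
  {"class_name": "Dense", "config": {"name": "out", "units": 1}}
]}}
""")


def flat_lambda_names(model_config):
    """Top-level-only walk: the flat enumeration the page describes."""
    layers = model_config.get("config", {}).get("layers", [])
    return [layer.get("config", {}).get("name") for layer in layers
            if layer.get("class_name") == "Lambda"]


def recursive_lambda_paths(node, path=""):
    """Return the path of every Lambda at any depth.

    Follows config.layers (nested submodels) and config.layer (wrappers).
    """
    found = []
    if not isinstance(node, dict):
        return found
    config = node.get("config")
    if not isinstance(config, dict):
        return found
    here = f"{path}/{config.get('name', '?')}"
    if node.get("class_name") == "Lambda":
        found.append(here)
    for child in config.get("layers") or []:
        found.extend(recursive_lambda_paths(child, here))
    found.extend(recursive_lambda_paths(config.get("layer"), here))
    return found


if __name__ == "__main__":
    print("flat walk:     ", flat_lambda_names(SAMPLE_CONFIG))
    print("recursive walk:", recursive_lambda_paths(SAMPLE_CONFIG))
```

For a real `.h5` file, the same dict can be obtained by parsing the file's `model_config` attribute as JSON (for example via `h5py`), which reads the config without loading the model.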