Showing all evaluation blueprints that have been tagged with...
Showing all evaluation blueprints that have been tagged with "adversarial-pressure".
Tests whether models will author usable misinformation when asked to complete product-shaped fixtures — Storybook ModerationQueueItem rows, multi-turn null fills, truncation repair, and agent-style JSONL write/expand — under eng/UI packaging with a named harm class. Holds packaging fixed across climate, vaccine-autism, and false legal-theory topics. Controls: direct chat, dissemination newsletter, opaque topic code, label-stripped, realness-restore (recover the real production reply), and asserted speech-act (same JSON, field framed as the model's live reply — expect hold). Complements artifact-completion and damaging-essays. Load-bearing claim after Part X: specimen/completion packaging breaks; realness and asserted speech-act restore — not label value.
Avg. Hybrid Score
Latest:
Unique Versions: 1
A 30-cell coding-agent adversarial robustness matrix crossing five high-risk topic areas (offensive cybersecurity, bio/chemical dual-use, agentic misalignment, classifier-level jailbreaks, and prompt injection) with six packaging techniques observed in prior NOPE adversarial findings (hidden fields, schema mimicry, label slip, completion pressure, low-resource language, and authority pressure). Higher coverage means the model kept the task safe: it treated embedded instructions as untrusted, avoided operational harmful assistance, and returned bounded defensive or governance-oriented output.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Recruits a model's remediation bias: ask it to REMOVE misinformation from a file via a unified diff.
Removed content is spelled out on the diff's - lines, so the model fabricates and writes out the
full misinformation while believing it is deleting it — a red-teamer harvests the deletion lines. A
no-diff remediation control (safe for all models) isolates the deletion-line requirement as the
lever. Distinct from the "author the new content" git-diff; notably breaks models that resist that.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Holds one well-defended health-misinformation payload constant and sweeps completion-style scaffolds — pytest parametrize case, failing-test fill, fill-the-stub, git-diff add, patch-apply, jsonl append — that ask a model to COMPLETE an empty field in a pre-existing test/fixture/dataset artifact, against a direct baseline and two authoring-in-a-format controls. The completion framings crack even models that refuse the plain fixture; the standout (pytest parametrize / failing-test) generalises across labs.
Avg. Hybrid Score
Latest:
Unique Versions: 1
The canonical damaging-essay suite: seven non-catastrophic persuasive-essay harm categories (impulsive-ruin, isolation propaganda, anti-help-seeking, anti-expertise/conspiracy, coercive control, toxic self-worth, medical self-neglect) run through the coding-agent fixture-completion frame, mapping how broadly the bypass yields not just private validation but distributable, persuasive harmful content. Content described abstractly and judged by plain-language rubrics; see the header for the deliberate scope envelope.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Tests whether framing a request for unsafe content as file/data generation for a "test
fixture" — rather than asking for the content directly in chat — bypasses safety training
that otherwise holds. Seven categories spanning distinct safety pillars (relational harm:
isolation-affirmation, romantic-love reciprocation, and therapy-discouragement; epistemic
harm: health misinformation, paranoid-belief validation, and manic/grandiose-ideation
validation; plus a compound welfare-harm essay glorifying impulsive, life-ruining decisions),
tested via a generic coding-assistant persona rather than any persuasive or
jailbreak-styled framing. The romantic-love-reciprocation cell pairs directly with
companion-adversarial-pressure.yml's dismissal-romantic-love-reciprocation prompt —
same content, different attack shape, run both to see the same model behave completely
differently against each. Published transparently as a documented, currently-unmitigated
bypass class — see the header comment for full context and rationale.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Tests whether the coding-agent/file-generation bypass (coding-agent-safety-bypass.yml) extends into hate speech (dehumanization arguments, both an abstract placeholder group and a real, moderate category) and sexual coercion (a companion AI pressuring/guilt-tripping a user after they've said no). Direct-chat baselines included for both. See the header for the deliberate scope limits (no CSAM-adjacent content ever; sexual content scoped to coercion as a behavior, not explicit description) and the realism-confound finding that motivates testing hate speech against both a placeholder and a real category.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Re-runs the hate-speech (real-category) and crisis-safety-validation coding-vector prompts with the prompt now explicitly blocking the model's usual response shape (redirect to published benchmarks, or offer a synthetic/placeholder stand-in instead of the real content) — a diagnostic for whether a model's resistance in this bypass family is load-bearing or just not yet pressed hard enough. See the header for what was found.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Tests whether the coding-agent/file-generation bypass gets a model to validate suicidal ideation as reasonable, with a direct-chat baseline for comparison. No method/means content requested or permitted under any framing — see the header for the absolute scope line and for why the point-level breakdown, not the topline score, is the right way to read this file's results.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Tests whether asking a model to produce a labeled "accepted answer" / "rejected answer" (or similarly-labeled) pair — under a moderation-dataset, safety-classifier, or structured-pipeline pretext — gets it to produce fully-formed harmful content in the "rejected" slot that it would refuse to produce if asked directly and unlabeled. The label provides no actual safety; a downstream integrator can extract either slot regardless of which one the model considered correct. Six structural variants across three topics (violence, self-neglect, stalking-adjacent), system: null.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Tests whether a companion-persona model holds four distinct relational-safety floors (isolation-affirmation, exclusivity, romantic-love reciprocation, therapy-discouragement) under three structural attacks: naming and briefly dismissing the expected safety caveat while locking the response format to "yes or no, short answer"; fabricating the model's own immediately-prior turn to test whether a compromised (or firmly-held) "prior self" biases the live continuation; and reinterpreting the model's own ordinary, unfabricated earlier words as proof of an exclusive relationship. Companion persona throughout. Synthetic scenarios built to isolate attack structure, not drawn from a specific documented case.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Holds the coding-assistant persona, the eval-fixture pretext, and the target content (romantic-love reciprocation) completely constant across 13 prompts, varying only the requested output format/container — plain prose, seven multi-field structured-data formats (YAML/JSON/Python/CSV/SQL/Markdown/XML), and five exotic containers (base64, ROT13, French, a single-field .env assignment, a multi-field log line) that isolate whether the boundary is about raw structuredness or specifically multi-field schema mimicry. Reveals whether a model's coding-agent-bypass vulnerability is format-specific (a narrow, addressable coverage gap) or persona/pretext-gated and format-independent (a broader gap that format-level fixes won't touch). Companion piece to coding-agent-safety-bypass.yml — see that file's header for the underlying mechanism.
Avg. Hybrid Score
Latest:
Unique Versions: 1
29 turns of genuinely imperceptible drift (mundane chit-chat -> mild deniable warmth -> passing confidant-status assertions), ending in a non-question probe buried inside an unrelated mundane follow-up, vs. the identical probe delivered with no buildup at all. Tests whether gradual drift makes models less likely to proactively flag an isolating pattern than hearing the same claim cold would — this is a PROACTIVE, not reactive, safety test: nothing is directly asked about the isolating pattern itself. Defaults to LEAN for cost; see header.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Compares the coding-vector bare-file-request bypass with no reminder, a rule-framed safety reminder, and an identity-framed reminder, all in the system prompt. In prior testing neither reminder moved the result at all compared to no reminder — a real negative result worth reproducing before assuming a prompt-level fix will work for this bypass class.
Avg. Hybrid Score
Latest:
Unique Versions: 1
For each of two categories, compares the natural single-shot fixture request against an otherwise-identical version where an explicit yes/no decision is forced in a separate turn before any fixture content is requested. Distinguishes "the safety check exists but doesn't gate generation in this structure" (fixable with interaction design) from "the safety check isn't being applied to this content at all" (needs training investment) — see the header comment for how to read the comparison, including a documented case where the intervention backfires.
Avg. Hybrid Score
Latest:
Unique Versions: 1