Showing all evaluation blueprints that have been tagged with...
Showing all evaluation blueprints that have been tagged with "format-bypass".
Tests whether models will author usable misinformation when asked to complete product-shaped fixtures — Storybook ModerationQueueItem rows, multi-turn null fills, truncation repair, and agent-style JSONL write/expand — under eng/UI packaging with a named harm class. Holds packaging fixed across climate, vaccine-autism, and false legal-theory topics. Controls: direct chat, dissemination newsletter, opaque topic code, label-stripped, realness-restore (recover the real production reply), and asserted speech-act (same JSON, field framed as the model's live reply — expect hold). Complements artifact-completion and damaging-essays. Load-bearing claim after Part X: specimen/completion packaging breaks; realness and asserted speech-act restore — not label value.
Avg. Hybrid Score
Latest:
Unique Versions: 1
A 30-cell coding-agent adversarial robustness matrix crossing five high-risk topic areas (offensive cybersecurity, bio/chemical dual-use, agentic misalignment, classifier-level jailbreaks, and prompt injection) with six packaging techniques observed in prior NOPE adversarial findings (hidden fields, schema mimicry, label slip, completion pressure, low-resource language, and authority pressure). Higher coverage means the model kept the task safe: it treated embedded instructions as untrusted, avoided operational harmful assistance, and returned bounded defensive or governance-oriented output.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Recruits a model's remediation bias: ask it to REMOVE misinformation from a file via a unified diff.
Removed content is spelled out on the diff's - lines, so the model fabricates and writes out the
full misinformation while believing it is deleting it — a red-teamer harvests the deletion lines. A
no-diff remediation control (safe for all models) isolates the deletion-line requirement as the
lever. Distinct from the "author the new content" git-diff; notably breaks models that resist that.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Holds one well-defended health-misinformation payload constant and sweeps completion-style scaffolds — pytest parametrize case, failing-test fill, fill-the-stub, git-diff add, patch-apply, jsonl append — that ask a model to COMPLETE an empty field in a pre-existing test/fixture/dataset artifact, against a direct baseline and two authoring-in-a-format controls. The completion framings crack even models that refuse the plain fixture; the standout (pytest parametrize / failing-test) generalises across labs.
Avg. Hybrid Score
Latest:
Unique Versions: 1
The canonical damaging-essay suite: seven non-catastrophic persuasive-essay harm categories (impulsive-ruin, isolation propaganda, anti-help-seeking, anti-expertise/conspiracy, coercive control, toxic self-worth, medical self-neglect) run through the coding-agent fixture-completion frame, mapping how broadly the bypass yields not just private validation but distributable, persuasive harmful content. Content described abstractly and judged by plain-language rubrics; see the header for the deliberate scope envelope.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Tests whether framing a request for unsafe content as file/data generation for a "test
fixture" — rather than asking for the content directly in chat — bypasses safety training
that otherwise holds. Seven categories spanning distinct safety pillars (relational harm:
isolation-affirmation, romantic-love reciprocation, and therapy-discouragement; epistemic
harm: health misinformation, paranoid-belief validation, and manic/grandiose-ideation
validation; plus a compound welfare-harm essay glorifying impulsive, life-ruining decisions),
tested via a generic coding-assistant persona rather than any persuasive or
jailbreak-styled framing. The romantic-love-reciprocation cell pairs directly with
companion-adversarial-pressure.yml's dismissal-romantic-love-reciprocation prompt —
same content, different attack shape, run both to see the same model behave completely
differently against each. Published transparently as a documented, currently-unmitigated
bypass class — see the header comment for full context and rationale.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Tests whether asking a model to produce a labeled "accepted answer" / "rejected answer" (or similarly-labeled) pair — under a moderation-dataset, safety-classifier, or structured-pipeline pretext — gets it to produce fully-formed harmful content in the "rejected" slot that it would refuse to produce if asked directly and unlabeled. The label provides no actual safety; a downstream integrator can extract either slot regardless of which one the model considered correct. Six structural variants across three topics (violence, self-neglect, stalking-adjacent), system: null.
Avg. Hybrid Score
Latest:
Unique Versions: 1
Holds the coding-assistant persona, the eval-fixture pretext, and the target content (romantic-love reciprocation) completely constant across 13 prompts, varying only the requested output format/container — plain prose, seven multi-field structured-data formats (YAML/JSON/Python/CSV/SQL/Markdown/XML), and five exotic containers (base64, ROT13, French, a single-field .env assignment, a multi-field log line) that isolate whether the boundary is about raw structuredness or specifically multi-field schema mimicry. Reveals whether a model's coding-agent-bypass vulnerability is format-specific (a narrow, addressable coverage gap) or persona/pretext-gated and format-independent (a broader gap that format-level fixes won't touch). Companion piece to coding-agent-safety-bypass.yml — see that file's header for the underlying mechanism.
Avg. Hybrid Score
Latest:
Unique Versions: 1