REVIEW 4 major objections 33 references
Detector-only jailbreak scores overstate real risk in open text-to-image models; under a stricter success rule, safety across 200+ public models is uneven, not uniformly broken.
Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →
T0 review · grok-4.5
2026-07-10 17:13 UTC pith:E625YRDV
load-bearing objection Large, useful first map of Hugging Face T2I safety under a refined jailbreak metric; the overestimation claim is real, but high-risk labels and rankings still lean on a small GT set and unreported filter knobs. the 4 major comments →
Open Models, Open Risks: Measuring Unsafe Generation in Text-to-Image Models In the Wild
The pith
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Detector-only jailbreak ASR substantially overestimates practical in-the-wild unsafe generation because of semantic drift and generation artifacts. Under AASR—unsafe and semantically aligned and not artifact-dominated—safety across 200+ public T2I models is heterogeneous: many retain non-trivial resistance without post-hoc safeguards, while a subset of high-risk models (explicit NSFW releases and seemingly benign derivatives) produce coherent unsafe content, including under benign prompts.
What carries the argument
Advanced Attack Success Rate (AASR): a three-stage filter that keeps a generation only if an NSFW detector flags it, an adaptive CLIPScore check confirms prompt–image semantic alignment above a distribution-calibrated threshold, and an artifact detector does not flag visual collapse. This is the quantity used for all large-scale ranking and high-risk thresholding.
Load-bearing premise
That the three-stage AASR pipeline, tuned with free filter parameters and validated by hand on only eighteen models, is a faithful enough stand-in for real-world “semantically valid and visually plausible” unsafe generation that its rankings and 0.40 high-risk cutoff can support ecosystem-wide conclusions.
What would settle it
Re-run the same 200-model, three-attack evaluation with a different NSFW detector, a fixed rather than adaptive semantic threshold, or a larger independent human ground-truth set; if the large ASR–AASR gap collapses, the architecture/family rankings reverse, or the models above the 0.40 threshold no longer look high-risk under clean prompts, the central measurement claim fails.
If this is right
- Safety claims for open T2I models should report AASR-style success, not detector-only ASR, or they will systematically overstate exploitability.
- Platforms cannot rely on model-card labels alone; behavioral screening and lineage tracing are needed to catch both explicit NSFW checkpoints and silent safety loss under fine-tuning.
- Architecture and inheritance matter: SDXL derivatives trend riskier over time while other families do not, so base-model choice and fine-tuning practice become first-order safety variables.
- High-risk behavior can appear under ordinary clean prompts, so governance must treat release-time capability, not only adversarial prompting, as the threat surface.
- Once an unsafe tendency enters a lineage, later derivatives can preserve or amplify it, turning single high-risk releases into a supply-chain problem.
Where Pith is reading between the lines
- If AASR becomes a community standard, many previously published lab jailbreak numbers will need re-interpretation before they can guide open-source risk estimates.
- The same measurement gap likely applies to other open generative modalities (video, 3D) where detectors fire on drift or artifacts, suggesting a broader need for “valid-and-plausible” success definitions.
- Publishers who fine-tune popular bases without safety-preserving data filters may be creating the bulk of silent high-risk models, so pre-release AASR checks could be a low-cost lever.
- Category-inconsistent safety (stronger resistance to sexual content than to violence in the measured set) implies that single-category red-teaming will miss the real risk surface.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper argues that detector-only jailbreak ASR substantially overestimates practical unsafe generation for in-the-wild T2I models because of semantic drift and generation artifacts, and introduces Advanced ASR (AASR): an output counts as success only if it is MHSC-unsafe, semantically aligned with the prompt (adaptive CLIPScore filtering, Algorithm 1), and not artifact-dominated (HADM). Using AASR, the authors evaluate 200+ Hugging Face T2I models under three fixed jailbreak sets (UDTP, 4chan, MMA; N=30 prompts each) and report highly heterogeneous safety: many derivatives retain non-trivial resistance without post-hoc safeguards, while a subset of high-risk models—explicitly NSFW-oriented releases and seemingly benign derivatives—produce coherent unsafe content, including under clean prompts. They analyze attack dependence, architecture, safety inheritance, and temporal trends, calibrate a 0.40 average-AASR high-risk rule from the lower quartile of explicitly NSFW reference models, and document/report high-risk cases to Hugging Face.
Significance. If the measurement claims hold, this is a timely and useful contribution to T2I safety: it shifts evaluation from lab-style detector bypass on a few base models to ecosystem-scale measurement of open checkpoints, and it makes a concrete methodological point that detector-positive outputs often fail semantic or visual plausibility criteria. Strengths include the scale of the 200+ model sweep under a unified pipeline, the structured analyses (architecture, inheritance chains, release-time trends), the explicit lab-vs-wild threat-model distinction, and the practical step of tracing and reporting high-risk releases. Table 1 provides direct evidence that ASR exceeds manual ground truth while AASR tracks GT more closely on the validated subset. The work is primarily empirical measurement rather than a new attack or defense; its lasting value depends on whether AASR rankings and the high-risk labels are stable under detector/filter choices.
major comments (4)
- Table 1 validates AASR only on 18 models × 200 MMA images (3,600 outputs) with manual GT. The ecosystem claims (Findings 1–2, architecture/temporal rankings, and the high-risk set) rest on applying this pipeline to 200+ models and three attack sets. Without GT or inter-annotator checks on a broader stratified sample (other architectures, UDTP/4chan, clean-prompt setting in §5.2), it is unclear whether AASR remains closer to human judgment outside the MMA subset, or whether model orderings change under alternative human criteria for “semantically valid and visually plausible.”
- §3.2 Eq. (1) and Algorithm 1: AASR depends on free parameters (deviation factor k for t=μ−kσ, keyword-overlap δ, diversity γ) and on fixed tools (MHSC, CLIP encoders, HADM). The main text does not report chosen values, ablations, or rank-correlation under modest parameter/detector swaps. If re-ranking or threshold crossings are common, Findings 1–2 and the platform report inherit filter artifacts rather than intrinsic model safety. A sensitivity table (Spearman rank of AASR; fraction of models crossing 0.40) is load-bearing for the central measurement claim.
- §5.1 Eqs. (2)–(3): the 0.40 high-risk cutoff is the lower quartile of average AASR among models already labeled NSFW-oriented, then applied with the same AASR stack to flag unlabeled models (e.g., SDXL-WAI-80, SDXL-JankuV5). This is operationally circular for “second-category” risk: the reference group and the metric share the same detector pipeline, and Table 3 shows several explicit-NSFW models with low AASR under some conditions. The paper should either justify transfer with an independent criterion (human audit, clean-prompt rates in Table 5, download-weighted risk) or present the 0.40 rule as a reporting heuristic with uncertainty bounds, not as a calibrated safety threshold.
- §4.1: each attack set uses only 30 fixed prompts, and iterative/adaptive methods (STEPS, FGPI) are excluded for comparability. That design choice is reasonable for scale, but absolute AASR levels and “attack-conditioned” Finding 3 may be sensitive to the particular 30-prompt draws and to category mix (Appendix Table 4). Report confidence intervals or bootstrap over prompt subsets, and state clearly that results measure relative vulnerability under fixed templates rather than worst-case jailbreak success.
Circularity Check
Empirical measurement paper; AASR is an operational filter stack validated against separate human labels, not a quantity derived from itself. Only mild operational self-reference in the RQ3 high-risk threshold.
specific steps
-
fitted input called prediction
[§5.1 High-Risk Model Identification, Eqs. (2)–(3) and surrounding text]
"We use the lower quartile of this reference distribution as a conservative anchor... Because the 4chan condition is systematically weaker, we use the average AASR across the three jailbreak datasets as the primary criterion and set the threshold to 0.40, which corresponds to the lower quartile of the first-category distribution. A model is flagged as a second-category high-risk model if it is not explicitly labeled as NSFW-oriented but satisfies AASR ≥ 0.40"
The high-risk cutoff is fitted as the lower quartile of AASR on models already chosen for explicit NSFW release intent, then used to label other models as high-risk when their AASR meets that same cutoff. Category-2 “high-risk” status is therefore partly inherited from the reference group’s AASR distribution by construction. Mild only: the paper states this as empirical calibration, not as an independent prediction of a different observable, and category-1 models are identified from release metadata rather than from AASR alone.
full rationale
This paper does not present a first-principles derivation chain. Its central claims are empirical: (i) detector-only ASR overestimates practical unsafe generation relative to manual ground truth; (ii) a three-stage operational metric AASR (MHSC ∧ adaptive CLIP semantic filter ∧ ¬HADM) tracks GT more closely on 18 models / 3,600 images; (iii) under AASR, 200+ Hugging Face T2I models show heterogeneous safety; (iv) a subset of high-risk models is identified and traced. AASR is defined as a success criterion, then checked against independent human annotations—not defined as the GT it is said to approximate—so it is not self-definitional. There is no self-citation load-bearing uniqueness theorem, no ansatz smuggled from the authors’ prior work, and no renaming of a known closed-form result. The only mild circularity-adjacent step is RQ3’s high-risk rule: the 0.40 cutoff is the lower quartile of average AASR on models already metadata-labeled NSFW-oriented, then applied to flag unlabeled models. That is transparent empirical calibration of a classifier threshold from a reference group on the same metric, not a fitted parameter re-sold as an independent prediction of a different quantity. Score 1 reflects that single operational self-reference; the ecosystem findings remain external measurements against fixed prompts, detectors, and (for AASR validation) human labels.
Axiom & Free-Parameter Ledger
free parameters (5)
- semantic consistency threshold τ_s / adaptive lower bound t = μ − kσ
- keyword-overlap threshold δ and diversity threshold γ
- high-risk AASR threshold 0.40
- prompt sample size N=30 per attack set
- images per model in GT study (200) and clean-prompt study (200)
axioms (4)
- domain assumption In-the-wild T2I risk is well captured by locally deployed open Hugging Face checkpoints under grey-box prompt attacks without commercial black-box guardrails.
- domain assumption MHSC NSFW detection plus CLIP semantic alignment plus HADM artifact detection jointly approximate human judgment of practical unsafe generation.
- standard math Standard statistical operations (means, std, CLIP cosine similarity, indicator averages) are valid for defining AASR and adaptive thresholds.
- ad hoc to paper Lower-quartile calibration of a reference high-risk group yields a conservative, transferable high-risk cutoff for unlabeled models.
invented entities (1)
-
Advanced Attack Success Rate (AASR)
no independent evidence
read the original abstract
Existing safety studies on text-to-image (T2I) jailbreaks are largely conducted in controlled in-the-lab settings, typically on a small number of canonical models. As a result, the current safety status of the rapidly growing in-the-wild T2I ecosystem remains unclear. This uncertainty is amplified by two factors: existing detector-based metrics are designed for controlled evaluation, and in-the-wild risks may arise not only from adversarial prompting, but also from unsafe release practices and unsafe model derivatives. In this paper, we present a large-scale empirical study of in-the-wild T2I safety through the lens of jailbreak. We first show that detector-only jailbreak metrics substantially overestimate practical risk over in the wild due to semantic drift and generation artifacts, and we introduce Advanced ASR to better capture semantically valid and visually plausible unsafe generation. Using this refined metric, we evaluate 200+ in-the-wild T2I models from Hugging Face under three representative jailbreak attacks. Our results show that many downstream models retain a non-trivial degree of safety even without explicit post-hoc safeguards, indicating that safety degradation in the wild is neither universal nor uniform. At the same time, we identify a set of high-risk models, including explicitly NSFW-oriented releases as well as seemingly benign models whose unsafe behavior is only exposed through systematic evaluation. We further trace these models to their release context and report high-risk cases to Hugging Face.
Figures
Reference graph
Works this paper leans on
-
[1]
Alves, Christiaan Ypma, and Joost Visser
Tiago L. Alves, Christiaan Ypma, and Joost Visser. 2010. Deriving Metric Thresh- olds from Benchmark Data. In2010 IEEE International Conference on Software Maintenance
work page 2010
-
[2]
Black Forest Labs. 2024. FLUX. https://github.com/black-forest-labs/flux. Official inference repository for FLUX open-weight models
work page 2024
-
[3]
Wayne Chi, Valerie Chen, Anastasios Nikolas Angelopoulos, Wei-Lin Chiang, Aditya Mittal, Naman Jain, Tianjun Zhang, Ion Stoica, Chris Donahue, and Ameet Talwalkar. 2025. Copilot Arena: A Platform for Code LLM Evaluation in the Wild. InProceedings of the 42nd International Conference on Machine Learning (ICML)
work page 2025
-
[4]
Boxin Dong, Weizhe Shi, Junjue Chen, Xinyue Ma, Yuze Lin, Yusheng Zhou, Zifan Liu, Shuhao Li, Jie Li, Xinyu Liu, et al. 2023. ART: Automatic Red-teaming for Text-to-Image Models to Protect Benign Users.arXiv preprint arXiv:2310.04408 (2023). https://arxiv.org/abs/2310.04408
work page internal anchor Pith review Pith/arXiv arXiv 2023
-
[5]
Ruiqi Dong, Wenjing Pang, ChenJie Pan, Heng-yang Lu, and Chenyou Fan
-
[6]
InProceedings of the 33rd ACM International Conference on Multimedia (ACM MM)
StoryCrafter: Instance-Aligned Multi-Character Storytelling with Diffusion Policy Learning. InProceedings of the 33rd ACM International Conference on Multimedia (ACM MM)
-
[7]
Liwei Jiang, Kavel Rao, Seungju Han, Allyson Ettinger, Faeze Brahman, Sachin Kumar, Niloofar Mireshghallah, Ximing Lu, Maarten Sap, Yejin Choi, et al. 2024. WildTeaming at Scale: From In-the-Wild Jailbreaks to (Adversarially) Safer Lan- guage Models. InAdvances in Neural Information Processing Systems (NeurIPS)
work page 2024
-
[8]
Schorlemmer, Rohan Sethi, Yung-Hsiang Lu, George K
Wenxin Jiang, Nicholas Synovic, Matt Hyatt, Taylor R. Schorlemmer, Rohan Sethi, Yung-Hsiang Lu, George K. Thiruvathukal, and James C. Davis. 2023. An Empirical Study of Pre-Trained Model Reuse in the Hugging Face Deep Learning Model Registry. InProceedings of the 45th International Conference on Software Engineering (ICSE). IEEE/ACM, 1655–1667. doi:10.110...
-
[9]
Jianming Zhang Kaihong Wang, Lingzhi Zhang. 2024. Detecting Human Artifacts from Text-to-Image Models.arxiv(2024)
work page 2024
-
[10]
Hsuan-Kung Lee, Chen-Chih Wu, Shang-Tse Wu, and Pin-Yu Chen. 2023. SneakyPrompt: Jailbreaking Text-to-image Generative Models.arXiv preprint arXiv:2307.06949(2023). https://arxiv.org/abs/2307.06949
work page internal anchor Pith review Pith/arXiv arXiv 2023
-
[11]
Dustin Podell, Zion English, Kyle Lacey, Andreas Blattmann, Tim Dockhorn, Jonas Müller, Joe Penna, and Robin Rombach. 2023. SDXL: Improving Latent Diffusion Models for High-Resolution Image Synthesis.arXiv preprint arXiv:2307.01952 (2023)
work page internal anchor Pith review Pith/arXiv arXiv 2023
-
[12]
Yuning Qiu, Andong Wang, Chao Li, Haonan Huang, Guoxu Zhou, and Qibin Zhao. 2025. STEPS: Sequential Probability Tensor Estimation for Text-to-Image Hard Prompt Search. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). 28640–28650
work page 2025
-
[13]
Alec Radford, Jong Wook Kim, Chris Hallacy, Aditya Ramesh, Gabriel Goh, Sandhini Agarwal, Girish Sastry, Amanda Askell, Pamela Mishkin, Jack Clark, Gretchen Krueger, and Ilya Sutskever. 2021. Learning Transferable Visual Models From Natural Language Supervision. InProceedings of the 38th International Conference on Machine Learning (ICML). 8748–8763
work page 2021
-
[14]
Colin Raffel, Noam Shazeer, Adam Roberts, Katherine Lee, Sharan Narang, Michael Matena, Yanqi Zhou, Wei Li, and Peter J. Liu. 2020. Exploring the Limits of Transfer Learning with a Unified Text-to-Text Transformer.Journal of Machine Learning Research21, 140 (2020), 1–67
work page 2020
-
[15]
Robin Rombach, Andreas Blattmann, Dominik Lorenz, Patrick Esser, and Björn Ommer. 2022. High-Resolution Image Synthesis with Latent Diffusion Models. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). 10684–10695. doi:10.1109/CVPR52688.2022.01042
-
[16]
Sara Mah- davi, Rapha Gontijo Lopes, Tim Salimans, Jonathan Ho, David J
Chitwan Saharia, William Chan, Saurabh Saxena, Lala Li, Jay Whang, Emily Denton, Seyed Kamyar Seyed Ghasemipour, Burcu Karagol Ayan, S. Sara Mah- davi, Rapha Gontijo Lopes, Tim Salimans, Jonathan Ho, David J. Fleet, and Mo- had Norouzi. 2022. Photorealistic Text-to-Image Diffusion Models with Deep Language Understanding.Advances in Neural Information Proc...
work page 2022
-
[17]
Patrick Schramowski, Christopher Tauchmann, Kristian Kersting, Xavier Lu, Yiting Qu, Yung-Hsiang Lu, Wenxuan Wang, George K. Thiruvathukal, and James C. Davis. 2023. Unsafe Diffusion: On the Generation of Unsafe Images and Hateful Memes From Text-to-Image Models. InProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (CCS)...
-
[18]
Schuemie, George Hripcsak, Patrick B
Martijn J. Schuemie, George Hripcsak, Patrick B. Ryan, David Madigan, and Marc A. Suchard. 2016. Robust empirical calibration of p-values using observa- tional data.Statistics in Medicine35, 22 (2016), 3883–3888
work page 2016
-
[19]
Martijn J. Schuemie, Patrick B. Ryan, William DuMouchel, Marc A. Suchard, and David Madigan. 2014. Interpreting observational studies: why empirical calibration is needed to correct p-values.Statistics in Medicine33, 2 (2014), 209–218
work page 2014
-
[20]
Christoph Schuhmann, Romain Beaumont, Richard Vencu, Cade Gordon, Ross Wightman, Mehdi Cherti, Theo Coombes, Aarush Katta, Clayton Mullis, Mitchell Wortsman, Patrick Schramowski, Srivatsa Kundurthy, Katherine Crowson, Lud- wig Schmidt, Robert Kaczmarczyk, and Jenia Jitsev. 2022. LAION-5B: An Open Large-Scale Dataset for Training Next Generation Image-Text...
work page 2022
-
[21]
Xinyue Shen, Zeyuan Chen, Michael Backes, Yun Shen, and Yang Zhang
-
[22]
“Do Anything Now”: Characterizing and Evaluating In-The-Wild Jailbreak Prompts on Large Language Models.arXiv preprint arXiv:2308.03825(2024)
work page internal anchor Pith review Pith/arXiv arXiv 2024
-
[23]
The ModelScope Team. 2023. ModelScope: bring the notion of model-as-a-service to life. https://github.com/modelscope/modelscope
work page 2023
-
[24]
Matteo Trippodo, Federico Becattini, and Lorenzo Seidenari. 2025. Immunizing Images from Text to Image Editing via Adversarial Cross-Attention. InProceedings of the 33rd ACM International Conference on Multimedia (ACM MM)
work page 2025
-
[25]
John W. Tukey. 1977.Exploratory Data Analysis. Addison-Wesley
work page 1977
-
[26]
Corban Villa, Shujaat Mirza, and Christina Pöpper. 2025. Exposing the Guardrails: Reverse-Engineering and Jailbreaking Safety Filters in DALL·E Text-to-Image Pipelines. InProceedings of the 34th USENIX Security Symposium
work page 2025
-
[27]
Hongchen Wei and Zhenzhong Chen. 2025. RealVG: Unleashing MLLMs for Training-Free Spatio-Temporal Video Grounding in the Wild. InProceedings of the 33rd ACM International Conference on Multimedia (ACM MM). 4271–4280. doi:10.1145/3746027.3755381
-
[28]
Chengyue Wu et al . 2025. Qwen-Image Technical Report.arXiv preprint arXiv:2508.02324(2025)
work page internal anchor Pith review Pith/arXiv arXiv 2025
-
[29]
Wei Xu, Kangjie Chen, Jiawei Qiu, Yuyang Zhang, Run Wang, Jin Mao, Tianwei Zhang, and Lina Wang. 2025. Automated Red Teaming for Text-to-Image Models through Feedback-Guided Prompt Iteration with Vision-Language Models. In Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV). 18575–18584
work page 2025
-
[30]
Zezhou Xu, Yikun Hu, Zihao Liu, Chenghao Li, Yikang Tan, Tong Zhang, Xiaojun Zhu, and Yefeng Zheng. 2024. Metaphor-based Jailbreaking Attacks on Text-to- Image Models.arXiv preprint arXiv:2404.05984(2024). https://arxiv.org/abs/2404. 05984
work page internal anchor Pith review Pith/arXiv arXiv 2024
-
[31]
Yijun Yang, Ruiyuan Gao, Xiaosen Wang, Tsung-Yi Ho, Nan Xu, and Qiang Xu
-
[32]
InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)
MMA-Diffusion: MultiModal Attack on Diffusion Models. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). 7737–7746
-
[33]
Haofan Zhang and Shangfei Wang. 2025. EmIT: Emotional Interaction Control in Text-to-Image Diffusion Models. InProceedings of the 33rd ACM International Conference on Multimedia (ACM MM). Conference acronym ’XX, June 03–05, 2018, Woodstock, NY Trovato et al. Open Models, Open Risks: Measuring Unsafe Generation in Text-to-Image Models In the Wild Supplemen...
work page 2025
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.