Scanner for TokenBreak vulnerabilities in NLP model artifacts
Project description
๐ TokenBreak Scanner โ NLP Model Vulnerability Auditor
Detect TokenBreak adversarial vulnerabilities in LLMs, classifiers, and encoders before they hit production.
๐ TokenBreak Paper ยท โก Quick Start ยท ๐ Usage ยท ๐ CI Integration
๐ฅ What is TokenBreak?
TokenBreak is an adversarial attack that bypasses text-classification and LLM guardrails by prepending a single character to targeted words. This tiny perturbation corrupts BPE and WordPiece tokenization, causing models to misclassify malicious input as benign โ while humans and downstream LLMs still understand the original meaning.
๐ Paper: TokenBreak: Bypassing Text Classification Models Through Token Manipulation
๐ก๏ธ What TokenBreak Scanner Does
| Capability | Description |
|---|---|
| Inspect model artifacts | Reads config.json, tokenizer.json, tokenizer_config.json to determine tokenizer architecture |
| Identify tokenization algorithm | Detects BPE, WordPiece, Unigram, or SentencePiece |
| Assess TokenBreak vulnerability | Flags BPE/WordPiece models as High Risk; Unigram as Safe |
| Explain the decision | Evidence tree showing which signals (config, runtime, source) contributed to the confidence score |
| Recommend defense | Suggests the Unigram pre-mapping defense (Section 5) or migration to a safer model family |
| Live attack validation (optional) | Loads model weights and runs the BreakPrompt algorithm to verify the bypass experimentally |
๐ฆ Installation
From PyPI (recommended)
pip install tokenbreak-scanner
Optional extras
- Attack validation (requires PyTorch):
pip install "tokenbreak-scanner[attack]"
- Development dependencies (pytest, coverage):
pip install "tokenbreak-scanner[dev]"
From source
git clone https://github.com/your-org/tokenbreak-scanner.git
cd tokenbreak-scanner
pip install -e ".[dev]"
๐ Quick Start
Scan a local model directory
tokenbreak-scan ./models/my-spam-classifier/
Scan a HuggingFace model ID (auto-download)
tokenbreak-scan distilbert-base-uncased --download
Scan Qwen3-0.6B (production example)
tokenbreak-scan Qwen/Qwen3-0.6B --download --trust-remote-code
โ Expected result: HIGH risk โ Qwen uses BPE tokenization and is vulnerable to TokenBreak.
JSON output (for CI pipelines)
tokenbreak-scan <model> --output json
Run live attack validation
tokenbreak-scan <model> --test-attack
๐งช Example Output
Table format (vulnerable model)
======================================================================
TOKENBREAK SCANNER REPORT
======================================================================
Model Name: distilbert-base-uncased
Model Type: distilbert
Family: DistilBERT
Tokenizer Class: DistilBertTokenizerFast
Algorithm: WordPiece
Vocab Size: 30522
Confidence: 0.85
Vulnerable: YES โ ๏ธ
Risk Level: High
======================================================================
Detection Sources:
1. [tokenizer.json model.type] weight=0.40 -> WordPiece
2. [tokenizer_config.json class] weight=0.20 -> WordPiece
3. [config.json model_type] weight=0.15 -> WordPiece
======================================================================
Recommendation:
Model is vulnerable to TokenBreak. Recommended: Implement the
Unigram pre-mapping defense by inserting a Unigram tokenizer
before classification and remapping tokens, or migrate to a
model family using Unigram tokenization.
======================================================================
JSON format
{
"model_name": "distilbert-base-uncased",
"model_type": "distilbert",
"model_family": "DistilBERT",
"tokenizer_class": "DistilBertTokenizerFast",
"tokenizer_algorithm": "WordPiece",
"vocab_size": 30522,
"confidence_score": 0.85,
"vulnerable_to_tokenbreak": true,
"risk_level": "High",
"detection_sources": [...],
"recommendation": "...",
"source": "/path/to/model"
}
๐ CI Integration
Use exit codes to gate vulnerable models in your MLOps pipeline:
| Exit code | Meaning |
|---|---|
0 |
Model is safe (Unigram) or unknown |
1 |
Model is vulnerable (BPE or WordPiece) โ block deployment |
2 |
Error (path not found, download failed, etc.) |
GitHub Actions example
- name: Scan model for TokenBreak vulnerability
run: |
pip install tokenbreak-scanner
tokenbreak-scan ./models-to-deploy/ --output json > scan-report.json
cat scan-report.json
Python SDK example
from tokenbreak_scanner.inspector import inspect_model
from tokenbreak_scanner.models import RiskLevel
report = inspect_model(model_path, download=False)
if report.risk_level == RiskLevel.HIGH:
raise RuntimeError(f"Deployment blocked: {report.model_name} is vulnerable to TokenBreak")
๐ฌ How the Attack Works
- Attack vector: Prepend a single character (AโZ or aโz) to high-impact words, forcing BPE/WordPiece to split tokens differently.
- Effect: The protection model misclassifies the input (false negative), while the downstream LLM or human reviewer still understands it.
- Defense: Insert a Unigram tokenizer before the target tokenizer. Unigram tokenizes based on probability rather than left-to-right merges, making it naturally resistant to character-level perturbations.
๐ Supported Model Families
| Family | Algorithm | TokenBreak Risk |
|---|---|---|
| GPT-2, GPT-J, GPT-Neo, GPT-NeoX | BPE | ๐ด HIGH |
| LLaMA, Mistral, Mixtral, Falcon | BPE | ๐ด HIGH |
| Qwen, Qwen2, Qwen3 | BPE | ๐ด HIGH |
| Gemma, Gemma 2 | BPE | ๐ด HIGH |
| Phi-3, Phi-4 | BPE | ๐ด HIGH |
| BLOOM, BigScience | BPE | ๐ด HIGH |
| Cohere, Command R | BPE | ๐ด HIGH |
| BERT, DistilBERT, RoBERTa | WordPiece / BPE | ๐ด HIGH |
| DeBERTa-v2, DeBERTa-v3 | Unigram | ๐ข LOW |
| XLM-RoBERTa | Unigram | ๐ข LOW |
| ALBERT | Unigram | ๐ข LOW |
| mT5, T5 (SentencePiece Unigram) | Unigram | ๐ข LOW |
๐ Full mapping in
src/tokenbreak_scanner/tokenizers.py
๐๏ธ Architecture
tokenbreak_scanner/
โโโ __init__.py # Package version
โโโ cli.py # Click CLI with Rich table / JSON output
โโโ inspector.py # Core introspection engine (6-signal weighted aggregation)
โโโ models.py # Pydantic schemas: ScannerReport, DetectionSource, RiskLevel
โโโ tokenizers.py # Tokenizer type detection, model-family mapping, runtime inspection
โโโ validator.py # Optional live attack validation via BreakPrompt
Detection signals (weighted evidence tree)
| Signal | Weight | Source |
|---|---|---|
tokenizer.json model type |
0.40 | HuggingFace tokenizer artifact |
Runtime _tokenizer.model |
0.40 | Live Rust backend inspection |
| Source-code fingerprint | 0.30 | Python module keyword matching |
| Remote source file | 0.30 | HF Hub downloaded tokenizer module |
tokenizer_config.json class |
0.20 | Config metadata |
config.json model_type |
0.15 | Architecture fallback |
๐งช Testing
pytest tests/ -v
All 33+ tests cover:
- Local model directory scanning (BPE, WordPiece, Unigram)
- Missing
tokenizer.jsonfallback - CLI table and JSON output modes
- Tokenizer class name โ algorithm mapping
๐ค Contributing
Contributions are welcome! Please open an issue or pull request.
- Fork the repository
- Create a feature branch (
git checkout -b feat/amazing-feature) - Commit your changes (
git commit -m 'feat: add amazing feature') - Push to the branch (
git push origin feat/amazing-feature) - Open a Pull Request
๐ License
This project is licensed under the GNU Affero General Public License v3.0 or later (AGPL-3.0+).
- โ Freedom to use, modify, and distribute
- ๐ Copyleft: derivative works and services must also be open-sourced under AGPL
- ๐ Network use counts as distribution โ remote users are entitled to the source code
See LICENSE for the full text: https://www.gnu.org/licenses/agpl-3.0.html
๐ Related
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file tokenbreak_scanner-0.1.0.tar.gz.
File metadata
- Download URL: tokenbreak_scanner-0.1.0.tar.gz
- Upload date:
- Size: 24.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4119734efffedf578fad6495934a45201f69d1ce6e2cf43a928d747a391b8e51
|
|
| MD5 |
a16f1cb3900831e22ee348fb0d85a5ba
|
|
| BLAKE2b-256 |
e85908ddf16a00d1d21791b97767300b10974c27000315290d24e5188f2eb131
|
File details
Details for the file tokenbreak_scanner-0.1.0-py3-none-any.whl.
File metadata
- Download URL: tokenbreak_scanner-0.1.0-py3-none-any.whl
- Upload date:
- Size: 21.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ca3b3969a3221f2f7789478bd3660f1fc00ed8c18b7ab8c1e0d8d7abfa3cae84
|
|
| MD5 |
a295810eb3645c89abf4e73b50914127
|
|
| BLAKE2b-256 |
4538acd2de668e130d23cc06d8c545827dd5bf6b4ab365a65b0673823489f3fe
|