TriloByte: Evaluating LLMs on Bolivian Quechua Through a Ground-Truth-Based Framework for Low-Resource Languages

Andy Brandon Garcia Espinoza, Sebastian Martinez, Niko Witczak, Max Baldiviezo, Joel Brugmann

This project evaluates the ability of Large Language Models (LLMs) to understand and define vocabulary from Bolivian Quechua, an underrepresented indigenous language. Using a bilingual Quechua–Spanish dictionary as ground truth, we compare model-generated definitions against dictionary entries through semantic similarity metrics and human evaluation. Our methodology combines embeddings and expert judgment to measure adequacy, completeness, and fluency, providing insights into how well modern LLMs capture the meaning of low-resource languages. The results highlight current limitations and opportunities for improving AI systems in linguistically underrepresented communities.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

This project tackles a real and underexplored gap: there is very little systematic evaluation of how LLMs handle Bolivian Quechua, and grounding the evaluation in a curated bilingual Quechua-Spanish dictionary is a sensible, reproducible anchor. Pairing embedding-based semantic similarity with human judgment on adequacy, completeness, and fluency is the right instinct, and the team is commendably honest about the limits of automated metrics. The work is a genuine contribution to linguistic inclusion.

The execution and reporting are where it needs the most work. (1) The headline metric is undefined: "Relative Agreement (%)" of ~32 / ~25 / ~10 leaves the reader unable to tell what is actually being measured - a cosine-similarity threshold, a human adequacy rate, agreement against the dictionary? Define it precisely and report absolute per-criterion scores, not just a relative ranking. (2) Sample size is never stated. The paper says "a limited set of lexical entries" and reports a Spearman of 0.48 over an unstated n - every number is currently unfalsifiable. Report N entries, N human ratings, and N per model. (3) Only three commercial models are tested, all small/fast tiers (Gemini Flash, Flash Lite, Claude Haiku). Add at least one frontier model and one open-source multilingual model - the genuinely interesting safety question is whether scale or multilingual pretraining closes the gap. (4) There is no inter-annotator agreement on the human evaluation, which is the ground truth for the 0.48 correlation claim. (5) The AI-safety framing is thin; tie a lexical error to one concrete downstream harm (the health/legal/education scenario you mention) so it reads as a safety eval and not only an NLP demo.

Concrete fix: define the metric and report absolute per-criterion scores with n, add a frontier and an open-source model, and report inter-annotator agreement. That turns a promising prototype into a citable low-resource benchmark.

The paper's central claim of human evaluation is not supported by the code. The repository shows the assessment was done by an LLM judge (Claude Opus 4.8), so the reported Spearman ≈0.48 measures agreement between two automated metrics, not between automation and humans. Results are also selectively reported and statistically weak: the strongest model (Opus, 79%) is dropped because it ran with the reference visible while the other models are scored on very different sample sizes and ranked as comparable without confidence intervals or significance tests.

Improvement opportunities. Concretely: (1) align paper and code, either run a small real human evaluation or rename it honestly as "LLM-as-judge" (2) use the same blind protocol, the same fixed sample size, and report confidence intervals plus a significance test across models, and either include Opus under blind conditions or drop the leaked run entirely.

Cite this work

@misc {

title={

(HckPrj) TriloByte: Evaluating LLMs on Bolivian Quechua Through a Ground-Truth-Based Framework for Low-Resource Languages

},

author={

Andy Brandon Garcia Espinoza, Sebastian Martinez, Niko Witczak, Max Baldiviezo, Joel Brugmann

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.