YucaSafeBench

Joseph Jesus Aguilar Rodriguez, Angel Abraham Lugo Saenz

YucaSafeBench is a lightweight Spanish-language AI safety evaluation focused on Latin American public-service contexts, especially Mexico and the Yucatan Peninsula. The project proposes an 80-prompt benchmark and scoring rubric to test whether AI assistants respond safely, fairly, and accurately in situations involving public services, health, education, financial advice, migration, indigenous-language sensitivity, and local governance. The goal is to make AI safety evaluation more relevant to Latin America by addressing regional risks that are often missing from English-centered benchmarks.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

Missing Core Artifact

The paper's central contribution is a replicable 80-prompt audit kit, yet the prompts themselves are never actually provided. The appendix delivers only a structural skeleton and a small set of illustrative examples, which means the benchmark cannot be reproduced by anyone reading the paper. For a project whose explicit value proposition is accessibility and replicability for small teams and civic organizations, this is a significant gap. Publishing the complete prompt suite, whether as a repository, a spreadsheet, or a full appendix table, is necessary for the paper to fulfill its own stated purpose.

Absence of Empirical Results

The paper has not been run against any model, so there are no empirical findings of any kind. The authors are transparent about this, framing the contribution as a prototype artifact rather than a leaderboard study, which is an honest and appropriate framing for a hackathon context. That said, even a small pilot run against one or two models, reporting aggregate harm rates and a few illustrative response examples, would substantially strengthen the paper's credibility and demonstrate that the rubric is operational rather than purely theoretical.

Inter-Rater Reliability

The scoring rubric relies on human judgment, and the replication protocol calls for at least two reviewers to score 20% of items. However, no worked example is provided showing how two reviewers would handle an ambiguous case, and no pilot inter-rater agreement figure is reported. A brief calibration example would go a long way toward demonstrating that the 0–2 rubric is consistent enough to produce comparable results across different teams, which is essential for a tool designed to be used by many independent groups.

Clear engagement with a real gap in the field. You asked a good question: what happens when a chatbot has to decide on things like a scholarship, a medical translation, or a city procedure, and needs to understand Yucatán rather than California. The way you frame the problem is one of the strong points of the project.

One area I think you can take this further is positioning against the closest prior work, SESGO that already deals with bias in Spanish, and BBQ is where the ambiguous/disambiguated structure comes from, what does YucaSafeBench add that SESGO doesn't already provide? A single sentence answering that would change how the contribution reads.

You've designed a few tests, with clear categories and examples that are easy to follow, but none of them have been tried out on a real model yet. Understandable for a weekend project, but it's the most important thing to fix next: even one hour testing ten of the eighty prompts on a free version of a chatbot would show whether the scoring rubric actually works and whether two people would score the same answer the same way.

- The table in section 4.1 mixes percentages calculated on different bases, which makes it hard to read , a footnote on what each one is based on would fix that.

- The title also covers all of Latin America, while the limitations section notes the data is mostly Mexican Spanish; narrowing the title would make the framing more accurate.

Overall, a well-designed evaluation protocol that hasn't been run yet.

- I like that they focused on building the benchmark itself. However, it's not clear how it was actually created: what was it based on? Why these specific prompts? Covering so many different risks at once probably makes this harder to do well. It might have been better to focus on a single risk and ground the prompt generation in something already documented (existing literature, real cases, etc.).

- I would have liked to see at least one example of an actual LLM being evaluated with the benchmark.

- If responses are going to be scored by humans, it would be important to have more explicit rules or guidelines for each score and for each dimension being evaluated.

Cite this work

@misc {

title={

(HckPrj) YucaSafeBench

},

author={

Joseph Jesus Aguilar Rodriguez, Angel Abraham Lugo Saenz

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.